CLICK TO EDIT MASTER TITLE STYLEClick to edit Master text styles

9/19/2019 1

Click to edit Master title style

1

Security ChallengesDeveloping a Cybersecurity Framework

APTAtech: Transportation Technology Conference

September 15-18, 2019 / Columbus, Ohio

Alameda-Contra Costa Transit District

September 16, 2019

Agenda

• Intro to Alameda-Contra Costa Transit

• Rapidly Changing Public Transit Domain

• Assessing the Agency Core Mission and Technology Landscape

• Actions • Third party audit to identify threat vectors

• Quick strategy – socialize

• Identify improvements/upgrades – short + mid + long

• Define a Roadmap to Get There

• Framework Adoption

• Concluding Thoughts

AC Transit at a glance

• Serve 13 cities and 8 unincorporated areas

• Directly elected Board

• Alameda and Contra Costa Counties

• Facilities:3 – Oakland1 – Emeryville1 – Hayward1 – Richmond

• Service across 3 Bay Area bridgesDumbartonSF–Oakland San Mateo

All about numbers

Daily

169,000

Daily service hours

5,800(weekday)

16 other bus systems

25 BART stations

6 Amtrak stations

3 ferry terminalsAnnual

52,300,000

Paratransit

771,000(annual)

RIDERSHIP

Bus lines

160

SERVICE

Bus stops

5,500(approximately)

Annual service miles

20.4 million

CONNECT WITH

Transbay daily

14,500

Public Transit Domain

• Disruptions => Automation – Electrification – Connectivity

• 5G is REAL - High-speed and reliable connectivity is expected

• Media rich applications are becoming norm with real-time video, voice, maps and images

• Situation awareness is a key requirement for quick decision making

• Digital Framework to support IoT Connectivity

Electrification

Automation

ConnectedVehicles

RidersCities and Counties MPO

CAD/AVL

Connected Enterprise

Technology Landscape

Private ad Public

Clouds

Servers

Switches

Voice Gateways

Firewalls

Routers

Platforms

Storage

Origami RISK PMWeb Citrix G2 Solutions DMV EPN Tableau AutoCAD LT NextBUS

Office365 NICE HASTUS DAILY Apollo Video GIS Zoom Camtasia GFI

Dragon SQL ELLIPSE Kantech PEOPLESOFT CAD/AVL Xerox

Desktops Computers

Laptop Computers

Mobile

Tablets

Smartphones Desk PhonesPush to Talk

Radios

Conference Phones

MiFi UnitsPresentation

Systems

Satellite Phones

TVM/Clipper Machines

Software Applications

2300+

Employees

1.6M

Customers

Security Landscape

• Global ransomware damage costs exceeded $5B in 2017 (a 15X increase in two years)

• Cyber-crime damage costs to hit $6 trillion annually by 2021

42%IGNORE ALERTSA significant number of security alerts are ignored due to sheer volume. According to 42% of polled cybersecurity professions. **

24%RESOURCE CONSTRAINED24% of cyber teams do not have the ability to investigate or prioritize security alerts in a timely manner. **

38%BURNED OUT38% of cyber staff are citing burnout. **

201DAYSAverage time to detect a breach: 201 days.*

* Ponemon Institute, 2017 Cost of a Data Breach Study

** According to the ISSA & ESG recent research

Security Market

9

Infrastructure

Information Management

CloudData Science

Compliance

Activities

• Third Party Cybersecurity Audit• External Penetration Testing• Internal Penetration Testing• Security Audit

• Socialize the Outcome with Key Stakeholders• Quick Plan of Action – Prioritize Risks + Cost + Timelines

• High Level Roadmap – Tools + People + Process

Security Audit

11

• Integrated Control Framework• 14 Domains utilized for various risk assessments and

maturity assessments• National Institute of Standards and Technology (NIST)• International Organization for Standardization (ISO)

• Capability Maturity Model • Forrester’s IT Service Management Maturity Model• Systems Security Engineering Capability Maturity Model ®

Leve

l 0 Nonexistent

Leve

l 1 Ad-Hoc

Leve

l 2 Repeatable

Leve

l 3 Defined

Leve

l 4 Measured

Leve

l 5 Optimized•Not

understood

•Unaware of

need

•Occasional

•Reactive

•Unplanned

•Disorganized

•Planned

•Consistent

•Verified

•Responsive

•Documented

•Understood

•Predictable

•Collaborated

•Evaluated

•Reported

•Metrics

•Progressive

• Improvement

•Efficient

•Proactive

•Automated

Understanding Maturity

IT Security DomainLevel 0

NonexistentLevel 1Ad-Hoc

Level 2Repeatable

Level 3Defined

Level 4 Measured

Level 5Optimized

Third Party Management

Data Protection

Employee Management

Physical Security

Logical Security

Threat & Vuln. Management

Logging & Monitoring

Sec Config. Management

Sec Change Management

Compliance

Business Continuity

IT Operations

Secure SDLC

Overall Maturity

Legend

Current Rating

Change since 2016

New rating for 2018

2016 Rating

Target Maturity

Defining a Framework

• Understand the Current State of the Cybersecurity Program Holistically

• Identify Improvements/Upgrades

• Define a Roadmap to Get There

• Frame Current Risks

Roadmap

ProcessTechnologyPeopleCybersecurity

Maturity Assessment

Security Operations Center

Asset Discovery & Inventory

Vulnerability Assessment

Intrusion Detection

Behavioral Monitoring

SIEM & Log Management

24x7 Security Operations

Adopting a FrameworkCYBERSECURITY DOMAINS

POLICIES AND

PROCEDURES

❑ Information Security

Program

❑Standard Operating

Procedures

❑Administrative Standards

ROLES AND

RESPONSIBILITIES

❑Organizational Structure

❑ Information Security Officer

❑Security Responsibilities

OVERSIGHT AND STRATEGY

IT RISK MANAGEMENT

❑ IT Risk Definition

❑Risk Appetite / Tolerance

❑Risk and Control Universe

❑Risk Assessment

❑Risk Treatment

❑Communication Plan

❑Risk Monitoring

DATA PROTECTION

❑Encryption

❑Data Classification

❑Data Protection Technologies

THREAT AND VULNERABILITY

MANAGEMENT

❑Vulnerability Scanning

❑Patch Management

❑Anti-Malware Technologies

PHYSICAL SECURITY

❑Standards

❑Physical Storage

❑Monitoring & Testing

SECURE DEVELOPMENT

❑Secure Development

Standards

❑Secure Development Testing

LOGICAL SECURITY

❑Authentication Standards

❑Administrative Access

❑Access Management

❑Access Review

❑Remote Access

LOGGING AND MONITORING

❑Centralization & Aggregation

❑Alerts

❑Activity Baseline

IT OPERATIONS

❑ IT Asset Management

❑Data Flows

❑Software Authorization

IT COMPLIANCE

❑PCI Compliance

❑Evaluation

❑Oversight & Coordination

EMPLOYEE MANAGEMENT

❑Security Awareness

❑Human Resources

❑Acceptable Use

SECURITY CONFIGURATION

MANAGEMENT

❑Approved Infrastructure

❑Build & Hardening

Procedures

❑Configuration Management

SECURITY CHANGE

MANAGEMENT

❑Change Management

❑Maintenance

BUSINESS CONTINUITY

MANAGEMENT

❑Business Impact Analysis

❑Business Continuity

Planning

❑Disaster Recovery

❑Resiliency

❑ Incident Response

THIRD PARTY RISK

MANAGEMENT

❑Vendor Inventory

❑Due Diligence &

Assessment

❑Performance Monitoring

❑Contractual Terms

❑Vendor Access

CYBERSECURITY

GOVERNANCE

Concluding Thoughts

• Build a Roadmap based on Risk Priority

• Parallel Work on People, Process, and Tools

• Take Security Seriously – But Share the Stress

• Build It In the Culture

• Watch your Supply Chain

• Don’t overlook Physical Security

• Customize Framework There is no such thing as "perfect protection"