DLA Energy Worldwide Energy ConferenceTSA Surface Cybersecurity Resources

April 12, 2017

Office of Security Policy & Industry EngagementSurface Division

22

TSAastheCo-SectorSpecificAgency

• TSAistheTransportationSystemsSectorCO-SSAwithDOTandUnitedStatesCoastGuard.

• Missiono ContinuouslyimprovetheriskpostureofTransportationSystems

servingtheNation.• Goals

o Preventanddeteractsofterrorismusing,oragainst,thetransportationsystem.

o Enhancetheall-hazardpreparednessandresilienceoftheglobaltransportationsystemtosafeguardU.S.nationalinterests.

o Improvetheeffectiveuseofresourcesfortransportationsecurity.o Improvesectorsituationalawareness,understanding,and

collaboration.

33

ThreePillarsofCriticalInfrastructureCybersecurityatTSA

• OfficeofInformationTechnologyo FacilitatingtheImplementationofNational

Policy.

• OfficeofSecurityPolicyandIndustryEngagemento Managingrisksthroughindustryengagement.

• OfficeofIntelligenceandAnalysiso Identifyandcommunicatingcyberthreats.

44

CyberCriticalInfrastructureProtection

• Mandateso ExecutiveOrder13636:ImprovingCriticalInfrastructureCyberSecurity.o PresidentialPolicyDirective-21:CriticalInfrastructureSecurityand

Resilience.o PresidentialPolicyDirective-41:UnitedStatesCyberIncident

Coordination.

• Missiono Facilitatethemeasuredimprovementofthenationaltransportation

sectorcybersecurityposture.

• Approacho Non-Operational.Education,Facilitation,andCommunication.

55

PutCybersecurityRiskManagementontheAgendaBeforeitBecomestheAgenda

• Itisnolongersufficienttothinkaboutcybersecurityasapurelytechnicalproblem.Justlikephysicalsecurity,thecurrentthreatenvironmentrequiresacomprehensiveapproachtocybersecurityriskmanagement.

• Asabusinessleaderandemployee,itisvitaltorealizetheimportanceofprotectingyourcompany’ssystemsfromcyberthreatsbecausethesecurityofanorganization’sassets,employees,passengers,cargoandcustomersdependsonit.

• Itiscriticalthatyouandyouremployeesareengagedinappropriatepracticestoavertpotentiallydamagingcyber-attacks.

• Incorporatecyberrisksintoyourorganization'sexistingriskmanagementandgovernanceprocesses.

66

SurfaceTransportationCybersecurityResourceToolkitforSmall&MidsizeBusiness(SMB)

• Thetoolkitisacollectionofdocumentsdesignedtoprovidecyberriskmanagementinformationtosurfacetransportationmanagersownersandoperatorswhohavefewerthan1,000employees.

• ItprovidesguidanceonhowtoincorporateCyberRiskintoyourorganization'sexistingriskmanagementandgovernanceprocesses.

77

SurfaceTransportationCybersecurityResourceToolkitforSmall&MidsizeBusiness(SMB)

UNCLASSIFIED//FOR OFFICIAL USE ONLY

88

NoCostResourcesforSurfaceTransportationSystemsSector(TSS)IndustryStakeholders

“No-CostCybersecurityResourcesforSurfaceTransportationSystems”handoutthatprovidesalistofcybersecurityprogramsanddocuments thatindustrycanusetoreducetheircybersecurityriskandincreasetheircyberresilience.Examplesinclude:

• TheCriticalInfrastructureCyberCommunityVoluntaryProgram(CᶟVP)thatsupports criticalinfrastructureownersandoperatorsinterestedinimprovingtheircyberriskmanagementprocessesandcyberresilience.

• CyberRiskManagementPrimerforCEOsthathighlightsthefivequestionsbusiness leadersshouldaskaboutcyberriskstoprotecttheirorganization’ssystemsfromcyberthreats.

• InformationabouttheCyberResilienceReview(CRR)&CyberSecurityEvaluationTool(CSET)DHScyberriskassessmentsprovidedasthefirststepforadoptionoftheCyberFrameworkandawayforanorganizationtoview/understandtheirapproachtomanagingtheircybersecurityrisk.

99

TransportationSystemsSectorCybersecurityFrameworkImplementationGuidance

TheTransportationSystemsSectorCybersecurityFrameworkImplementationGuidanceprovidesanapproachforTransportationSystemsSectorownersandoperatorstoapplytheprinciplesoftheNationalInstituteofStandardsandTechnologyCybersecurityFrameworktohelp reducecyberrisks. Specifically,organizationsmayusetheimplementationguidance to:

• Characterizetheircurrentcybersecurityposture.• Identifyopportunities forenhancingexistingcyber

riskmanagementprograms.• Findexistingtools, standards,andguides tosupport

Frameworkimplementation.• Communicatetheirriskmanagementissuesto

internalandexternalstakeholders.

Organizationsthatlackaformalcybersecurityriskmanagementprogramcouldusetheguidance toestablishrisk-basedcyberpriorities.

1010

SurfaceCybersecurity“Pocket”AwarenessGuide

• Theguideoutlinesthetypesofthreatsmostcommonlyfoundincyberspaceandexplainshowyoucanprotectyourcompany’sdata,computersystems,andyourpersonalinformation. ItalsoprovidesdetailedinformationonthesafeuseoftheInternet,socialnetworks,andmobiletechnology.

• Theguideisformattedin“pocketsize”withtheaimthatfrontlineemployeeswillkeeptheguidecloseathandwhiletheyareon-dutysothatitcanserveasaconvenientreferencesourceandsecurityawarenesstool.

1111

SurfaceCybersecurity“Pocket”AwarenessGuide

Over10,000surfacecybersecurityawarenesspocketawarenessguideshavebeendistributedtopipelineowner/operators.

1212

PipelineSecurityGuidelines

• ContainscybersecuritymeasuresTSAhasdevelopedwithindustry.Thecyberguidelinesofferbaselinemeasurestosupportadoptionofcybersecurityprotectionstandards.

• These2011Guidelinesarebeingrevisedandthecybersectionreceived300commentsfromindustryrepresentatives. TSAplanstoaddressallcommentsbytheendofFY17andtargetsafinalguidancetobecompletebytheendofMarch2018.

1313

TSSCWGTransportationSystemsSectorCyberWorkingGroup&

WeeklyNewsletter

• ImplementingNationalPolicies

• ModalOutreachAwarenessandCoordination

• InformationSharingBestPractices

• FacilitatingGovernmentProgramsandEfforts

• WeeklyNewsletter

1414

https://www.tsa.gov/for-industry

15

• ForadditionalinformationaboutjoiningtheTSSCWGortoreceiveThisWeekinTransportationCybersecurity,email:Cybersecurity@tsa.dhs.gov

• Foradditionalinformationand/ortorequesttheAwarenessGuideorToolkit,email:Lee.Allen@tsa.dhs.gov

• Pleaseinclude“CybersecurityGuideandToolkit”inthesubjectlineofyouremailtofacilitateproperhandling.

16