DLA Energy Worldwide Energy Conference
TSA Surface Cybersecurity Resources
April 12, 2017
Office of Security Policy & Industry Engagement
Surface Division
TSA as the Co-Sector Specific Agency
• TSA is the Transportation Systems Sector Co-SSA with DOT and United States Coast Guard.
• Mission
  o Continuously improve the risk posture of Transportation Systems serving the Nation.
• Goals
  o Prevent and deter acts of terrorism using, or against, the transportation system.
  o Enhance the all-hazard preparedness and resilience of the global transportation system to safeguard U.S. national interests.
  o Improve the effective use of resources for transportation security.
  o Improve sector situational awareness, understanding, and collaboration.
Three Pillars of Critical Infrastructure Cybersecurity at TSA
• Office of Information Technology
  o Facilitating the implementation of National Policy.
• Office of Security Policy and Industry Engagement
  o Managing risks through industry engagement.
• Office of Intelligence and Analysis
  o Identifying and communicating cyber threats.
Cyber Critical Infrastructure Protection
• Mandates
  o Executive Order 13636: Improving Critical Infrastructure Cyber Security.
  o Presidential Policy Directive-21: Critical Infrastructure Security and Resilience.
  o Presidential Policy Directive-41: United States Cyber Incident Coordination.
• Mission
  o Facilitate the measured improvement of the national transportation sector cybersecurity posture.
• Approach
  o Non-Operational. Education, Facilitation, and Communication.
Put Cybersecurity Risk Management on the Agenda Before it Becomes the Agenda
• It is no longer sufficient to think about cybersecurity as a purely technical problem. Just like physical security, the current threat environment requires a comprehensive approach to cybersecurity risk management.
• As a business leader and employee, it is vital to realize the importance of protecting your company’s systems from cyber threats because the security of an organization’s assets, employees, passengers, cargo and customers depends on it.
• It is critical that you and your employees are engaged in appropriate practices to avert potentially damaging cyber-attacks.
• Incorporate cyber risks into your organization's existing risk management and governance processes.
Surface Transportation Cybersecurity Resource Toolkit for Small & Midsize Business (SMB)
• The toolkit is a collection of documents designed to provide cyber risk management information to surface transportation managers, owners and operators who have fewer than 1,000 employees.
• It provides guidance on how to incorporate Cyber Risk into your organization's existing risk management and governance processes.
Surface Transportation Cybersecurity Resource Toolkit for Small & Midsize Business (SMB)
UNCLASSIFIED//FOR OFFICIAL USE ONLY
No Cost Resources for Surface Transportation Systems Sector (TSS) Industry Stakeholders
The “No-Cost Cybersecurity Resources for Surface Transportation Systems” handout provides a list of cybersecurity programs and documents that industry can use to reduce their cybersecurity risk and increase their cyber resilience. Examples include:
• The Critical Infrastructure Cyber Community Voluntary Program (C³VP) that supports critical infrastructure owners and operators interested in improving their cyber risk management processes and cyber resilience.
• Cyber Risk Management Primer for CEOs that highlights the five questions business leaders should ask about cyber risks to protect their organization’s systems from cyber threats.
• Information about the Cyber Resilience Review (CRR) & Cyber Security Evaluation Tool (CSET) DHS cyber risk assessments provided as the first step for adoption of the Cyber Framework and a way for an organization to view/understand their approach to managing their cybersecurity risk.
Transportation Systems Sector Cybersecurity Framework Implementation Guidance
The Transportation Systems Sector Cybersecurity Framework Implementation Guidance provides an approach for Transportation Systems Sector owners and operators to apply the principles of the National Institute of Standards and Technology Cybersecurity Framework to help reduce cyber risks. Specifically, organizations may use the implementation guidance to:
• Characterize their current cybersecurity posture.
• Identify opportunities for enhancing existing cyber risk management programs.
• Find existing tools, standards, and guides to support Framework implementation.
• Communicate their risk management issues to internal and external stakeholders.
Organizations that lack a formal cybersecurity risk management program could use the guidance to establish risk-based cyber priorities.
Surface Cybersecurity “Pocket” Awareness Guide
• The guide outlines the types of threats most commonly found in cyberspace and explains how you can protect your company’s data, computer systems, and your personal information. It also provides detailed information on the safe use of the Internet, social networks, and mobile technology.
• The guide is formatted in “pocket size” with the aim that frontline employees will keep the guide close at hand while they are on-duty so that it can serve as a convenient reference source and security awareness tool.
Surface Cybersecurity “Pocket” Awareness Guide
Over 10,000 surface cybersecurity awareness pocket awareness guides have been distributed to pipeline owner/operators.
Pipeline Security Guidelines
• Contains cybersecurity measures TSA has developed with industry. The cyber guidelines offer baseline measures to support adoption of cybersecurity protection standards.
• These 2011 Guidelines are being revised and the cyber section received 300 comments from industry representatives. TSA plans to address all comments by the end of FY17 and targets a final guidance to be complete by the end of March 2018.
TSSCWG Transportation Systems Sector Cyber Working Group & Weekly Newsletter
• Implementing National Policies
• Modal Outreach Awareness and Coordination
• Information Sharing Best Practices
• Facilitating Government Programs and Efforts
• Weekly Newsletter
https://www.tsa.gov/for-industry
• For additional information about joining the TSSCWG or to receive This Week in Transportation Cybersecurity, email: [email protected]
• For additional information and/or to request the Awareness Guide or Toolkit, email: [email protected]
• Please include “Cybersecurity Guide and Toolkit” in the subject line of your email to facilitate proper handling.