![Page 1: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/1.jpg)
1[Distribution Statement (A-F)]
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
The Need for Operational and Cyber Resilience inTransportation Systems
January 14, 2016
Dr. Nader Mehravari, MBCP, MBCI
Cyber Risk and Resilience ManagementSoftware Engineering InstituteCarnegie Mellon [email protected]://www.cert.org/resilience/
![Page 2: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/2.jpg)
2[Distribution Statement (A-F)]
Notices
Copyright 2015 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.
DM-0003164
![Page 3: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/3.jpg)
3© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
CERT | Software Engineering Institute | Carnegie Mellon
Software Engineering Institute (SEI)
• Federally funded research and development center based at Carnegie Mellon University
• Basic and applied research in partnership with government and private organizations
• Helps organizations improve development, operation, and management of software-intensive and networked systems
CERT Division – Anticipating and solving
our nation’s cybersecurity challenges
• Largest technical program at SEI
• Focused on internet security, secure systems, operational resilience, and coordinated response to security issues
![Page 4: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/4.jpg)
4© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Cyber Risk & Resilience Management Team
Engaged in
• Applied research
• Education & training
• Putting into practice
• Enabling our federal, state, and commercial partners
In areas dealing with
• Resilience Management
• Operation Risk Management
• Cyber and Resilience Frameworks
• Integration of cybersecurity, business continuity, & disaster recovery
![Page 5: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/5.jpg)
5© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Contents
Operational Stress
Cyber-Induced Operational Stress on Transportation Sector
Prevention is Futile
Operational Resilience & Cyber Resilience
Techniques for Improving and Managing Cyber Resilience
Summary
![Page 6: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/6.jpg)
6© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
What do you see here?
A set of well looking evergreens.
![Page 7: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/7.jpg)
7© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Look Again!
A tree under operational stress
![Page 8: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/8.jpg)
8© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Operational Stress
Naturalor
Manmade
Accidentalor
Intentional
Smallor
Large
Kineticof
Cyber
InformationTechnology
or Not
• Fire
• Flooding
• IT failures
• Earthquakes
• Cyber attacks
• Severe weather
• Network failures
• Technology failures
• Organizational changes
• Loss of service provider
• Strikes or other labor actions
• Loss of customer or trading partner
• Chemical, biological, nuclear hazards
• Unavailability of workforce
• Failed internal processes
• Supply chain disruption
• Employee kidnappings
• Workplace violence
• Data corruption
• Product failure
• Power outages
• Civil unrest
• Terrorism
• Fraud
• Etc.
Result in
Interruption
of
Business
Mission
…through which risks
are realized
Today’s
Discussion
Today’s
Discussion
![Page 9: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/9.jpg)
9© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Examples
of
Cyber-Induced Operational Stress
on
Transportation Sector
![Page 10: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/10.jpg)
10© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
July 2015
![Page 11: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/11.jpg)
11© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
August 2015
![Page 12: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/12.jpg)
12© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
August 2015
![Page 13: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/13.jpg)
13© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
January 2008
![Page 14: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/14.jpg)
14© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
January 2012
![Page 15: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/15.jpg)
15© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
September 2012
![Page 16: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/16.jpg)
16© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
December 2015
![Page 17: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/17.jpg)
17© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
October 2013
![Page 18: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/18.jpg)
18© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
October 2015
![Page 19: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/19.jpg)
19© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
May 2012
![Page 20: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/20.jpg)
20© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
February 2014
![Page 21: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/21.jpg)
21© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
August 2014
![Page 22: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/22.jpg)
22© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
May 2015
![Page 23: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/23.jpg)
23© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
![Page 24: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/24.jpg)
24© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Aviation
Maritime
Mas
Transit
Passenger
Rail
Postal &
Shipping
Pipeline
Freight
Rail
Highway
InfrastructureMotor
Carrier
Discussion is Applicable to All Subsectors
![Page 25: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/25.jpg)
25© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Discussion is Applicable to…
Transportation
Subsectors
Primary Units of
Transportation
Modes of
Transportation
Aviation People & Goods Air
Highway Infrastructure & Motor Carrier People & Goods Ground
Maritime Transportation Systems People & Goods Sea
Mass Transit & Passenger Rail People Ground
Pipeline Systems Oil & Gas Ground
Freight Rail Goods Ground
Postal & Shipping Mailpieces &
Goods
Air, Ground,
Sea
![Page 26: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/26.jpg)
26© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Prevention is Futile
![Page 27: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/27.jpg)
27© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Cyber Intrusions are a Fact of Life
![Page 28: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/28.jpg)
28© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Traditional Information Security Function
Protect / Shield / Defend / Prevent
Is necessary
Is not Sufficient
Fails too frequently
![Page 29: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/29.jpg)
29© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Operational and Cyber Resilience
![Page 30: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/30.jpg)
30© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
An Operationally Resilient Entity?
A tree under operational stress…
…while achieving its “business” mission
![Page 31: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/31.jpg)
31© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Operational Resilience
The emergent property of an entity
• that can continue to carry out its mission in the presence of operational stress and disruption that does not exceed its limit
The ability of an entity to
• Prevent disruptions from occurring;
• And when struck by a disruption, the ability to quickly respond to and recover from a disruption in the primary business processes.
![Page 32: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/32.jpg)
32© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Sample Techniques
for
Improving and Managing
Cyber Resilience
![Page 33: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/33.jpg)
33© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Organizational Aspects
How should organizational structures, roles, and
responsibilities be adapted?
Example:
• “Traditional” vs. “Modern” information security functions
![Page 34: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/34.jpg)
34© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Modern Information Security Functions
Protect / Shield /
Defend / Prevent
Monitor / Detect / Hunt
Management,
Governance,
Compliance,
Education,
Risk Management.
Respond/ Recover /
Sustain
![Page 35: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/35.jpg)
35© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Operational Risk Aspects
How should organizations adapt their overall operational risk
management principles and practices?
Example:
• Integration and convergence of operational risk management activities.
![Page 36: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/36.jpg)
36© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Today’s Operational Risk Management
IT Disaster Recovery
Continuity of Operation
(COOP)Business
Continuity
Emergency
Management
Supply Chain
Continuity
Crisis
ManagementContingency Planning
Pandemic
Planning
Preparedness
Planning
Operational Risk
Management
Enterprise Risk Management
IT Operations
Privacy
Risk
Management
Workforce
Continuity
Cyber Protection
Crisis Communications
Information
Security
Health & Safety
![Page 37: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/37.jpg)
37© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Desired Solution Approach
IT
Disaster
Recovery
Business
Continuity
Health &
Safety
Emergency
Management
Crisis
Management
Information
Security
IT
Operations
Supply
Chain
Continuity
Physical
Security
Workforce
Continuity
Operational
Resilience
IT Disaster Recovery
Continuity of
Operation (COOP)Business
Continuity
Emergency
Management
Supply Chain
Continuity
Crisis
Manageme
ntContingency Planning
Pandemic
Planning
Preparedness
Planning
Operational Risk
Management
Enterprise Risk Management
IT Operations
Privacy
Risk
Management
Workforce
Continuity
Cyber Protection
Crisis Communications
Information
Security
Health & Safety
![Page 38: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/38.jpg)
38© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Tools and Techniques Aspects
What structured (i.e., not ad hoc) frameworks could guide
and assist organizations?
Example:
• Resilience Management Model
![Page 39: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/39.jpg)
39© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
What is Resilience Management Model?
Framework for managing and improving operational resilience
Guides implementation, mgmt, and sustainment of operational risk management activities
Improves confidence in how an organization manages and responds to operational stress
Focuses on “What” not “How”
Applicable to a variety of organizations• small or large
• simple or complex
• public or private
“…an extensive super-
set of the things an
organization could do to
be more resilient.”
- CERT-RMM adopter
![Page 40: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/40.jpg)
40© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
A Sampling of RMM Success Stories
![Page 41: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/41.jpg)
41© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
In Closing
![Page 42: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/42.jpg)
42© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Sampling of ITS Emerging Capabilities
Advanced Driver
Assistant Systems
(ADAS)
• Smart lighting control
• Adaptive cruise control
• Lane departure warning
• Parking assistAdvanced fleet
Management
• Real-time telematics
• Driver fatigue detection
• Package tracking.
Smart Transportation
• Vehicle-to-infrastructure communications
• Smart intersection
• Traffic light control
• Collision avoidance
• Traffic management.
Autonomous
Driving
Convenience,
Comfort, &
Entertainment
• Keyless entry
• Remote engine start
• Mobile device integration
• Infotainment
Diagnostics &
Maintainability
• On-Board Diagnostics
• Software update in the garage
• Tire Pressure Monitoring
Etc., Etc., Etc. …
![Page 43: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/43.jpg)
43© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Commonalities in Emerging Capabilities
Commonalities?
Information
Technology
&
Communication
Technology
![Page 44: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/44.jpg)
44© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Primary Risks to Common Elements
Accidental
Information
Technology
&
Communication
Technology
Intentional
Design Flaws
Cybersecurity
Component Failures
![Page 45: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/45.jpg)
45© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Cyber Risk Mitigation Challenge
Traditional IT cybersecurity contingencies are not feasible
• Failover over to a disaster recovery site
• Restoring from backup
• Failover to another vehicle
• Federal Motor Vehicle Safety Standards (FMVSS) timeframes precludes “Patch Tuesdays.”
• Can’t call a breach response team (AAA does not do that yet)
Successful management of cyber risk within ITS may
require a (significant) shift in thinking and approach.
![Page 46: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/46.jpg)
46© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Promising and Proven Approach
Cyber
Resilience
Management
![Page 47: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/47.jpg)
47© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
Thank you for your attention.
![Page 48: The Need for Operational and Cyber Resilience in ...trbcybersecurity.erau.edu/resources/2016-011416... · Operational and Cyber Resilience in Transportation Systems January 14, 2016](https://reader034.vdocuments.net/reader034/viewer/2022042622/5f857fbe6e2f206b5b13dbef/html5/thumbnails/48.jpg)
48© 2016 Carnegie Mellon University[Distribution Statement (A-F)]
References
1. J. H. Allen, R. H. Caralli, and D. W. White, CERT® Resilience Management Model: A Maturity Model for Managing
Operational Resilience, Addison-Wesley Professional, 2010.
2. N. Mehravari, J. Allen, P. Curtis, and G. Crabb, “A Proven Method for Identifying Security Gaps in International Postal
and Transportation Critical Infrastructure,” 93rd Annual Transportation Research Board Conference, Washington, DC,
January 13-18, 2014.
3. N. Mehravari, J. Allen, P. Curtis, and G. Crabb, “Improving the Security and Resilience of U.S. Postal Service Mail
Products and Services,” 93rd Annual Transportation Research Board Conference, Washington, DC, January 13-18,
2014.
4. N. Mehravari, "Cybersecurity Update,” a lecture as part of the Business Continuity and Crisis Management Summer
School, Massachusetts Institute of Technology, July 2015.
5. N. Mehravari, “Cyber and Operational Resilience Management,” half-day tutorial, planned for 2015 IEEE Military
Communications Conference (MILCOM’15), Tampa, FL, October 26-28, 2015.
6. N, Mehravari, “Principles and Practice of Operational Resilience,” half-day tutorial, IEEE Systems Conference,
Vancouver, BC, April 12-16, 2015.
7. N. Mehravari, “Information Resilience in Today's High-Risk Economy,” Software Engineering Institute Blog, November
17, 2014.