Module 64 - CSE202

Module CSE202: Introduction to Cybersecurity for Transportation Agencies

HTML of the PowerPoint Presentation

(Note: This document has been converted from a PowerPoint presentation to 508-compliant HTML. The formatting has been adjusted for 508 compliance, but all the original text content is included, plus additional text descriptions for the images, photos and/or diagrams have been provided below.)


Slide 1:

This slide contains a graphic with the word “Welcome” in large letters. ITS Training Standards “WELCOME” slide, with reference to the U.S. Department of Transportation Office of Assistant Secretary for Research and Technology

 

Slide 2:

This slide contains a graphic with the word “Welcome” in large letters, photo of Kenneth Leonard, Director ITS Joint Program Office - Ken.Leonard@dot.gov - and on the bottom is a screeshot of the ITS JPO website - www.pcb.its.dot.gov

 

Slide 3:

Module CSE202:

Introduction to Cybersecurity for Transportation Agencies

This slide contains one photo showing a traffic management center with an operator at a workstation and with a video wall in the background.  Superimposed upon the photo are a key padlock symbol and some network symbols indicating cybersecurity for systems and networks.

Graphics: Ralph W. Boaz

 

Slide 4:

Instructors

Photo of Ralph W. Boaz

Ralph W. Boaz

President

Pillar Consulting, Inc.

 

Photo of Bruce S. Eisenhart

Bruce S. Eisenhart

Vice President Operations

Consensus Systems Technologies Corporation

 

Slide 5:

Learning Objectives

 

Slide 6:

Learning Objective 1

 

Slide 7:

Cybersecurity Terminology

This slide has a rectangular picture centered below the text of the slide that appears to be picture from space. The picture has a large white round sphere that covers most of the black background. There appears to be gases emanating from the edges of the sphere. There are 1’s and 0’s written across the entire picture.

 

Slide 8:

Cybersecurity Terminology (cont.)

This slide has a rectangular picture to the right of the slide text. In the foreground left 1/3 of the slide, there is a back view of a person in a black leather jacket with a full head covering black ski mask. The person appears to be facing a blue wall of 1’s and 0’s. In the center of the wall (and the picture) there appears to be a large white spherical bulge in the wall that is almost the diameter of the height of the picture.  The bulge has the word “HACKED” written across the middle in red lettering.

 

Slide 9:

Cybersecurity Terminology (cont.)

This slide has the same image of the picture in Slide #3 located in the lower right of slide below the slide text.

Graphics: Ralph W. Boaz

 

Slide 10:

Cybersecurity Terminology (cont.)

 

Slide 11:

Cybersecurity Terminology (cont.)

This slide has a rectangular picture in the lower right of the slide below the slide text. It has a business man in a suite sitting at desk typing on a laptop.  Standing on top of the desk on the left side of the picture is smaller person standing on the desk dressed completely in black clothing and mask with only the eyes being uncovered. The person has a fishing pole with line and a hook extending in front of the businessman’s laptop.

 

Slide 12:

Critical Infrastructure

Please see extended text description below.

(Extended Text Description: This slide contains a bullet list with the following text and one of the items highlighted as indicated below:

This slide has an oval that appears around the bulleted item "Transportation Systems Sector" as the instructor presents the slide.)

 

Slide 13:

Critical Infrastructure

Please see extended text description below.

(Extended Text Description: This slide contains a bullet list with the following text and one of the items highlighted as indicated below:

This slide has an oval that appears around the bulleted item "Highway and Motor Carrier" as the instructor presents the slide.)

 

Slide 14:

Critical Infrastructure

Please see extended text description below.

(Extended Text Description: This slide contains a bullet list with the following text and two of the items highlighted as indicated below:

This slide has an oval that appears around the bulleted items "Traffic management systems" and "Cyber systems for operational management" as the instructor presents the slide.)

 

Slide 15:

Scope of Concern for Traffic Operations (Traffic Ops)

This slide contains a large complex graphic made up of smaller groups of graphic images that appear as the instructor discusses them. Group #1 is located in the center right of the slide. It has four computer workstations in a square arrangement with dotted lines connecting each computer to the others representing the communications between the computers. This group is labeled “Central System(s)” at the top of this group and “Traffic Ops Network” at the bottom of the group. Group #2 is located in the center left are of the slide. It has assorted on-street transportation related devices including: a street light, a traffic signal, a ramp meter, a parking gate, a video detection camera, a video surveillance camera, a dynamic message sign, a transportation field cabinet, and a weather station (a tall pole with weather devices attached to it). This group is labeled “Field Devices.” Group #3 is located between the two previous small graphics.  It has a thick vertical line that is about the same height as Group #1.  This line also has three double arrows that are the same thickness of the line crossing the line horizontally representing the communications between the Central Systems and the field devices. This graphic is labeled “C2F Comm.” Group #4 is located below the previously described three groups. It is the shape of a cloud and contains the words “External Cloud Computing.” There are dotted lines connecting the cloud to Group #1 and Group #2 above it representing communications between the field equipment and the cloud and between the central systems and the cloud. Group #5 is made up of two pairs of computers. One pair pair is located to the right of Group #1 and the second pair is to the upper right of Group #1. The pair of computers on the upper right is labeled “Non-Agency Computers.” The pair of computers the right is labeled “Other Agency Systems.” There are two dashed lines connecting the pairs of computers to the Central System Computers in Group #1. Between the dashed lines is the label “C2C & Other Comm.” Group #6 is located to the lower left of the field equipment of Group #2. It has a car, a bus and 2 people on bicycles. The group is connected to the transportation field cabinet in Group #2 by concentric arcs that represent the radio waves of a wireless connection. The group is labeled “Connected V2X Technology.” Group #7 is a label with the words “Remote Use” that is located to the lower right of Group #1. It is connected by a dotted line to Group #1. Group #8 is a label with the words “Remote Use” that is located to the left of Group #2. It is connected by a dotted line to Group #2. Group #9 is a left skewed parallelogram that identifies a boundary between the Groups #1, #2 and #3 and the other groups on the slide. It identifies the equipment that is the responsibility of Traffic Operations to protect.

Graphics: Ralph W. Boaz

 

Slide 16:

Scope of Concern for Traffic Operations (Traffic Ops) (cont.)

Cybersecurity Concerns for Traffic Ops

 

Slide 17:

Scope of Concern for Traffic Operations (Traffic Ops) (cont.)

Cybersecurity Concerns Outside of Traffic Ops Control

 

Slide 18:

Sources of Cyber Attacks

This slide has a rectangular photograph of a woman from the shoulders up. The picture is mostly dark with the light illuminating the left side of her face. She is wearing a fedora hat, dark glasses, and what appears to be a buttoned up jacket. The picture is to the lower right of the slide text.

 

Slide 19:

Types of Attacks and Threats

This slide has a rectangular photograph of a portion of a computer screen. It has a dark bluish background. There is white courier font lettering of file pathnames, URLs (Uniform Resource Locators), and computer system commands filling the screen. There is a large shape of a human skull filling most of the picture identified by the absence of the white lettering.

Supplement icon indicating items or information that are further explained/detailed in the Student Supplement.

 

Slide 20:

Types of Hackers

This slide has a graphic of three characters representing types of hackers aligned horizontally beneath the text of the slide. They all have trench coats, dark glasses and a fedora hat. The only differences are the colors of the hats: the hacker on the left has a black hat, the hacker on the right has a white hat, and the hacker in the middle has a grey hat.

Graphics: Ralph W. Boaz

Supplement icon indicating items or information that are further explained/detailed in the Student Supplement.

 

Slide 21:

Vulnerabilities to Traffic Ops Technology

 

Slide 22:

Vulnerabilities to Traffic Ops Technology (cont.)

So far, all known hacking into traffic signal systems has been done in a white hat capacity

 

Slide 23:

This slide contains a graphic with the word "Case Study" in large letters. A placeholder graphic of a traffic control center indicating that a real-world case study follows.

 

Slide 24:

Colorado DOT Ransomware Attack (CDOT) 2018

This slide contains a graphic taking up the right side of the slide.  At the upper part of the graphic is a black silhouette of a person in a trench coat, hat, and mask representative of a hacker. To the lower left of the hacker is a cloud with the words “Cloud Service Provider” written in it. In the lower part of the graphic is a black silhouette of three rectangular network computers stacked vertically. The stack of computers is labeled “Virtual Server.” To the right of the stack of computers is a cloud with the words “DOT Network.” There is a thick bluish arrow point downward from the hacker to the stack of computers. To the right of the arrow are the words “Access Inbound from Internet through a Cloud Service Provider into a DOT Network.

 

Slide 25:

Sacramento Regional Transit (SacRT) 2017

 

Slide 26:

Activity Placeholder: This slide has the word “Activity” in large letters at the top of the slide, with a graphic of a hand on a computer keyboard below it.

 

Slide 27:

Question

Which of the following is a true statement? Answer Choices

  1. Modern transportation controllers are less sophisticated than other cyber devices and easier to protect
  2. Cybersecurity is an IT responsibility only
  3. Traffic Ops needs to protect any external cloud-based systems used
  4. Transportation infrastructure could be a target for a state-sponsored cyber attack

 

Slide 28:

Review of Answers

A small graphical red and yellow X representing incorrect.a) Modern transportation controllers are less sophisticated than other cyber devices and easier to protect
Incorrect. Modern transportation controllers are Linux computers.

A small graphical red and yellow X representing incorrect.b) Cybersecurity is an IT responsibility only
Incorrect. Cybersecurity is the responsibility of everyone in the organization.

A small graphical red and yellow X representing incorrect.c) Traffic Ops needs to protect any external cloud-based systems used
Incorrect. Traffic Ops needs to protect the interface to any external cloud based systems used.

A small graphical green and yellow check mark representing correct.d) Transportation infrastructure could be a target for a state-sponsored cyberattack
Correct. Such an attack could have a high economic impact on a large metropolitan area due to the cost of delay.

 

Slide 29:

Learning Objective 2

 

Slide 30:

NIST Cybersecurity Framework

This slide has one figure in the bottom right corner of the slide which shows the three key components of the NIST Cybersecurity Framework: Core, Implementation Tiers, and Profiles. The figure shows a circle with three equal divisions with the names of the three components.

 

Slide 31:

Framework Core

This slide has one figure in the bottom right corner of the slide which shows the five functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. The word Framework is in the center of the circular image, with the five functions in different colored portions of a ring: Identify (blue), Protect (purple), Detect (orange), Respond (red), Recover (green). These portions of the ring will be shown again in following slides.

 

Slide 32:

Framework Core

Please see extended text description below.

(Extended Text Description: This slide contains a table as indicated below:

Function Categories Subcategories References
Identify (ID) 6 29 6
Protect (PR) 6 39 6
Detect (DE) 3 18 6
Respond (RS 5 16 6
Recover (RC) 3 6 5

Note that the rows of the table are highlighted in corresponding relevant colors to the Framework Core figure on slide 31 with Identify in blue, Protect in purple, Detect in yellow, Respond in red, and Recover in green.)

 

Slide 33:

Framework Core

 

Slide 34:

Framework Core

Function Category Subcategory Informative References
IDENTIFY (ID) Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy. ID.AM-1: Physical devices and systems within the organization are inventoried CIS CSC 1
COBIT 5 BAI09.01. BAI09.02
ISA 62443-2-1:2009 4.2.3.4
ISA 62443-3-3:2013 SR 7.8
ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
NIST SP 800-53 Rev. 4 CM-8, PM-5
ID.AM-2: Software platforms and applications within the organization are inventoried CIS CSC 2
COBIT 5 BAI09.01. BAI09.02, BAI09.05
ISA 62443-2-1:2009 4.2.3.4
ISA 62443-3-3:2013 SR7.8
ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, A.12.5.1
NIST SP 800-53 Rev. 4 CM-8, PM-5

 

Slide 35:

Framework Core- Identify Function

Cropped image portion of the Framework diagram from slide 31 showing the Identify portion of the ring.

 

Slide 36:

Framework Core- Identify Function

Cropped image portion of the Framework diagram from slide 31 showing the Identify portion of the ring.

 

Slide 37:

Framework Core- Protect Function

Cropped image portion of the Framework diagram from slide 31 showing the Protect portion of the ring.

 

Slide 38:

Framework Core- Protect Function

Cropped image portion of the Framework diagram from slide 31 showing the Protect portion of the ring.

 

Slide 39:

Framework Core- Detect Function

Cropped image portion of the Framework diagram from slide 31 showing the Detect portion of the ring.

 

Slide 40:

Framework Core- Detect Function

Cropped image portion of the Framework diagram from slide 31 showing the Detect portion of the ring.

 

Slide 41:

Framework Core- Respond Function

Cropped image portion of the Framework diagram from slide 31 showing the Respond portion of the ring.

 

Slide 42:

Framework Core- Respond Function

Cropped image portion of the Framework diagram from slide 31 showing the Respond portion of the ring.

 

Slide 43:

Framework Core- Recover Function

Cropped image portion of the Framework diagram from slide 31 showing the Recover portion of the ring.

 

Slide 44:

Framework Core- Recover Function

Cropped image portion of the Framework diagram from slide 31 showing the Recover portion of the ring.

 

Slide 45:

Activity Placeholder: This slide has the word “Activity” in large letters at the top of the slide, with a graphic of a hand on a computer keyboard below it.

 

Slide 46:

Question

Which of the following is NOT one of the NIST Functions?

Answer Choices

  1. Identify
  2. Defend
  3. Detect
  4. Respond
  5. Recover

 

Slide 47:

Review of Answers

A small graphical red and yellow X representing incorrect.a) Identify
Incorrect. One of 5 Framework Functions

A small graphical green and yellow check mark representing correct.b) Defend
Correct. The actual Framework Function is Protect, which covers a wider range of topics than "defend"

A small graphical red and yellow X representing incorrect.c) Detect
Incorrect. One of 5 Framework Functions

A small graphical red and yellow X representing incorrect.d) Respond
Incorrect. One of 5 Framework Functions

A small graphical red and yellow X representing incorrect.e) Recover
Incorrect: One of 5 Framework Functions.

 

Slide 48:

Learning Objective 3

 

Slide 49:

Framework Implementation Tiers

This slide has the same graphic as Slide #30 in the lower right of the slide.

 

Slide 50:

Tiers Describe Rigor and Sophistication in Cybersecurity Risk Management

 

Slide 51:

Tier 1: Partial

 

Slide 52:

Tier 2: Risk Informed

 

Slide 53:

Tier 3: Repeatable

 

Slide 54:

Tier 3: Repeatable (cont.)

 

Slide 55:

Tier 4: Adaptive

 

Slide 56:

Tier 4: Adaptive (cont.)

 

Slide 57:

Tier Progression

 

Slide 58:

Framework Core and Tiers

This slide has a graphical representation of the Framework Core and Tiers. It is constructed in groups as the instructor discusses it. Group #1 has a color coded labeled rectangles matching the core items in the Framework: Identify (blue), Protect (purple), Detect (orange), Respond (red), and Recover (green). The labeled rectangles are adjacent to each other and are located about 1/3 of the way from the bottom of the slide. Group #2 has set of six columns that extend from the top of each labeled rectangle in Group #1 to about 2/3s from the top of the slide (30 columns total).  They are the same color as labeled rectangles below them. There is a horizontal line above the columns that extends the length of the 30 columns. There are short vertical lines at each end of the line. The line is labeled “Framework Categories and Subcategories.” Below labeled rectangles in Group #1 is the label “Framework Core.” Group #3 has four rectangles made of dotted lines that are stacked vertically so has to cover the height of the columns in Group #2.  The width of the rectangles is longer than that of the columns so as to provide room for labeling the rectangles. The first dotted rectangle (the one closest to the labeled rectangles in Group #1 is labeled “Tier 1.” The second dotted rectangle (immediately above the Tier 1 rectangle) is labeled “Tier 2.” The third dotted rectangle (immediately above the Tier 2 rectangle) is labeled “Tier 3.” The fourth dotted rectangle (immediately above the Tier 3 rectangle) is labeled “Tier 4.” To the right of the dotted rectangles is a blue arrow pointed upwards that is as tall as the columns in Group #2. At the bottom of the arrow is the label “Risk Management.”

Graphics: Ralph W. Boaz

 

Slide 59:

Framework Profiles

This slide has the same graphic as Slide #30 in the lower right of the slide.

 

Slide 60:

Framework Core and Tiers Help Build Profiles

This slide has a graphical representation how Tiers and profiles are used. There are three groups of graphics that are displayed as the instructor discusses it. Group #1 is located on the top half of the slide. Taking up the upper left quarter of the slide is a smaller version of the Framework Core and Tiers graphics described in Slide #58. Missing from this version is the blue arrow and “Risk Management” label that was to the right of the columns. In addition, the lines and label “Framework Categories and Subcategories” that was above the graphic in Slide #58 is replaced by the label “Outcomes Currently Being Achieved *.” There are 12 black dots populating various columns at the Tier 2 level. There are 6 black dots populating various columns at the Tier 1 level. Towards the right of the slide is a graphic that looks like a document. Above this graphic is the label “Current Profile.” Between the framework and tiers graphic and the document graphic is a large right curly bracket. Group #2 is located on the bottom half of the slide. Taking up the bottom left quarter of the slide is a smaller version of the Framework Core and Tiers graphics described in Slide #58. Missing from this version is the blue arrow and “Risk Management” label that was to the right of the columns. In addition, the lines and label “Framework Categories and Subcategories” that was above the graphic in Slide #58 is replaced by the label “Outcomes Needed To Achieve Goals *.” There are 16 black dots populating various columns at the Tier 2 level. There are 2 black dots populating various columns at the Tier 1 level. Towards the right of the slide is a graphic that looks like a document. Above this graphic is the label “Target Profile.” Between the framework and tiers graphic and the document graphic is a large right curly bracket. Group #3 is located on the right corner of the slide. It is a text box saying “*Charts are conceptual and not intended to reflect the specific contents of a profile.”

* Charts are conceptual and not intended to reflect the specific contents of a profile.

Graphics: Ralph W. Boaz

 

Slide 61:

Establishing or Improving a Cybersecurity Program

Step 1: Prioritize and Scope

Step 2: Orient

 

Slide 62:

Establishing or Improving a Cybersecurity Program (cont.)

Step 3: Create a Current Profile

Step 4: Conduct a Risk Assessment

 

Slide 63:

Establishing or Improving a Cybersecurity Program (cont.)

Step 5: Create a Target Profile

Step 6: Determine, Analyze, and Prioritize Gaps

 

Slide 64:

Establishing or Improving a Cybersecurity Program (cont.)

 

Slide 65:

Use the Framework

 

Slide 66:

Activity Placeholder: This slide has the word “Activity” in large letters at the top of the slide, with a graphic of a hand on a computer keyboard below it.

 

Slide 67:

Question

Which of the following is a correct statement? Answer Choices

  1. A Tier represents the maturity level of the organization
  2. Profiles always represent cybersecurity outcomes currently achieved
  3. Outcomes from using the Framework should reflect in operations
  4. Self-assessment is a one-time step at the beginning of a cyber program

 

Slide 68:

Review of Answers

A small graphical red and yellow X representing incorrect.a) A Tier represents the maturity level of the organization
Incorrect. Tiers provide context on how an organization views risks.

A small graphical red and yellow X representing incorrect.b) Profiles always represent cybersecurity outcomes currently achieved
Incorrect. A current profile and a target profile are used to improve cybersecurity risk management.

A small graphical green and yellow check mark representing correct.c) Outcomes from using the Framework should reflect in operations
Correct! Without this follow-through the cybersecurity program is ineffective.

A small graphical red and yellow X representing incorrect.d) Self-assessment is a one-time step at the start of a cyber program
Incorrect. Self-assessment is used every time the cyber program is to be improved.

 

Slide 69:

Learning Objective 4

 

Slide 70:

What to Report

Supplement icon indicating items or information that are further explained/detailed in the Student Supplement.

 

Slide 71:

Where to find information and report incidents

Information Sharing and Analysis Centers (ISACs)

 

Slide 72:

Where to find information and report incidents

This slide has a screen shot of the logo and name of the Multi-State Information Sharing and Analysis Center from their website. The logo is a circle with a couple stars and stripes from a small portion of an American flag.

 

Slide 73:

Where to find information and report incidents

Please see extended text description below.

(Extended Text Description: This slide contains a bullet list with the following information:

MS ISAC provides:

This slide has a screen shot image on the right upper corner from the MS-ISAC public website that shows a list of the "Top Malware Last Month". This list of 10 specific Malware is just representative of what members of the ISAC see on the member's website and is meant just to show an example of the type of information members have available. The example list contains the text:

Top Malware Last Month

  1. Emotet
  2. Kovter
  3. ZeuS
  4. NanoCore
  5. Cerber
  6. Gh0st
  7. CoinMiner
  8. Trickbot
  9. WannaCry
  10. Xtrat

)

 

Slide 74:

Where to find information and report incidents

ST- ISAC

This slide has a screen shot image on the right upper corner from the ST-ISAC public website that shows a set of rail arrival and departure displays.  The details of the displays are not relevant to the presentation.

 

Slide 75:

Where to find information and report incidents

Fusion Centers

 

Slide 76:

Where to get help?

Two additional Key Resources:

This slide has a screen shot image on the right upper corner of the NCCIC Systems Operation Center, with people sitting at monitors in front of a video wall.

 

Slide 77:

Activity Placeholder: This slide has the word “Activity” in large letters at the top of the slide, with a graphic of a hand on a computer keyboard below it.

 

Slide 78:

Question

Which group cannot be a member of MS-ISAC? Answer Choices

  1. State Transportation Agencies
  2. Municipal Transportation Agencies
  3. ITS Vendors
  4. County transportation agencies

 

Slide 79:

Review of Answers

A small graphical red and yellow X representing incorrect.a) State Transportation Agencies
Incorrect. MS ISAC members are made up of public sector agencies.

A small graphical red and yellow X representing incorrect.b) Municipal Transportation Agencies
Incorrect. MS ISAC members are made up of public sector agencies.

A small graphical green and yellow check mark representing correct.c) ITS Vendors
Correct MS ISAC only allows public sector members.

A small graphical red and yellow X representing incorrect.d) County transportation agencies
Incorrect. MS ISAC members are made up of public sector agencies.

 

Slide 80:

Module Summary

 

Slide 81:

Thank you for completing this module.

Feedback

Please use the Feedback link below to provide us with your thoughts and comments about the value of the training.

Thank you!

↑ Return to top