National Railroad Passenger Corp. (AMTRAK) Session 1 ... · May 4th and the UIC Workshop on the Digital Railway and Rail Security on May 5th (Washington D.C.) Ron Baklarz, C|CISO,

Page 1

National Railroad Passenger Corp. (AMTRAK) Session 1 – Threats and Constraints

“Continuous”
- Continuous Monitoring
- Continuous Assessment
- Continuous Education


Page 2

Amtrak Information Security Challenges & Execution

International Union of Railways North American Regional Assembly on May 4th and the UIC Workshop on the Digital Railway and Rail Security on May 5th (Washington D.C.)

Ron Baklarz, C|CISO, CISSP, CISA, CISM, NSA-IAM/IEM, Chief Information Security Officer


Page 3

AMTRAK Corporate Presentation & Key Challenges


Page 4

Amtrak Mission

The Amtrak mission is to deliver intercity transportation with superior safety, customer service and financial excellence.

To accomplish this mission, Amtrak has identified three overarching strategic themes: Safety and Security, Customer Focus and Financial Excellence.


Page 6

About Amtrak - Physical Aspects

Employees: 20,000
Annual Revenue FY2015: > $3.2 billion
Route Miles:
- Amtrak Owned Track: 363 miles of the 457-mile Northeast Corridor (NEC)
- Freight Owned Track: ≈ 21,000 miles

NEC: 2,200 trains each weekday, including:
- freight trains traveling at speeds of 30-50 mph
- commuter trains that travel at speeds up to 125 mph
- Amtrak Regional trains that travel at 110 or 125 mph
- Acela Express trains that can reach speeds of 150 mph

Long Distance: Amtrak operates 15 long distance routes over an 18,500-mile network serving 39 states and the District of Columbia. Long distance trains are the only intercity passenger rail service in 23 states and 223 communities.

Amtrak Operated Corridor and State Services: 6,000-mile route system serving 23 states, primarily in the Northeast, Midwest and along the Pacific Coast.

Destinations Serviced: >500
Passengers FY15: 30.8 million
Amtrak owns 18 tunnels (consisting of 24 miles of track) and 1,414 bridges.


Page 7

About Amtrak - Cyber Aspects

2 Datacenters
1,500 servers (Mainframes, Unix, Linux and Windows)
10,000 client devices (endpoints)
350 Application Portfolio
300+ Ticket Kiosks
VISA/MasterCard Level 1 Merchant
Industrial Control Systems – SCADA (electric distribution), CETC (signaling), PTC

Network Statistics:
- 5,000+ data switches
- 25,000 voice sets
- 174 routers
- 116 firewalls
- 100 voice switches


Page 8

Challenges

PEOPLE – PROCESS – TECHNOLOGY

PEOPLE - Build and maintain an effective, efficient, and credible Information Security Program: staff, governance model, and budget.

PROCESS - Bring specific people, processes, and technologies into compliance with various regulatory frameworks, e.g. PCI-DSS standards (>200 controls) as a Level 1 Merchant; FISMA (189 controls); the NIST Framework; and IT General Controls (ITGC) such as Change Management, Configuration Management, SOD (Segregation of Duties), Access Control, etc.

TECHNOLOGY - Implement Information Security initiatives across a geographically and culturally diverse organization and in the context of a ubiquitous network and computing environment.


Page 9

Implementation & Execution

- Executive management buy-in and support
- Close relationship with auditors and Office of Inspector General
- Accountability & Compliance
- Documented Policies & Procedures
- Implement Best Practices & Control Frameworks
- Communication & Education
- Continuous Monitoring of Networks and Systems


Page 10

Key Themes

“CONTINUOUS”

- Continuous Monitoring
- Continuous Assessments
- Continuous Awareness & Education


Page 11

Amtrak Information Security Challenges & Execution

International Union of Railways North American Regional Assembly on May 4th and the UIC Workshop on the Digital Railway and Rail Security on May 5th (Washington D.C.)

Ron Baklarz, C|CISO, CISSP, CISA, CISM, NSA-IAM/IEM, Chief Information Security Officer


Page 12

May 4th Session 1: Threats & Constraints

Page 13

National Railroad Passenger Corp. (AMTRAK) Session 1 – Threats and Constraints

“Continuous”
- Continuous Monitoring
- Continuous Assessment
- Continuous Education

Page 14

Threat Categories

Page 15

Hacked PC – Threats & Uses

Source: Brian Krebs

Page 16

Hacked Email – Threats & Uses

Source: Brian Krebs


Page 17

Cyber Kill Chain


Page 18

Cyber Kill Chain – Defensive Strategies


Page 19

The Adaptive Security Architecture

Continuous Monitoring and Analytics (center of the model)

Predict
- Proactive Exposure Assessment
- Predict Attacks
- Baseline Systems

Prevent & Protect
- Harden and Isolate Systems
- Divert Attackers
- Prevent Incidents

Detect & Analyze
- Detect Incidents
- Confirm and Prioritize
- Contain Incidents

Respond
- Remediate/Make Change
- Design/Model Change
- Investigate/Forensics


Page 20

Amtrak IT Information Security Program

Vulnerability Assessments
- Monthly 3rd Party Scans
- Monthly Other 3rd Party Scans
- Quarterly PCI-DSS Scans
- Annual PCI External
- Annual PCI Internal
- INFOSEC – Internal/External (weekly & ad hoc)
- Other 3rd Party Assessments
- Tool Mapping (Defense in Depth & Cyber Kill Chain Models)
- Vulnerability Identification & Remediation

Frameworks (~560 controls)
- PCI-DSS (200)
- FISMA (140)
- Maturity Model (123)
- NIST Framework (100)

Threat Inputs
- SIEM
- Anti-Malware
- MSS
- Looking Glass
- Open Source Intel
- DHS
- FBI
- US CERT
- Ad Hoc

IT Security Policies / Incident Response
- Cloud Security Policy
- Data Encryption
- Firewall Standard & Procedures
- IS – Roles & Responsibilities
- Server Policy & Standard
- Auditing Policy & Procedures
- File Integrity Monitoring (FIM)
- Incident Response Procedure
- Security Standards for Developers
- Wireless Security Policy
- Mobile Security Policy

Phases: Predict, Prevent & Protect, Detect & Analyze, Respond

Staff
- Full Time Employees: 9
- Combined Security Experience: 82 years
- Post-Graduate Degrees: 5
- Professional Certificates: 47

Continuous Monitoring, Continuous Assessments, Continuous Education


Page 21

Amtrak IT Security Operations Center

Security Operations Center (SOC)

Phases: Predict · Prevent & Protect · Detect & Analyze · Respond

Page 22

SOC Operations Statistics

Log Volume and Tickets Summary (SIEM)

Metric                                    Oct 2015        Nov 2015        Dec 2015        Jan 2016        Feb 2016        Mar 2016
SIEM Logs per Month                  2,569,978,089   3,265,894,595   5,124,446,692   5,580,206,400   4,570,989,060   4,995,833,869
SIEM Logs per Day                       82,902,519     112,617,055     165,304,732     180,006,658     163,249,609     166,527,796
System Agents Deployed                         327             336             327             397             411             408
Log Sources                                  1,727           1,979           1,983           2,119           2,076           2,048
Incident Tickets per Month                     280             212             213             136             250             293
SIEM Maintenance Tickets per Month               2               7              13              12              10               8
Alarm Investigations per Month                 N/A             N/A             N/A          11,708           6,908           5,252

Vulnerability Scan Summary

Scanning Tool                              Oct 2015   Nov 2015   Dec 2015   Jan 2016   Feb 2016   Mar 2016
Tool 1                                           15         10         19          3         19         15
Tool 2                                          165        613        807       1083        674       1213
Tool 3                                            0          0          0          7          7          0
Tool 4                                          313        354         79        319        375        279
Tool 5                                          130        132        132        130        138        128
Tool 6                                          460        144        551        144        124          0
Tool 7                                          368        177        174        181        474       6046
Tool 8                                          N/A        N/A        N/A        N/A        N/A        301
Tool 9                                            3          3          3          3          3          3
Total Number of IP Addresses Assessed          1914       1433       2316       1870       1814       7985
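As an added example (not part of the deck and not Amtrak's own code), the Python script below transcribes the two tables on this slide and runs the checks a SOC lead would apply before reporting such figures: it recomputes "logs per day" from each monthly total and the calendar, and sums the per-tool scan counts against the reported totals. Run on the slide's numbers it shows that the November, February and March per-day values were derived with 29, 28 and 30 days rather than the calendar's 30, 29 (2016 is a leap year) and 31, and that the October and December scan totals exceed their column sums by exactly the Tool 6 figures (460 and 551), which is consistent with a double count or a transcription error. The alarm-to-ticket ratio and the per-source ingest rate are derived KPIs added here; the slide does not report them. N/A cells are modelled as None and count as zero in the sums.

```python
"""Recompute and sanity-check the SOC Operations Statistics slide.

Checks: (1) does "logs per day" equal "logs per month" divided by the
calendar days in that month, and (2) do the per-tool scan counts add up to
the reported total. Alarm-to-ticket rate is derived as a triage KPI.
All figures are transcribed from the slide; nothing is fetched.
"""
import calendar
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SocMonth:
    year: int
    month: int
    logs_per_month: int
    logs_per_day_reported: int
    log_sources: int
    incident_tickets: int
    alarm_investigations: Optional[int]  # None where the slide shows N/A


# Log Volume and Tickets Summary, October 2015 to March 2016 (from the slide).
SOC_STATS: List[SocMonth] = [
    SocMonth(2015, 10, 2_569_978_089, 82_902_519, 1_727, 280, None),
    SocMonth(2015, 11, 3_265_894_595, 112_617_055, 1_979, 212, None),
    SocMonth(2015, 12, 5_124_446_692, 165_304_732, 1_983, 213, None),
    SocMonth(2016, 1, 5_580_206_400, 180_006_658, 2_119, 136, 11_708),
    SocMonth(2016, 2, 4_570_989_060, 163_249_609, 2_076, 250, 6_908),
    SocMonth(2016, 3, 4_995_833_869, 166_527_796, 2_048, 293, 5_252),
]

# Vulnerability Scan Summary: per-tool counts for the same six months.
# None marks N/A (Tool 8 is only reported for March 2016).
SCAN_ROWS: Dict[str, List[Optional[int]]] = {
    "Tool 1": [15, 10, 19, 3, 19, 15],
    "Tool 2": [165, 613, 807, 1083, 674, 1213],
    "Tool 3": [0, 0, 0, 7, 7, 0],
    "Tool 4": [313, 354, 79, 319, 375, 279],
    "Tool 5": [130, 132, 132, 130, 138, 128],
    "Tool 6": [460, 144, 551, 144, 124, 0],
    "Tool 7": [368, 177, 174, 181, 474, 6046],
    "Tool 8": [None, None, None, None, None, 301],
    "Tool 9": [3, 3, 3, 3, 3, 3],
}
SCAN_TOTALS_REPORTED = [1914, 1433, 2316, 1870, 1814, 7985]


def calendar_days(m: SocMonth) -> int:
    """Actual number of days in the month (handles the 2016 leap year)."""
    return calendar.monthrange(m.year, m.month)[1]


def implied_days(m: SocMonth) -> int:
    """Day count the slide must have used: monthly total / reported daily rate."""
    return round(m.logs_per_month / m.logs_per_day_reported)


def logs_per_day(m: SocMonth) -> int:
    """Daily log rate recomputed against the calendar."""
    return round(m.logs_per_month / calendar_days(m))


def logs_per_source_per_day(m: SocMonth) -> int:
    """Rough per-source ingest rate; a drop here hints at silent log sources."""
    return round(logs_per_day(m) / m.log_sources)


def alarm_to_ticket_rate(m: SocMonth) -> Optional[float]:
    """Fraction of alarm investigations that became incident tickets."""
    if m.alarm_investigations is None:
        return None
    return m.incident_tickets / m.alarm_investigations


def months_with_day_mismatch(stats: List[SocMonth]) -> List[SocMonth]:
    """Months whose reported daily rate does not match the calendar."""
    return [m for m in stats if implied_days(m) != calendar_days(m)]


def scan_column_sums(rows: Dict[str, List[Optional[int]]]) -> List[int]:
    """Sum the per-tool counts for each month, treating N/A as zero."""
    n = len(SCAN_TOTALS_REPORTED)
    return [sum(r[i] or 0 for r in rows.values()) for i in range(n)]


def scan_total_mismatches() -> List[int]:
    """Month indices (0 = Oct 2015) where the reported total != column sum."""
    sums = scan_column_sums(SCAN_ROWS)
    return [i for i, (s, t) in enumerate(zip(sums, SCAN_TOTALS_REPORTED)) if s != t]


if __name__ == "__main__":
    for m in SOC_STATS:
        flag = "" if implied_days(m) == calendar_days(m) else "  <-- day count mismatch"
        print(f"{m.year}-{m.month:02d}: reported {m.logs_per_day_reported:>12,}/day "
              f"(implies {implied_days(m)} days), calendar {calendar_days(m)} days "
              f"-> {logs_per_day(m):>12,}/day{flag}")
        rate = alarm_to_ticket_rate(m)
        if rate is not None:
            print(f"          alarms->tickets {rate:.1%}, "
                  f"~{logs_per_source_per_day(m):,} logs/source/day")
    print("scan months with total != column sum:", scan_total_mismatches())
```

The same two checks generalise to any monthly SOC report: derive the implied divisor from the headline rate and compare it to the calendar, and never publish a total row that cannot be reproduced from the rows above it.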

Page 23

Threat Resource

2016 Global Threat Intelligence Report (GTIR). Produced by the NTT Group security companies (Solutionary, NTT Com Security and Dimension Data) from data gathered across 24 security operations centers, seven R&D centers, 3.5 trillion logs, 6.2 billion attacks and nearly 8,000 security clients on six continents. The report covers what attackers are doing, recommends security controls intended to disrupt attacks and improve an organization's survivability and resiliency, and includes a section on applying the Lockheed Martin Cyber Kill Chain®. Sponsor: Solutionary Inc. http://resources.idgenterprise.com/original/AST-0166576_2016-NTT-Group-GTIR-Final.pdf