JACKSONVILLE TRANSPORTATION AUTHORITYThe Role of Cyber Security in Safety

Kevin Holzendorf

Jacksonville Transportation Authority

Safety Culture

▪ Proactive approach to safety▪ Identify risky behavior▪ Provide mentoring▪ Internal audits▪ Safety committees▪ Review policies and procedures

Safety Performance Objectives

FY17 OCT 1.00 1.32 1.32

FY17 NOV 1.00 0.87 1.09

FY17 DEC 1.00 1.21 1.13

FY17 JAN 1.00 0.98 1.09

FY17 FEB 1.00 0.59 0.99

FY17 MAR 1.00 1.31 1.05

FY17 APR 1.00 1.08 1.05

FY17 MAY 1.00 1.43 1.10

FY17 JUN 1.00 0.79 1.06

FY Month Target MTD YTD

JACKSONVILLE TRANSPORTATION AUTHORITY

Cyber Security

▪ Endangerment of public or employee safety▪ Impact on regional/national security▪ Loss of public confidence▪ Violation of regulatory requirements▪ Loss of proprietary or confidential information▪ Economic loss

Cyber Security is the protecting of systems and data from attacks, damage or unauthorized access

Cyber Security = Risk Management

What’s at Risk if we fail?▪ Public or employee safety▪ Public confidence▪ Regulatory violation▪ Proprietary or confidential info▪ Economic loss▪ Regional/national security

Presentation Title

Your Title

Cyber Breach Probability

2015 Data Breaches by Industry Sector

Source: Verizon 2016 Data Breach Investigations Report

Less than 0.7% of all reported breaches occurred in the

Transportation Sector

JACKSONVILLE TRANSPORTATION AUTHORITY

Your Title

Why do anything?

What Technology is Vulnerable?

InformationTechnology

OperationalTechnology

JACKSONVILLE TRANSPORTATION AUTHORITY

Transportation Operations Systems

Adapted from the National Academy of Sciences, “Protection of Transportation Infrastructure from Cyber Attacks: A Primer”

TYPE CATEGORY HIGHWAYS TRANSITOperational Technology (OT) Control Systems Advanced Traffic Management System

(ATMS)Train Control System

Bus Control System

SCADA Road/Weather Systems Traction Power

Traffic Monitoring and Surveillance Emergency Ventilation System

RR Crossings Monitoring (Pumps, Alarms)

GPS

Signaling Highway Signals Train Signals

Signal Priority Systems

Communications Advance Traveler Information System (ATIS)

Communications

DSRC

Fare Collection Systems

Electronic Toll Collection (ETC) Entry/Exit Gates

Ticket Vending Machines, Fare Boxes, Fare Validators, Ticket Encoding

HVAC/Building Management

HVAC HVAC Systems

Tunnel Ventilation "People Movers"

Information Technology (IT) Enterprise systems: Finance, HR, Productivity, Archives

Driver, Vehicle and Crash systems Asset Management

Asset Management BYOD

BYOD

Design, Construction CADD, Electronic Bidding Track Inspection

Typical IT & OT systems

JACKSONVILLE TRANSPORTATION AUTHORITY

Your Title

Who is breaching our Systems?

~85% of data breaches are External

Percent of Breaches by Threat

~15% are Internal

Source: Verizon 2016 Data Breach Investigations Report

Your Title

How are they getting in?

Source: Verizon 2016 Data Breach Investigations Report

10%

16%

6%

26%6%

36%

Transportation Cyber Incidents by Pattern

Crimeware

Espionage

Misc Errors

Denial of Service

Privilege Misuse

Web Apps

What about the Transportation Sector?

Source: Verizon 2016 Data Breach Investigations Report

Threat Landscape Recap

▪ External Threats are almost 6x more likely than Internal▪ Hacking, Malware, and Social Engineering are the primary

methods to breach an environment▪ Primary incident scenarios in the Transportation Sector are:

▪ Hacking into our Web Applications▪ Denial of Service attacks▪ State Actors committing acts of Espionage

Since time and resources are limited, our initial Cyber Strategy efforts should focus on the top 3 first

Network Security Best Practices

Internal Vulnerability Scanning

External Vulnerability ScanningExternal Penetration Testing

At a minimum…

Policy & Procedure

Intrusion Detection/Prevention

System Hardening

Firewall Protection

Email Scanning/Spam Filtering

Web Content Filtering

Anti-virus/Anti-malware

Patch Management

Summary

Is your agency secure?

Don’t know?

APTA TranslTech Conference

Join us in Jacksonville – April 9-11, 2018