Title: APTA 2006 RAIL CONFERENCE
1APTA 2006 RAIL CONFERENCE
Cyber Security for Railway Control An Overview
- Robert P. Evans
- Idaho National Laboratory
- Engineer
Investing Today for a Brighter Tomorrow
2Outline
- Introduce Rail Control System Cyber Security
- Describe Government Support for this Area
- Describe APTA Communications Subcommittee Control
System Cyber Security Working Group and its Goals - Status Report on these Efforts
2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
3Control System for Rail
- Controls the system process
- Provides the control logic and safety functions
- Provides for the transport and storage of
information - Includes all the hardware and software including
sensors, controllers, actuators, wiring, HMIs,
etc.
2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
4Attack Targets
- Petroleum 28
- Power and utilities 19
- Transportation 16
- Chemical 14
- Other 23
-
Eric Byres
2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
5Methods of Cyber Attacks on Control Systems
- Using malware or directed attacks
- Disruption of control system operation by
delaying or blocking information flow - Sending of false information
- Modification of control system software
- Interfere with operation of safety systems
- Making unauthorized changes to program
instructions or set points
2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
6Government Support
- February, 2003 the National Strategy to Secure
Cyberspace called for DHS . . . to work in
partnership with industry to . . . develop best
practices . . . to increase security of DCS/SCADA
. . . - DHS identified 13 critical infrastructure
sectors, including transportation - Support for Transportation Security is coming
from National Laboratories and National Institute
of Standards and Technology - Two National Laboratories (Idaho National
Laboratory and Sandia National Laboratories) are
supporting APTA by co-chairing the Control
Systems Security Working Group of the
Communications subcommittee.
2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
7Idaho National Laboratory
- Member of the Standards Awareness Team
- Multi-Laboratory Team
- Develop General Requirements for Control System
Cyber Security - Control System Security Program
- Assess Vulnerabilities and Risks
- Enhance Security Awareness
- Support Standards Bodies
- National SCADA Test Bed Program
- Test Commercial Control Systems for
Vulnerabilities
2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
8Control System Security Working Group
- Members represent transit agencies, equipment
vendors, engineers, and consultants - Goal produce recommended practices for transit
agencies to secure control and communications
networks - Method leverage technical documents and
standards from other sectors using control
systems
2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
9Resources Available
- Control system cyber security standards such as
- ISA-99
- NIST 800-82
- NERC CIP
- AGA 12
2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
10Recommended Practice - Preliminary
- Title Recommended practice for a Communication
and Control System Security Program within a
Transit Agency - Part 1 Evaluation and Decision Making Relates
Control System Security to existing physical,
personnel and cyber security efforts and risk
assessment/risk management - Part 2 Segmentation of Communication and
Control System Networks A step-by-step method
to segment control and communication networks by
risk level and apply countermeasures.
2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow