APTA 2006 RAIL CONFERENCE

1
APTA 2006 RAIL CONFERENCE
Cyber Security for Railway Control An Overview

• Robert P. Evans
• Idaho National Laboratory
• Engineer

Investing Today for a Brighter Tomorrow
2
Outline

• Introduce Rail Control System Cyber Security
• Describe Government Support for this Area
• Describe APTA Communications Subcommittee Control
  System Cyber Security Working Group and its Goals
• Status Report on these Efforts

2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
3
Control System for Rail

• Controls the system process
• Provides the control logic and safety functions
• Provides for the transport and storage of
  information
• Includes all the hardware and software including
  sensors, controllers, actuators, wiring, HMIs,
  etc.

2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
4
Attack Targets

• Petroleum 28
• Power and utilities 19
• Transportation 16
• Chemical 14
• Other 23
• 
  
  Eric Byres

2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
5
Methods of Cyber Attacks on Control Systems

• Using malware or directed attacks
• Disruption of control system operation by
  delaying or blocking information flow
• Sending of false information
• Modification of control system software
• Interfere with operation of safety systems
• Making unauthorized changes to program
  instructions or set points

2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
6
Government Support

• February, 2003 the National Strategy to Secure
  Cyberspace called for DHS . . . to work in
  partnership with industry to . . . develop best
  practices . . . to increase security of DCS/SCADA
  . . .
• DHS identified 13 critical infrastructure
  sectors, including transportation
• Support for Transportation Security is coming
  from National Laboratories and National Institute
  of Standards and Technology
• Two National Laboratories (Idaho National
  Laboratory and Sandia National Laboratories) are
  supporting APTA by co-chairing the Control
  Systems Security Working Group of the
  Communications subcommittee.

2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
7
Idaho National Laboratory

• Member of the Standards Awareness Team
• Multi-Laboratory Team
• Develop General Requirements for Control System
  Cyber Security
• Control System Security Program
• Assess Vulnerabilities and Risks
• Enhance Security Awareness
• Support Standards Bodies
• National SCADA Test Bed Program
• Test Commercial Control Systems for
  Vulnerabilities

2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
8
Control System Security Working Group

• Members represent transit agencies, equipment
  vendors, engineers, and consultants
• Goal produce recommended practices for transit
  agencies to secure control and communications
  networks
• Method leverage technical documents and
  standards from other sectors using control
  systems

2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
9
Resources Available

• Control system cyber security standards such as
• ISA-99
• NIST 800-82
• NERC CIP
• AGA 12

2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow
10
Recommended Practice - Preliminary

• Title Recommended practice for a Communication
  and Control System Security Program within a
  Transit Agency
• Part 1 Evaluation and Decision Making Relates
  Control System Security to existing physical,
  personnel and cyber security efforts and risk
  assessment/risk management
• Part 2 Segmentation of Communication and
  Control System Networks A step-by-step method
  to segment control and communication networks by
  risk level and apply countermeasures.

2006 APTA RAIL CONFERENCE Investing Today for a
Brighter Tomorrow