1 / 17

NHTSA Cyber Security Best Practices Study Tim Weisenberger

NHTSA Cyber Security Best Practices Study Tim Weisenberger. December 7, 2011. Presentation Overview. Purpose of the study Study approach and methodology Lessons Learned. Study Purpose.

derrickw
Download Presentation

NHTSA Cyber Security Best Practices Study Tim Weisenberger

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NHTSA Cyber Security Best Practices Study Tim Weisenberger December 7, 2011

  2. Presentation Overview • Purpose of the study • Study approach and methodology • Lessons Learned

  3. Study Purpose • Seek best practices in industries with similar concerns, risks, and constraints to the Automotive industry (NOT a study of cybersecurity in Automotive) • Get a sense of where others are in tackling cybersecurity and where they are going • Bring forward key learnings to help NHTSA craft a strategic roadmap for automobile electronic resiliency • Parallel study of system reliability of safety-critical automobile electronic systems

  4. Research Approach • Open solicitation to learn from any and all cyber experts • These three elements resulted in final findings • Sought out specific experts to discuss cyber security best practices • Reviewed academic research, standards, etc.

  5. Industries/Sectors Studied and Why

  6. Industries/Sectors Studied and Why

  7. Industries/Sectors Studied and Why

  8. Overarching Cybersecurity Issues

  9. Information Security Lifecycle

  10. Starting Point FIPS 200 / SP 800-53 FIPS 199 / SP 800-60 CATEGORIZE Information System SELECT Security Controls SP 800-37 / SP 800-53A Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. MONITOR Security State Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. Continuously track changes to the information system that may affect security controls and reassess control effectiveness. Security Life Cycle SP 800-39 SP 800-37 AUTHORIZE Information System SP 800-53A ASSESS Security Controls SP 800-70 Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. IMPLEMENT Security Controls Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). Security Lifecycle – NIST 800 Series/FIPS

  11. Industry Best Practices Findings

  12. Findings Linked to Security Lifecycle

  13. CONTACT INFORMATION Michael Dinning US DOT John A. Volpe National Transportation Systems Center Michael.Dinning@dot.gov Edward Fok FHWA Resource Center in San Francisco Office of Technical Service - Operations Technical Service Team Edward.Fok@dot.gov Timothy Weisenberger US DOT John A. Volpe National Transportation Systems Center Timothy.Weisenberger@dot.gov

More Related