This document from the National Highway Traffic Safety Administration provides non-binding guidance to the automotive industry for improving motor vehicle cybersecurity. It recommends adopting a layered approach to vehicle cybersecurity based on the NIST Cybersecurity Framework. This includes identifying and prioritizing safety-critical systems, incorporating detection and response capabilities, and designing recovery methods. The document also provides definitions and an overview of recent NHTSA actions and industry best practices related to automotive cybersecurity.
31,000 federal government cyber incidents identified by White HouseDavid Sweigert
This document is the FY 2016 annual report to Congress on federal cybersecurity as required by the Federal Information Security Modernization Act of 2014. It provides an overview of key federal cybersecurity roles and responsibilities held by agencies such as OMB, DHS, NSC, GSA, NIST, and FBI. It also summarizes government-wide cybersecurity programs and initiatives and FY 2016 policy updates related to strengthening federal cybersecurity.
This document summarizes discussions from a working session with insurance industry participants on potential approaches to advance the first-party cybersecurity insurance market. Key topics discussed included: 1) Developing a cyber incident data repository to facilitate anonymized sharing of cyber incident information between organizations to help build actuarial data and inform best practices; 2) Conducting cyber incident consequence analytics to help insurance carriers understand critical infrastructure impacts and dependencies to better assess risk; and 3) Promoting enterprise risk management approaches to cyber risk to help organizations better address this risk holistically. Participants provided input on requirements, challenges, and next steps for each topic.
Rapid7 Report: Data Breaches in the Government SectorRapid7
Rapid7, the leading provider of security risk intelligence solutions, analyzed data collected and categorized by the Privacy Rights Clearinghouse Chronology of Data Breaches. Using this data, the company outlined patterns for government data breaches, including year, month, location and breach type patterns. This information and tips for protecting infrastructure can ensure that government IT environments stay protected against malicious attacks and unintended disclosure.
The document is a multi-page essay analyzing the validity of US protests against China's new cyber security laws and regime. It provides background on China's cyber security priorities and laws, which include source code disclosure, domestic IP ownership, and limiting foreign tech company access to the Chinese market. The essay argues the laws are protectionist and limit US tech market access. It also notes China's motivation is to increase control over cyberspace and boost its level of informatization and tech capabilities. The US has valid economic and national security concerns over the laws threatening its tech industry and primacy in cyberspace.
According to Analysts, the Higher Education sector is the most breached of any industry. This white paper outlines key reasons why universities are more affected by security issues and how they can better prepare themselves to address IT security and vulnerability management challenges.
Protecting Patient Health Information in the HITECH EraRapid7
The document discusses how the HITECH Act strengthened enforcement of HIPAA regulations regarding the privacy and security of patient health information. It established much higher penalties for non-compliance in an effort to incentivize healthcare providers to improve practices for protecting electronic personal health records. The HITECH Act also expanded the scope of HIPAA to cover business associates of healthcare organizations and allow state attorneys general to pursue legal action on behalf of individuals affected by privacy or security violations. Overall, the legislation aims to increase adoption of health information technology while maintaining patient trust through more rigorous auditing and enforcement of standards for securing electronic patient data.
31,000 federal government cyber incidents identified by White HouseDavid Sweigert
This document is the FY 2016 annual report to Congress on federal cybersecurity as required by the Federal Information Security Modernization Act of 2014. It provides an overview of key federal cybersecurity roles and responsibilities held by agencies such as OMB, DHS, NSC, GSA, NIST, and FBI. It also summarizes government-wide cybersecurity programs and initiatives and FY 2016 policy updates related to strengthening federal cybersecurity.
This document summarizes discussions from a working session with insurance industry participants on potential approaches to advance the first-party cybersecurity insurance market. Key topics discussed included: 1) Developing a cyber incident data repository to facilitate anonymized sharing of cyber incident information between organizations to help build actuarial data and inform best practices; 2) Conducting cyber incident consequence analytics to help insurance carriers understand critical infrastructure impacts and dependencies to better assess risk; and 3) Promoting enterprise risk management approaches to cyber risk to help organizations better address this risk holistically. Participants provided input on requirements, challenges, and next steps for each topic.
Rapid7 Report: Data Breaches in the Government SectorRapid7
Rapid7, the leading provider of security risk intelligence solutions, analyzed data collected and categorized by the Privacy Rights Clearinghouse Chronology of Data Breaches. Using this data, the company outlined patterns for government data breaches, including year, month, location and breach type patterns. This information and tips for protecting infrastructure can ensure that government IT environments stay protected against malicious attacks and unintended disclosure.
The document is a multi-page essay analyzing the validity of US protests against China's new cyber security laws and regime. It provides background on China's cyber security priorities and laws, which include source code disclosure, domestic IP ownership, and limiting foreign tech company access to the Chinese market. The essay argues the laws are protectionist and limit US tech market access. It also notes China's motivation is to increase control over cyberspace and boost its level of informatization and tech capabilities. The US has valid economic and national security concerns over the laws threatening its tech industry and primacy in cyberspace.
According to Analysts, the Higher Education sector is the most breached of any industry. This white paper outlines key reasons why universities are more affected by security issues and how they can better prepare themselves to address IT security and vulnerability management challenges.
Protecting Patient Health Information in the HITECH EraRapid7
The document discusses how the HITECH Act strengthened enforcement of HIPAA regulations regarding the privacy and security of patient health information. It established much higher penalties for non-compliance in an effort to incentivize healthcare providers to improve practices for protecting electronic personal health records. The HITECH Act also expanded the scope of HIPAA to cover business associates of healthcare organizations and allow state attorneys general to pursue legal action on behalf of individuals affected by privacy or security violations. Overall, the legislation aims to increase adoption of health information technology while maintaining patient trust through more rigorous auditing and enforcement of standards for securing electronic patient data.
This document discusses how terrorist groups use the internet for propaganda distribution, recruitment, communication and training. It also examines the challenges facing the US government in monitoring terrorist websites and conducting counterpropaganda activities online. Key issues for Congress include balancing national security with civil liberties concerns, and coordinating counterterrorism strategies across different government agencies.
Panel Cyber Security and Privacy without Carrie Waggonermihinpr
The panel discussed security and privacy in healthcare. Some key points:
- 43% of all 2011 security breaches began in healthcare according to Symantec.
- Medical records are valued at $50 each on the black market, much more than credit cards.
- Top threats to healthcare security are malware, automatic log-off not being used, and removable media.
- HIPAA compliance does not ensure security. Access must be controlled and critical data identified.
- Presenters provided overviews of trust frameworks, Direct secure messaging between providers, and the role of digital certificates in authentication. Ensuring security requires addressing both technical and human factors.
This document provides guidance for fusion centers to integrate cybersecurity capabilities by effectively incorporating information and expertise from cyber partners and stakeholders. It recognizes that cyber attacks can be as damaging as physical attacks, and that incorporating cyber intelligence can help fusion centers achieve their all-crimes and all-hazards missions. The document outlines how fusion centers can leverage cyber community resources to enhance information collection, analysis, and dissemination related to cyber threats. It also discusses the value fusion centers provide in promoting cybersecurity through improved information sharing between state, local, private, and federal entities.
Cyber Integration for Fusion Centers to develop Cyber Threat IntelligenceDavid Sweigert
This document provides guidance for fusion centers to integrate cybersecurity capabilities by effectively incorporating information and expertise from cyber partners and stakeholders. It recognizes that cyber attacks can be as damaging as physical attacks, and that incorporating cyber intelligence can help fusion centers achieve their all-crimes and all-hazards missions. The document outlines how fusion centers can leverage cyber community resources to enhance information collection, analysis, and dissemination related to cyber threats. It also discusses the value fusion centers provide in promoting cybersecurity through improved information sharing between state, local, private, and federal entities.
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceRapid7
Cyber-attacks designed for financial gain are on the rise, targeting proprietary information including customer and financial information. With over 127 million records exposed in 2007 in the US alone, attacks are becoming increasingly more sophisticated. Learn more about best practices to protect the cardholder data environment and achieve PCI compliance.
These groups are loosely organized and have a small number of members. They
usually have little experience and rely on pre-packaged tools. Their attacks are usually not
sophisticated and they are more likely to get caught.
Associate: These groups are moderately organized with a moderate number of members. They
have some experience and skills but still rely on pre-packaged tools. Their attacks show some
planning and sophistication.
Principal: These groups are highly organized with a large number of experienced members. They
have strong technical skills and develop their own tools. Their attacks show extensive planning
and are very sophisticated. They are also very security conscious to avoid detection.
In summary, the typologies provided
Open Government Data & Privacy ProtectionSylvia Ogweng
The document discusses privacy issues related to open government data initiatives. It notes that while open data brings benefits, privacy concerns have slowed its adoption. The types of government data - infrastructure, public services, and personal - present different privacy risks. Maintaining privacy involves de-identifying and anonymizing data, but these processes do not always guarantee privacy. North American governments are working to address privacy through funding for privacy-enhancing technologies and focusing on privacy within specific domains like healthcare and as an extension of security.
Buying a car entails a cost, not counting the day to day high price tag of gasoline. People are looking for
viable means of transportation that is cost-effective and can move its way through traffic faster. In the
Philippines, motorcycle was the answer to most people transportation needs. With the increasing number of
a motorcycle rider in the Philippines safety is the utmost concern. Today technology plays a huge role on
how this safety can be assured. We now see advances in connected devices. Devices can sense its
surrounding through sensor attach to it. With this in mind, this study focuses on the development of a
wearable device named Smart Motorcycle Helmet or simply Smart Helmet, whose main objective is to help
motorcycle rider in times of emergency. Utilizing sensors such as alcohol level detector, crash/impact
sensor, Internet connection thru 3G, accelerometer, Short Message Service (SMS) and cloud computing
infrastructure connected to a Raspberry Pi Zero-W and integrating a separate Arduino board for the antitheft tracking module is used to develop the propose Internet-of Things (IoT) device.
An Overview of the Major Compliance RequirementsDoubleHorn
In this blog, we will explore some of the US government’s compliance standards that are helpful for many federal, state and local agencies while procuring technology and related services.
NSTC Identity Management Task Force Report Executive SummaryDuane Blackburn
The National Science and Technology Council's Task Force on Identity Management was established to assess the current state of identity management (IdM) across the US federal government and develop a vision for the future. The Task Force found that over 3,000 federal systems currently utilize personally identifiable information in an inconsistent and duplicative manner. Their vision calls for a federated network to securely manage digital identities using common data standards. This would enhance accuracy, availability, and privacy while reducing duplication. The Task Force provided recommendations in areas like standards, architecture, research needs, and government-wide coordination to advance toward this holistic IdM framework.
Arkansas Department of Corrections Case StudyDaniel Potter
The Arkansas Department of Corrections deployed a customized version of the Fusion Core Solution based on Microsoft SharePoint to aggregate and analyze data from multiple databases in order to identify patterns related to contraband activity. This has enabled investigators to more efficiently allocate resources and confiscate illegal drugs, phones, and money, creating a safer environment for staff and inmates. The solution provides dashboards and visualization of trends that were previously difficult to see, supporting improved security operations.
Final national cyber security strategy november 2014vikawotar
This document outlines Mauritius' National Cyber Security Strategy for 2014-2019. It establishes the vision, mission and goals for cyber security, which include securing cyberspace against cybercrime, enhancing resilience to cyber attacks, developing efficient collaboration models between authorities and businesses, and improving cyber expertise and awareness. The strategy proposes a governance structure and defines the roles of key stakeholders like the Ministry of ICT, National Cyber Security Committee, National CERT, law enforcement, regulatory bodies, critical sectors, and academia. It presents strategic guidelines to achieve the goals, focusing on defense, resilience, collaboration, and capacity building. The importance of the strategy is to effectively manage cyber threats and risks through a coordinated national approach.
This document discusses cybersecurity risks facing institutions and proposes countermeasures. It begins by explaining how the expansion of cyber space has increased cyber risks and how most countries have developed national cybersecurity strategies in response. However, it notes that institutions also need their own robust cybersecurity strategies to protect against modern cyber threats targeting both infrastructure and personnel.
The document then presents a case study analyzing how open source intelligence (OSINT) techniques using social media and other online sources can expose sensitive personal and institutional data. It demonstrates how cyber criminals could potentially gather usernames, email addresses, location data and other metadata about employees and systems.
Finally, it recommends several countermeasures institutions should take. These include educating employees about metadata risks, implementing
The mission of the IC3 is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated criminal activity, and to develop effective alliances with industry partners. Information is analyzed and disseminated for investigative and intelligence purposes, for law enforcement, and for public awareness.
Credit is due to all original authors and no financial gain was made from the report, Simply sharing an interesting story for educational purposes,
The 2018 Internet Crime Report from the FBI's Internet Crime Complaint Center (IC3) summarizes internet crime complaints received in 2018. It reports that IC3 received over 351,936 complaints involving losses over $2.7 billion. The top crime types reported were non-payment/non-delivery, extortion, and personal data breach. In 2018, IC3 established a Recovery Asset Team to help recover funds from business email compromise schemes and created new Victim Specialist positions to provide support to victims of internet crimes.
The National Highway Traffic Safety Administration conducted research on cybersecurity best practices across several industries, including information technology, telecommunications, aviation, industrial control systems, energy, medical devices, and automotive. The research found that cybersecurity is best addressed as a life-cycle process including assessment, design, implementation, and operations. It is important to perform risk assessments to identify vulnerabilities in systems and quantify risks. Industries have developed guidelines specific to their needs based on this approach.
Are NIST standards clouding the implementation of HIPAA security risk assessm...David Sweigert
The HIPAA Security Rule (at 45 C.F.R. §164.308(a)(1)(ii)(A)) requires an initial security risk analysis according to risk analysis guidance issued by HHS/OCR based on NIST standards.
OCR Audit Protocols for Risk Analysis are clear! CMS, as planned, has launched audits of organizations who have attested to Meaningful Use Objectives and Risk Analyses will be audited. Have you completed a bona fide HIPAA Security Risk Analysis?
Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Gove...xstokes825
The document establishes procedures for federal entities to receive, process, and disseminate cyber threat indicators and defensive measures under the Cybersecurity Information Sharing Act of 2015 (CISA). It describes the Department of Homeland Security's Automated Indicator Sharing capability which allows real-time exchange of indicators and defensive measures between federal entities and qualifying non-federal entities using machine-to-machine specifications. It also provides guidance on submitting indicators through non-automated means and outlines auditing and sanction requirements for unauthorized use of shared information.
Cybersecurity Guide for the State of Washington Critical Infrastructure_9_2015tmuehleisen
This document provides a summary of key recommendations for improving cybersecurity practices for critical infrastructure organizations in Washington state. It recommends instituting cybersecurity at all levels of an organization, identifying important assets and risks, developing security policies, sharing threat information with peers, conducting risk management, managing vendors' access to systems, detecting and responding to incidents, and utilizing state and federal cybersecurity resources for assistance. The document is intended to help critical infrastructure organizations establish effective cybersecurity programs.
12 part framework to structure safety assessment for autonomous drivingZiaullah Mirza
The document provides voluntary guidance from the National Highway Traffic Safety Administration (NHTSA) to support the safe development and deployment of Automated Driving Systems (ADS). It outlines 12 safety elements that entities developing ADS should consider, including system safety, object and event detection, fallback procedures, validation methods, cybersecurity, and data recording. The guidance encourages entities to disclose voluntary safety self-assessments and emphasizes that safety remains the top priority for ADS. It is intended to help industry develop best practices without establishing compliance requirements.
Since announcing its “Cloud First” policy in 2010, the Federal government has correctly identified cloud computing as a way to reduce costs and improve the use of existing assets, and has accordingly prioritized its adoption. It has also taken judicious steps to protect Federal networks from nefarious cyber-attacks and promote the dissemination of best practices for cybersecurity. The Federal government has also embraced mobility as a means to conduct work from any location. But until now, the implementation of these initiatives has been fragmented and lacked coordination across Federal agencies. This paper offers a framework for integrating these programs in a way that enables the Federal government to realize the economic, technological, and mission-effectiveness benefits of cloud services while simultaneously meeting current Federal cybersecurity
requirements. It advocates shifting from a compliance-based cybersecurity paradigm to
one that is risk-based and focusing on how to most effectively secure their implementation of cloud services.
Whitepaper best practices for integrated physical security supporti…Basavaraj Dodamani
The document discusses best practices for integrated physical security capabilities to support Massachusetts'
Enterprise Physical & Environmental Security Policy. It recommends physical security and monitoring solutions
that meet the policy's requirements. Key recommendations include implementing strong access controls,
internal monitoring systems, and other security measures to deter threats, detect issues, and enable rapid
response. Compliance with the policy helps organizations protect assets, data, and IT resources from security
risks.
This document discusses how terrorist groups use the internet for propaganda distribution, recruitment, communication and training. It also examines the challenges facing the US government in monitoring terrorist websites and conducting counterpropaganda activities online. Key issues for Congress include balancing national security with civil liberties concerns, and coordinating counterterrorism strategies across different government agencies.
Panel Cyber Security and Privacy without Carrie Waggonermihinpr
The panel discussed security and privacy in healthcare. Some key points:
- 43% of all 2011 security breaches began in healthcare according to Symantec.
- Medical records are valued at $50 each on the black market, much more than credit cards.
- Top threats to healthcare security are malware, automatic log-off not being used, and removable media.
- HIPAA compliance does not ensure security. Access must be controlled and critical data identified.
- Presenters provided overviews of trust frameworks, Direct secure messaging between providers, and the role of digital certificates in authentication. Ensuring security requires addressing both technical and human factors.
This document provides guidance for fusion centers to integrate cybersecurity capabilities by effectively incorporating information and expertise from cyber partners and stakeholders. It recognizes that cyber attacks can be as damaging as physical attacks, and that incorporating cyber intelligence can help fusion centers achieve their all-crimes and all-hazards missions. The document outlines how fusion centers can leverage cyber community resources to enhance information collection, analysis, and dissemination related to cyber threats. It also discusses the value fusion centers provide in promoting cybersecurity through improved information sharing between state, local, private, and federal entities.
Cyber Integration for Fusion Centers to develop Cyber Threat IntelligenceDavid Sweigert
This document provides guidance for fusion centers to integrate cybersecurity capabilities by effectively incorporating information and expertise from cyber partners and stakeholders. It recognizes that cyber attacks can be as damaging as physical attacks, and that incorporating cyber intelligence can help fusion centers achieve their all-crimes and all-hazards missions. The document outlines how fusion centers can leverage cyber community resources to enhance information collection, analysis, and dissemination related to cyber threats. It also discusses the value fusion centers provide in promoting cybersecurity through improved information sharing between state, local, private, and federal entities.
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceRapid7
Cyber-attacks designed for financial gain are on the rise, targeting proprietary information including customer and financial information. With over 127 million records exposed in 2007 in the US alone, attacks are becoming increasingly more sophisticated. Learn more about best practices to protect the cardholder data environment and achieve PCI compliance.
These groups are loosely organized and have a small number of members. They
usually have little experience and rely on pre-packaged tools. Their attacks are usually not
sophisticated and they are more likely to get caught.
Associate: These groups are moderately organized with a moderate number of members. They
have some experience and skills but still rely on pre-packaged tools. Their attacks show some
planning and sophistication.
Principal: These groups are highly organized with a large number of experienced members. They
have strong technical skills and develop their own tools. Their attacks show extensive planning
and are very sophisticated. They are also very security conscious to avoid detection.
In summary, the typologies provided
Open Government Data & Privacy ProtectionSylvia Ogweng
The document discusses privacy issues related to open government data initiatives. It notes that while open data brings benefits, privacy concerns have slowed its adoption. The types of government data - infrastructure, public services, and personal - present different privacy risks. Maintaining privacy involves de-identifying and anonymizing data, but these processes do not always guarantee privacy. North American governments are working to address privacy through funding for privacy-enhancing technologies and focusing on privacy within specific domains like healthcare and as an extension of security.
Buying a car entails a cost, not counting the day to day high price tag of gasoline. People are looking for
viable means of transportation that is cost-effective and can move its way through traffic faster. In the
Philippines, motorcycle was the answer to most people transportation needs. With the increasing number of
a motorcycle rider in the Philippines safety is the utmost concern. Today technology plays a huge role on
how this safety can be assured. We now see advances in connected devices. Devices can sense its
surrounding through sensor attach to it. With this in mind, this study focuses on the development of a
wearable device named Smart Motorcycle Helmet or simply Smart Helmet, whose main objective is to help
motorcycle rider in times of emergency. Utilizing sensors such as alcohol level detector, crash/impact
sensor, Internet connection thru 3G, accelerometer, Short Message Service (SMS) and cloud computing
infrastructure connected to a Raspberry Pi Zero-W and integrating a separate Arduino board for the antitheft tracking module is used to develop the propose Internet-of Things (IoT) device.
An Overview of the Major Compliance RequirementsDoubleHorn
In this blog, we will explore some of the US government’s compliance standards that are helpful for many federal, state and local agencies while procuring technology and related services.
NSTC Identity Management Task Force Report Executive SummaryDuane Blackburn
The National Science and Technology Council's Task Force on Identity Management was established to assess the current state of identity management (IdM) across the US federal government and develop a vision for the future. The Task Force found that over 3,000 federal systems currently utilize personally identifiable information in an inconsistent and duplicative manner. Their vision calls for a federated network to securely manage digital identities using common data standards. This would enhance accuracy, availability, and privacy while reducing duplication. The Task Force provided recommendations in areas like standards, architecture, research needs, and government-wide coordination to advance toward this holistic IdM framework.
Arkansas Department of Corrections Case StudyDaniel Potter
The Arkansas Department of Corrections deployed a customized version of the Fusion Core Solution based on Microsoft SharePoint to aggregate and analyze data from multiple databases in order to identify patterns related to contraband activity. This has enabled investigators to more efficiently allocate resources and confiscate illegal drugs, phones, and money, creating a safer environment for staff and inmates. The solution provides dashboards and visualization of trends that were previously difficult to see, supporting improved security operations.
Final national cyber security strategy november 2014vikawotar
This document outlines Mauritius' National Cyber Security Strategy for 2014-2019. It establishes the vision, mission and goals for cyber security, which include securing cyberspace against cybercrime, enhancing resilience to cyber attacks, developing efficient collaboration models between authorities and businesses, and improving cyber expertise and awareness. The strategy proposes a governance structure and defines the roles of key stakeholders like the Ministry of ICT, National Cyber Security Committee, National CERT, law enforcement, regulatory bodies, critical sectors, and academia. It presents strategic guidelines to achieve the goals, focusing on defense, resilience, collaboration, and capacity building. The importance of the strategy is to effectively manage cyber threats and risks through a coordinated national approach.
This document discusses cybersecurity risks facing institutions and proposes countermeasures. It begins by explaining how the expansion of cyber space has increased cyber risks and how most countries have developed national cybersecurity strategies in response. However, it notes that institutions also need their own robust cybersecurity strategies to protect against modern cyber threats targeting both infrastructure and personnel.
The document then presents a case study analyzing how open source intelligence (OSINT) techniques using social media and other online sources can expose sensitive personal and institutional data. It demonstrates how cyber criminals could potentially gather usernames, email addresses, location data and other metadata about employees and systems.
Finally, it recommends several countermeasures institutions should take. These include educating employees about metadata risks, implementing
The mission of the IC3 is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated criminal activity, and to develop effective alliances with industry partners. Information is analyzed and disseminated for investigative and intelligence purposes, for law enforcement, and for public awareness.
Credit is due to all original authors and no financial gain was made from the report, Simply sharing an interesting story for educational purposes,
The 2018 Internet Crime Report from the FBI's Internet Crime Complaint Center (IC3) summarizes internet crime complaints received in 2018. It reports that IC3 received over 351,936 complaints involving losses over $2.7 billion. The top crime types reported were non-payment/non-delivery, extortion, and personal data breach. In 2018, IC3 established a Recovery Asset Team to help recover funds from business email compromise schemes and created new Victim Specialist positions to provide support to victims of internet crimes.
The National Highway Traffic Safety Administration conducted research on cybersecurity best practices across several industries, including information technology, telecommunications, aviation, industrial control systems, energy, medical devices, and automotive. The research found that cybersecurity is best addressed as a life-cycle process including assessment, design, implementation, and operations. It is important to perform risk assessments to identify vulnerabilities in systems and quantify risks. Industries have developed guidelines specific to their needs based on this approach.
Are NIST standards clouding the implementation of HIPAA security risk assessm...David Sweigert
The HIPAA Security Rule (at 45 C.F.R. §164.308(a)(1)(ii)(A)) requires an initial security risk analysis according to risk analysis guidance issued by HHS/OCR based on NIST standards.
OCR Audit Protocols for Risk Analysis are clear! CMS, as planned, has launched audits of organizations who have attested to Meaningful Use Objectives and Risk Analyses will be audited. Have you completed a bona fide HIPAA Security Risk Analysis?
Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Gove...xstokes825
The document establishes procedures for federal entities to receive, process, and disseminate cyber threat indicators and defensive measures under the Cybersecurity Information Sharing Act of 2015 (CISA). It describes the Department of Homeland Security's Automated Indicator Sharing capability which allows real-time exchange of indicators and defensive measures between federal entities and qualifying non-federal entities using machine-to-machine specifications. It also provides guidance on submitting indicators through non-automated means and outlines auditing and sanction requirements for unauthorized use of shared information.
Cybersecurity Guide for the State of Washington Critical Infrastructure_9_2015tmuehleisen
This document provides a summary of key recommendations for improving cybersecurity practices for critical infrastructure organizations in Washington state. It recommends instituting cybersecurity at all levels of an organization, identifying important assets and risks, developing security policies, sharing threat information with peers, conducting risk management, managing vendors' access to systems, detecting and responding to incidents, and utilizing state and federal cybersecurity resources for assistance. The document is intended to help critical infrastructure organizations establish effective cybersecurity programs.
12 part framework to structure safety assessment for autonomous drivingZiaullah Mirza
The document provides voluntary guidance from the National Highway Traffic Safety Administration (NHTSA) to support the safe development and deployment of Automated Driving Systems (ADS). It outlines 12 safety elements that entities developing ADS should consider, including system safety, object and event detection, fallback procedures, validation methods, cybersecurity, and data recording. The guidance encourages entities to disclose voluntary safety self-assessments and emphasizes that safety remains the top priority for ADS. It is intended to help industry develop best practices without establishing compliance requirements.
Since announcing its “Cloud First” policy in 2010, the Federal government has correctly identified cloud computing as a way to reduce costs and improve the use of existing assets, and has accordingly prioritized its adoption. It has also taken judicious steps to protect Federal networks from nefarious cyber-attacks and promote the dissemination of best practices for cybersecurity. The Federal government has also embraced mobility as a means to conduct work from any location. But until now, the implementation of these initiatives has been fragmented and lacked coordination across Federal agencies. This paper offers a framework for integrating these programs in a way that enables the Federal government to realize the economic, technological, and mission-effectiveness benefits of cloud services while simultaneously meeting current Federal cybersecurity
requirements. It advocates shifting from a compliance-based cybersecurity paradigm to
one that is risk-based and focusing on how to most effectively secure their implementation of cloud services.
Whitepaper best practices for integrated physical security supporti…Basavaraj Dodamani
The document discusses best practices for integrated physical security capabilities to support Massachusetts'
Enterprise Physical & Environmental Security Policy. It recommends physical security and monitoring solutions
that meet the policy's requirements. Key recommendations include implementing strong access controls,
internal monitoring systems, and other security measures to deter threats, detect issues, and enable rapid
response. Compliance with the policy helps organizations protect assets, data, and IT resources from security
risks.
NIST 800-125 a DRAFT (HyperVisor Security)David Sweigert
This document provides security recommendations for hypervisor deployment. It discusses architectural choices for hypervisors, including whether the hypervisor is installed on bare metal or another OS, and whether it uses hardware or software for virtualization support. It also covers potential threats related to the hypervisor's baseline functions, such as execution isolation for VMs and device emulation. The document then provides security recommendations based on these architectural choices and hypervisor functions. It focuses recommendations on device emulation and access control, as well as VM management functions like memory and CPU allocation, image management, and security monitoring of VMs.
1. The document discusses the NIST Framework for improving critical infrastructure cybersecurity that was mandated by an Executive Order from President Obama. It outlines the development process for the Framework, which included input from various industries.
2. The Framework takes a risk-based approach and includes five cybersecurity functions along with implementation levels. It references existing cybersecurity standards and guidelines.
3. Privacy concerns were addressed through a subgroup that conducted the first SmartGrid privacy impact assessment. Recommendations included transparency, privacy impact assessments, and training for workers with access to personal information.
The document summarizes a White House report titled the "Blueprint for an AI Bill of Rights" which outlines five principles for developing and using automated systems in a way that protects civil rights and democratic values. It was created through public engagement and consultation to address issues like bias, lack of transparency, and privacy concerns with existing automated systems. The report provides guidance for governments, companies and others on incorporating these principles into policies, practices and technological design to ensure AI and new technologies benefit rather than harm the American public.
Approved for public release; distribution is unlimited. Sy.docxjewisonantone
This document provides an overview of innovative uses of social media in emergency management based on case studies and literature review. It finds that public safety organizations are increasingly using social media to engage with communities before, during, and after emergencies to share timely information and gain situational awareness. The case studies highlight how government agencies and non-profits collaborated with communities through social media during recent natural disasters like hurricanes, earthquakes, floods and wildfires to coordinate responses and distribute updates. The document also outlines best practices for social media implementation identified in literature, including developing strategic and policy frameworks, actively monitoring content, and using mapping tools to provide visual context.
Approved for public release; distribution is unlimited. Sy.docxfestockton
Approved for public release; distribution is unlimited.
System Assessment and Validation for Emergency Responders (SAVER)
Innovative Uses of Social Media in
Emergency Management
September 2013
Prepared by Space and Naval Warfare Systems Center Atlantic
The Innovative Uses of Social Media in Emergency Management report was funded under
Interagency Agreement No. HSHQDC-07-X-00467 from the U.S. Department of
Homeland Security, Science and Technology Directorate.
The views and opinions of authors expressed herein do not necessarily reflect those of the
U.S. Government.
Reference herein to any specific commercial products, processes, or services by trade
name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its
endorsement, recommendation, or favoring by the U.S. Government.
The information and statements contained herein shall not be used for the purposes of
advertising, nor to imply the endorsement or recommendation of the U.S. Government.
With respect to documentation contained herein, neither the U.S. Government nor any of
its employees make any warranty, express or implied, including but not limited to the
warranties of merchantability and fitness for a particular purpose. Further, neither the
U.S. Government nor any of its employees assume any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus, product, or
process disclosed; nor do they represent that its use would not infringe privately owned
rights.
Cover images are courtesy of Federal Emergency Management Agency (FEMA) News
Photos.
Approved for public release; distribution is unlimited.
i
FOREWORD
The U.S. Department of Homeland Security (DHS) established the System Assessment and
Validation for Emergency Responders (SAVER) Program to assist emergency responders
making procurement decisions. Located within the Science and Technology Directorate (S&T)
of DHS, the SAVER Program conducts objective assessments and validations on commercial
equipment and systems and provides those results along with other relevant equipment
information to the emergency response community in an operationally useful form. SAVER
provides information on equipment that falls within the categories listed in the DHS Authorized
Equipment List (AEL). The SAVER Program mission includes:
Conducting impartial, practitioner-relevant, operationally oriented assessments and
validations of emergency responder equipment; and
Providing information, in the form of knowledge products, that enables decision-makers
and responders to better select, procure, use, and maintain emergency responder
equipment.
Information provided by the SAVER Program will be shared nationally with the responder
community, providing a life- and cost-saving asset to DHS, as well as to Federal, state, and local
responders.
The SAVER Program is supported by a network of Technical Agents who perf ...
Implementation of NIST guidelines for the CISO / ISO / Privacy OfficerDavid Sweigert
This document summarizes the Federal Information Security Management Act (FISMA) reporting requirements and the National Institute of Standards and Technology (NIST) Special Publication 800-37 guidelines for certification and accreditation (C&A) of federal information systems. It outlines the four phases of the C&A process - initiation, security certification, security accreditation, and continuous monitoring. The purpose is to provide guidance to information security managers on applying the NIST risk management framework to comply with FISMA and ensure adequate security of federal information systems.
FACT SHEET: FEDERAL AUTOMATED VEHICLES POLICY OVERVIEWFabMob
The primary focus of the policy is on highly automated vehicles (HAVs), or those in which the vehicle can take full control of the driving task in at least some circumstances. Portions of the policy also apply to lower levels of automation, including some of the driver-assistance systems already being deployed by automakers today.
Analyze:
1. Foreign Stock
a. Samsung Electronics LTD. (Korean Stock Exchange)
b. Focus on phone explosions
*Monitor their performance throughout the semester (begin: 9/15/2016, end: 12/2/2016), reflecting on the performance of each at the end of the semester, and providing a forward looking discussion of their prospects as of end of the semester.
→ what happened, why, recommendation/opinion (hold, sell), future performance
*the more graphs/data the better!!
Grading of the project will be based on the following criteria: (1) the neatness of the written report, (2) the extensiveness and relevance of research information gathered regarding each asset, (3) the inclusion of your own opinions and observations in the report
Fill this out:
Price Information on Holdings
Foreign Stock
Ticker
Beginning Value on __/__/___
in Local Currency
Exchange Rate of Local Currency with USD on __/__/____
Beginning Value on __/__/___
in USD
Ending Value on __/__/___
in Local Currency on __/__/____
Exchange Rate of Local Currency with USD on __/__/____
Ending Value on __/__/___
in USD
Percentage Change in the Value of Local Currency
Percentage Change in the Value of Stock in Local Currency
Percentage Change in the Value of Stock in USD
Framework for Improving
Critical Infrastructure Cybersecurity
Version 1.0
National Institute of Standards and Technology
February 12, 2014
February 12, 2014 Cybersecurity Framework Version 1.0
Table of Contents
Executive Summary .........................................................................................................................1
1.0 Framework Introduction .........................................................................................................3
2.0 Framework Basics...................................................................................................................7
3.0 How to Use the Framework ..................................................................................................13
Appendix A: Framework Core.......................................................................................................18
Appendix B: Glossary....................................................................................................................37
Appendix C: Acronyms .................................................................................................................39
List of Figures
: Framework Core Structure .............................................................................................. 7
Figure 1
Figure 2: Notional Information and Decision Flows within an Organization .............................. 12
List of Tables
Table 1: Function and Category Unique Identifiers ..................................................................... 19
Table 2: Framework Core ..................................................................................................
Please don’t give me a two to three sentence replies. It has to lo.docxmattjtoni51554
Please don’t give me a two to three sentence replies. It has to look burky. At least 7 to 8 sentences. Thank you
Reply needed 1
john,
You provided a great explanation of what the MS-ISAC does for the organizations that it supports. Cities have a daunting task of trying to comply with federal regulations and laws as it tries to secure all of the sensitive data that it stores. There are several organizations that cities can partner up with to enhance security of their networks such as Cyber Security Research Alliance (CSRA), Microsoft, MITRE, and more. These partners can assist in planning and developing networks and other smart services. By partnering up with different organizations it will allow them to combat the many threats it faces.
Hall, A. (2015, February 03). Microsoft partners with cities and governments to improve cybersecurity for citizens. Retrieved July 04, 2016, from https://blogs.microsoft.com/cybertrust/ 2015/02/03/microsoft-partners-with-cities-and-governments-to-improve-cybersecurity-for-citizens/
Partnership. (n.d.). Retrieved July 04, 2016, from https://www.mitre.org/capabilities/ cybersecurity/partnership
Reply needed 2
With such resources available it’s hard to believe cyber-attacks are continuously successful at such a high rate. Swimlane.com published shocked 2015 stats and the numbers are enormous. To name a couple, there were over $169 million personal records compromised and some companies lost and upward of $300 for every personal record lost (Cornell, 2016). I’m also curious to know what type of insurance is provided by cybersecurity companies such as MS-ISAC. If a company suffers a loss due to a cyber breach with their operation were under the monitoring and maintenance of such a company, does the company cover the cost? Something I’ll research.
R,
E.W.
Reply needed 3
Hard to believe. Really. Do you know anyone that goes against their company policies and checks their personal email or better yet has to check their Facebook page? What about someone that clicks on a link within an email from a bank they do not have an account with. All the security controls in the world will not work if users of the system can circumvent them. Sure companies and agencies can automate and lock down most things; however, they try to maintain some level of balance for their workers so they accept a certain level of risks. Remember security is a responsibility of everyone not just cyber security and IT professionals.
Reply needed 4
Working with the Multi-State Information Sharing and Analysis Center (MS-ISAC)
States collect, process, transmit, and store large amounts of private information about individuals and businesses and require assistance with cyber threat prevention, protection, response and recovery of this data (CIS 2016). MS-ISAC assist state governments with improving their overall cyber security posture, by providing opportunities for collaboration and information sharing among members, private sector partners a.
This document provides an overview of safety target setting requirements and coordination processes between State DOTs, SHSOs, and MPOs. Key points include:
- MAP-21/FAST Act require States and MPOs to set annual targets for 5 safety performance measures. Targets must be identical for 3 common measures between State DOTs and SHSOs.
- Coordination is important given the need to consider both engineering and non-engineering strategies. The target setting process is shifting to be co-led by State DOTs and SHSOs, including MPOs.
- MPOs must establish targets within 180 days of State targets and can either set their own numerical targets or agree to support the
This document summarizes the results of a survey of standards and best practices used to ensure successful information resource projects. The survey examined practices in the public sector, including federal and state governments, and private sector organizations. Commonly used standards identified include the Capability Maturity Model, Project Management Body of Knowledge, software engineering standards, and ISO 9000 quality standards. State usage of these standards varies, with some states explicitly using standards more than others. Critical success factors for information resource projects identified in research include clear goals and support, detailed planning, stakeholder involvement, adequate resources and expertise, and monitoring progress. The survey findings can help organizations better apply standards and practices to deliver projects on time and on budget.
(U fouo) committee on national security systems supply chain risk management ...PublicLeaker
This document provides policy for the U.S. Government to develop an initial capability for supply chain risk management (SCRM) for National Security Systems. It establishes minimum requirements for identifying and managing supply chain risks early in a system's lifecycle through threat-informed acquisition and engineering practices. Departments and agencies must develop SCRM strategies and capabilities to protect critical systems from supply chain threats.
(U fouo) committee on national security systems supply chain risk management ...PublicLeaks
This document provides guidance for implementing Supply Chain Risk Management (SCRM) capabilities to protect National Security Systems from risks in the commercial technology supply chain. It assigns responsibilities to government departments to develop SCRM strategies and initial capabilities within one year. The strategies are to integrate SCRM practices into system lifecycles using threat information to assess risks to mission-critical components. Full SCRM capabilities are to be implemented within six years to identify and manage supply chain risks throughout the design, development, manufacturing and maintenance of critical systems.
Similar to Dr Dev Kambhampati | Cybersecurity Best Practices for Modern Vehicles (20)
This document summarizes the history and current state of China's economic rise over the past 40 years since implementing market reforms in 1979. It describes how China has transitioned from a poor, centrally planned economy to become the world's largest economy based on purchasing power parity. However, China still faces major economic challenges including transitioning to a free market system, rebalancing its economy away from exports and investment towards domestic consumption, reducing debt and overcapacity, and addressing environmental and corruption issues. The rapid growth of the Chinese economy has significant implications for the US and is an important issue for Congress.
Specialty drugs are one of the fastest growing areas of health care spending in the United States. There is no single definition but they are generally expensive drugs that treat complex conditions like cancer and hepatitis C and often require special administration. Spending on specialty drugs increased 26.5% in 2014 and they now account for about one-third of total US prescription drug spending. This growth raises issues for private insurers and government programs who are trying to control costs while still providing access to important treatments. Insurers use strategies like higher copays, prior authorization requirements, and limiting coverage to the sickest patients to manage specialty drug utilization.
The document summarizes the process by which the FDA approves new drugs for use and regulates drugs post-approval. It discusses how drugs are tested in clinical trials through an investigational new drug application and new drug application. It then outlines the FDA's role in reviewing applications and ensuring safety and effectiveness. Finally, it describes the FDA's ongoing role in regulating approved drugs, including product quality, labeling, adverse event reporting, and risk management. The House passed legislation that would reauthorize FDA drug user fee programs and make changes to the drug approval process.
The document summarizes FDA regulation of medical devices in the United States. It discusses that many medical devices must undergo premarket review by the FDA to be legally marketed. Devices are classified based on risk, and moderate and high-risk devices must receive FDA clearance or approval prior to marketing, usually via the 510(k) or premarket approval (PMA) processes. Concerns have been raised about FDA's device review processes and oversight of marketed devices based on reports of device problems causing injuries.
This document provides an overview of frequently asked questions about prescription drug pricing and policy in the United States. It discusses key topics such as how much the US spends on prescription drugs annually, factors contributing to increases in drug spending, the role of government programs in drug coverage, and policies around pharmaceutical research and marketing. The document contains data on US drug spending trends, the share of spending from different sources, international comparisons, and the impact of publicly funded research. It aims to give Congress a broad understanding of issues related to prescription drug costs and availability.
This document provides an overview of carbon capture and sequestration (CCS) projects in the United States. It summarizes three large CCS power plants: the Petra Nova plant in Texas, which began operations in 2017 and captures 1.4-1.6 million tons of CO2 annually; the Kemper County plant in Mississippi, which suspended its CCS operations in 2017 due to cost overruns and delays; and the Boundary Dam plant in Canada, which captures around 1 million tons of CO2 annually. It also discusses legislation and funding for CCS, and provides a primer on the CCS process.
The document provides an overview of the Arctic National Wildlife Refuge (ANWR) and the ongoing debate over whether to allow energy development in the refuge. It discusses the history and establishment of ANWR, the potential energy resources within the refuge including oil and natural gas, the biological resources and native interests, and the options for both protecting and developing the refuge. Key points of contention have been over whether to allow drilling in the 1.57 million acre Coastal Plain area, which supporters view as promising for oil but others want to protect for its wildlife and subsistence values.
NIST Guide- Situational Awareness for Electric UtilitiesDr Dev Kambhampati
This document is a draft of a NIST special publication providing guidance on situational awareness solutions for electric utilities. It includes an executive summary, approach, architecture, and security characteristics for implementing situational awareness. The publication describes a NCCoE project that developed an example solution to converge monitoring across IT, operational technology, and physical access systems in order to improve utilities' ability to detect cyberattacks and security incidents. The solution is presented as a modular guide to help utilities implement standards-based technologies in a risk-based manner to gain efficiencies in monitoring, identification, and response to cyber incidents.
Dr Dev Kambhampati | Cybersecurity Guide for UtilitiesDr Dev Kambhampati
This document provides guidance for small and under-resourced utilities to improve cybersecurity, reliability, and resilience. It finds that existing guidance documents are not always scalable to small utilities due to challenges like limited resources, staff expertise, and information sharing. It recommends tailoring approaches to individual utility contexts by starting simply and growing programs over time. The document also proposes several forms of federal and mutual assistance to support improvement efforts.
Dr Dev Kambhampati | USA Cybersecurity R&D Strategic PlanDr Dev Kambhampati
This document presents the Federal Cybersecurity Research and Development Strategic Plan, which was developed in response to a requirement in the Cybersecurity Enhancement Act of 2014. The plan outlines the US government's strategic approach to guide Federal investments in cybersecurity research over the next 5 years, with the goals of deterring cyber attacks, protecting systems and data, detecting threats, and helping systems adapt. It emphasizes critical areas like the scientific foundations of security, risk management, human aspects, workforce development and transitioning research into practice. The plan aims to establish a position of assurance, strength and trust in cyber systems through advances in cybersecurity science and engineering.
Dr Dev Kambhampati | USA Artificial Intelligence (AI) R&D Strategic PlanDr Dev Kambhampati
This document establishes a strategic plan for federally-funded artificial intelligence (AI) research and development in the United States. It identifies seven priority strategies for AI R&D investments: 1) making long-term investments in basic AI research, 2) developing methods for human-AI collaboration, 3) understanding ethical and societal implications of AI, 4) ensuring safety and security of AI systems, 5) developing shared public datasets for AI training, 6) establishing standards and benchmarks for measuring AI, and 7) understanding national workforce needs for AI R&D. The plan aims to advance national priorities through AI while minimizing potential negative impacts.
This document presents the Federal Big Data Research and Development Strategic Plan, which outlines seven strategies to guide federal agencies in developing and expanding mission-driven Big Data programs and investments. The strategies address: 1) leveraging emerging Big Data technologies and techniques, 2) exploring trustworthiness of data and knowledge, 3) building research cyberinfrastructure, 4) promoting data sharing and management policies, 5) understanding privacy, security and ethics regarding Big Data, 6) improving national Big Data education and training, and 7) enhancing cross-sector collaboration in the Big Data innovation ecosystem. The overarching goal is to maximize the benefits of Big Data for scientific discovery, research, and informed decision-making.
DARPA has had some success transitioning technologies since 2010, but inconsistently defines and assesses transitions. GAO's analysis identified four key factors for successful transition: military/commercial demand for the technology, sustained DARPA interest in the research area, technology maturity, and partnerships. However, DARPA prioritizes innovation over transition and provides limited transition training and assessment. GAO recommends DARPA regularly assess transition strategies, refine training, and increase sharing of technical data to improve transition success.
NASA Technology Roadmaps- Materials, Structures & ManufacturingDr Dev Kambhampati
This document is NASA's 2015 Technology Roadmap for Materials, Structures, Mechanical Systems, and Manufacturing (TA 12). It identifies technologies needed over the next 20 years to address challenges for deep space exploration, including radiation protection, mass reduction, reliability, and affordability. The roadmap focuses on applied research and development for materials, structures, mechanisms, and manufacturing methods. Advances in these areas are critical to enable future NASA missions and strengthen the US economy through commercial applications. The roadmap was developed in collaboration with industry and academia to identify cutting-edge technologies.
Dr Dev Kambhampati | Tennessee Exports, Jobs & Foreign InvestmentDr Dev Kambhampati
This document summarizes Tennessee's exports, jobs supported by exports, and foreign investment. It finds that in 2015, Tennessee exports supported over 158,000 jobs, up 35,000 since 2009. Tennessee's top export markets are Canada, Mexico, China, and Japan, and its top exported products are transportation equipment, computer and electronic products, chemicals, and machinery. The document also notes that over 7,300 Tennessee companies export goods, with small and medium enterprises accounting for 83% of exporters and 16% of export value. Finally, it states that in 2014 over 139,000 Tennessee workers were employed by foreign-owned companies, most from Japan, the UK, Germany, France and the Netherlands.
The document analyzes the impact of NAFTA on state-level exports in the United States from 1993 to 2003. It finds that exports to NAFTA partners (Canada and Mexico) grew faster than total US exports over this period, increasing their share. By 2003, NAFTA markets accounted for 37% of US merchandise exports, up from 31% in 1993. Texas was the top exporting state to NAFTA partners in 2003, sending $52.4 billion worth of goods, followed by California at $26.1 billion. Six of the top ten state exporters to NAFTA were traditional manufacturing states in the North.
The document discusses the impact of NAFTA on the US chemicals industry over the past 10 years. It finds that US chemical firm exports to Canada increased 38% and exports to Mexico increased 97% from 1992 to 2002. In 2002, US firms captured 71% of Mexico's chemicals import market and 70% of Canada's. NAFTA eliminated tariffs on US chemical imports to Mexico and Canada, providing a competitive advantage. Some US chemical companies have benefited from expanding sales and investment opportunities in Mexico under NAFTA.
This document summarizes a hearing held by the U.S.-China Economic and Security Review Commission on China's 13th Five-Year Plan. The hearing examined:
1) How China will finance its ambitious reform agenda under the 13th Five-Year Plan. Local governments face debt burdens and limited ability to raise funds for reforms.
2) The impact of China's industrial policies on U.S. automotive, aerospace, and semiconductor industries. China supports its domestic firms through subsidies and restrictions to acquire foreign technology.
3) Opportunities and challenges for U.S. companies to compete in China's expanding consumer and services markets.
The hearing discussed financing China's reforms, challenges
Chinese Investments in the USA: Impacts & Issues for PolicymakersDr Dev Kambhampati
This document provides background information for a hearing held by the U.S.-China Economic and Security Review Commission on January 26, 2017 regarding Chinese investment in the United States. The hearing had three panels that examined trends in Chinese investment, case studies of investments in different industries, and Chinese firms listed on U.S. stock exchanges. Witnesses included economists, legal and business experts, and representatives from think tanks. The commissioners sought to evaluate the impacts of Chinese investments and identify any issues for U.S. policymakers. The hearing was intended to inform the commission's annual report to Congress on U.S.-China relations and their implications for U.S. security.
China's Pursuit of Next Frontier Tech- Computing, Robotics & BiotechnologyDr Dev Kambhampati
The panel discussed China's pursuit of leadership in computing technologies. China has rapidly expanded its high-performance computing capabilities in recent decades, now having the world's two fastest supercomputers. It is also expected to deploy an exascale computer before the United States, which would be ten times faster than the current fastest system. The panel examined China's policies supporting domestic firms and restricting foreign competition to develop its own computing champions. While China is aggressively closing the technology gap, U.S. leadership is not assured given its continued strengths in expertise, research, and innovation if provided the right support. The implications of China's computing ambitions for U.S. economic and national security interests were also assessed.
PPT on Direct Seeded Rice presented at the three-day 'Training and Validation Workshop on Modules of Climate Smart Agriculture (CSA) Technologies in South Asia' workshop on April 22, 2024.
Mending Clothing to Support Sustainable Fashion_CIMaR 2024.pdfSelcen Ozturkcan
Ozturkcan, S., Berndt, A., & Angelakis, A. (2024). Mending clothing to support sustainable fashion. Presented at the 31st Annual Conference by the Consortium for International Marketing Research (CIMaR), 10-13 Jun 2024, University of Gävle, Sweden.
ESR spectroscopy in liquid food and beverages.pptxPRIYANKA PATEL
With increasing population, people need to rely on packaged food stuffs. Packaging of food materials requires the preservation of food. There are various methods for the treatment of food to preserve them and irradiation treatment of food is one of them. It is the most common and the most harmless method for the food preservation as it does not alter the necessary micronutrients of food materials. Although irradiated food doesn’t cause any harm to the human health but still the quality assessment of food is required to provide consumers with necessary information about the food. ESR spectroscopy is the most sophisticated way to investigate the quality of the food and the free radicals induced during the processing of the food. ESR spin trapping technique is useful for the detection of highly unstable radicals in the food. The antioxidant capability of liquid food and beverages in mainly performed by spin trapping technique.
The technology uses reclaimed CO₂ as the dyeing medium in a closed loop process. When pressurized, CO₂ becomes supercritical (SC-CO₂). In this state CO₂ has a very high solvent power, allowing the dye to dissolve easily.
ESA/ACT Science Coffee: Diego Blas - Gravitational wave detection with orbita...Advanced-Concepts-Team
Presentation in the Science Coffee of the Advanced Concepts Team of the European Space Agency on the 07.06.2024.
Speaker: Diego Blas (IFAE/ICREA)
Title: Gravitational wave detection with orbital motion of Moon and artificial
Abstract:
In this talk I will describe some recent ideas to find gravitational waves from supermassive black holes or of primordial origin by studying their secular effect on the orbital motion of the Moon or satellites that are laser ranged.
EWOCS-I: The catalog of X-ray sources in Westerlund 1 from the Extended Weste...Sérgio Sacani
Context. With a mass exceeding several 104 M⊙ and a rich and dense population of massive stars, supermassive young star clusters
represent the most massive star-forming environment that is dominated by the feedback from massive stars and gravitational interactions
among stars.
Aims. In this paper we present the Extended Westerlund 1 and 2 Open Clusters Survey (EWOCS) project, which aims to investigate
the influence of the starburst environment on the formation of stars and planets, and on the evolution of both low and high mass stars.
The primary targets of this project are Westerlund 1 and 2, the closest supermassive star clusters to the Sun.
Methods. The project is based primarily on recent observations conducted with the Chandra and JWST observatories. Specifically,
the Chandra survey of Westerlund 1 consists of 36 new ACIS-I observations, nearly co-pointed, for a total exposure time of 1 Msec.
Additionally, we included 8 archival Chandra/ACIS-S observations. This paper presents the resulting catalog of X-ray sources within
and around Westerlund 1. Sources were detected by combining various existing methods, and photon extraction and source validation
were carried out using the ACIS-Extract software.
Results. The EWOCS X-ray catalog comprises 5963 validated sources out of the 9420 initially provided to ACIS-Extract, reaching a
photon flux threshold of approximately 2 × 10−8 photons cm−2
s
−1
. The X-ray sources exhibit a highly concentrated spatial distribution,
with 1075 sources located within the central 1 arcmin. We have successfully detected X-ray emissions from 126 out of the 166 known
massive stars of the cluster, and we have collected over 71 000 photons from the magnetar CXO J164710.20-455217.
The binding of cosmological structures by massless topological defectsSérgio Sacani
Assuming spherical symmetry and weak field, it is shown that if one solves the Poisson equation or the Einstein field
equations sourced by a topological defect, i.e. a singularity of a very specific form, the result is a localized gravitational
field capable of driving flat rotation (i.e. Keplerian circular orbits at a constant speed for all radii) of test masses on a thin
spherical shell without any underlying mass. Moreover, a large-scale structure which exploits this solution by assembling
concentrically a number of such topological defects can establish a flat stellar or galactic rotation curve, and can also deflect
light in the same manner as an equipotential (isothermal) sphere. Thus, the need for dark matter or modified gravity theory is
mitigated, at least in part.
2. Suggested APA Format Citation:
National Highway Traffic Safety Administration. (2016, October). Cybersecurity
best practices for modern vehicles. (Report No. DOT HS 812 333).
Washington, DC: Author.
3. 3
Cybersecurity Best Practices for Modern Vehicles
Table of Contents
1 Purpose of This Document.......................................................................................................... 5
2 Scope.................................................................................................................................................. 5
3 Background...................................................................................................................................... 6
4 Definitions........................................................................................................................................ 8
5 General Cybersecurity Guidance............................................................................................. 10
5.1 Layered Approach................................................................................................................. 10
5.2 Information Technology Security Controls...................................................................11
6 Automotive Industry Cybersecurity Guidance.................................................................... 12
6.1 Vehicle Development Process With Explicit Cybersecurity Considerations....... 12
6.2 Leadership Priority on Product Cybersecurity............................................................. 12
6.3 Information Sharing............................................................................................................ 13
6.4 Vulnerability Reporting/Disclosure Policy.................................................................... 14
6.5 Vulnerability / Exploit / Incident Response Process................................................... 14
6.6 Self-Auditing.......................................................................................................................... 15
6.6.1 Risk Assessment............................................................................................................. 15
6.6.2 Penetration Testing and Documentation............................................................... 16
6.6.3 Self-Review...................................................................................................................... 16
6.7 Fundamental Vehicle Cybersecurity Protections.........................................................17
6.7.1 Limit Developer/Debugging Access in Production Devices..............................17
6.7.2 Control Keys.....................................................................................................................17
6.7.3 Control Vehicle Maintenance Diagnostic Access..................................................17
6.7.4 Control Access to Firmware........................................................................................ 18
6.7.5 Limit Ability to Modify Firmware.............................................................................. 18
6.7.6 Control Proliferation of Network Ports, Protocols and Services...................... 19
4. Cybersecurity Best Practices for Modern Vehicles
4
6.7.7 Use Segmentation and Isolation Techniques in Vehicle Architecture
Design............................................................................................................................... 19
6.7.8 Control Internal Vehicle Communications............................................................ 19
6.7.9 Log Events........................................................................................................................20
6.7.10 Control Communication to Back-End Servers....................................................20
6.7.11 Control Wireless Interfaces.......................................................................................20
7 Education.......................................................................................................................................20
8 Aftermarket Devices....................................................................................................................20
9 Serviceability................................................................................................................................. 21
5. 5
Cybersecurity Best Practices for Modern Vehicles
1. Purpose of This Document
This document describes the National Highway Traffic Safety Administration’s non-
binding guidance to the automotive industry for improving motor vehicle cybersecurity.
Vehicles are cyber-physical systems1
and cybersecurity vulnerabilities could impact
safety of life. Therefore, NHTSA’s authority would be able to cover vehicle cybersecurity,
even though it is not covered by an existing Federal Motor Vehicle Safety Standard at
this time. Nevertheless, motor vehicle and motor vehicle equipment manufacturers are
required by the National Traffic and Motor Vehicle Safety Act, as amended, to ensure that
systems are designed free of unreasonable risks to motor vehicle safety, including those
that may result due to existence of potential cybersecurity vulnerabilities.2
NHTSA believes that it important for the automotive industry to make vehicle
cybersecurity an organizational priority. This includes proactively adopting and using
available guidance such as this document and existing standards and best practices.
Prioritizing vehicle cybersecurity also means establishing other internal processes
and strategies to ensure that systems will be reasonably safe under expected real-
world conditions, including those that may arise due to potential vehicle cybersecurity
vulnerabilities.
The automotive cybersecurity environment is dynamic and is expected to change
continually and, at times, rapidly. NHTSA believes that the voluntary best practices
described in this document provide a solid foundation for developing a risk-based
approach and important processes that can be maintained, refreshed and updated
effectively over time to serve the needs of the automotive industry.
2. Scope
This document is intended to cover cybersecurity issues for all motor vehicles3
and
therefore applicable to all individuals and organizations manufacturing and designing
vehicle systems and software. These entities include, but are not limited to, motor
vehicle and motor vehicle equipment designers, suppliers, manufacturers, alterers, and
modifiers.
1 National Science Foundation defines cyber-physical systems (CPS) as engineered systems
that are built from, and depend upon, the seamless integration of computational algorithms and
physical components.
2 49 U.S.C. 30101 et seq.
3 “Motor vehicle” means a vehicle driven or drawn by mechanical power and manufactured
primarily for use on public streets, roads, and highways. See 49 U.S.C. § 30102(a)(6).
6. Cybersecurity Best Practices for Modern Vehicles
6
3. Background
A top United States Department of Transportation priority is enhancing vehicle
cybersecurity to mitigate cyber threats that could present unreasonable safety risks to
the public or compromise sensitive information such as consumers' personal data.4
On behalf of USDOT, NHTSA is actively engaged in vehicle cybersecurity research
and employs a proactive and collaborative approach to protect vehicle owners from
safety-related cybersecurity risks. NHTSA has been actively engaging stakeholders and
working to broadly enhance cybersecurity capabilities. The following are examples of
recent actions NHTSA has taken:
•• Used NHTSA’s enforcement authority to recall5
almost 1.5 million vehicles in July
2015 due to cybersecurity vulnerabilities that NHTSA believed represented an
unreasonable risk to safety.
•• Submitted a report, Electronic Systems Performance in Passenger Motor Vehicles,6
4 As defined in Section 4 of the White House Consumer Privacy Bill of Rights, available at
www.whitehouse.gov/sites/default/files/omb/legislative/letters/cpbr-act-of-2015-discussion-
draft.pdf, the Agency views as personal data: “data that are under the control of a covered entity,
not otherwise generally available to the public through lawful means, and are linked, or as a
practicable matter linkable by the covered entity, to a specific individual, or linked to a device
that is associated with or routinely used by an individual.” Similarly, in a recent comment to the
Federal Communications Commission, Federal Trade Commission (FTC) staff recommended
that the definition of personally identifiable information (PII) include only data that is linked or
“reasonably” linkable to an individual. https://www.ftc.gov/system/files/documents/advocacy_
documents/comment-staff-bureau-consumer-protection-federal-trade-commission-federal-
communications-commission/160527fcccomment.pdf. Additionally, the National Institute
for Standards and Technology defines personally identifiable information as “any information
about an individual, including (1) any information that can be used to distinguish or trace an
individual‘s identity, such as name, social security number, date and place of birth, mother‘s
maiden name, or biometric records; and (2) any other information that is linked or linkable to an
individual, such as medical, educational, financial, and employment information.” McAllister,
E., Grance, T., & Scarfone, K. (2010, April). Guide to Protecting the Confidentiality of Personally
Identifiable Information (PII) (NIST Special Publication 800-122). Gaithersburg, MD: National
Institute of Standards and Technology.
Available at http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf NHTSA also
encourages manufacturers to review the Federal Trade Commission’s educational resources on
security and protecting personal information. Start with Security: A Guide for Business (June
2015), available at www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-
business and Protecting Personal Information: A Guide for Business (Nov. 2011), available at www.
ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business
5 NHTSA Recall Campaign Number 15V461000.
6 NHTSA. (2015, December). Electronic systems performance in passenger motor vehicles:
Report to Congress. Washington, DC: Author. Available at www.nhtsa.gov/staticfiles/laws_regs/
pdf/Electronic-Systems-Performance-in-Motor%20Vehicles.pdf
7. 7
Cybersecurity Best Practices for Modern Vehicles
to Congress in January 2016 that included the results of NHTSA’s examination of
the need for safety standards with regard to electronic systems in passenger motor
vehicles, including “security needs for those electronic components to prevent
unauthorized access.”
•• Convened a public vehicle cybersecurity roundtable meeting7
in January 2016 to
facilitate diverse stakeholder discussion on key vehicle cybersecurity topics. Over
300 people attended this meeting. These attendees represented more than 200
unique organizations including 17 original equipment manufacturers (OEMs), 25
government entities, and 13 industry associations. During the roundtable meeting,
the stakeholder groups identified actionable steps for the vehicle manufacturing
industry to effectively and expeditiously address vehicle cybersecurity challenges.
•• Held a follow-on meeting with other government agencies in February 2016 to
discuss possibilities for collaboration among Federal partners to help the industry
improve vehicle cybersecurity.
•• Finalized an agreement with 18 automakers in January 2016, on proactive
safety principles, including an objective to “explore and employ ways to work
collaboratively in order to mitigate cyber threats that could present unreasonable
safety risks.”8
•• Published the NHTSA Federal Automated Vehicles Policy9
in September 2016,
which considers vehicle cybersecurity as one of the important safety areas in the
Vehicle Performance Guidance for automated vehicles.
Motor vehicle and equipment manufacturers, suppliers, and other industry stakeholders
have also been active in their efforts to contribute to improving the security posture of
motor vehicles. These activities include:
•• Developed and published SAE J3061 Recommended Best Practice, Cybersecurity
Guidebook for Cyber-Physical Vehicle Systems, in January 2016.10
7 NHTSA. (2016, January 19). Vehicle Cybersecurity Roundtable (Web page of agenda).
Washington, DC: Author. Available at www.nhtsa.gov/Research/Crash+Avoidance/
NHTSA+Vehicle+Cybersecurity+Roundtable
8 Department of Transportation. (2016, January 15). Proactive safety principles. Washington,
DC: Author. Available at www.transportation.gov/briefing-room/proactive-safety-principles-2016
9 NHTSA. (2016, September). Federal Automated Vehicles Policy: Accelerating the next
revolution in roadway safety. Washington, DC: Author. Available at www.nhtsa.gov/nhtsa/av/pdf/
Federal_Automated_Vehicles_Policy.pdf
10
Society of Automotive Engineers. (2016). SAE Standard J 3061: Cybersecurity Guidebook
for Cyber-Physical Vehicle Systems. (Web page). Warrendale, PA: Author. Available at http://
standards.sae.org/wip/j3061/
8. Cybersecurity Best Practices for Modern Vehicles
8
•• Established the Automotive Information Sharing and Analysis Center11
(Auto ISAC)
in late 2015, which became fully operational in January 2016.
•• Developed a framework12
for automotive cybersecurity best practices, which was
issued in January 2016 by the two trade associations, Alliance of Automobile
Manufacturers and Global Automakers. A subsequent initiative to establish a
robust set of industry cybersecurity best practices built around this framework is
under development by the Auto ISAC in collaboration with the trade associations
targeting summer 2016.
NHTSA supports the industry activities and provides this guidance as a resource
to supplement existing voluntary vehicle cybersecurity standards, principles, best
practices, and lessons learned and help guide future industry efforts. This guidance is
consistent with and builds upon NHTSA’s prior publications on this topic.13 14 15
4. Definitions
Attack Surface is the set of interfaces (the “attack vectors”) where an unauthorized user
can try to enter data to or extract data from a system, or modify a system’s behavior.
Attack Vector refers to the interfaces or paths an attacker uses to exploit a vulnerability.
For instance, an exploit may use an open IP port vulnerability on a variety of different
attack vectors such as Wi-Fi, cellular networks, IP over Bluetooth, etc. Attack vectors
11
McCarthy, C., Harnett, K., Carter, A., & Hatipoglu, C. (2014, October). Assessment of the
information sharing and analysis center model. (Report No. DOT HS 812 076). Washington,
DC: National Highway Traffic Safety Administration. Available at www.nhtsa.gov/Research/
Crash+Avoidance/ci.Office+of+Crash+Avoidance+Research+Technical+Publications.print
12
Alliance of Automobile Manufacturers. (n.a.). Framework for automotive cybersecurity
best practices. Washington, DC: Author. Available at www.autoalliance.org/index.
cfm?objectid=1E518FB0-BEC3-11E5-9500000C296BA163
13
McCarthy, C., Harnett, K., & Carter, A. (2014, October). A summary of cybersecurity
best practices. (Report No. DOT HS 812 075). Washington, DC: National Highway Traffic
Safety Administration. Available at www.nhtsa.gov/Research/Crash+Avoidance/
ci.Office+of+Crash+Avoidance+Research+Technical+Publications.print
14
McCarthy, C., Harnett, K., & Carter, A. (2014, October). Characterization of potential security
threats in modern automobiles: A composite modeling approach. (Report No. DOT HS 812 074).
Washington, DC: National Highway Traffic Safety Administration. Available at www.nhtsa.gov/
Research/Crash+Avoidance/ci.Office+of+Crash+Avoidance+Research+Technical+Publications.
print
15
McCarthy, C., & Harnett, K. (2014, October). National Institute of Standards
and Technology cybersecurity risk management framework applied to modern
vehicles (Report No. DOT HS 812 073). Washington, DC: National Highway Traffic
Safety Administration. Available at www.nhtsa.gov/Research/Crash+Avoidance/
ci.Office+of+Crash+Avoidance+Research+Technical+Publications.print
9. 9
Cybersecurity Best Practices for Modern Vehicles
enable attackers to exploit system vulnerabilities, including the human element.
Automotive refers to “of, relating to, or concerned with motor vehicles in general.”
Binary image or firmware image refers to the sequence of bytes that comprises the
software, both code and data, running on vehicle electronics.
Controller Area Network (CAN) is dominant serial communication network protocol used
for intra-vehicle communication.
Debug is the activity of discovering errors or undesirable actions within computer code.
Digital signing is a mathematical technique used to validate the authenticity and integrity
of a message, software or digital document.
Electronic Control Unit (ECU) is an embedded system that provides a control function
to a vehicle’s electrical system or subsystems through digital computing hardware and
associated software.
Exploit refers to an action that takes advantage of a vulnerability in order to cause
unintended or unanticipated behavior to occur on computer software and/or hardware.
An example of an exploit would be using a diagnostic port vulnerability to take
advantage of a buffer overflow that allows access over Internet Protocol (IP) networks.
Firmware refers to the software code and data that reside on an embedded system, such
as an automotive electronic control system, that implements dedicated functions and
manage system resources (e.g., system input/outputs (I/O) to execute those functions.
Firmware may take a variety of different forms. For example, in some cases “firmware”
may refer to source code while in some cases it may take the form of a binary image
consisting of a file system and compiled code.
Incident is an occurrence that actually or potentially jeopardizes the confidentiality,
integrity, or availability of an information system on a vehicle computing platform
through the use of an exploit.
Public Key Infrastructure refers to a set of policies, processes, server platforms, software,
and workstations used for the purpose of administering certificates and public-private
key pairs, including the ability to issue, maintain, and revoke public key certificates.
Telematics refers to the integration of telecommunications and informatics for intelligent
applications in vehicles, such as fleet management.
10. Cybersecurity Best Practices for Modern Vehicles
10
Vulnerability is a weakness in a system or its associated networks, system security
procedures, internal controls, or implementation that could be exploited to obtain
unauthorized access to system resources. For instance, an open diagnostic port on an
ECU is a vulnerability.
5. General Cybersecurity Guidance
5.1 Layered Approach
NHTSA is focusing on solutions to harden the vehicle’s electronic architecture against
potential attacks and to ensure vehicle systems take appropriate and safe actions, even
when an attack is successful.16
A layered approach to vehicle cybersecurity reduces the probability of an attack’s success
and mitigates the ramifications of a potential unauthorized access.
The automotive industry should follow the National Institute of Standards and
Technology’s documented Cybersecurity Framework,17
which is structured around
the five principal functions “Identify, Protect, Detect, Respond, and Recover,” to build
a comprehensive and systematic approach to developing layered cybersecurity
protections for vehicles.
This approach should:
•• Be built upon risk-based prioritized identification and protection of safety-critical
vehicle control systems and personally identifiable information;
•• Provide for timely detection and rapid response to potential vehicle cybersecurity
incidents in the field;
•• Design-in methods and measures to facilitate rapid recovery from incidents when
they occur; and
•• Institutionalize methods for accelerated adoption of lessons learned across the
industry through effective information sharing, such as through participation in
the Auto ISAC.
16
NHTSA. (n.a.). NHTSA and Vehicle Cybersecurity. Washington, DC: Author. Available
at www.nhtsa.gov/staticfiles/administration/pdf/presentations_speeches/2015/NHTSA-
VehicleCybersecurity_07212015.pdf
17
National Institute of Standards and Technology. (2014, February 12). Framework for
Improving Critical Infrastructure Cybersecurity PowerPoint presentation). Washington, DC:
Author. Available at www.nist.gov/sites/default/files/documents/cyberframework/Cybersecurity-
Framework-for-FCSM-Jan-2016.pdf
11. 11
Cybersecurity Best Practices for Modern Vehicles
5.2 Information Technology Security Controls
NHTSA recommends that the automotive industry review and consider the information
technology (IT) security suite of industry standards, such as the ISO 27000 series
standards, and other best practices, such as the Center for Internet Security’s
(CIS) “Critical Security Controls for Effective Cyber Defense (CIS CSC),18
which are
broadly used in a number of other sectors, such as the Financial Sector, Energy,
Communications, and Information Technology.19
Because these standards and controls are designed primarily for IT networks and
network services, they are directly applicable to, and should be considered and used, to
improve the cybersecurity of IT infrastructures for the vehicle controller development,
dealer and service environments, and the supply-chain as they are applicable.
In particular, the CIS CSC enumerates 20 high-priority areas for cybersecurity
protections based on actual attack data pulled from a variety of threat sources, primarily
against IT networks. The CIS CSC discusses the internet, private computer networks,
and the connections between them, rather than automotive networks and devices,
which can present different risks. However, most of the controls within the CIS CSC
framework may be adopted for use in the automotive realm. For example, CIS CSC #1
suggests creating an inventory of connected devices, which, in the automotive context,
would be all vehicles and vehicle equipment that have some form of connectivity to
each other or to other services. While the application of many CIS CSC’s can be straight-
forward, automotive industry members should work out the details of interpretation
and translation with their own cybersecurity teams, either through a standards-setting
organization’s working group or individually.
The industry should also consider the following recommended approach in the CIS CSC:
•• performing cybersecurity gap assessment,
•• developing implementation roadmaps,
•• effectively and systematically executing cybersecurity plans,
•• integrating controls into vehicle systems and business operations, and
•• reporting and monitoring progress through iterative cycles.
18
Center for Internet Security. (2015, October 15). Critical Security Controls for Effective Cyber
Defense (Web page). Arlington, VA: Author. Available at www.cisecurity.org/critical-controls.cfm
19
As an example, the Federal Reserve uses CIS’s Critical Security Controls as a framework
in internal audits. See www.cisecurity.org/critical-controls/documents/Manage%20
Cybersecurity%20Risk%20with%20the%20Critical%20Security%20Controls_12.2.2014.pdf
12. Cybersecurity Best Practices for Modern Vehicles
12
6. Automotive Industry Cybersecurity Guidance
6.1 Vehicle Development Process With Explicit Cybersecurity
Considerations
The automotive industry should follow a robust product development process based on a
systems-engineering approach with the goal of designing systems free of unreasonable
safety risks including those from potential cybersecurity threats and vulnerabilities.
Companies should make cybersecurity a priority by using a systematic and ongoing
process to evaluate risks. This process should give explicit considerations to privacy
and cybersecurity risks through the entire life-cycle of the vehicle. The life-cycle of
a vehicle includes conception, design, manufacture, sale, use, maintenance, resale,
and decommissioning. Safety of vehicle occupants and other road users should be of
primary consideration when assessing risks.
The automotive industry should use guidance, best practices, and design principles
based on or published by NIST, NHTSA, industry associations, Auto ISAC, and
recognized standards-setting bodies. For example, industry should consider SAE
International’s J3061 Recommended Practice Cybersecurity Guidebook for Cyber-
Physical Vehicle Systems20
for adoption.
The process with inherent cybersecurity considerations should include a safety risk
assessment step, which is appropriate for the full life cycle of the vehicle. Once risks have
been prioritized, the automotive industry should develop layers of protection which are
appropriate for the identified risks.
In addition to identifying risks and analyzing potential threats, the automotive
industry should establish rapid detection and remediation capabilities. If a cyber-
attack is detected, the safety risk to vehicle occupants and surrounding road users
should be mitigated and the vehicle should be transitioned to a reasonable risk state.
The automotive industry should also collect information on any potential attack. This
information may be analyzed and shared with industry through the Auto ISAC.
The automotive industry should fully document any actions, changes, design choices,
and analyses. The associated testing data should be traceable within a robust document
version control system.
6.2 Leadership Priority on Product Cybersecurity
It is essential for the automotive industry to create corporate priorities and foster a
culture that is prepared and able to handle increasing cybersecurity challenges.
20
SAE J3061, January 2016, available at http://standards.sae.org/wip/j3061/.
13. 13
Cybersecurity Best Practices for Modern Vehicles
Along this line, NHTSA recommends that companies developing or integrating safety-
critical vehicle systems prioritize vehicle cybersecurity and demonstrate management
commitment to doing so with the following actions:
•• Allocating dedicated resources within the organization focused on researching,
investigating, implementing, testing, and validating product cybersecurity
measures and vulnerabilities;
•• Facilitating seamless and direct communication channels through organizational
ranks related to product cybersecurity matters; and
•• Enabling an independent voice for vehicle cybersecurity related considerations
within the vehicle safety design process.
For example, companies could implement these actions by appointing a high-level
corporate officer exclusively and directly responsible for product cybersecurity and
providing this executive with appropriate staff, authority, and resources.
A top-down emphasis on product cybersecurity demonstrates the seriousness of the
organization in managing cybersecurity risks. This emphasis provides a cybersecurity-
oriented leadership within the organization, and it enables a proactive cybersecurity
culture to develop. In addition, it causes the product development cycle to consider
cybersecurity protections early in the design phases.
6.3 Information Sharing
Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing
strongly encourages the development and formation of industry-specific Information
Sharing and Analysis Organizations and calls on private companies, nonprofit
organizations, executive departments, agencies, and other entities to “share information
related to cybersecurity risks and incidents and collaborate in as close to real time as
possible.”21
In late 2014 NHTSA began encouraging the industry22
to create the Auto ISAC.23
The automotive industry established the Auto ISAC in late 2015 and it became fully
operational on January 19, 2016. While a large number of motor vehicle and equipment
manufacturers are now involved in the Auto ISAC, the agency continues to encourage
all members of the vehicle manufacturing industry to participate in it, and NHTSA also
21
Executive Order No. 13691, Promoting Private Sector Cybersecurity Information Sharing,
80 FR 9347 (Feb. 13, 2015). Available at www.federalregister.gov/articles/2015/02/20/2015-03714/
promoting-private-sector-cybersecurity-information-sharing
22
NHTSA Report to Congress, 2015.
23
McCarthy, Harnett, Carter, & Hatipoglu, 2014.
14. Cybersecurity Best Practices for Modern Vehicles
14
encourages the Auto ISAC to expand its membership domain to include suppliers and
other vehicle segments.
6.4 Vulnerability Reporting/Disclosure Policy
NHTSA supports additional mechanisms for information sharing, such as a vulnerability
reporting/disclosure program. These have been effective in other sectors and would
likely benefit the motor vehicle industry. Automotive industry members should consider
creating their own vulnerability reporting/disclosure policies, or adopting policies
used in other sectors or in technical standards. Such policies would provide any
external cybersecurity researcher with guidance on how to disclose vulnerabilities to
organizations that manufacture and design vehicle systems.
A vulnerability reporting/disclosure policy should inform cybersecurity researchers how
a company plans to interact with them. In general, the company’s expectations for the
relationship between companies and cybersecurity researchers should be described in
detail and publicly available.
6.5 Vulnerability / Exploit / Incident Response Process
The automotive industry should have a documented process for responding to incidents,
vulnerabilities, and exploits. This process should cover impact assessment, containment,
recovery and remediation actions, and the associated testing.
This process should clearly outline roles and responsibilities for each responsible group
within the organization and also specify any requirements for internal and external
coordination. The process should be designed in a manner that ensures rapid response
without sole dependence on any single person.
The automotive industry should define metrics to periodically assess the effectiveness
of their response process. In addition, companies should document details of each
identified and reported vulnerability, exploit, or incident. These documents should
include information which extends from onset to disposition with sufficient granularity
to enable response assessment.
The response process should report all incidents, exploits, and vulnerabilities to the
Auto ISAC as soon as possible. This is recommended for companies who may not yet
be a member of Auto ISAC as well. Any incidents should also be reported to US-CERT in
accordance with the US-CERT Federal Incident Notification Guidelines.24
Additionally,
24
US-CERT Federal Incident Notification Guidelines. Available at www.us-cert.gov/incident-
notification-guidelines
15. 15
Cybersecurity Best Practices for Modern Vehicles
they may be reported to the industrial control systems CERT.25
Finally, industry members should periodically run response capabilities exercises26
to
test the effectiveness of their disclosure policy operations and their internal response
processes.
6.6 Self-Auditing
In addition to implementing a cybersecurity process based on a sound systems-
engineering approach, the automotive industry should document the details related
to the cybersecurity process to allow for both auditing and accountability. Such
documentation may include the following:
•• risk assessments,
•• penetration test results,
•• organizational decisions.
Further, such documents should be retained through the expected life span of the
associated product. Persistent documents (such as cybersecurity requirements)
should follow a robust version control protocol, and should be revised regularly as new
information, data, and research results become available.
6.6.1 Risk Assessment
The automotive industry should develop and use a risk-based approach to assessing
vulnerabilities and potential impacts and should consider the entire supply-chain of
operations. This approach should involve an ongoing risk management framework to
assess and mitigate risk over time.
At a minimum, organizations should consider cybersecurity risks to safety-critical
vehicle control functions and PII. For example, a risk assessment process and the
associated documentation should consider the following questions as suggested in the
following modification of the documented CIS approach:27
•• What are the functions?
•• What are the implications if they were compromised?
25
https://ics-cert.us-cert.gov/ICS-CERT-Vulnerability-Disclosure-Policy
26
A cybersecurity capability exercise is a simulated attack and response exercise.
27
SANS Institute. (2002). An Overview of Threat and Risk Assessment. Fredericksburg, VA:
Author. Available at www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-
assessment-76
16. Cybersecurity Best Practices for Modern Vehicles
16
•• What are the potential safety hazards that could be exposed by these
vulnerabilities?
•• What is the safety risk to society and the value risk to the organization?
•• What can be done to minimize exposure to the potential loss or damage?
•• What design decisions could be made with respect to the risk assessment process?
•• Who/what are the threats and vulnerabilities?
A risk assessment document should minimally cover internal vehicle networks, external
wireless networks, and any interface an ECU presents to the world.
6.6.2 Penetration Testing and Documentation
The automotive industry should consider extensive product cybersecurity testing
to include using penetration tests. These tests should include stages that deploy
qualified testers who have not been part of the development team, and who are highly
incentivized to identify vulnerabilities.
All reports which result from these penetration tests should be maintained as
part of the body of internal documentation associated with the cybersecurity
approach. Documentation should identify the testers, their qualifications, and their
recommendations.
These penetration testing reports should also document the disposition of detected
cybersecurity vulnerabilities. If a vulnerability is fixed, the details of the fix need to be
documented. If a vulnerability is not addressed, the reasoning behind the acceptability
of the underlying risk should be documented as well. In addition, the penetration testing
reports should note the authorized approving authority for each vulnerability.
6.6.3 Self-Review
The automotive industry should establish procedures for internal review and
documentation of cybersecurity-related activities. This will assist companies in better
understanding their cybersecurity practices and determining where their processes
could benefit from improvement. One suggested approach is for the automotive
industry to produce annual reports28
on the state of their cybersecurity practices. These
annual reports could discuss the current state of implemented cybersecurity controls,
findings from self-auditing activities, and the state of records maintenance. Information
concerning the corporate structure related to cybersecurity and all other cybersecurity
28
An example of an annual report from the financial industry is available at www.finra.org/
sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf
17. 17
Cybersecurity Best Practices for Modern Vehicles
efforts would be valuable information for stakeholders and consumers.
6.7 Fundamental Vehicle Cybersecurity Protections
The following recommendations are based on what NHTSA has learned through its
internal applied research as well as from stakeholder experiences shared with NHTSA.
These recommendations do not form an exhaustive list of actions necessary for
securing automotive computing systems, and all items may not be applicable in each
case. These protections serve as a small subset of potential actions which can move the
motor vehicle industry towards a more cyber-aware posture.
6.7.1 Limit Developer/Debugging Access in Production Devices
Software developers have considerable access to ECUs. Such ECU access might be
facilitated by an open debugging port, or through a serial console. However, developer
access should be limited or eliminated if there is no foreseeable operational reason for
the continued access to an ECU for deployed units.
If continued developer access is necessary, any developer-level debugging interfaces
should be appropriately protected to limit access to authorized privileged users.
Physically hiding connectors, traces, or pins intended for developer debugging access
should not be considered a sufficient form of protection.
6.7.2 Control Keys
Any key (e.g., cryptographic) or password which can provide an unauthorized, elevated
level of access to vehicle computing platforms should be protected from disclosure. Any
key obtained from a single vehicle’s computing platform should not provide access to
multiple vehicles.
6.7.3 Control Vehicle Maintenance Diagnostic Access
Diagnostic features should be limited as much as possible to a specific mode of
vehicle operation which accomplishes the intended purpose of the associated feature.
Diagnostic operations should be designed to eliminate or minimize potentially
dangerous ramifications if they are misused or abused outside of their intended
purposes.
18. Cybersecurity Best Practices for Modern Vehicles
18
For example, a diagnostic operation which may disable a vehicle’s individual brakes29
could be restricted to operate only at low speeds. In addition, this diagnostic operation
might not disable all brakes at the same time, and/or it might limit the duration of such
diagnostic control action.
6.7.4 Control Access to Firmware
In many cases, firmware precisely determines the actions of an ECU. Extracting
firmware is often the first stage of discovering a vulnerability or structuring an end-to-
end cyberattack.
Developers should employ good security coding practices and use tools that support
security outcomes in their development processes.
Many platforms may be able to support whole disk encryption of external non-volatile
media. In this case, encryption should be considered as a useful tool in preventing the
unauthorized recovery and analysis of firmware.
Firmware binary images may also be obtained from a firmware updating process.
Organizations should reduce any opportunities for a third party to obtain unencrypted
firmware during software updates.
6.7.5 Limit Ability to Modify Firmware
Limiting the ability to modify firmware would make it more challenging for malware
to be installed on the vehicles. For example, use of digital signing techniques may
make it more difficult and perhaps prevent an automotive ECU from booting modified/
unauthorized and potentially damaging firmware images. In addition, firmware
updating systems which employ signing techniques could prevent the installation of a
damaging software update that did not originate from an authorized motor vehicle or
equipment manufacturer.
29
Valasek., C., & Miller, C. (2014). Adventures in Automotive Networks and Control Units Seattle:
IOActive, Inc. Available at www.ioactive.com/pdfs/IOActive_Adventures_in_Automotive_
Networks_and_Control_Units.pdf
19. 19
Cybersecurity Best Practices for Modern Vehicles
6.7.6 Control Proliferation of Network Ports, Protocols and Services
The use of network servers on vehicle ECUs should be limited to essential functionality
only and services over such ports should be protected to prevent use by unauthorized
parties. Any software listening on an internet protocol (IP) port offers an attack vector
which may be exploited. Any unnecessary network services should be removed.
6.7.7 Use Segmentation and Isolation techniques in Vehicle Architecture Design
Privilege separation with boundary controls is important to improving security
of systems.30
Logical and physical isolation techniques should be used to separate
processors, vehicle networks, and external connections as appropriate to limit and
control pathways from external threat vectors to cyber-physical features of vehicles.
Strong boundary controls, such as strict white list-based filtering of message flows
between different segments, should be used to secure interfaces.
6.7.8 Control Internal Vehicle Communications
Critical safety messages are those that could directly31
or indirectly32
impact a safety-
critical vehicle control system’s operations.
When possible, sending safety signals as messages on common data buses should be
avoided. For example, providing an ECU with dedicated inputs from critical sensors
eliminates the common data bus spoofing problem.
If critical safety information must be passed across a communication bus, this
information should reside on communication buses segmented from any vehicle ECUs
with external network interfaces. A segmented communications bus may also mitigate
the potential effects of interfacing insecure aftermarket devices to vehicle networks.
Critical safety messages, particularly those passed across non-segmented
communication buses, should employ a message authentication scheme to limit the
possibility of message spoofing.
30
Some strategies are described in Recommended Practice: Improving Industrial Control
Systems Cybersecurity with Defense-In-Depth Strategies, Department of Homeland Security,
September, 2016. Available at https://ics-cert.us-cert.gov/sites/default/files/recommended_
practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
31
For example, a control command message sent to a traction control actuator; if spoofed, this
could apply the vehicle’s brakes without a driver’s or a legitimate vehicular safety system’s intent.
32
For example, a vehicle speed estimate message; if spoofed, this could make the distributed
vehicle controllers relying on that information to misunderstand the moving state of the vehicle
(e.g., stationary versus moving).
20. Cybersecurity Best Practices for Modern Vehicles
20
6.7.9 Log Events
An immutable log of events sufficient to reveal the nature of a cybersecurity attack or
a successful breach should be maintained and periodically scrutinized by qualified
maintenance personnel to detect trends of cyber-attack.
6.7.10 Control Communication to Back-End Servers
Widely accepted encryption methods should be employed in any IP-based operational
communication between external servers and the vehicle. Consistent with these
methods, such connections should not accept invalid certificates.
6.7.11 Control Wireless Interfaces
In some situations, it may be necessary to exert fine-grained control over a vehicle’s
connection to a cellular wireless network. Industry should plan for and design-in
features that could allow for changes in network routing rules to be quickly propagated
and applied to one, a subset, or all vehicles.
7. Education
NHTSA believes that an educated workforce is crucial to improving the cybersecurity
posture of motor vehicles. The agency’s philosophy is that cybersecurity educational
activities should not be limited to the current workforce or technical individuals, but
should also enrich the future workforce and non-technical individuals. NHTSA supports
educational competitions that include cybersecurity elements such as the SAE/Battelle
Cyber Auto Challenge, NIST’s National Initiative for Cybersecurity Education (NICE)
program called out in the 2014 Cyber Enhancement Act (PL113-274, Title IV),33
and the
Enhanced Safety of Vehicles (ESV) Student Design Competition. NHTSA also encourages
universities that are the foundation of the future workforce to develop curriculums that
target fostering skillsets useful across a range of practical security applications, including
the field of vehicle cybersecurity. NHTSA suggests that manufacturers, suppliers, and
other stakeholders should work together with NHTSA to help support these educational
efforts and more.
8. Aftermarket Devices
The automotive industry should consider that consumers may bring aftermarket
devices (e.g., insurance dongles) and personal equipment (e.g., cell phones) onto cars
and connect them with vehicle systems through the interfaces that manufacturers
33
Csrc.nist.gov/nice
21. 21
Cybersecurity Best Practices for Modern Vehicles
provide (Bluetooth, USB, OBD-II port, etc.). The automotive industry should consider
the incremental risks that could be presented by these devices and provide reasonable
protections.
Aftermarket device manufacturers should consider that their devices are interfaced with
cyber-physical systems and they could impact safety-of-life. Even though the primary
purpose of the system may not be safety-related (e.g., telematics device collecting fleet
operational data), if not properly protected, they could be used as proxy to influence the
safety-critical system behavior on vehicles. Aftermarket devices could be also brought
on to all ages and types of vehicles with varying levels of cybersecurity protections
on the vehicle side of the interface. Therefore, these devices should include strong
cybersecurity protections on the units since they could impact the safety of vehicles
regardless of their intended primary function.
9. Serviceability
The automotive industry should also consider the serviceability of vehicle components
and systems by individuals and third parties. The automotive industry should provide
strong vehicle cybersecurity protections that do not unduly restrict access by authorized
alternative third-party repair services.