Operational Security for Transportation: Connectivity to Rails
Frank Marcus
Director of Technology
About Wurldtech
TIMELINE
• Founded September 2006; acquired by GE in 2014 as a wholly-owned independent subsidiary
LOCATIONS
• Vancouver, Canada; San Ramon, California; Netherlands
CUSTOMERS
• System operators, device manufacturers and automation vendors; 5 of the top 6 global oil & gas companies; 9 of the top 10 automation vendors
VERTICAL MARKETS
• Utilities, oil & gas, transportation and healthcare
SOLUTIONS
• Products, services, and certifications to secure Operational Technology
Who Am I?
Applied ICS Security Research since 2004
4 patents related to automated vulnerability discovery in Cyber-Physical Components
ICS Specific Compensating Controls Design
ICS System and Product Assessment
• Oil and Gas
• Power Gen & Transmission
• Smart Grid
• Factory Automation
• Rail
• Aviation
What’s on the Menu
A definition of a Secure System
Risk as a measure of security
Components of a Threat Model for Rail
Applying Lessons from other Critical Systems
What is a Secure System?
The belief that it does what it is supposed to do, and does not do what it is not supposed to do.
A Negative Test is meant to identify unintended behaviors of a System that prevent correctness.
Fault Tree Analysis assumes a random distribution of errors, an assumption that cannot be applied to cyber security, where errors are induced deliberately.
A System is said to be Secure when it cannot be intentionally placed in a state that results in a specific impact.
Risk is the Probability of an Impact Occurring
Cyber Risk = Impact * (Ease of Exploitation – Compensating Control)
Risk decomposes into the following factors:
• Impact
  • Damage Potential
  • No. of Affected Components
• Possibility (Ease of Exploitation reduced by the Degree of Mitigation)
  • Degree of Mitigation
  • Ease of Exploitation
    • Discoverability
    • Exploitability
    • Reproducibility
Trust Is Hard
Complex systems are composed of a series of abstractions.
The trustworthiness of higher level components depends on lower level components.
No single organization or entity has the access or resources to assess every aspect of a system.
Successful Attacks Satisfy Three Conditions
1. System Susceptibility
  • Value to Attacker
  • Vulnerabilities
2. Threat Accessibility
  • Attack Surface
  • Logical & Physical Reachability
3. Threat Capability
  • Tools
  • Techniques
All three together yield a Successful Attack.
Value to the Attacker
Why your system is a target is difficult to ascertain.
• Direct Financial
• Indirect Financial
• Political Influence
• Social Influence
• Emotional
• Opportunism
The attacker’s ability to realize the desired value is what the defender can control.
“Thinking Like An Attacker” means understanding what creates attacker value in your system.
Vulnerabilities
Vulnerabilities in People, Process and Technology are unexpected behaviors used by an attacker to realize value.
While every system serves diverse and unique purposes, they are built using both common and domain specific components.
Unique components tend to have more errors but are harder to study; common components are easier to study, so more is known about how to attack and defend them.
Threat Accessibility
System attack surface defines what people, processes and technology can be attacked given the set of capabilities and assets in the attacker’s control.
Rail shares many cases with other critical infrastructure:
• Geographically Dispersed
• Assets are difficult to physically secure
• Multi-modal communication such as baseband wireless, cell, sat, wired
• Assets move in space and time
• Information shared by systems managed by different parties
• Business requirements drive increased connectivity
Threat Capability
The probability of the most capable threat actor achieving an attack is less than 100%.
Security Through Obscurity is ineffective because it is based on an assumption of what an attacker knows.
Capabilities do not have to be sophisticated to be effective.
Compensating controls are used to increase the required capability to impact an asset.
Applying Standards
Most industry-specific standards reference the NIST-800 and/or ISO-27000 series.
APTA standards heavily reference NIST-800 and NERC CIP.
IEC-62443 is the industrial-specific extension of ISO-27000.
Standards are Prescriptive, Descriptive or Risk-Oriented.
Each explicitly or implicitly assumes a threat model.
Threat Model is Evolving
• Unexpected Access Vector
• New Attacker Capability
• Newly discovered vulnerability
• New system components
• Political and Social Change
Threat Model Essential for Effective Defense
A Threat Model is an Essential Living Document.
Many factors that the operator cannot control impact the threat model.
Risk cannot be calculated without Threats.
Standards that are Risk-based and Capability-Oriented are more cost-effective to implement.
Thanks
Frank Marcus
fmarcus@wurldtech.com
Wurldtech Security Technologies Inc. reserves the right to make changes in specifications and features, or discontinue the product or service
described at any time, without notice or obligation. These materials do not constitute a representation, warranty or documentation regarding the
product or service featured. Illustrations are provided for informational purposes, and your configuration may differ.
This information does not constitute legal, financial, coding, or regulatory advice in connection with your use of the product or service. Please
consult your professional advisors for any such advice.
Wurldtech is a trademark of General Electric Company. Other trademarks and logos are the property of their respective owners.
Copyright © 2016 Wurldtech Security Technologies Inc. All rights reserved.