“There are so many facets to security, we need to be good at all of them. It takes one small mistake, and then the bad guys can gain access to our network.”
Cyber security is increasingly important for all of us working in the rail and metro industry. To continue our focus on this crucial area, our Editor Luke Upton spoke to Jonathan Risto, a mentor and community instructor at SANS, a global leader in cyber security. He teaches in the areas of intrusion detection, incident handling, penetration testing and security management. When not teaching for SANS, he works for the federal government performing cyber security research. He has just completed his Masters of Information Security Management degree from SANS Technology Institute and has published numerous papers in cyber security. He currently holds a variety of industry certifications, including 11 GIAC certifications, and is a licensed Professional Engineer. Jonathan is very well placed to offer some fascinating insights, including the major threats, who should lead security and, of course, his favourite rail journey!
Luke Upton (LU): Thanks for your time today, we are looking forward to your training session at the upcoming SafeRail Congress (April 11th-12th Washington DC), could you give us a sneak preview of some of the key areas you’ll be focussing upon?
Jonathan Risto (JR): Thank you for providing me with the opportunity today. The course that SANS is offering at SafeRail is Security 440, Critical Security Controls: Planning, Implementing, and Auditing. This course helps you master specific, proven techniques and tools needed to implement and audit the Critical Security Controls as documented by the Center for Internet Security (CIS). These Critical Security Controls are rapidly becoming accepted as the highest priority list of what must be done and proven before anything else at nearly all serious and sensitive organizations. For security professionals, the course enables you to see how to put the controls in place in your existing network through effective and widespread use of cost-effective automation. For auditors, CIOs, and risk officers, the course is the best way to understand how you will measure whether the controls are effectively implemented. One of the best features of the course is that it uses offense to inform defence. In other words, you will learn about the actual attacks that you’ll be stopping or mitigating. That ensures the defences are very real, and it makes you a better security professional.
LU: You have over 17 years of experience in the technology space, what has brought you into working with digital security?
JR: I have always been interested in computers, even while growing up. That interest carried right through to my university studies, which were in Computer Engineering. With degree in hand, I went to work at a large telecommunications company performing Local Area Network (LAN) and Wide Area Network (WAN) network design, configuration and implementation. At the time, this also tended to include items such as firewalls and the basic controls we had for our networks. This was at the height of the tech boom, and everything was exploding online.
And so were the security concerns. It was fun, it was challenging, and I like a challenge. As time progressed, I focused solely on security. Architecture and design, configuration and implementation, it didn’t matter. Then at one of my jobs, I was the security operations prime, and I went and took a course from the SANS Institute. WOW. From the first few minutes in that class until the end of day 6, it was a constant overflow of information that was completely relevant to and feasible to use when returning back to work. Within a year, I started working with SANS, mentoring and then teaching the classes, and I have loved every minute of it!
LU: In your professional opinion, what is the single biggest threat to the rail and metro industry from digital attacks?
JR: I think the biggest challenge for any industry relating to cyber security is the organization's ability to understand their digital environment, and to be able to properly identify and protect their critical assets. We cover this in the SEC440 course, and provide a prioritized listing of the security measures that will help anyone secure their network. There are so many facets to security, we need to be good at all of them. It takes one small mistake, and then the bad guys can gain access to our network. But some items will have a larger impact than others. And while we continue to automate and place things on our network for ease of management for our teams, it also makes it easier for the adversaries to access the networks and devices at the same time.
LU: Cyber-crime is a challenge for all industries, do you think mass transit has been quick enough to focus on solutions?
JR: All industries need to continue to focus, adapt, and improve their cyber security measures -- and mass transit is no different. The adversaries that we all face have different goals. Some desire financial gain, some just want information/knowledge, and others want to cause a disruption of service. While all may use similar methods to attempt to get into the network, their targets are different once they are there.
LU: Within the structure of a mass transit agency (rail / metro) who should be taking the lead on digital security?
JR: I feel that there should be a senior person dedicated to security, and that is the Chief Security Officer (CSO). Depending on the size of the organization, this could even be further refined to the Chief Information Security Officer (CISO). Regardless of the title, the person is the security champion, and should be a senior exec team member, and this needs to be someone who is able to share and convey the business impact of digital security items, so that they are understood by the complete exec team. Regardless of who is in charge of the structure, everyone, and I do mean everyone, has a part to play in the security of the organization. The employees see so much more than any one security team member is able to, so by having employees report when they see strange things, the entire organization becomes the sensor network helping to detect and report things. Proper awareness training is needed to do this, but it greatly increases the security of the organization.
LU: And finally, as we ask all our interviewees, what’s your favourite rail journey?
JR: Any rail trip is a great journey, but for different reasons. Being able to sit back and relax while letting someone else handle the stress of going from point A to point B, is great. From a short commuter trip that removes the stop and go, honking, morning, to the trip through the Rocky Mountains where you can get to see the beauty of nature without having to worry about driving off the road. Choosing just one is hard, but with all of its history, I would have to say the Orient Express.
For more on SANS visit www.sans.org. They can also be found on Stand 18 at the SafeRail Congress, Washington D.C., April 11-12. Doug Wylie, CISSP, Director of their Industrials & Infrastructure Portfolio, will also be an expert speaker.