Cybersecurity in Transit Systems
A SYNTHESIS OF TRANSIT PRACTICE
David Fletcher, Geographic Paradigm Computing, Inc., Albuquerque, NM
Patricia Bye, Independent Consultant, Holicong, PA
2022
Research sponsored by the Federal Transit Administration in cooperation with the Transit Development Corporation
Subject Areas: Public Transportation • Security and Emergencies
TRANSIT COOPERATIVE RESEARCH PROGRAM
TCRP SYNTHESIS 158
TCRP SYNTHESIS 158 Project J-07, Topic SA-50 ISSN 1073-4880 ISBN 978-0-309-09454-2 © 2022 National Academy of Sciences. All rights reserved.
COPYRIGHT INFORMATION
Authors herein are responsible for the authenticity of their materials and for obtaining written permissions from publishers or persons who own the copyright to any previously published or copyrighted material used herein. Cooperative Research Programs (CRP) grants permission to reproduce material in this publication for classroom and not-for-profit purposes. Permission is given with the understanding that none of the material will be used to imply TRB, AASHTO, FAA, FHWA, FTA, GHSA, NHTSA, or TDC endorsement of a particular product, method, or practice. It is expected that those reproducing the material in this document for educational and not-for-profit uses will give appropriate acknowledgment of the source of any reprinted or reproduced material. For other uses of the material, request permission from CRP.
NOTICE
The report was reviewed by the technical panel and accepted for publication according to procedures established and overseen by the Transportation Research Board and approved by the National Academies of Sciences, Engineering, and Medicine. The opinions and conclusions expressed or implied in this report are those of the researchers who performed the research and are not necessarily those of the Transportation Research Board; the National Academies of Sciences, Engineering, and Medicine; or the program sponsors. The Transportation Research Board; the National Academies of Sciences, Engineering, and Medicine; and the sponsors of the Transit Cooperative Research Program do not endorse products or manufacturers. Trade or manufacturers' names or logos appear herein solely because they are considered essential to the object of the report.
Published reports of the TRANSIT COOPERATIVE RESEARCH PROGRAM are available from Transportation Research Board, Business Office, 500 Fifth Street, NW, Washington, DC 20001 and can be ordered through the Internet by going to https://www.mytrb.org/MyTRB/Store/default.aspx Printed in the United States of America
TRANSIT COOPERATIVE RESEARCH PROGRAM
The nation's growth and the need to meet mobility, environmental, and energy objectives place demands on public transit systems. Current systems, some of which are old and in need of upgrading, must expand service area, increase service frequency, and improve efficiency to serve these demands. Research is necessary to solve operating problems, adapt appropriate new technologies from other industries, and introduce innovations into the transit industry. The Transit Cooperative Research Program (TCRP) serves as one of the principal means by which the transit industry can develop innovative near-term solutions to meet demands placed on it. The need for TCRP was originally identified in TRB Special Report 213 (Research for Public Transit: New Directions), published in 1987 and based on a study sponsored by the Urban Mass Transportation Administration, now the Federal Transit Administration (FTA). A report by the American Public Transportation Association (APTA), Transportation 2000, also recognized the need for local, problem-solving research. TCRP, modeled after the successful National Cooperative Highway Research Program (NCHRP), undertakes research and other technical activities in response to the needs of transit service providers. The scope of TCRP includes various transit research fields including planning, service configuration, equipment, facilities, operations, human resources, maintenance, policy, and administrative practices. TCRP was established under FTA sponsorship in July 1992. Proposed by the U.S.
Department of Transportation, TCRP was authorized as part of the Intermodal Surface Transportation Efficiency Act of 1991 (ISTEA). On May 13, 1992, a memorandum agreement outlining TCRP operating procedures was executed by the three cooperating organizations: FTA; the National Academies of Sciences, Engineering, and Medicine, acting through the Transportation Research Board (TRB); and the Transit Development Corporation, Inc. (TDC), a nonprofit educational and research organization established by APTA. TDC is responsible for forming the independent governing board, designated as the TCRP Oversight and Project Selection (TOPS) Commission. Research problem statements for TCRP are solicited periodically but may be submitted to TRB by anyone at any time. It is the responsibility of the TOPS Commission to formulate the research program by identifying the highest priority projects. As part of the evaluation, the TOPS Commission defines funding levels and expected products. Once selected, each project is assigned to an expert panel appointed by TRB. The panels prepare project statements (requests for proposals), select contractors, and provide technical guidance and counsel throughout the life of the project. The process for developing research problem statements and selecting research agencies has been used by TRB in managing cooperative research programs since 1962. As in other TRB activities, TCRP project panels serve voluntarily without compensation. Because research cannot have the desired effect if products fail to reach the intended audience, special emphasis is placed on disseminating TCRP results to the intended users of the research: transit agencies, service providers, and suppliers. TRB provides a series of research reports, syntheses of transit practice, and other supporting material developed by TCRP research.
APTA will arrange for workshops, training aids, field visits, and other activities to ensure that results are implemented by urban and rural transit industry practitioners. TCRP provides a forum where transit agencies can cooperatively address common operational problems. TCRP results support and complement other ongoing transit research and training programs.
The National Academy of Sciences was established in 1863 by an Act of Congress, signed by President Lincoln, as a private, nongovernmental institution to advise the nation on issues related to science and technology. Members are elected by their peers for outstanding contributions to research. Dr. Marcia McNutt is president.
The National Academy of Engineering was established in 1964 under the charter of the National Academy of Sciences to bring the practices of engineering to advising the nation. Members are elected by their peers for extraordinary contributions to engineering. Dr. John L. Anderson is president.
The National Academy of Medicine (formerly the Institute of Medicine) was established in 1970 under the charter of the National Academy of Sciences to advise the nation on medical and health issues. Members are elected by their peers for distinguished contributions to medicine and health. Dr. Victor J. Dzau is president.
The three Academies work together as the National Academies of Sciences, Engineering, and Medicine to provide independent, objective analysis and advice to the nation and conduct other activities to solve complex problems and inform public policy decisions. The National Academies also encourage education and research, recognize outstanding contributions to knowledge, and increase public understanding in matters of science, engineering, and medicine. Learn more about the National Academies of Sciences, Engineering, and Medicine at www.nationalacademies.org.
The Transportation Research Board is one of seven major programs of the National Academies of Sciences, Engineering, and Medicine. The mission of the Transportation Research Board is to provide leadership in transportation improvements and innovation through trusted, timely, impartial, and evidence-based information exchange, research, and advice regarding all modes of transportation.
The Board's varied activities annually engage about 8,000 engineers, scientists, and other transportation researchers and practitioners from the public and private sectors and academia, all of whom contribute their expertise in the public interest. The program is supported by state transportation departments, federal agencies including the component administrations of the U.S. Department of Transportation, and other organizations and individuals interested in the development of transportation. Learn more about the Transportation Research Board at www.TRB.org.
CRP STAFF FOR TCRP SYNTHESIS 158
Christopher J. Hedges, Director, Cooperative Research Programs
Lori L. Sundstrom, Deputy Director, Cooperative Research Programs
Gwen Chisholm Smith, Manager, Transit Cooperative Research Program
Mariela Garcia-Colberg, Senior Program Officer
Emily Griswold, Program Coordinator
Natalie Barnes, Director of Publications
Heather DiAngelis, Associate Director of Publications
TCRP PROJECT J-07 PANEL
Elizabeth Presutti, Des Moines Area Regional Transit Authority (DART), Des Moines, IA (Chair)
Jameson Auten, Kansas City Area Transportation Authority, Kansas City, MO
Mallory Avis, Battle Creek Transit, Battle Creek, MI
Fabian Cevallos, Tamarac, FL
Roderick B. Diaz, Southern California Regional Rail Authority, Los Angeles, CA
Mark Donaghy, Petersburg, KY
Rachel Dungca, Metro Transit, Minneapolis-St. Paul, St. Anthony, MN
Christian T. Kent, Christian T. Kent Transit Management Consulting, LLC, Virginia Beach, VA
Ronald J. Kilcoyne, TMD, Walnut Creek, CA
Brad J. Miller, Pinellas Suncoast Transit Authority (PSTA), St. Petersburg, FL
Beverly Neff, San Diego Metropolitan Transit System, San Diego, CA
Jarrett William Stoltzfus, Proterra, Walnut, CA
Edward F. Watt, Rockaway Park, NY
David C. Wilcock, VHB, Boston, MA
Tara Clark, FTA Liaison
Arthur L. Guzzetti, APTA Liaison
William Terry, Rutgers, The State University of New Jersey Liaison
TOPIC SA-50 PANEL
Alesia Cain, Marine Tiger Technologies, Hempstead, NY
Jasdeep Gill, British Columbia Rapid Transit Company, Burnaby, BC
Mark W. Hartong, Federal Aviation Administration (FAA), Washington, DC
Kyle N. Malo, Sr., Washington Metropolitan Area Transit Authority, Washington, DC
Stephanie M. Murphy, Tidal Basin Government Consulting, LLC, Alexandria, VA
Jeffrey Nichols, Port Authority of Allegheny County, Pittsburgh, PA
Sarah VanWormer, City of Battle Creek, Battle Creek, MI
Polly L. Hanson, APTA liaison
Brian Jackson, FTA liaison
COOPERATIVE RESEARCH PROGRAMS
ABOUT THE TCRP SYNTHESIS PROGRAM
Transit administrators, engineers, and researchers often face problems for which information already exists, either in documented form or as undocumented experience and practice. This information may be fragmented, scattered, and unevaluated. As a consequence, full knowledge of what has been learned about a problem may not be brought to bear on its solution. Costly research findings may go unused, valuable experience may be overlooked, and due consideration may not be given to recommended practices for solving or alleviating the problem. There is information on nearly every subject of concern to the transit industry. Much of it derives from research or from the work of practitioners faced with problems in their day-to-day work. To provide a systematic means for assembling and evaluating such useful information and to make it available to the entire transit community, the Transit Cooperative Research Program Oversight and Project Selection (TOPS) Committee authorized the Transportation Research Board to undertake a continuing study. This study, TCRP Project J-07, "Synthesis of Information Related to Transit Practices," searches out and synthesizes useful knowledge from all available sources and prepares concise, documented reports on specific topics. Reports from this endeavor constitute a TCRP report series, Synthesis of Transit Practice. This synthesis series reports on current knowledge and practice, in a compact format, without the detailed directions usually found in handbooks or design manuals. Each report in the series provides a compendium of the best knowledge available on those measures found to be the most successful in resolving specific problems.
FOREWORD
By Mariela Garcia-Colberg, Staff Officer, Transportation Research Board
Every transit agency should ensure that it has effective cybersecurity practices in place to protect employees, passengers, and infrastructure from cybersecurity events.
However, the current environment, together with the COVID-19 pandemic, has produced unforeseen challenges and made it even harder for transit systems to effectively protect their assets, customers, and employees. This synthesis study focuses on cybersecurity of emerging operational technology, such as teleworking/remote worker offices, contactless customer services, real-time service information, and transit-on-demand services, and on cyber resilience practices of transit and other relevant transportation modes. The report is written for transit organization executives and senior managers who would benefit from an understanding of these terms and practices. A literature review and targeted interviews of qualifying organizations that have implemented measures to improve cybersecurity were completed. The synthesis includes multiple, brief case examples that are representative of emerging transit system cybersecurity programs and practices. These examples highlight innovative approaches, successes, challenges, and lessons learned. Gaps in information and future research needs were also identified. David Fletcher from Geographic Paradigm Computing, Inc., together with Patricia Bye, collected and synthesized the information and wrote the report under the guidance of a panel of experts in the subject area. The members of the topic panel are acknowledged on page iv. This synthesis is an immediately useful document that records emerging cybersecurity practices that were acceptable within the limitations of the knowledge available at the time of its preparation. As progress in research and practice continues, new knowledge will be added to that now at hand.
CONTENTS
Summary
Chapter 1 Introduction
  Objectives and Scope
  Definition of Key Terms
  Technical Approach
  Organization of the Report
Chapter 2 Literature Review
  Sources of Information
  Summary of Findings
  Cyber Incident Actors
  Sources and Types of Cyber Incidents
  Case Examples
  Recent Cyber Incidents and Trends
  Cost of Cyber Incidents
  Transit Cybersecurity Legal and Regulatory Requirements
  Cybersecurity Guidance and Recommended Practices
  Cybersecurity Capability Maturity Models
  Gaps in Guidance
  State of Cybersecurity Practice in Transit
  Conclusions
Chapter 3 Synthesis of Emerging Cybersecurity Practice in Transit
  Cyber Resilience
  Cyber Insurance
  Third-Party Cyber Risk
  Location-Agnostic Access
  Zero-Trust Computing
  Cybersecurity Governance
  Cybersecurity Workforce
Chapter 4 Summary of Findings
  Findings
  Suggestions for Further Research
References and Bibliography
Abbreviations and Acronyms
Appendix A Cybersecurity Incidents
Appendix B Cybersecurity Guidance