National Academies Press: OpenBook

Cybersecurity in Transit Systems (2022)

Chapter: Appendix B - Cybersecurity Guidance

Suggested Citation:"Appendix B - Cybersecurity Guidance." National Academies of Sciences, Engineering, and Medicine. 2022. Cybersecurity in Transit Systems. Washington, DC: The National Academies Press. doi: 10.17226/26475.

Appendix B: Cybersecurity Guidance

This appendix provides a selection of guidance and resources available to transit agencies for cybersecurity. The National Institute of Standards and Technology (NIST) and the Federal Information Processing Standards (FIPS), along with transportation-specific guidance available from APTA and FHWA, provide recommended practices and standards. There are international standards and recommendations from the International Organization for Standardization (ISO), the Information Systems Audit and Control Association (ISACA), and Control Objectives for Information and Related Technology (COBIT). Security working groups such as the Computer Security Incident Response Team (CSIRT), the Computer Emergency Response Team (CERT), and ICS-CERT, which responds to breaches of cybersecurity, have compiled resources of recommended practices that can be applied across all industries. More extensive resources are available in NCHRP Report 930: Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework identifies key high-level cybersecurity functions and provides standards, guidelines, and best practices to manage cybersecurity risk. It was developed to complement an organization's established risk management process and cybersecurity program. An organization can use its current processes and leverage the framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices. For organizations with no formal cybersecurity program in place, the framework can provide a foundation on which to implement a robust cybersecurity program. The current version of the framework can be found on the NIST website at https://www.nist.gov/cyberframework

Assistance in implementing the framework in transportation agencies is found in Transportation Systems Sector Cybersecurity Framework Implementation Guidance. The guidance is based on a three-phase implementation cycle: (1) determining risk profile; (2) establishing priorities; and (3) implementing solutions.

Phase 1: Determining Risk Profile
Establishing a cyber-risk profile within an organization is the foundation of the Transportation Systems Sector's (TSS) implementation of the NIST Framework. A risk profile attempts to determine the corporation's willingness to take risk (or its aversion to risk), which drives the overall decision-making strategy. Upon completion, the risk profile furthers an organization's understanding of its current cyber-risk posture and promotes mitigation strategies for improvement.

Phase 2: Establishing Priorities
Upon completion of Phase 1, the organization will be ready to pinpoint where opportunities reside and how to prioritize solutions to reduce its overall risk profile. When developing a strategy to implement solutions, the organization should take resource allocation (both personnel and financial) into account.

Phase 3: Implementing Solutions
The guidance does not recommend specific solutions or how to implement them, leaving TSS organizations free to choose the ones that fit their needs. However, there are many publications and standards, such as NIST SP 800-53, NIST SP 800-82, and the CIS Controls, that should be reviewed to ensure that the guidance most suitable to reducing the organization's specific risk profile is selected.

Agencies can use the implementation guidance to
• Characterize their current cybersecurity posture.
• Identify opportunities for enhancing existing cyber-risk management programs.
• Find existing tools, standards, and guides to support framework implementation.
• Communicate their risk management issues to internal and external stakeholders.

Organizations that lack a formal cybersecurity risk management program could use the guidance to establish risk-based cyber priorities. The Transportation Systems Sector Cybersecurity Framework Implementation Guidance is found on the CISA website at https://www.cisa.gov/sites/default/files/publications/tss-cybersecurity-framework-implementation-guide-2016-508v2_0.pdf

Transit-Specific Guidance

APTA has a series of Recommended Practice Guides on two aspects of cybersecurity: control and communications security, and enterprise cybersecurity. The guidance includes considerations for transit agencies in developing cybersecurity strategies and details practices and standards that address vulnerability assessment and mitigation, system resiliency and redundancy, and disaster recovery.

APTA Standards Development Program Recommended Practice: Securing Control and Communications Systems in Transit Environments
• APTA-SS-CCS-RP-001-10 Securing Control and Communications Systems in Transit Environments Part 1: Elements, Organization and Risk Assessment/Management
• APTA-SS-CCS-RP-002-13 Securing Control and Communications Systems in Rail Transit Environments Part 2: Defining a Security Zone Architecture for Rail Transit and Protecting Critical Zones
• APTA-SS-CCS-WP-003-15 Securing Control and Communications Systems in Rail Transit Environments Part IIIa: Attack Modeling Security Analysis White Paper
• APTA SS-CCS-RP-004-16 Securing Control and Communications Systems in Rail Transit Environments Part IIIb: Operationally Critical Security Zone
• APTA SS-CCS-WP-005-19 Securing Control and Communications Systems in Transit Bus Vehicles and Supporting Infrastructure

Enterprise Cyber Security
• APTA SS-ECS-RP-001-14 Cybersecurity Considerations for Public Transit
• APTA SS-ESC-RP-002-19 Enterprise Cybersecurity Training and Awareness
• APTA SS-ECS-RP-003-19 Enterprise Cybersecurity Involving the Board of Directors and the Executive Suite

Federal Transportation Cybersecurity Resources

The TSA Surface Transportation Cybersecurity Resource Toolkit is a collection of documents designed to provide cyber-risk management information to surface transportation operators who have fewer than 1,000 employees. The materials are drawn from three primary sources:
• National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity: A voluntary framework for reducing cyber risks in critical infrastructure.
• Stop.Think.Connect: A national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online.
• United States Computer Emergency Readiness Team: Responsible for improving the nation's cybersecurity posture, coordinating cyber information sharing, and managing cyber risks.

Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials Toolkits
Information designed for IT and C-suite leadership to build cyber readiness and to create an organizational culture of cyber readiness. The Toolkits can be found at https://www.cisa.gov/publication/cyber-essentials-toolkits

Information Sharing and Analysis Centers (ISAC)
The purpose of an ISAC is to serve as the conduit for cross-modal lessons learned and best practices in ICS cybersecurity, and to provide a forum for partnership, outreach, and information sharing.

Surface Transportation Information Sharing and Analysis Center
https://www.surfacetransportationisac.org/
The ST-ISAC was formed at the request of the Department of Transportation. The ISAC provides a secure cyber and physical security capability for owners, operators, and users of critical infrastructure. Security and threat information is collected from worldwide resources, then analyzed and distributed to members to help protect their vital systems from attack. The ISAC also provides a vehicle for the anonymous or attributable sharing of incident, threat, and vulnerability data among the members. Members have access to information and analytical reporting provided by other sources, such as the U.S. and foreign governments, law enforcement agencies, technology providers, and international computer emergency response teams (CERTs).

Public Transportation Information Sharing and Analysis Center
http://www.apta.com/resources/safetyandsecurity/Pages/ISAC.aspx
The PT-ISAC is a trusted, sector-specific entity that provides to its constituency a 24/7 security operating capability that establishes the sector's specific information/intelligence requirements for incidents, threats, and vulnerabilities. Based on its sector-focused subject matter analytical expertise, the ISAC then collects, analyzes, and disseminates alerts and incident reports that it provides to its membership and that help the government understand impacts for the sector. It provides an electronic, trusted ability for the membership to exchange and share information on all threats—physical and cyber—in order to defend public transportation systems and critical infrastructure. This includes analytical support to the government and other ISACs regarding technical sector details, and mutual information sharing and assistance during actual or potential sector disruptions, whether caused by intentional or natural events.

NIST Cybersecurity Guidance

The NIST Computer Security Division's Computer Security Resource Center (CSRC) is a resource for security standards, guidelines, and resources. It can be found at http://csrc.nist.gov/publications/PubsSPs.html. NIST has published over 300 information security guides that include Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, Information Technology Laboratory (ITL) Bulletins, and NIST Interagency Reports (NIST IR).

Key NIST Resources
• Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST SP 800-161
• Draft Cyber Supply Chain Risk Management Practices for Systems and Organizations, NIST SP 800-161 Rev. 1
• Secure Software Development Framework (SSDF)
• NIST: Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1
• NIST: SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
• Defending Against Software Supply Chain Attacks (joint CISA-NIST publication issued by CISA)
• Key Practices in Cyber Supply Chain Risk Management: Observations from Industry, NISTIR 8276

Other Industry Cybersecurity Guidance
• BSIMM: Building Security in Maturity Model (BSIMM) Version 11
• BSA: The BSA Framework for Secure Software: A New Approach to Securing the Software Lifecycle, Version 1.1
• International Organization for Standardization/International Electrotechnical Commission (ISO/IEC): Information technology—Security techniques—Application security—Part 1: Overview and Concepts, ISO/IEC 27034-1:2011
• Microsoft: Microsoft Security Development Lifecycle
• OWASP: Software Assurance Maturity Model Version 1.5
• Payment Card Industry (PCI) Security Standards Council: Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures Version 1.1
• Software Assurance Forum for Excellence in Code (SAFECode): Fundamental Practices for Secure Software Development: Essential Elements of a Secure Development Lifecycle Program, Third Edition
• Institute for Defense Analyses (IDA): State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
• Open Web Application Security Project (OWASP): OWASP Application Security Verification Standard 4.0.2
• SAFECode: Managing Security Risks Inherent in the Use of Third-Party Components
• SAFECode: Practical Security Stories and Security Tasks for Agile Development Environments
• SAFECode: Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain
• SAFECode: Tactical Threat Modeling

US/International Cyber Standards

This section is a selection of U.S. and international cybersecurity standards and organizations.
• Risk Assessment. The ISA99/IEC 62443 approach, based on equipment zones (or locations) and equipment conduits (or communication paths).
• Information Security. ISO/IEC 27001:2013, an internationally recognized framework and set of guidelines for companies to keep customer information secure. In September 2020, NJ Transit became the first public transit agency in the nation to achieve ISO/IEC 27001:2013 certification.

Abbreviations and acronyms used without definitions in TRB publications:

A4A  Airlines for America
AAAE  American Association of Airport Executives
AASHO  American Association of State Highway Officials
AASHTO  American Association of State Highway and Transportation Officials
ACI–NA  Airports Council International–North America
ACRP  Airport Cooperative Research Program
ADA  Americans with Disabilities Act
APTA  American Public Transportation Association
ASCE  American Society of Civil Engineers
ASME  American Society of Mechanical Engineers
ASTM  American Society for Testing and Materials
ATA  American Trucking Associations
CTAA  Community Transportation Association of America
CTBSSP  Commercial Truck and Bus Safety Synthesis Program
DHS  Department of Homeland Security
DOE  Department of Energy
EPA  Environmental Protection Agency
FAA  Federal Aviation Administration
FAST  Fixing America's Surface Transportation Act (2015)
FHWA  Federal Highway Administration
FMCSA  Federal Motor Carrier Safety Administration
FRA  Federal Railroad Administration
FTA  Federal Transit Administration
GHSA  Governors Highway Safety Association
HMCRP  Hazardous Materials Cooperative Research Program
IEEE  Institute of Electrical and Electronics Engineers
ISTEA  Intermodal Surface Transportation Efficiency Act of 1991
ITE  Institute of Transportation Engineers
MAP-21  Moving Ahead for Progress in the 21st Century Act (2012)
NASA  National Aeronautics and Space Administration
NASAO  National Association of State Aviation Officials
NCFRP  National Cooperative Freight Research Program
NCHRP  National Cooperative Highway Research Program
NHTSA  National Highway Traffic Safety Administration
NTSB  National Transportation Safety Board
PHMSA  Pipeline and Hazardous Materials Safety Administration
RITA  Research and Innovative Technology Administration
SAE  Society of Automotive Engineers
SAFETEA-LU  Safe, Accountable, Flexible, Efficient Transportation Equity Act: A Legacy for Users (2005)
TCRP  Transit Cooperative Research Program
TDC  Transit Development Corporation
TEA-21  Transportation Equity Act for the 21st Century (1998)
TRB  Transportation Research Board
TSA  Transportation Security Administration
U.S. DOT  United States Department of Transportation

Transportation Research Board, 500 Fifth Street, NW, Washington, DC 20001. ISBN 978-0-309-09454-2

The COVID-19 pandemic is having a profound effect on every infrastructure sector in North America, including transit systems, and on the information technology and operational technology systems that are embedded in their ongoing operations.

The TRB Transit Cooperative Research Program's TCRP Synthesis 158: Cybersecurity in Transit Systems identifies and documents emerging cybersecurity trends related to teleworking/remote worker offices, contactless customer services, real-time information services, transit-on-demand services, and cyber resilience affecting transit agencies now and in the near future as a consequence of the digital acceleration stimulated by the global pandemic of 2020–2021.
