National Academies Press: OpenBook

Cybersecurity in Transit Systems (2022)

Chapter: References and Bibliography

Suggested Citation:"References and Bibliography." National Academies of Sciences, Engineering, and Medicine. 2022. Cybersecurity in Transit Systems. Washington, DC: The National Academies Press. doi: 10.17226/26475.

References and Bibliography

AASHTO. Understanding Transportation Resilience: A 2016–2018 Roadmap. American Association of State Highway and Transportation Officials, Washington D.C., 2017. https://transportationops.org/publications/understanding-transportation-resilience-2016–2018-roadmap.

Accenture. All Aboard! How Hackers Are Moving in on the Transit Sector. Accenture Blog, June 22, 2020. Available online at https://www.accenture.com/us-en/blogs/cyber-defense/hackers-moving-in-on-transit-sector.

Accenture IDefense. 2020 Cyber Threatscape Report.

AIG. How to Achieve Cyber Resilience in 7 Steps. AIG, New York, n.d. Available online at https://www.aig.com/content/dam/aig/america-canada/us/documents/insights/steps-to-cyber-resilience-final.pdf.

APTA. Recommended Practice: Securing Control and Communications Systems in Rail Transit Environment, Part 2: Defining a Security Zone Architecture for Rail Transit and Protecting Critical Zones, 2013.

APTA. Cybersecurity Considerations for Public Transit. APTA SS-ECS-RP-001-14. American Public Transportation Association, Washington, D.C., 2014. Available online at https://www.apta.com/wp-content/uploads/Standards_Documents/APTA-SS-ECS-RP-001-14-RP.pdf.

Arghire, Ionut. Railroad Construction Firm RailWorks Falls Victim to Ransomware. SecurityWeek, March 2, 2020. Wired Business Media, Boston, MA. Available online at https://www.securityweek.com/railroad-construction-firm-railworks-falls-victim-ransomware.

Arghire, Ionut. Microsoft Warns of Attacks on Aerospace, Travel Sectors. SecurityWeek, May 13, 2021. Wired Business Media, Boston, MA. Available online at https://www.securityweek.com/microsoft-warns-attacks-aerospace-travel-sectors.

Barbeau, Sean J., Jay Ligatti, Kevin Dennis, and Maxat Alibayev. Enhancing Cybersecurity in Public Transportation. National Center for Transit Research, Center for Urban Transportation Research, Tampa, FL, 2019. Available online at https://www.cutr.usf.edu/enhancingcybersecurity/.

Barnes, Shannon, and C. Schumacher. The NIST Framework High Value for ITS. Presentation given September 2015.

Belcher, Scott, and Terri Belcher, Eric Greenwald, and Brandon Thomas. Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendations to Enhance Surface Transit Cyber Preparedness. Mineta Transportation Institute, San Jose, CA, 2020. Available online at https://transweb.sjsu.edu/research/1939-Transit-Industry-Cyber-Preparedness.

Bing, Christopher, and Joseph Menn. U.S. Government Probes VPN Hack within Federal Agencies, Races to Find Clues. Reuters, April 29, 2021. Available online at https://www.reuters.com/technology/us-government-probes-vpn-hack-within-federal-agencies-races-find-clues-2021-04-29/.

Bragdon, B. Pandemic Impact Report: Security Leaders Weigh In. CSO, April 1, 2020. IDG Communications, Needham, MA. Available online at https://www.csoonline.com/article/3535195/pandemic-impact-report-security-leaders-weigh-in.html.

Bricata. 10 Statistics That Summarize the State of Cybersecurity in Financial Services. Security Boulevard, November 12, 2019. MediaOps, Boca Raton, FL.

Chandler, Kevin, Pamela Sutherland, and Donald Eldredge. Sensitive Security Information (SSI): Designation, Markings, and Control, Resource Document for Transit Agencies. Office of Safety and Security, Federal Transit Administration, Washington, D.C., March 2009. Available at: https://www.transit.dot/oversight-policy-areas/sensitive-security-information-ssi-designation-markings-and-control-march.

Cherrington, Geoffrey A. Review of Cybersecurity Requirements in WMATA’s Procurements (OIG 19-08). WMATA Office of the Inspector General, Washington, D.C., 2019. Available online at https://www.wmata.com/about/inspector-general/upload/19-08-Cybersecurity-Requirements-in-WMATA-s-Procurements.pdf.

Ching, TM. 5 Key Trends That Will Impact Cyber Security in 2021. DXC on Security, January 8, 2021. DXC Technology, Tyson, VA. Available online at https://blogs.dxc.technology/2021/01/08/5-key-trends-that-will-impact-cyber-security-in-2021/.

CISA. Transportation Systems Sector Cybersecurity Framework Implementation Guidance. Prepared June 26, 2015. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA). Available online at https://www.cisa.gov/sites/default/files/publications/tss-cybersecurity-framework-implementation-guide-2016-508v2_0.pdf.

CISA. MS-ISAC Ransomware Guide. Prepared September 2020. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA). Available online at https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf.

CISA. Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), 2021a. Available online at https://us-cert.cisa.gov/remediating-apt-compromised-networks.

CISA. Analysis Report AR21-013A: Strengthening Security Configurations to Defend against Attackers Targeting Cloud Services. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), 2021b. Available online at https://us-cert.cisa.gov/ncas/analysis-reports/ar21-013.

CISA. Assessments: Cyber Resilience Review (CRR). Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) webpage, n.d. https://us-cert.cisa.gov/resources/assessments.

Countermeasures Assessment & Security Experts, LLC, and Western Management and Consulting, LLC. TCRP Web-Only Document 67 and NCHRP Web-Only Document 221: Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Transportation Research Board, Washington, D.C., 2016. https://doi.org/10.17226/23516.

Countermeasures Assessment & Security Experts, LLC, and Western Management and Consulting, LLC. NCHRP Research Report 930: Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Transportation Research Board, Washington, D.C., 2020. Accessed June 2021.

CRS, 2012. Critical Infrastructure Resilience: The Evolution of Policy and Programs and Issues for Congress. Report R42683. Congressional Research Service. Washington, D.C., 2012. https://fas.org/sgp/crs/homesec/R42683.pdf.

Cucuel, Kevin. How States Should Think about Cyberinsurance. StateTech, June 25, 2020. CDW Inc. Vernon Hills, IL. Available online at https://statetechmagazine.com/article/2020/06/how-states-should-think-about-cyberinsurance.

Cyberseek U.S. National Initiative for Cybersecurity Education (NICE). National Institute of Standards Grant #60NANB19D124, 2021. Available online at https://www.cyberseek.org/heatmap.html.

Day, Greg. Where Should the CISO Sit in the Leadership Team? IDG Connect Opinion, Published on IDGconnect.com October 18, 2018. International Data Group (IDG), Middlesex, UK.

DHS. Cyber Resilience and Response. Department of Homeland Security. Washington, D.C., 2018. https://www.dhs.gov/sites/default/files/publications/2018_AEP_Cyber_Resilience_and_Response.pdf.

Dorney, C., M. Flood, T. Grose, P. Hammond, M. Meyer, R. Miller, E. R. Frazier Sr., J. L. Western, Y. J. Nakanishi, P. M. Auza, and J. Betak. NCHRP Research Report 970: Mainstreaming System Resilience Concepts into Transportation Agencies: A Guide. Transportation Research Board, Washington, D.C., 2021. https://doi.org/10.17226/26125.

Drinkwater, Doug. Does a Data Breach Really Affect Your Firm’s Reputation? CSO, January 7, 2016. Available online at https://www.csoonline.com/article/3019283/does-a-data-breach-really-affect-your-firm-s-reputation.html.

ENO Center for Transportation. Webinar: Transit Innovation in the Time of COVID. Presented on August 4, 2020. Available online at https://www.enotrans.org/event/webinar-transit-innovation-in-the-time-of-covid/.

Fearn, Nicolas. Double Extortion Ransomware Attacks and How to Stop Them. ComputerWeekly.com, August 27, 2020. TechTarget, Atlanta GA. Available online at https://www.computerweekly.com/feature/Double-extortion-ransomware-attacks-and-how-to-stop-them.

FBI. 2020 Internet Crime Report. Internet Crime Complaint Center, Federal Bureau of Investigation, Washington, D.C., 2021. Available online at https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf.

Finkle, Jim. San Francisco Public Transit System Hit in Ransomware Attack. Reuters, November 28, 2016. Thomson Reuters, Toronto, Canada. Available online at https://www.reuters.com/article/us-california-cyber/san-francisco-public-transit-system-hit-in-ransomware-attack-idUSKBN13N1LN.

FireEye and Mandiant. M-Trends Report 2020. FireEye, Milpitas, CA, 2020. Available online at https://content.fireeye.com/m-trends/rpt-m-trends-2020.

FireEye and Mandiant. M-Trends Report 2021. FireEye, Milpitas, CA, 2021. Available online at https://content.fireeye.com/m-trends/rpt-m-trends-2021.

Fletcher, D. R., and D. S. Ekern. NCHRP Research Report 975: Transportation System Resilience: Research Roadmap and White Papers. Transportation Research Board, Washington, D.C., 2021. https://doi.org/10.17226/26160. Accessed May 10, 2021.

Forbes. Forbes Insights Fallout: The Reputational Impact of IT Risk. New York, 2014. Available online at https://images.forbes.com/forbesinsights/StudyPDFs/IBM_Reputational_IT_Risk_REPORT.pdf.

Forbes. The Economics of IT Risk and Reputation: What Business Continuity and IT Security Really Mean to Your Organization, Forbes. September 2013.

Fortinet. Independent Study Pinpoints Significant SCADA/ICS Security Risks. January 2019.

Freed, Benjamin. What Colorado Learned from Treating a Cyberattack Like a Disaster. StateScoop, May 15, 2019. SNG (Scoop News Group), Washington, D.C. https://statescoop.com/what-colorado-learned-from-treating-a-cyberattack-like-a-disaster/.

Friedman, Allan. Moving toward a More Transparent Software Supply Chain. U.S. Department of Commerce, National Telecommunications and Information Administration, September 30, 2019. Available online at https://www.ntia.doc.gov/blog/2019/moving-toward-more-transparent-software-supply-chain.

Garcia, Mike, Matt Oyer, and Meredith Ward. Buyer Be Aware: Integrating Cybersecurity into the Acquisition Process. Center for Internet Security, National Association of State Procurement Officials, and National Association of State Chief Information Officers, Washington D.C., 2021. Available online at https://www.nascio.org/wp-content/uploads/2021/04/NASCIO_NASPO_CIS_CybersecurityAquisition_2021.pdf.

Gill, Jessie. Personal Interview, August 14, 2020.

Goldbaum, Christina, and William K. Rashbaum. The M.T.A. Is Breached by Hackers as Cyberattacks Surge. New York Times, June 2, 2021. Available online at https://www.nytimes.com/2021/06/02/nyregion/mta-cyber-attack.html.

Gostomelsky, Vlad. Securing Railroads from Cyberattacks, Mass Transit Magazine, December 17, 2019. Available online at https://www.masstransitmag.com/safety-security/article/21116419/securing-the-railroads-from-cyberattacks.

Hathaway, Matthew. Software Supply Chain Attacks: From Formjacking to Third-Party Code Changes. Imperva Blog, posted on January 6, 2021. Imperva, San Mateo, CA. Available online at https://www.imperva.com/blog/software-supply-chain-attacks-from-formjacking-to-third-party-code-changes/.

Healthcare and Public Health Sector Coordinating Councils. Health Industry Cybersecurity Supply Chain Risk Management Guide v2.0, 2020. Available online at https://healthsectorcouncil.org/hic-scrim-v2/.

IBM. Research Insights: COVID-19 Cyberwar Report. IBM Institute for Business Value, Armonk, N.Y., 2020. Available online at https://www.ibm.com/thought-leadership/institute-business-value/report/covid-19-cyberwar.

IBM and Ponemon. Cost of a Data Breach Report 2020. IBM Security, Armonk, N.Y., 2020. Available online at https://www.ibm.com/uk-en/security/data-breach.

IBM and Ponemon. Cost of a Data Breach Report 2021. IBM Security, Armonk, N.Y., 2021. Available online at https://www.ibm.com/uk-en/security/data-breach.

iDefense Security Intelligence Services. Threat Actor “SHERIFF” Advertises Access to Networks of Undisclosed IT Services Provider. April 7, 2020.

Infocyte. Public Transportation Case Study. n.d. Available online at https://www.infocyte.com/case-studies/transportation-mass-transit/.

International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). ISO/IEC 27001 Information Security Management, ISO, Geneva, Switzerland, 2018.

Interpol. COVID-19 Cybercrime Analysis Report. Lyon, France, 2020. Available online at https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19.

Irwin, Luke. The Cyber Security Risks of Working from Home. IT Governance, May 5, 2021. ItGovernance, Ely UK. Available online at https://www.itgovernance.co.uk/blog/the-cyber-security-risks-of-working-from-home.

ISACA. State of Cybersecurity Report 2020. ISACA, Schaumburg, IL, 2020. Available online at https://www.isaca.org/go/state-of-cybersecurity-2020.

ItGovernance. Top 5 Remote Working Cyber Security Risks. ItGovernance, Ely, UK, n.d. Available online at https://www.itgovernance.co.uk/top-5-remote-working-cyber-security-tips-infographic.

Johnston, Simon. Staying Safe in a Digital World. Tramways and Urban Transit Magazine, March 7, 2018. Light Rail Transit Association, Westlyn Garden City, U.K. Available online at http://www.tautonline.com/staying-safe-digital-world/.

Kaspersky. Advanced Threat Predictions for 2020. Kaspersky Security Bulletin, November 20, 2019. SecureList, Kaspersky, Moscow, Russia. Available online at https://www.kaspersky.com/about/press-releases/2019_advanced-persistent-threats-in-2020-abuse-of-personal-information-and-more-sophisticated-attacks-are-coming.

Kaspersky. Advanced Threat Predictions for 2021. Kaspersky Security Bulletin, November 19, 2020. SecureList, Kaspersky, Moscow, Russia. Available online at https://securelist.com/apt-predictions-for-2021/99387/.

Kent, Karen, and Murugiah Souppaya. Guide to Computer Security Log Management SP 800-92. National Institute of Standards and Technology (NIST), Gaithersburg, MD, 2006.

Kerman, Alper. Zero Trust Cybersecurity: “Never Trust, Always Verify.” Taking Measure Blog, posted on October 28, 2020. NIST, Gaithersburg, MD. Available online at https://www.nist.gov/blogs/taking-measure/zero-trust-cybersecurity-never-trust-always-verify.

Lacewell, Linda. 2021. Insurance Circular Letter No. 2 Re: Cyber Insurance Risk Framework. New York Department of Financial Services. Issued February 4, 2021. Available at https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_02.

Levy, E. The Making of a Spam Zombie Army. Dissecting the Sobig Worms. IEEE Security and Privacy, vol. 99, no. 4, 2003, pp. 58–59.

Lewis, Joolz, S. Shimpi, S. Grant, and K. Chokshi. Post COVID-19—Will Most Jobs Become Location Agnostic! Webinar held on June 18, 2020. BuildMyTeam, Talent Anywhere, London, U.K. Available online at https://buildmyteam.co/future-of-work/post-covid19-will-most-jobs-become-location-agnostic.

Loffredo, Mathew J. U.S. Cyber Intelligence Warning Highlights Security Threat From Nation-Sponsored Advanced Persistent Threats (APTs)—Part 1 and Part 2. The Firewall: Emerging Issues in Privacy and Cybersecurity Law, June 11, 2020. Privacy and Data Security Group, Dykema, Washington, D.C. Available online at https://www.thefirewall-blog.com/2020/06/u-s-cyber-intelligence-warning-highlights-security-threat-from-nation-sponsored-advanced-persistent-threats-apts-part-1/, and at https://www.thefirewall-blog.com/2020/06/u-s-cyber-intelligence-warning-highlights-security-threat-from-nation-sponsored-advanced-persistent-threats-apts-part-2/.

Madej, Patricia, 2021. SEPTA Was Attacked by Ransomware, Sources Say. It’s Still Restoring Operations Stifled Since August. The Philadelphia Inquirer, June 10, 2021. The Philadelphia Inquirer, PBC, Philadelphia PA. Available online at https://www.inquirer.com/transportation/septa-malware-attack-ransomware-fbi-employees-cybersecurity-20201007.html.

Malo, Kyle. Personal Interview. August 7, 2020.

MARTA. Control System Security. 2013. Presentation given during a Transportation Research Board Cybersecurity Subcommittee Meeting on October 16, 2013.

Mell, P.M., and T. Grance. The NIST Definition of Cloud Computing Special Publication 800-145. National Institute of Standards and Technology, Gaithersburg, MD, 2011. Available online at https://doi.org/10.6028/NIST.SP.800-145.

Miller, Maggie. FBI Sees Spike in Cyber Crime Reports during Coronavirus Pandemic. The Hill, April 16, 2020. Available online at https://thehill.com/policy/cybersecurity/493198-fbi-sees-spike-in-cyber-crime-reports-during-coronavirus-pandemic.

Murray, Lance. DART Begins the Search for Its First Chief Innovation Officer. Dallas Innovates, May 15, 2019. Dallas Regional Chamber of Commerce and D Magazine Partners, Dallas, TX. Available online at https://dallasinnovates.com/dart-begins-search-for-its-first-chief-innovation-officer/.

Mutune, George. Work-from-Home Cyber Risks. Cyberexperts Blog, n.d. Available online at https://cyberexperts.com/work-from-home-cyber-risks.

Neipow, Daniel. Railroads Focus on Cybersecurity Threats Created—Often Unintentionally—By Employees, Software Vendors. Progressive Railroading Magazine, June 2015. TradePress Media Group, Milwaukee, WI. Available online at https://www.progressiverailroading.com/rail_industry_trends/article.aspx?id=48474.

Neveux, Ellen. Reputation Risks: How Cyberattacks Affect Consumer Perception. SecureLink Blog, July 2, 2020. Available online at https://www.securelink.com/blog/reputation-risks-how-cyberattacks-affect-consumer-perception/.

New Jersey Transit. NJ Transit Recognized for Cyber Security Safeguards of Customer Data, September 14, 2020. Available online at https://www.masstransitmag.com/safety-security/press-release/21154086/new-jersey-transit-nj-transit-nj-transit-recognized-for-cyber-security-safeguards-of-customer-data.

Nigro, Pam. Cybersecurity Governance: A Path to Cyber Maturity. Searchsecurity.com, September 23, 2020. TechTarget, Newton, MA.

NIST. Managing Information Security Risk, SP 800-39. National Institute of Standards and Technology, Gaithersburg, MD, 2011. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf.

NIST. Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53 Rev 4. National Institute of Standards and Technology, Gaithersburg, MD, 2014. https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final.

NIST. Guide to Industrial Control Systems (ICS) Security, SP 800-82 Rev. 2. National Institute of Standards and Technology, Gaithersburg, MD, 2015. https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final.

NIST. Digital Identity Guidelines, Enrollment and Identity Proofing, Authentication and Lifecycle Management, and Federation and Assertions, Special Publication 800-63. National Institute of Standards and Technology, Gaithersburg, MD, 2017, updated 2020. https://csrc.nist.gov/publications/detail/sp/800-63/3/final.

NIST. Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems. Draft NIST Special Publication 800-160 Volume 2. National Institute of Standards and Technology, Gaithersburg, MD, 2018a. https://csrc.nist.gov/CSRC/media/Publications/sp/800-160/vol-2/draft/documents/sp800-160-vol2-draft.pdf.

NIST. Cybersecurity Framework Version 1.1. National Institute of Standards and Technology, Gaithersburg, MD, 2018b. https://www.nist.gov/cyberframework/framework.

NIST. General Access Control Guidance for Cloud Systems, Special Publication 800-210. National Institute of Standards and Technology, Gaithersburg, MD, 2020a. Available online at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-210.pdf.

NIST. Zero-Trust Architecture, SP 800-207. National Institute of Standards and Technology, Gaithersburg, MD, 2020b. https://csrc.nist.gov/publications/detail/sp/800-207/final.

Norwood, Candice. Chinese Rail Cars Spark Concern Over Cybersecurity. Government Technology, March 19, 2019. e.Republic, Folsom, CA. Available online at https://www.govtech.com/security/chinese-rail-cars-spark-concern-over-cybersecurity.html.

Oberby, Stephanie. It’s Time for CISOs to Become True C-Suite Business Leaders. SecurityRoundtable.org, Palo Alto Networks, Inc., Santa Clara, CA, n.d.

Oberby, Stephanie. What’s the Best Reporting Structure for the CISO? SecurityRoundtable.org, Palo Alto Networks, Inc., Santa Clara, CA, n.d.

Palmer, Danny. Ransomware as a Service Is the New Big Problem for Business. ZDNet, March 4, 2021. Reid Ventures, Berlin, Germany. Available online at https://www.zdnet.com/article/ransomware-as-a-service-is-the-new-big-problem-for-business/.

Pliatsios, D., P. Sarigiannidis, T. Lagkas, and A. G. Sarigiannidis. A Survey on SCADA Systems: Secure Protocols, Incidents, Threats and Tactics. IEEE Communications Surveys and Tutorials, 2020, pp. 1–1.

Perez, Dan, S. Jones, G. Wood, and S. Eckels. Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. FireEye Threat Research, April 20, 2021. FireEye, Milpitas, CA. Available online at https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html.

Ponemon. The Aftermath of a Data Breach: Consumer Sentiment. Ponemon Institute, Trevose City, MI, 2014. Available online at https://www.ponemon.org/local/upload/file/Consumer%20Study%20on%20Aftermath%20of%20a%20Breach%20FINAL%202.pdf.

Progressive Railroading. San Francisco’s Muni Attacked by “Ransomware” Hacker. Rail News: Security, November 29, 2016. TradePress News, Milwaukee, WI. Available online at https://www.progressiverailroading.com/security/article/San-Franciscos-Muni-attacked-by-ransomware-hacker--50158.

PwC. Global Digital Trust Insights Survey, 2021: Cybersecurity Comes of Age. PwC Research, New York, 2021. Available online at https://www.pwc.com/us/en/services/consulting/cybersecurity/library/assets/pwc-2021-global-digital-trust-insights.pdf ust-insights.html.

Rahn, Pete K. Maryland Department of Transportation Cybersecurity Resilience. Presentation given at 2018 Transportation RISE Conference, Denver, CO.

Sanger, David E., David Barboza, and Nicole Perlroth. Chinese Army Unit Is Seen as Tied to Hacking against U.S. New York Times, February 18, 2013. Available online at https://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html.

Sears, Tara. Pulse Secure VPNs Get a Fix for Critical Zero-Day Bugs. ThreatPost, May 4, 2021. ThreatPost Security News, Woburn, MA. Available online at https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/.

Shanley, Todd. Experience and Lessons Learned from Social Engineering Attack at Cabarrus County, NC. Presentation at Transportation Research Board Cybersecurity Subcommittee [AMR40 (1)] on February 17, 2021.

Shavell. Employee Vulnerability to Social Engineering Remains a Key Threat to Government. StateTech, May 17, 2021. CDW LLC, Vernon Hills, MI. Available online at https://statetechmagazine.com/article/2021/05/employee-vulnerability-social-engineering-remains-key-threat-government.

Smith, Max. Why Metro Is Trying to Hack into Its Own Railcars, WTOP News, March 15, 2019. WTOP, Hubbard News, Washington, D.C. Available online at https://wtop.com/tracking-metro-24-7/2019/03/why-metro-is-trying-to-hack-into-its-own-railcars/.

SolarWinds. Public Sector Cybersecurity Survey Report. SolarWinds Government, February 2020. Austin, TX. Available online at https://www.solarwinds.com/resources/survey/solarwinds-public-sector-cybersecurity-survey-report-2020.

Subramanian, Srini, and Meredith Ward. 2020 Deloitte-NASCIO Cybersecurity Study. Deloitte Insights and National Association of State Chief Information Officers (NASCIO), Washington, D.C., 2020. Available online at https://www.nascio.org/wp-content/uploads/2020/10/2020-Deloitte-NASCIO-Cybersecurity-Study-1.pdf.

Sylte, Allison, and Marshall Zelinger. 2 Iranian Hackers Indicted for Ransomware Attack on CDOT, Other Agencies. 9News KUSA/KTVD, Denver, CO, 2018. Available online at https://www.9news.com/article/entertainment/television/programs/next-with-kyle-clark/2-iranian-hackers-indicted-for-ransomware-attack-on-cdot-other-agencies/73-618526853.

Tapper, Jake. White House Officials Tricked by Email Prankster. CNN Politics, CNN, Atlanta, GA, 2017. Available online at https://www.cnn.com/2017/07/31/politics/white-house-officials-tricked-by-email-prankster/index.html.

TSA. TSA Sensitive Security Information Stakeholder Best Practices Quick Reference Guide. N.D. Available at https://www.tsa.gov/sites/default/files/ssi_best_practices_guide_for_non-dhs_employees.pdf.

U.S. Department of Energy. Cybersecurity Capability Maturity Model (C2M2) Version 2.0. Department of Homeland Security, Department of Energy, and Carnegie Mellon University, Washington, D.C., 2019.

U.S. Department of Health and Human Services. Cybersecurity Maturity Models. HHS Cybersecurity Program, presentation given on August 6, 2020. Available online at https://www.hhs.gov/sites/default/files/cybersecurity-maturity-model.pdf.

U.S. Treasury. Financial Trend Analysis, Financial Crimes Enforcement Network (FinCEN), July 2019. Available at https://www.fincen.gov/sites/default/files/shared/FinCEN_Financial_Trend_Analysis_FINAL_508.pdf.

Velocity Smart. Smart Technology Market Research Report. Velocity, London, U.K., 2021. Available online at https://www.velocity-smart.com/en-gb/velocity-smart-technology-market-research-report-2021.

Wade, Christian M. Cyber Threats Rise amid Chaos Resulting from Pandemic. Government Technology, April 26, 2021. Available online at https://www.govtech.com/security/cyber-threats-rise-amid-chaos-pandemic?utm_term=Cyber%20Threats%20Rise%20Amid%20Chaos%20Resulting%20from%20Pandemic&utm_campaign=Oklahoma%20CISO%20On%20Revamping%20the%20State%5Cu2019s%20Defense%20Strategy&utm_content=email&utm_source=Act-On+Software&utm_medium=email.

Wanek-Libman, Mischa. TransLink, STM Experienced Cyber Attacks This Fall. Mass Transit Magazine, December 11, 2020. Available online at https://www.masstransitmag.com/safety-security/article/21202091/translink-stm-experienced-cyber-attacks-this-fall.

WEF. Risk and Responsibility in a Hyperconnected World—Pathways to Global Cyber Resilience. World Economic Forum, Geneva, Switzerland, 2014. http://www3.weforum.org/docs/WEF_RiskResponsibility_HyperconnectedWorld_Report_2014.pdf.

WEF. Advancing Cyber Resilience—Principles and Tools for Boards. World Economic Forum, Geneva, Switzerland, 2017. http://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf.

The White House. Executive Order 14028 on Improving the Nation’s Cybersecurity. Washington, D.C., 2021. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

The White House. National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, Issued July 28, 2021. Available at https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/.

WhoisXML. Moving from the Castle-and-Moat to the Zero-Trust Model. Circle ID, November 12, 2019. Iomemo Inc., Vancouver, BC, Canada. Available online at https://www.circleid.com/posts/20191112_moving_from_the_castle_and_moat_to_the_zero_trust_model/.

Willis, Michael. Colorado DOT Offers Lessons Learned after Recovering from Two 2018 Ransomware Attacks. CDOT Cyber Incident After-Action Report, U.S. Department of Transportation, Office of the Assistant Secretary for Research and Technology, Washington, D.C. Posted online January 28, 2019. https://www.itskrs.its.dot.gov/its/benecost.nsf/ID/182bf1869996a8578525838c0070b645.

Zorz, Zeljka. The Percentage of Open Source Code in Proprietary Apps Is Rising. Help Net Security, May 22, 2018. https://www.helpnetsecurity.com/2018/05/22/open-source-code-security-risk/.


The COVID-19 pandemic is having a profound effect on every infrastructure sector in North America, including transit systems, and on the information technology and operational technology systems that are embedded in their ongoing operations.

The TRB Transit Cooperative Research Program's TCRP Synthesis 158: Cybersecurity in Transit Systems identifies and documents emerging cybersecurity trends related to teleworking/remote worker offices, contactless customer services, real-time information services, transit-on-demand services, and cyber resilience affecting transit agencies now and in the near future as a consequence of the digital acceleration stimulated by the global pandemic of 2020–2021.
