National Academies Press: OpenBook
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2023. Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs, Volume 1: Project Summary Report. Washington, DC: The National Academies Press. doi: 10.17226/27024.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

NCHRP Web-Only Document 355: Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs
Volume 1: Program Summary Report

Marisa C. Ramon
Austin T. Dodson
John P. Wolff
Joah R. Sapphire
Southwest Research Institute
San Antonio, TX

Guide for NCHRP Project 23-03
Submitted February 2022

© 2023 by the National Academy of Sciences. National Academies of Sciences, Engineering, and Medicine and the graphical logo are trademarks of the National Academy of Sciences. All rights reserved.

NATIONAL COOPERATIVE HIGHWAY RESEARCH PROGRAM

Systematic, well-designed, and implementable research is the most effective way to solve many problems facing state departments of transportation (DOTs) administrators and engineers. Often, highway problems are of local or regional interest and can best be studied by state DOTs individually or in cooperation with their state universities and others. However, the accelerating growth of highway transportation results in increasingly complex problems of wide interest to highway authorities. These problems are best studied through a coordinated program of cooperative research.

Recognizing this need, the leadership of the American Association of State Highway and Transportation Officials (AASHTO) in 1962 initiated an objective national highway research program using modern scientific techniques—the National Cooperative Highway Research Program (NCHRP). NCHRP is supported on a continuing basis by funds from participating member states of AASHTO and receives the full cooperation and support of the Federal Highway Administration (FHWA), United States Department of Transportation, under Agreement No. 693JJ31950003.
COPYRIGHT INFORMATION

Authors herein are responsible for the authenticity of their materials and for obtaining written permissions from publishers or persons who own the copyright to any previously published or copyrighted material used herein. Cooperative Research Programs (CRP) grants permission to reproduce material in this publication for classroom and not-for-profit purposes. Permission is given with the understanding that none of the material will be used to imply TRB, AASHTO, FAA, FHWA, FTA, GHSA, NHTSA, or TDC endorsement of a particular product, method, or practice. It is expected that those reproducing the material in this document for educational and not-for-profit uses will give appropriate acknowledgment of the source of any reprinted or reproduced material. For other uses of the material, request permission from CRP.

DISCLAIMER

The opinions and conclusions expressed or implied in this report are those of the researchers who performed the research. They are not necessarily those of the Transportation Research Board; the National Academies of Sciences, Engineering, and Medicine; the FHWA; or the program sponsors. The Transportation Research Board does not develop, issue, or publish standards or specifications. The Transportation Research Board manages applied research projects which provide the scientific foundation that may be used by Transportation Research Board sponsors, industry associations, or other organizations as the basis for revised practices, procedures, or specifications. The Transportation Research Board, the National Academies, and the sponsors of the National Cooperative Highway Research Program do not endorse products or manufacturers. Trade or manufacturers’ names appear herein solely because they are considered essential to the object of the report. The information contained in this document was taken directly from the submission of the author(s). This material has not been edited by TRB.

The National Academy of Sciences was established in 1863 by an Act of Congress, signed by President Lincoln, as a private, non-governmental institution to advise the nation on issues related to science and technology. Members are elected by their peers for outstanding contributions to research. Dr. Marcia McNutt is president.

The National Academy of Engineering was established in 1964 under the charter of the National Academy of Sciences to bring the practices of engineering to advising the nation. Members are elected by their peers for extraordinary contributions to engineering. Dr. John L. Anderson is president.

The National Academy of Medicine (formerly the Institute of Medicine) was established in 1970 under the charter of the National Academy of Sciences to advise the nation on medical and health issues. Members are elected by their peers for distinguished contributions to medicine and health. Dr. Victor J. Dzau is president.

The three Academies work together as the National Academies of Sciences, Engineering, and Medicine to provide independent, objective analysis and advice to the nation and conduct other activities to solve complex problems and inform public policy decisions. The National Academies also encourage education and research, recognize outstanding contributions to knowledge, and increase public understanding in matters of science, engineering, and medicine. Learn more about the National Academies of Sciences, Engineering, and Medicine at www.nationalacademies.org.

The Transportation Research Board is one of seven major programs of the National Academies of Sciences, Engineering, and Medicine. The mission of the Transportation Research Board is to provide leadership in transportation improvements and innovation through trusted, timely, impartial, and evidence-based information exchange, research, and advice regarding all modes of transportation. The Board’s varied activities annually engage about 8,000 engineers, scientists, and other transportation researchers and practitioners from the public and private sectors and academia, all of whom contribute their expertise in the public interest. The program is supported by state transportation departments, federal agencies including the component administrations of the U.S. Department of Transportation, and other organizations and individuals interested in the development of transportation. Learn more about the Transportation Research Board at www.TRB.org.

COOPERATIVE RESEARCH PROGRAMS

CRP STAFF FOR NCHRP WEB-ONLY DOCUMENT 355

Christopher J. Hedges, Director, Cooperative Research Programs
Waseem Dekelbab, Deputy Director, Cooperative Research Programs, and Manager, National Cooperative Highway Research Program
Camille Crichton-Sumners, Senior Program Officer
Mazen Alsharif, Senior Program Assistant
Natalie Barnes, Director of Publications
Heather DiAngelis, Associate Director of Publications
Jennifer J. Weeks, Publishing Projects Manager

NCHRP PROJECT 23-03 PANEL
Field of Administration—Area of Agency Administration

Xianding Tao, District Department of Transportation, Washington, DC (Chair)
Mike G. Bousliman, Montana Department of Transportation, Helena, MT
Michael Chandler, South Carolina Department of Transportation, Columbia, SC
Subasish Das, Texas State University, San Antonio, TX
Rodney R. DeLisle, New York State Department of Transportation, Albany, NY
Karl L. Kopper, California Department of Transportation (CALTRANS), Sacramento, CA
Kara A. Larsen, University of Rhode Island, Kingston, RI
Cindy L. Owings-Hutchison, Maine Department of Transportation, Augusta, ME
Jeffrey A. Rockower, New Jersey Department of Transportation, Trenton, NJ
Joseph E. Gregory, FHWA Liaison
Robert Thomas White, AASHTO Liaison

TABLE OF CONTENTS

1. SUMMARY
2. INTRODUCTION
  Project Background
  Project Goals
  Project Scope
  Project Schedule
3. SUMMARY OF TASKS
  Task 1: Identify and Summarize State Transportation Agencies’ Cybersecurity Initiatives
  Task 2: Conduct a Review of Relevant Cybersecurity Literature
  Task 3: Identify Transportation Technology and Cybersecurity Subject Matter Experts
  Task 4: Interim Report
  Task 5: Develop Transportation Cyber Risk Guidance
4. PRIORITIZED RECOMMENDATIONS FOR FUTURE RESEARCH
5. CONCLUSION

APPENDIX A TASK 1 - IDENTIFY AND SUMMARIZE STATE TRANSPORTATION AGENCIES’ CYBERSECURITY INITIATIVES
  1 Task Overview
    1.1 Task Findings
  2 USDOT Cybersecurity Initiatives
  3 Related Information
  4 Public Cybersecurity Initiatives
  5 State Cybersecurity Initiatives
    5.1 Alabama
    5.2 Alaska
    5.3 Arizona
    5.4 Arkansas
    5.5 California
    5.6 Colorado
    5.7 Connecticut
    5.8 Delaware
    5.9 Florida
    5.10 Georgia
    5.11 Hawaii
    5.12 Idaho
    5.13 Illinois
    5.14 Indiana
    5.15 Iowa
    5.16 Kansas
    5.17 Kentucky

    5.18 Louisiana
    5.19 Maine
    5.20 Maryland
    5.21 Massachusetts
    5.22 Michigan
    5.23 Minnesota
    5.24 Mississippi
    5.25 Missouri
    5.26 Montana
    5.27 Nebraska
    5.28 Nevada
    5.29 New Hampshire
    5.30 New Jersey
    5.31 New Mexico
    5.32 New York
    5.33 North Carolina
    5.34 North Dakota
    5.35 Ohio
    5.36 Oklahoma
    5.37 Oregon
    5.38 Pennsylvania
    5.39 Rhode Island
    5.40 South Carolina
    5.41 South Dakota
    5.42 Tennessee
    5.43 Texas
    5.44 Utah
    5.45 Vermont
    5.46 Virginia
    5.47 Washington
    5.48 West Virginia
    5.49 Wisconsin
    5.50 Wyoming
  6 Federal District
    6.1 District of Columbia
  7 Unincorporated Territories
    7.2 Puerto Rico
    7.3 U.S. Virgin Islands
    7.4 Guam
  8 Conclusions of Study of Initiatives

APPENDIX B TASK 2 - CONDUCT A REVIEW OF RELEVANT CYBERSECURITY LITERATURE
  1 Task Overview
    1.1 Task Findings
  2 Analysis
  3 Literature
    3.2 Standards
      3.2.1 ISO/IEC JTC 1/SC 27 – IT Security Techniques
    3.3 Capability Models and Frameworks
  4 NIST Cyber Physical Systems Framework
  5 DHS Cybersecurity Capability Maturity Model (C2M2)
  6 Center for Internet Security's (CIS) Critical Security Controls (CSC)
  7 NIST Cybersecurity Framework (CSF)
    7.1 Federal Information Processing Standards (FIPS) Publication 200
    7.2 Framework for Improving Critical Infrastructure Cybersecurity
  8 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37)
  9 Guidelines on Securing Public Web Servers (NIST SP 800-44)
  10 Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53)
  11 National Checklist Program for IT Products: Guidelines for Checklist Users and Developers (NIST SP 800-70)
  12 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171)
  13 Supply Chain Risk Management Practices for Federal Information Systems and Organizations (NIST SP 800-161)
    13.1 Best Practices and Guidance
  14 DHS Roadmap to Secure Control Systems in the Transportation Sector
  15 Transportation Industrial Control Systems (ICS) Cybersecurity Standards Strategy
  16 TSS Cybersecurity Framework Implementation Guidance
  17 TRB Guidebook on Best Practices for Airport Cybersecurity
  18 National Infrastructure Protection Plan (NIPP)
  19 APTA Cybersecurity Considerations for Public Transit
  20 Protection of Transportation Infrastructure from Cyber Attacks: A Primer
  21 Airport Cooperative Research Program Guidebook on Best Practices for Airport Cybersecurity
  22 Cybersecurity and Intelligent Transportation Systems: A Best Practice Guide
  23 NCHRP 930 - Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies
  24 Payment Card Industry (PCI) Data Security Standard (DSS) Best Practices for Securing E-commerce
  25 Institute of Transportation Engineers (ITE) Infrastructure Standards Security Assessment
    25.1 Working Groups
  26 United States Computer Emergency Readiness Team (US-CERT)
  27 Industrial Control Systems Computer Emergency Readiness Team (ICS-CERT)

28 Critical Infrastructure Partnership Advisory Council (CIPAC) .......................................................... B-17 29 Transportation System Cybersecurity Framework (TSCF) Partnership ......................................... B-18 30 Harmonization Task Groups (HTGs) ............................................................................................... B-18 30.1 HTG1 & HTG3: ITS Security and Communication Protocols .................................................... B-18 30.2 HTG2: Harmonization of US Basic Safety Message (BSM) and EU Cooperative Awareness Message (CAM) ........................................................................... B-19 30.3 HTG4/5: Infrastructure Messages ........................................................................................... B-19 30.4 HTG6: Cooperative ITS Security Policy .................................................................................... B-19 30.5 HTG7: Standards Selection, Gap Analysis, and Identifiers for Connected Vehicle (CV) architectures ..................................................................................... B-19 31 TRB Security and Emergencies Related Committees ..................................................................... B-19 31.1 Critical Transportation Infrastructure Protection Standing Committee (ID: AMR10) ............. B-20 31.2 Systems, Enterprise, and Cyber Resilience Standing Committee (ID: AMR40) ....................... B-20 31.3 United States Department of Transportation (USDOT) Related Pilot Programs and Artifacts ....................................................................................... B-21 32 National Highway Traffic Safety Administration (NHTSA) ............................................................. B-21 33 Federal Highway Administration (FHWA) ...................................................................................... 
34 Multi-State Information Sharing and Analysis Center (MS-ISAC)
35 US-CERT Critical Infrastructure Cyber Community (C3) Voluntary Program
  35.1 Nationwide Cybersecurity Review (NCSR)
  35.2 State and Local Related Programs and Artifacts
36 California Departmental Cybersecurity Policy
37 Enhancing Cybersecurity in Public Transportation – Florida
38 Colorado DOT Cyber Incident – After-Action Report
39 Maryland DOT Information Security Plan
  39.1 Other Related Technologies and Data Sources
40 Cyber security challenges in Smart Cities: Safety, Security, and Privacy
41 IoT-Enabled Highway Maintenance: Understanding Emerging Cybersecurity Threats
42 Investigating Cybersecurity Issues in Active Traffic Management Systems
43 Cyber Risk and Insurance for Transportation Infrastructure
44 Reliance on Technology and the Increased Cybersecurity Vulnerabilities It Poses to Our Transportation Industry
45 Cybersecurity in Intelligent Transportation Systems
46 Protection of Transportation Infrastructure from Cyber Attacks: A Primer
47 Intelligent Transportation System Security: Hacked Message Signs 11-01-02-0004
48 OT Security Best Practices

APPENDIX C TASK 3 - IDENTIFY TRANSPORTATION TECHNOLOGY AND CYBERSECURITY SUBJECT MATTER EXPERTS
1 Task Overview
  1.1 Task Findings
2 Information Security Practitioners
  2.1 Tom Alongi, Senior Network Engineer, Coranet

  2.2 Thomas Amato, Enterprise Technology Manager, Oregon DOT
  2.3 Johnny Olson, Colorado Director of Transportation and Operations, Horrocks Engineers
  2.4 Steven Humphrey, Senior Project Manager, Muller Engineering
  2.5 Alec Birmingham, Security Engineer, Iowa DOT
  2.6 Matt Boell, Security Engineer, Iowa DOT
  2.7 Nick Moore, Security Engineer, Iowa DOT
  2.8 Travis Olson, Security Engineer, Iowa DOT
  2.9 Kevin Hartman, CTO, Ohio DOT Division of IT
  2.10 Simon Herring, Security Operations Lead, Ohio DOT Division of IT
  2.11 Devin Townsend, Nebraska Department of Transportation, Chief Technology Officer/Director of IT, Nebraska
  2.12 Michael Chandler, Chief Information Security Officer (CISO) South Carolina DOT
  2.13 Thomas Branham, Cyber Security & Privacy Officer, Arizona DOT
  2.14 Charles Brown, IT Security Analyst, Arkansas DOT
  2.15 Ben Cohen, CIO, Mississippi DOT
3 Transportation Practitioners
  3.1 Carolyn Morehouse, Chief Engineer, Design and Engineering Services, Alaska
  3.2 Corey Coulam, Utah Department of Transportation, Control Room Manager, Utah
  3.3 James Sullivan, State Traffic Engineer, Mississippi DOT
4 Academics & Researchers
  4.1 Dr. Sanjay Goel, Professor of Information Security and Digital Forensics, University at Albany
  4.2 Steve Johnson, HNTB Corp., Connected Vehicle Pilot Program Management Lead
  4.3 Dr. Richard White, Tennessee Department of Transportation, Cybersecurity Architect, Tennessee
5 Operation Technology Practitioners
  5.1 Murali Rao, Virginia Department of Transportation, Chief Information Officer, Virginia
  5.2 Chrissie Collins, FMS/AMS Specialist IV Florida DOT
  5.3 Steven Pryor, CISO, TxDOT
  5.4 Tom Booth, Principal/Solutions Architect, GTS Solutions, Inc.
  5.5 Andrew Green, Information Security Officer, Virginia DOT
  5.6 Dave Anderson, Director of Network and Cybersecurity, Iowa DOT
  5.7 Chris Pelton, Engineer, Iowa DOT
  5.8 Jerry Groom, Security Engineer, Iowa DOT
  5.9 Rick Tiene, VP Business Development, Government & Critical Infrastructure, Mission Secure Inc.

APPENDIX D REFERENCES

LIST OF FIGURES
Figure 1. Cybersecurity Initiatives Identified
Figure 2. Seven Cybersecurity Initiative Knowledge Categories
Figure 3. Framework Implementation Tiers
Figure 4. NIPP Risk Management Framework and Data Flow [39]


Chief executive leadership of transportation agencies has placed substantial emphasis on protecting IT systems against cyber threats. Less focus has been devoted to the risks to operational technology (OT) and equipment, or to protecting transportation business operations.

The TRB National Cooperative Highway Research Program's NCHRP Web-Only Document 355: Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs seeks to mitigate that imbalance, especially as physical OT assets become increasingly connected through electronic networks and managed remotely by software. Volume 1, Project Summary Report provides details of the research project that developed the Transportation Cyber Risk Guide, which is found in NCHRP Web-Only Document 355: Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs, Volume 2.

Supplemental to the document is a presentation of an overview of the research.
