3. SUMMARY OF TASKS

The following sections summarize the tasks performed and the resulting deliverables from those tasks.

Task 1: Identify and Summarize State Transportation Agencies' Cybersecurity Initiatives

Task 1 summarizes our research into the current state of practice of relevant cybersecurity initiatives among state transportation agencies. This information has informed, and will continue to inform, our ongoing research and the development of project deliverables and resulting guidelines. It will also improve state transportation agency leadership's understanding of common cybersecurity concerns, barriers, lessons learned, and successful strategies in today's day-to-day operations. The objective of Task 1 is to inform readers of:

• The current state of cybersecurity initiatives and management strategies deployed by state transportation agencies
• How these initiatives address operational and technological needs with respect to barriers, opportunities, lessons learned, and successful practices pertaining to OT cybersecurity

To complete the Task, we conducted three complementary research activities.
First, we examined publicly available information, such as policies published on official Department of Transportation (DOT) websites, to research and review each state's current cybersecurity initiatives and gain a breadth of awareness of current activities. This review included the USDOT policies and guidance pertaining to cybersecurity, as well as all 50 states plus Washington, D.C. and the U.S. territories. Second, to examine the work of several states in greater detail, we interviewed 18 staff representing 14 states to learn how existing initiatives and management strategies were meeting state transportation agencies' needs pertaining to OT cybersecurity. The staff interviewed were selected based on their involvement in the security of their respective DOTs and included DOT Chief Information Security Officers (CISOs), Information Security Managers (ISMs), and other DOT cybersecurity leadership. Each was interviewed according to the questionnaire shown in section 1.1 of this document, which includes six categories of questions based upon the National Institute of Standards and Technology (NIST) cybersecurity framework and an additional "Value" category as a way of seeing the agency's work in measuring value loss from cyber-attacks. Third, we analyzed our research findings and assessed the state cybersecurity initiatives according to how they address OT and IT-related needs with respect to barriers, opportunities, lessons learned, and successful practices. We then documented and summarized our findings in a report located in Appendix A.

Through our analysis, our research team identified 11 areas of current state transportation agency initiatives related to cybersecurity. However, we also observed that these initiatives were focused primarily on IT. While many IT-focused cybersecurity initiatives had applications to OT, many others did not. Aside from a few individuals who understood the importance and needs of OT cybersecurity separately from those of IT, very few states featured explicit initiatives examining the cybersecurity needs of OT.
The 11 common categories of initiatives related to cybersecurity being undertaken by state DOTs are depicted in Figure 1.
Figure 1. Cybersecurity Initiatives Identified (figure labels: Identify, Protect, Detect, Respond, Recover, Other Mandates, Value)

These common initiative categories, as observed by the research team, intend to secure systems as more devices that were previously unnetworked are connected to their own or to the larger DOT network. As technology has advanced more rapidly than procedures, DOT adoption of cybersecurity initiatives in both IT and OT has been defensive and reactive rather than proactive. This is evident in that many states typically implemented a cybersecurity policy or initiative in direct reaction to an attack on another state DOT, a government organization, or their own agency. We also observed that virtually all states lacked a formal method or process for quantifying or communicating the risk of an adverse cybersecurity event, further underscoring their generally reactive approach to cybersecurity readiness. Without the means to understand how an attack on a certain device will affect their DOT, many states cannot make a convincing argument for proactive initiatives.
In order to gain more information about the state DOTs' cybersecurity initiatives, we chose to interview executives and senior-level members of the DOTs. We proposed seven categories of questions (as shown in Figure 2) based upon the NIST cybersecurity framework and added an additional "Value" category as a way of seeing the agency's work in measuring value loss from cyber-attacks.

Figure 2. Seven Cybersecurity Initiative Knowledge Categories

Within the 11 categories of cybersecurity initiatives denoted in Figure 1, we found that some states were more advanced than others with respect to the level of maturity and sophistication of their cybersecurity practices, development, and implementation. We observed that key barriers pertained to the extent to which each state's application of its cybersecurity efforts was limited to IT or extended to OT. For example, we found that many DOTs perform robust penetration testing and auditing at regular intervals for IT assets, but do not apply these same procedures to their OT. We observed other differences in the reach of state DOT training programs. Often, states required all employees to receive yearly cybersecurity training, but neither the training nor its requirement extended to contractors interfacing with OT equipment. Each of these areas demonstrates both barriers and opportunities facing DOTs in dealing with cybersecurity initiatives. Based on the initiatives identified, in general, most DOTs have successful practices pertaining to the implementation of cybersecurity at the IT level. Each DOT interviewed had statewide initiatives for annual cybersecurity training and penetration tests/audits, maintained policy documents they could easily find, and implemented some form of vulnerability management.
In discussion with DOTs, it was noted that these successful practices came from lessons learned, such as discussions with other DOTs, monitoring cybersecurity events in adjacent critical infrastructure sectors, and adaptation of policies and procedures in accordance with cybersecurity standards and best practices. As for endpoint security, each DOT noted that they lacked any current OT-specific security programs unless those devices were connected to the traditional IT enterprise network. Only in the context of the IT network could OT devices benefit from the firewalls and vulnerability scans afforded to IT devices. However, we did find that user security was properly implemented, with each DOT detailing policies for access management and data governance.

Task 2: Conduct a Review of Relevant Cybersecurity Literature

In Task 2, the research team summarized transportation-relevant cybersecurity research and related industry literature. The literature highlighted recent and ongoing efforts that identify what executives and senior managers at state transportation agencies need to know about managing transportation OT and IT cybersecurity risks.
The objective of Task 2 was two-fold:

• To review and summarize research and industry literature on cybersecurity issues and practices relevant to transportation
• To provide chief executive officers (CEOs) and senior management of DOTs with the right resources and guidelines to help them assess, classify, and respond to transportation system cybersecurity risks

The detailed documentation of Task 2 can be found in Appendix B, which presents a summary of current cybersecurity research and related industry documentation relevant to both OT and IT assets managed by state departments of transportation. The team reviewed over 80 sources and summarized 54 relevant guides, standards, working groups, and programs. In considering documents for this summary, the research team selected literature that best addressed the problem of cybersecurity by aligning with NIST publications. Literature identified in this effort incorporated the core functions of the NIST Cybersecurity Framework (CSF): "Identify", "Protect", "Detect", "Respond", and "Recover", and the two (2) additional functions, "Other Mandates" and "Value", which we presented in Task 1. The "Other Mandates" function considers initiatives, policies, or practices mandated under federal and state law and regulation. The "Value" function considers how to manage and assess a device's value to the overall organization and to a traffic management system's network infrastructure.
We identified information based on how it provided executives and senior managers at state transportation agencies with what they needed to know about managing OT and IT cybersecurity risks. This included current and ongoing cybersecurity research efforts by federal, state, and local agencies, transportation working groups, committees, and academia. We also included relevant standards and best practices from adjacent domains such as airports or public transit. Some key guidance given by the literature in Task 2 includes the NIST Framework for Improving Critical Infrastructure Cybersecurity's five function categories, as mentioned in Task 1, as well as its Framework Implementation Tiers, comprising four (4) tiers ranging from Partial (Tier 1) to Adaptive (Tier 4). Each Tier describes an increasing degree of rigor and sophistication in cybersecurity risk management practices that an organization integrates into its business operations. The tier definitions are summarized in Figure 3.

Figure 3. Framework Implementation Tiers

Other literature includes the National Infrastructure Protection Plan (NIPP), which recommends a Risk Management Framework with emphasis on information exchange between critical infrastructure (CI) members to build a robust, interdependent network. Many of the cybersecurity findings from CI are directly applicable to transportation, and as such, leaders in transportation should incorporate the NIPP to ensure they are up to date on CI threats. The framework, as shown in Figure 4, was developed to be flexible enough to work for all DHS-selected CI modes, but well defined enough to permit productive sharing of risks, threats, and countermeasures between members.

Figure 4. NIPP Risk Management Framework and Data Flow [39]

Through our review of the current literature in transportation cybersecurity, we found relatively few cybersecurity standards that directly addressed the unique constraints of the transportation industry. For example, there is no standard that details what is needed to certify an OT device for the field network before deployment. This leaves the responsibility of deciding what cybersecurity implementations should be to each transportation agency. These decisions are often aided by best practice guides or other guidance published by organizations like DHS. As state transportation agencies develop Smart City initiatives and integrate more mobility-related programs, transportation-focused cybersecurity protocols will need to be formalized to further protect existing infrastructure and prepare for the incorporation of future technologies.

Task 3: Identify Transportation Technology and Cybersecurity Subject Matter Experts

The objective of Task 3 was to identify and organize a set of cybersecurity SMEs who would participate in the development of the Transportation Cyber Risk Guide (TCRG) in Task 5 and whose expertise and input would inform it.
The work our team completed in Task 3 is documented in Appendix C, which identifies and organizes a set of cybersecurity SMEs representing different functions within state transportation agencies, or who possessed relevant credentials, whom we recruited to assist in the development of the TCRG in Task 5. The SMEs were selected to participate in interviews, workshops, and other research activities and to provide their knowledge, experience, and expertise regarding effective cybersecurity practices in the OT environment. For example, the SMEs will help identify and assess critical assets, cyber risks, and gaps in OT and IT cybersecurity practices among DOTs and will provide their recommendations for action within relevant organizations. This information will ultimately inform the development of the Guide to be undertaken in Task 5 and will help ensure that it is appropriately suited and effective in helping state transportation agency CEOs understand and address agency-wide cybersecurity needs pertaining to OT.

In Task 3, we presented 30 state transportation agency and cybersecurity industry practitioners and researchers who, through their work, research, practice, and other relevant experience, comprise the cybersecurity SMEs selected to participate in the development of the TCRG in Task 5. Our team reached out to over 50 representatives from different agencies to ensure the roster of selected SMEs represented a wide range of states, skills, and industry experience most beneficial to the needs of this project. Our team assessed the technical skills, mobility industry expertise, government domain experience, and influence on the development or deployment of cybersecurity practices of each candidate as part of the recruitment process.
To reflect the diversity of skills and perspectives, we divided the SMEs into four categories:

• Information Security Practitioners
• Transportation Practitioners
• Academics & Researchers
• Operation Technology Practitioners

As a result of our efforts, our team was able to successfully assess the skills of fifteen Information Security Practitioners, three Transportation Practitioners, three Academic Researchers, and nine Operation Technology Practitioners from five businesses, one university, and fourteen DOTs, including Texas DOT, Virginia DOT, Iowa DOT, and Alaska DOT.

Task 4: Interim Report

The objective of this Task was to summarize the research methods and findings from the project work that our team had completed to date for Tasks 1–3, and to present planned research activities to be undertaken in the development of the Transportation Cyber Risk Guide in Task 5. In the Interim Report, we provide an overview of each project Task, a description of how each Task was completed, and our key findings from each completed Task. Following these summaries, we detail a plan for the execution of Task 5 to develop the TCRG. This plan includes an overview of research activities to be conducted and how we would leverage the group of cybersecurity SMEs that we recruited for support in developing the TCRG.

Task 5: Develop a Transportation Cyber Risk Guide

The objective of this Task was to develop a Transportation Cyber Risk Guide consisting of a high-level framework to assess cyber risk, identify strategies for preparing for, preventing, and managing cyber incidents, and link transportation asset classification with cyber risk. First, we provide the concepts needed for preparing the guide, including a CEO's functional areas of responsibility, the incorporation of the functional areas into cybersecurity (NIST CSF), key OT assets and operations, and the resulting elements of cybersecurity guidance. Using these concepts, we then summarize findings and cybersecurity recommendations in each of the functional areas with a specific focus on OT. We identify the key business functions, or functional areas of responsibility, for senior executive leadership of state DOTs in Table 2.
Further, because of the wide variety in how agencies are organized and managed, we note that the descriptions of responsibilities in the table that follows can be applied generally but may not apply in all cases and are not definitive or final. Nevertheless, for purposes of discussing responsibilities pertaining to OT cybersecurity, these are sufficiently instructive and provide a means to describe and categorize CEO responsibilities.

Table 2. CEO Functional Areas

GOVERNANCE
Primary CEO responsibility: Define and communicate strategic and operational objectives across the agency to fulfill the mission and mandate for the DOT
Related cybersecurity responsibility: Setting the priorities and agency culture related to cybersecurity needs by establishing and supporting initiatives with defined objectives

MANAGING ASSETS
Primary CEO responsibility: Managing assets is the acquisition, deployment, monitoring, valuing, protecting, modifying, repairing, and retiring of physical and virtual assets and equipment
Related cybersecurity responsibility: Identifying the OT assets subject to cyber risk, assessing their current state of risk, and defining corresponding requirements for cyber protection and risk mitigation

STRATEGIC PLANNING
Primary CEO responsibility: Determining the allocation of resources (e.g., financial, staff, equipment, capabilities, and management focus)
Related cybersecurity responsibility: Developing plans, initiatives, programs, and policies required to address cybersecurity needs and ensuring the right levels of resource allocation

DISTRIBUTE AUTHORITY
Primary CEO responsibility: Establishing the organizational structures within the agency empowered with the authority and mandate to deploy resources and manage DOT operations
Related cybersecurity responsibility: Designating leadership to organize and deploy resources and to establish and enforce standards, rules, policies, processes and procedures, etc. to achieve cybersecurity objectives

INVESTING IN PEOPLE
Primary CEO responsibility: Investing in people is the hiring, training, supervision, and seamless retirement of human resources
Related cybersecurity responsibility: Ensuring the right levels of staff, tools, and technical capabilities to support cybersecurity-related operations

MANAGING OPERATIONS
Primary CEO responsibility: Managing operations is undertaking, monitoring, or improving business functions, activities, and processes to achieve business objectives
Related cybersecurity responsibility: Deploying the plans, programs, and policy designed to address cybersecurity needs and ensuring effective implementation

MEASURING PERFORMANCE
Primary CEO responsibility: Measuring performance is collecting and assessing data to determine when, if, how, why, and what outcomes occur
Related cybersecurity responsibility: Defining success metrics and quantifying the impact and effectiveness of plans, programs, and policy deployed to address cybersecurity needs

Building from the NIST Guidance for Improving Critical Infrastructure Cybersecurity and other leading sources of cybersecurity best practices, we determined how each of the five core NIST functions (Identify, Protect, Detect, Respond, and Recover) applied to each of the chief executive-level functional areas in Table 2. From our analysis, we then identified the intersection of cybersecurity best practices with chief executive-level management functions for key OT assets and operations. This analysis enabled us to identify and address gaps in the NIST and other cybersecurity frameworks (e.g., where detailed technical guidance directed at cybersecurity professionals did not apply to the management considerations of agency chief executives). We then built upon the five elements in the NIST framework by incorporating five additional elements to produce the Ten Cybersecurity Transportation Agency Capabilities for Executive Leadership. These 10 elements represent the key cybersecurity management capabilities that a CEO should consider regarding their agency's requirements to manage areas of cyber vulnerability and risk for OT. Further, as shown below, we organized the 10 Capabilities according to which of the three types of cybersecurity management practices each capability represents: Managing Risks, Managing Impact, and Managing Programs.
Managing Risks – Actions to avoid the occurrence of adverse cyber events
1) Identify external threats and internal weaknesses
2) Assess to understand the likelihood of potential threats and risks
3) Quantify the costs and extent of potential impact of threats and risks
4) Protect assets by developing and deploying programs to reduce risk and occurrence of threats

Managing Impact – Responsive actions to address the occurrence of adverse cyber events
1) Detect when cyber incidents occur with timeliness and accuracy
2) Respond when cyber incidents occur with speed
3) Withstand to sustain resiliency when cyber incidents occur
4) Recover capabilities and assets when cyber incidents occur

Managing Programs – Ongoing practices to support risk and impact management
1) Define standards of risk and preparedness to which the state DOT must comply (including mandates)
2) Develop and sustain management practices for cyber programs and compliance

In this context, to achieve sufficient cybersecurity capabilities for their agency, CEOs must Manage Risk through the NIST capabilities of Identify and Protect, but CEOs must also Assess and Quantify risk to direct the agency to avoid the occurrence of adverse cyber events and to determine tolerable thresholds of risk. Next, CEOs must Manage Impact through the NIST capabilities of Detect, Respond, and Recover, but must also prepare the agency to Withstand adverse cyber incidents by preparing agency responsiveness for the occurrence of such events. Finally, CEOs must Manage Programs by Defining and Developing the ongoing agency practices to support risk and impact management.

Using these capabilities and the functional areas identified previously, we consolidated our findings into the Transportation Cyber Risk Guide that transportation agency CEOs should follow to address cybersecurity issues and protection strategies for OT. For each of the functional areas, the following were addressed:

• Current State
• What Do CEOs Need to Know?
• What Do CEOs Need to Do?
• "How" and "Why" and Other Tactical Considerations

Following this guidance, we introduce an example Cybersecurity Capability Maturity Model (CMM) to outline the different stages of cybersecurity mitigation, detection, response, resiliency, and recovery capabilities that state DOTs have either achieved or to which they should aspire. This example cybersecurity CMM is the result of discussion with SMEs throughout this project, as well as existing CMMs like the U.S. DOT Federal Highway Administration's (FHWA) Transportation Systems Management and Operations (TSMO) CMM and the NIST CSF. As a concept familiar to state DOTs, the CMM process offers a behavioral model that helps agencies streamline process improvement and encourage productive, efficient behaviors that decrease risks in capabilities development. Often, these improvements are noted as a part of the completion of the Nationwide Cybersecurity Review (NCSR) or other self-assessment tools commonly used by DOTs or states' central IT organizations. Surveys like the NCSR are effective at providing a cybersecurity maturity level to DOTs in relation to the NIST CSF core elements of Identify, Protect, Detect, Respond, and Recover.
The provided "level" can assist a DOT's cyber leadership in making the case on cyber maturity, which can then help to secure future funding or resources needed.