Suggested Citation:"3. SUMMARY OF TASKS." National Academies of Sciences, Engineering, and Medicine. 2023. Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs, Volume 1: Project Summary Report. Washington, DC: The National Academies Press. doi: 10.17226/27024.

3. SUMMARY OF TASKS

The following sections summarize the tasks performed and the resulting deliverables from those tasks.

Task 1: Identify and Summarize State Transportation Agencies' Cybersecurity Initiatives

Task 1 summarizes our research into the current state of practice of relevant cybersecurity initiatives among state transportation agencies. This information has informed and will continue to inform our ongoing research and the development of project deliverables and resulting guidelines. It will also improve state transportation agency leadership's understanding of common cybersecurity concerns, barriers, lessons learned, and successful strategies in today's day-to-day operations. The objective of Task 1 is to inform readers of:

• The current state of cybersecurity initiatives and management strategies deployed by state transportation agencies
• How these initiatives address operational and technological needs with respect to barriers, opportunities, lessons learned, and successful practices pertaining to OT cybersecurity

To complete the Task, we conducted three complementary research activities.

First, we examined publicly available information, such as policies published on official Department of Transportation (DOT) websites, to research and review each state's current cybersecurity initiatives and gain a breadth of current activities and awareness. This review included the USDOT policies and guidance pertaining to cybersecurity, as well as all 50 states plus Washington, D.C. and the U.S. territories.

Second, to examine the work of several states in greater detail, we interviewed 18 staff representing 14 states to learn how existing initiatives and management strategies were meeting state transportation agencies' needs pertaining to OT cybersecurity. The staff interviewed were selected based on their involvement in the security of their respective DOTs and included DOT Chief Information Security Officers (CISOs), Information Security Managers (ISMs), and other DOT cybersecurity leadership. Each was interviewed according to the questionnaire shown in section 1.1 of this document, which includes six categories of questions based upon the National Institute of Standards and Technology (NIST) cybersecurity framework and an additional "Value" category as a way of seeing the agency's work in measuring value loss from cyber-attacks.

Third, we analyzed our research findings and assessed the state cybersecurity initiatives according to how they address OT- and IT-related needs with respect to barriers, opportunities, lessons learned, and successful practices. We then documented and summarized our findings in a report located in Appendix A.

Through our analysis, our research team identified 11 areas of current state transportation agency initiatives related to cybersecurity. However, we also observed that these initiatives were focused primarily on IT. While many IT-focused cybersecurity initiatives had applications to OT, many others did not. Aside from a few individuals who understood the importance and needs of OT cybersecurity separately from that of IT, very few states featured explicit initiatives examining the cybersecurity needs of OT.

The 11 common categories of initiatives related to cybersecurity being undertaken by state DOTs are depicted in Figure 1.

[Figure 1. Cybersecurity Initiatives Identified. Figure labels: Identify, Protect, Detect, Respond, Recover, Other Mandates, Value.]

These common initiative categories, as observed by the research team, intend to secure systems as more devices that were previously unnetworked are connected to their own network or to the larger DOT network. As technology has advanced more rapidly than procedures, DOTs' adoption of cybersecurity initiatives in both IT and OT has been defensive and reactive rather than proactive. This is evident in that many states typically implemented a cybersecurity policy or initiative in direct reaction to an attack on another state DOT, a government organization, or their own agency. We also observed that virtually all states lacked a formal method or process for quantifying or communicating the risk of an adverse cybersecurity event, further underscoring their generally reactive approach to cybersecurity readiness. Without the means to understand how an attack on a certain device will affect their DOT, many states cannot make a convincing argument for proactive initiatives.

In order to gain more information about the state DOTs' cybersecurity initiatives, we chose to interview executives and senior-level members of the DOTs. We proposed seven categories of questions (as shown in Figure 2) based upon the NIST cybersecurity framework and added an additional "Value" category as a way of seeing the agency's work in measuring value loss from cyber-attacks.

[Figure 2. Seven Cybersecurity Initiative Knowledge Categories]

Within the 11 categories of cybersecurity initiatives denoted in Figure 1, we found that some states were more advanced than others with respect to the level of maturity and sophistication of their cybersecurity practices, development, and implementation. We observed that key barriers pertained to the extent to which each state's application of its cybersecurity efforts was limited to IT or extended to OT. For example, we found that many DOTs perform robust penetration testing and auditing at regular intervals for IT assets, but do not apply these same procedures to their OT. We observed other differences in the reach of state DOT training programs. Often, states required all employees to receive yearly cybersecurity training, but neither the training nor its requirement extended to contractors interfacing with OT equipment. Each of these areas demonstrates both barriers and opportunities facing DOTs in their cybersecurity initiatives.

Based on the initiatives identified, in general, most DOTs have successful practices pertaining to the implementation of cybersecurity at the IT level. Each DOT interviewed had statewide initiatives for annual cybersecurity training and penetration tests/audits, maintained policy documents they could easily find, and implemented some form of vulnerability management. In discussion with DOTs, it was noted that these successful practices came from lessons learned, such as discussions with other DOTs, monitoring cybersecurity events in adjacent critical infrastructure sectors, and adaptation of policies and procedures in accordance with cybersecurity standards and best practices. As for endpoint security, each DOT noted that they lacked any current OT-specific security programs unless those devices were connected to the traditional IT enterprise network. Only in the context of the IT network could OT devices benefit from the firewalls and vulnerability scans afforded to IT devices. However, we did find that user security was properly implemented, with each DOT detailing policies for access management and data governance.

Task 2: Conduct a Review of Relevant Cybersecurity Literature

In Task 2, the research team summarized transportation-relevant cybersecurity research and related industry literature. The literature highlighted recent and ongoing efforts that identify what executives and senior managers at state transportation agencies need to know about managing transportation OT and IT cybersecurity risks. The objective of Task 2 was two-fold:

• To review and summarize research and industry literature on cybersecurity issues and practices relevant to transportation
• To provide chief executive officers (CEOs) and senior management of DOTs with the right resources and guidelines to help them assess, classify, and respond to transportation system cybersecurity risks

The detailed documentation of Task 2 can be found in Appendix B, which presents a summary of current cybersecurity research and related industry documentation relevant to both OT and IT assets managed by state departments of transportation. The team reviewed over 80 sources and summarized 54 relevant guides, standards, working groups, and programs. In considering documents for this summary, the research team selected literature that best addressed the problem of cybersecurity by aligning with NIST publications. Literature identified in this effort incorporated the core functions of the NIST Cybersecurity Framework (CSF): "Identify", "Protect", "Detect", "Respond", and "Recover", and the two additional functions, "Other Mandates" and "Value", which we presented in Task 1. The "Other Mandates" function considers initiatives, policies, or practices mandated under federal and state law and regulation. The "Value" function considers how to manage and assess a device's value to the overall organization and to a traffic management system's network infrastructure.

We identified information based on how it provided executives and senior managers at state transportation agencies with what they needed to know about managing OT and IT cybersecurity risks. This included current and ongoing cybersecurity research efforts by federal, state, and local agencies, transportation working groups, committees, and academia. We also included relevant standards and best practices from adjacent domains such as airports or public transit.

Some key guidance given by the literature in Task 2 includes the NIST Framework for Improving Critical Infrastructure Cybersecurity's five function categories, as mentioned in Task 1, as well as its Framework Implementation Tiers, comprising four tiers ranging from Partial (Tier 1) to Adaptive (Tier 4). Each Tier describes an increasing degree of rigor and sophistication in cybersecurity risk management practices that an organization integrates into its business operations. The tier definitions are summarized in Figure 3.

[Figure 3. Framework Implementation Tiers]

Other literature includes the National Infrastructure Protection Plan (NIPP), which recommends a Risk Management Framework with emphasis on information exchange between critical infrastructure (CI) members to build a robust, interdependent network. Many of the cybersecurity findings from CI are directly applicable to transportation, and as such, leaders in transportation should incorporate the NIPP to ensure they are up to date on CI threats. The framework, as shown in Figure 4, was developed to be flexible enough to work for all DHS-selected CI modes, but well defined enough to permit productive sharing of risks, threats, and countermeasures between members.

[Figure 4. NIPP Risk Management Framework and Data Flow [39]]

Through our review of the current literature in transportation cybersecurity, we found relatively few cybersecurity standards that directly addressed the unique constraints of the transportation industry. For example, there is no standard that details what is needed to certify an OT device for the field network before deployment. This leaves the responsibility of deciding what cybersecurity implementations should be to each transportation agency. These decisions are often aided by best practice guides or other guidance published by organizations like DHS. As state transportation agencies develop Smart City initiatives and integrate more mobility-related programs, transportation-focused cybersecurity protocols will need to be formalized to further protect existing infrastructure and to prepare for the push to incorporate future technologies.

Task 3: Identify Transportation Technology and Cybersecurity Subject Matter Experts

The objective of Task 3 was to identify and organize a set of cybersecurity SMEs whose expertise and input would be used in the development of the Transportation Cyber Risk Guide (TCRG) in Task 5. The work our team completed in Task 3 is documented in Appendix C, which identifies and organizes a set of cybersecurity SMEs representing different functions within state transportation agencies, or who possessed relevant credentials, whom we recruited to assist in the development of the TCRG in Task 5. The SMEs were selected to participate in interviews, workshops, and other research activities and to provide their knowledge, experience, and expertise regarding effective cybersecurity practices in the OT environment. For example, the SMEs will help identify and assess critical assets, cyber risks, and gaps in OT and IT cybersecurity practices among DOTs and will provide their recommendations for action within relevant organizations. This information will ultimately inform the development of the Guide to be undertaken in Task 5 and will help ensure that it is appropriately suited and effective in helping state transportation agency CEOs understand and address agency-wide cybersecurity needs pertaining to OT.

In Task 3, we presented 30 state transportation agency and cybersecurity industry practitioners and researchers who, through their work, research and practice, and other relevant experience, comprise the cybersecurity SMEs selected to participate in the development of the TCRG in Task 5. Our team reached out to over 50 representatives from different agencies to ensure the roster of selected SMEs represented a wide range of states, skills, and industry experience most beneficial to the needs of this project. Our team assessed the technical skills, mobility industry expertise, government domain experience, and influence on the development or deployment of cybersecurity practices of each candidate as part of the recruitment process. To reflect the diversity of skills and perspectives, we divided the SMEs into four categories:

• Information Security Practitioners
• Transportation Practitioners
• Academics & Researchers
• Operation Technology Practitioners

As a result of our efforts, our team was able to successfully assess the skills of fifteen Information Security Practitioners, three Transportation Practitioners, three Academic Researchers, and nine Operation Technology Practitioners from five businesses, one university, and fourteen DOTs, including Texas DOT, Virginia DOT, Iowa DOT, and Alaska DOT.

Task 4: Interim Report

The objective of this Task was to summarize the research methods and findings from the project work that our Team had completed to date for Tasks 1–3, and to present planned research activities to be undertaken in the development of the Transportation Cyber Risk Guide in Task 5. In the Interim Report, we provide an overview of each project Task, a description of how each Task was completed, and our key findings from each completed Task. Following these summaries, we detail a plan for the execution of Task 5 to develop the TCRG. This plan includes an overview of research activities to be conducted and how we would leverage the group of cybersecurity SMEs that we recruited for support in developing the TCRG.

Task 5: Develop a Transportation Cyber Risk Guide

The objective of this Task was to develop a Transportation Cyber Risk Guide consisting of a high-level framework to assess cyber risk, identify strategies for preparing for, preventing, and managing cyber incidents, and link transportation asset classification with cyber risk. First, we provide the concepts needed for preparing the guide, including a CEO's functional areas of responsibility, the incorporation of the functional areas into cybersecurity (NIST CSF), key OT assets and operations, and the resulting elements of cybersecurity guidance. Using these concepts, we then summarize findings and cybersecurity recommendations in each of the functional areas with a specific focus on OT.

We identify the key business functions, or functional areas of responsibility, for senior executive leadership of state DOTs in Table 2. Further, because of the wide variety in how agencies are organized and managed, we note that the descriptions of the responsibilities in the table which follows can be applied generally but may not apply in all cases and are not definitive or final. Nevertheless, for purposes of discussing responsibilities pertaining to OT cybersecurity, these are sufficiently instructive and provide a means to describe and categorize CEO responsibilities.

Table 2. CEO Functional Areas

| FUNCTIONAL AREA | PRIMARY CEO RESPONSIBILITY | RELATED CYBERSECURITY RESPONSIBILITY |
|---|---|---|
| GOVERNANCE | Define and communicate strategic and operational objectives across the agency to fulfill the mission and mandate for the DOT | Setting the priorities and agency culture related to cybersecurity needs by establishing and supporting initiatives with defined objectives |
| MANAGING ASSETS | Managing assets is the acquisition, deployment, monitoring, valuing, protecting, modifying, repairing, and retiring of physical and virtual assets and equipment | Identifying the OT assets subject to cyber risk, assessing their current state of risk, and defining corresponding requirements for cyber protection and risk mitigation |
| STRATEGIC PLANNING | Determining the allocation of resources (e.g., financial, staff, equipment, capabilities, and management focus) | Developing plans, initiatives, programs, and policies required to address cybersecurity needs and ensuring right levels of resource allocation |
| DISTRIBUTE AUTHORITY | Establishing the organizational structures within the agency empowered with the authority and mandate to deploy resources and manage DOT operations | Designating leadership to organize and deploy resources and establish and enforce standards, rules, policies, processes and procedures, etc. to achieve cybersecurity objectives |
| INVESTING IN PEOPLE | Investing in people is the hiring, training, supervision, and seamless retirement of human resources | Ensuring the right levels of staff, tools, and technical capabilities to support cybersecurity-related operations |
| MANAGING OPERATIONS | Managing operations is undertaking, monitoring, or improving business functions, activities, and processes to achieve business objectives | Deploying the plans, programs and policy designed to address cybersecurity needs and ensuring effective implementation |
| MEASURING PERFORMANCE | Measuring performance is collecting and assessing data to determine when, if, how, why, and what outcomes occur | Defining success metrics and quantifying the impact and effectiveness of plans, programs, and policy deployed to address cybersecurity needs |

Building from the NIST Guidance for Improving Critical Infrastructure Cybersecurity and other leading sources of cybersecurity best practices, we determined how each of the five core NIST functions (Identify, Protect, Detect, Respond, and Recover) applied to each of the chief executive-level functional areas in Table 2. From our analysis, we then identified the intersection of cybersecurity best practices with chief executive-level management functions for key OT assets and operations. This analysis enabled us to identify and address gaps in the NIST and other cybersecurity frameworks (e.g., where detailed technical guidance directed at cybersecurity professionals did not apply to the management considerations of agency chief executives). We then built upon the five elements in the NIST framework by incorporating five additional elements to produce the Ten Cybersecurity Transportation Agency Capabilities for Executive Leadership. These 10 elements represent the key cybersecurity management capabilities that a CEO should consider regarding their agency's requirements to manage areas of cyber vulnerability and risk for OT. Further, as shown below, we organized the 10 Capabilities according to which of the three types of cybersecurity management practices each capability represents: Managing Risks, Managing Impact, and Managing Programs.

Managing Risks – Actions to avoid the occurrence of adverse cyber events
1) Identify external threats and internal weaknesses
2) Assess to understand the likelihood of potential threats and risks
3) Quantify the costs and extent of potential impact of threats and risks
4) Protect assets by developing and deploying programs to reduce risk and occurrence of threats

Managing Impact – Responsive actions to address the occurrence of adverse cyber events
1) Detect when cyber incidents occur with timeliness and accuracy
2) Respond when cyber incidents occur with speed
3) Withstand to sustain resiliency when cyber incidents occur
4) Recover capabilities and assets when cyber incidents occur

Managing Programs – Ongoing practices to support risk and impact management
1) Define standards of risk and preparedness to which the state DOT must comply (including mandates)
2) Develop and sustain management practices for cyber programs and compliance

In this context, to achieve sufficient cybersecurity capabilities for their agency, CEOs must Manage Risk through the NIST capabilities of Identify and Protect, but then CEOs must also Assess and Quantify risk to direct the agency to avoid the occurrence of adverse cyber events and to determine tolerable thresholds

12 of risk. Next, CEOs must Manage Impact through the NIST capabilities of Detect, Respond, and Recover, but must also prepare the agency to Withstand adverse cyber incidents by preparing agency responsiveness for the occurrence of such events. Finally, CEOs must Manage Programs by Defining and Developing the ongoing agency practices to support risk and impact management. Using these capabilities and functional areas identified previously, we culminated our findings into the Transportation Cyber Risk Guide that transportation agency CEOs should follow to address cybersecurity issues and protection strategies for OT. For each of the functional areas, the following were addressed: • Current State • What do CEOs Need to Know? • What Do CEOs Need to Do? • “How” and “Why” and Other Tactical Considerations Following this guidance, we introduce an example Cybersecurity Capability Maturity Model (CMM) to outline the different stages of cybersecurity mitigation, detection, response, resiliency, and recovery capabilities that state DOTs have either achieved or to which they should aspire. This example cybersecurity CMM is the result of discussion with SMEs throughout this project, as well as existing CMMs like U.S. DOT Federal Highway Administration’s (FHWA) Transportation Systems Management and Operations (TSMO) CMM and the NIST CSF. As a concept familiar to state DOTs, the CMM process offers a behavioral model that helps agencies streamline process improvement and encourage productive, efficient behaviors that decrease risks in capabilities development. Often, these improvements are noted as a part of the completion of the Nationwide Cybersecurity Review (NCSR), or other self-assessment tools commonly used by DOTs or state’s central IT organizations. Surveys like the NCSR are effective at providing a cybersecurity maturity level to DOTs in relation to the NIST CSF core elements of Identify, Protect, Detect, Respond, and Recover. 
The provided “level” can assist DOT’s cyber leadership in making the case on cyber maturity, which can then help to secure future funding or resources needed.

Chief executive leadership of transportation agencies has placed substantial emphasis on the protection of IT systems against cyber threats. Less focus has been devoted to the risks to operational technology (OT) and equipment or to protecting transportation business operations.

The TRB National Cooperative Highway Research Program's NCHRP Web-Only Document 355: Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs seeks to mitigate that imbalance, especially as physical OT assets become increasingly connected through electronic networks and managed remotely by software. Volume 1, Project Summary Report provides details of the research project that developed the Transportation Cyber Risk Guide, which is found in NCHRP Web-Only Document 355: Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs, Volume 2.

Supplemental to the document is a presentation of an overview of the research.
