National Academies Press: OpenBook
Suggested Citation:"4. PRIORITIZED RECOMMENDATIONS FOR FUTURE RESEARCH." National Academies of Sciences, Engineering, and Medicine. 2023. Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs, Volume 1: Project Summary Report. Washington, DC: The National Academies Press. doi: 10.17226/27024.


4. PRIORITIZED RECOMMENDATIONS FOR FUTURE RESEARCH

This research focused on identifying best practices to help chief executives of state transportation agencies address the unique cybersecurity challenges related to the protection of OT assets. In the course of research activities and in the development of the guide, we identified multiple additional opportunities for how state transportation agencies could potentially operationalize cybersecurity best practices and capabilities. However, the exploration and development of these incremental opportunities remains beyond the scope of this project. Hence, we propose these as future research projects to be considered by TRB, which could potentially promote the ultimate objective of helping transportation agencies more effectively prepare for, mitigate, and respond to cybersecurity threats and risk.

| Opportunity | Concept | Relevance | Output |
| --- | --- | --- | --- |
| State of OT Cyber Risk Evaluation | Research the current state of OT cybersecurity with state DOTs to identify, evaluate, and quantify current cyber risks to OT across the industry | Creating a summary of current threats to OT cybersecurity would help DOT CEOs and other agency leadership to understand, prepare for, mitigate, and respond to threats and risks | Document detailing current state of OT Cyber Risk Evaluation |
| Knowledgebase of Cybersecurity Resources | Create a knowledgebase of available resources and sources of funding for cybersecurity risk and mitigation projects and guidelines for how to find further funding | DOT executive leadership who seek to invest in cybersecurity risk mitigation programs are often unaware of available resources and funding, such as federal programs | Knowledgebase of available cybersecurity resources |
| IT/OT Organizational Structure Assessment | Conduct research to compare and contrast the differences, efficacy, and comparative benefits of different approaches to organizing cybersecurity efforts within a DOT, e.g., compare a unified state IT or cybersecurity department versus a DOT-specific department, as well as benefits to separating or combining IT and OT leadership | There is a variety of strategies for implementing IT, OT, and cybersecurity organizational structures from state to state and even from department to department. Research into the benefits of each model could help CEOs determine which model would work best for their situation | Example models of IT/OT organizational structures with benefits highlighted. |
| Quantification of Cybersecurity Capability Maturity Levels | Research to define and quantify an organization’s level of capability to develop an appropriate index model for cybersecurity maturity. Currently, no comparative scale exists to help state agencies benchmark their current or desired cybersecurity capabilities | Maturity is based on an organization’s unique security risk and resilience to cyber threat. By utilizing an index model, it could provide a more effective assessment of state DOTs with respect to their own capabilities | Capability Maturity Model with fully researched levels |
| Cybersecurity Maturity Self-Assessment Tool | Develop a self-assessment tool in which state DOTs can determine their appropriate and current level of maturity based on their existing programs, capabilities, and risk. | Creating a self-assessment could produce a more proactive security position by providing more immediate feedback and could allow state DOTs to more efficiently identify the areas in which their cybersecurity practices are more or less mature than expected | Assessment tool that provides DOTs with level of CMM |
| Cybersecurity of Connected vs. Non-connected OT Devices | Research the different cybersecurity requirements between connected and non-connected OT devices and weigh the benefits of introducing new connected OT devices versus the cost of introducing new cyber vulnerabilities. | With the increasing number of connected devices, it is imperative to identify the cyber risk involved, determine their security requirements, and distinguish between those of non-connected devices, providing organizations with proper guidance to mitigate cybersecurity threats | Document quantifying risk associated with OT devices |
| Cybersecurity Risk Level Quantification | Develop a procedure for quantifying the impact of cybersecurity attacks and the risk levels associated with them. | Being able to quantify the impact of cyber risks could help DOT leadership better prioritize cyber vulnerability response. Additionally it could help for quantifying monetary damage on insurance claims in the event of an attack. | Procedures for providing a risk quantification, for use in securing funding |

 Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs, Volume 1: Project Summary Report

Chief executive leadership of transportation agencies have placed substantial emphasis on the protection of IT systems against cyber threats. Less focus has been devoted to the risks to operational technology (OT) and equipment or in protecting transportation business operations.

The TRB National Cooperative Highway Research Program's NCHRP Web-Only Document 355: Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs seeks to mitigate that imbalance, especially as physical OT assets become increasingly connected through electronic networks and managed remotely by software. Volume 1, Project Summary Report provides details of the research project that developed the Transportation Cyber Risk Guide, which is found in NCHRP Web-Only Document 355: Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs, Volume 2.

Supplemental to the document is a presentation of an overview of the research.
