National Academies Press: OpenBook

Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs, Volume 1: Project Summary Report (2023)

Chapter: APPENDIX B Task 2 - Conduct a Review of Relevant Cybersecurity Literature

Suggested Citation:"APPENDIX B Task 2 - Conduct a Review of Relevant Cybersecurity Literature." National Academies of Sciences, Engineering, and Medicine. 2023. Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs, Volume 1: Project Summary Report. Washington, DC: The National Academies Press. doi: 10.17226/27024.


APPENDIX B Task 2 - Conduct a Review of Relevant Cybersecurity Literature

The following sections summarize Task 2: Review of Cybersecurity Literature Relevant to State DOTs in the Protection of Transportation OT and IT, and the findings from the execution of this task.

1 Task Overview

In Task 2, the research team summarized transportation-relevant cybersecurity research and related industry literature. The literature highlighted recent and ongoing efforts that identify what executives and senior managers at state transportation agencies need to know about managing transportation OT and IT cybersecurity risks. The objective of Task 2 was two-fold:

• To review and summarize research and industry literature on cybersecurity issues and practices relevant to transportation.
• To provide chief executive officers (CEOs) and senior management of departments of transportation (DOTs) with the right resources and guidelines to help them assess, classify, and respond to transportation system cybersecurity risks.

Included in this appendix is a summary of current cybersecurity research and related industry documentation relevant to both OT and IT assets managed by state departments of transportation. The team reviewed over 80 sources and summarized 54 relevant guides, standards, working groups, and programs. In considering documents for this summary, the research team selected literature that best addressed the problem of cybersecurity by aligning with NIST publications. Literature identified in this effort incorporated the core functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): “Identify”, “Protect”, “Detect”, “Respond”, and “Recover”, together with the two (2) additional functions, “Other Mandates” and “Value”, which we presented in Task 1. The “Other Mandates” function considers initiatives, policies, or practices mandated under federal or state law and regulation. The “Value” function considers how to manage and assess a device’s value to the overall organization and to a traffic management system’s network infrastructure.

We identified information based on how well it provided executives and senior managers at state transportation agencies with what they need to know about managing OT and IT cybersecurity risks. This included current and ongoing cybersecurity research efforts by federal, state, and local agencies, transportation working groups, committees, and academia. We also included relevant standards and best practices from adjacent domains such as airports or public transit.

1.1 Task Findings

Our research team summarized a variety of cybersecurity research and related industry literature that incorporate the core functions of the framework presented in Task 1. Our team specifically summarized three standards, eleven capability models and frameworks, twelve best practice and guidance documents, eleven working groups (including five harmonization task groups), four USDOT pilot programs, four state programs, and nine documents regarding relevant technologies.

2 Analysis

Through our review of the current literature in transportation cybersecurity, we found relatively few cybersecurity standards that directly address the unique constraints of the transportation industry. For example, there is no standard that details what is needed to certify an OT device for the field network before deployment. This leaves each transportation agency responsible for deciding what its cybersecurity implementation should be. These decisions are often aided by best practice guides or other guidance published by organizations such as the Department of Homeland Security (DHS). As state transportation agencies develop Smart City initiatives and integrate more mobility-related programs, transportation-focused cybersecurity protocols will need to be formalized, both to further protect existing infrastructure and to prepare for the future technologies that will be incorporated.

3 Literature

Below, we summarize each of the selected documents, organized into seven distinct categories.

3.2 Standards

The following sections provide a summary of standards, both draft and released, that may be applicable to this effort.

3.2.1 ISO/IEC JTC 1/SC 27 – IT Security Techniques

The joint technical committee (JTC) between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC JTC 1/SC 27, is a standardization subcommittee focused on developing standards, guidelines, and best practices to assist organizations in addressing security and privacy concerns. SC 27 maintains an extensive collection of artifacts covering a wide breadth of security topics. While it would be out of the scope of this document to summarize all artifacts in the set, a selection of potentially relevant ones is summarized below.

3.2.1.1 ISO/IEC 15408 - Common Criteria

The Common Criteria (CC) is short for the Common Criteria for Information Technology Security Evaluation, the international standard ISO/IEC 15408 for computer security certification [39]. Version 3.1, Revision 5, is described in three (3) documents entitled:

• Part 1: Introduction and General Model [40]
• Part 2: Security Functional Components [41]
• Part 3: Security Assurance Components [42]

Part 1 describes basic concepts and the specification of protection profiles, security targets, and evaluation results. The CC provides a methodology for developing a common set of security functionality requirements and security assurance requirements for classes of products that may be hardware, firmware, or software. The evaluation process is intended to determine whether the assurance requirements are satisfied for a specific product undergoing evaluation. The CC does not address OT/administrative security measures or the accreditation and approval process for using the evaluation results. Other specific issues that are not covered include the following:

• Physical security
• Personnel security
• Cryptographic algorithms
• System integration issues such as the role of the integrator or how the device should work with other devices
• Device evaluation outside the laboratory in an operational environment
• The role of service organizations that run a system for users and provide operations and maintenance support
• How to address newly discovered vulnerabilities

The goal of the CC is to develop a standard methodology for specifying, designing, and evaluating IT products that perform security functions. It was intended to be a full life cycle, consensus-based security engineering standard. The CC is well established and recognized in the IT cybersecurity domain. Though acceptance has not been as widespread as initially planned, it has acted as the basis for a variety of attempts to apply standardized testing to the cybersecurity of embedded devices. The applicability of the CC to this effort would lie in reviewing the CC’s process for evaluating equipment and investigating its potential applicability to OT equipment.

3.2.1.2 ISO/IEC 27000 Series - ISMS Family of Standards

The ISO/IEC 27000 Series of standards, also known as the Information Security Management System (ISMS) Family of Standards, provides best practices and recommended guidance for implementing organizational information security management and controls [43]. The goal of the ISO/IEC 27000 series was to provide generic best practices applicable to a wide variety of organizations. The series comprises approximately 45 publications and artifacts that provide guidance and recommendations on a broad range of security topics. Some artifacts developed under the series are tailored to specific organizational resources such as wireless networking, cloud computing, or intrusion detection. ISO/IEC 27001:2013, ISO/IEC 27002, and ISO/IEC 27005:2011 are the most frequently referenced.

ISO/IEC 27001:2013 was developed to provide the requirements for establishing and maintaining an ISO/IEC 27000 compliant information security management system. It uses language and definitions from ISO Annex SL, which provides commonality with ISO 9001 and ISO 14001, the Quality Management and Environmental Management standards, respectively. This relationship means that incorporating an ISO/IEC 27000 series security management system into an organization already practicing ISO 9001 or ISO 14001 requires less effort. The high-level processes and organizational guidance provided by the ISO/IEC 27000 series could be directly leveraged by the guidance developed under this effort. The ISO/IEC set of standards is employed by a variety of organizations. Some tailoring of the methods and procedures may be required, as ISO 9001, ISO 14001, and ISO/IEC 27001 are intended for organizations engaged in manufacturing. SwRI has employed ISO 9001 since approximately 2008, and later SAE AS9100, to improve institutional quality control of engineering services.

3.2.1.3 ISO/IEC 29100:2011 Privacy Framework

The ISO/IEC 29100:2011 privacy framework was developed to help organizations safeguard personally identifiable information (PII) [44]. Though not inherently cybersecurity related, privacy controls address the rights an individual has to control their PII and how it is used, while cybersecurity dictates how their PII is protected (in transit, in storage, and in terms of accessibility). Often, these privacy controls are used to create cybersecurity controls, either in the same framework or by influencing other frameworks. ISO/IEC 29100:2011 covers defining roles for different members within the organization, incorporating privacy controls for third parties, risk assessments, and engineering specifications. The recommendations made by ISO/IEC 29100:2011 could be useful in helping establish processes and safeguards with respect to information collected on a transportation agency’s employees or contractors.

3.3 Capability Models and Frameworks

The following sections describe Capability Maturity Models (CMMs) and cybersecurity frameworks. These models and frameworks are assessed for applicability to both the IT and OT sides of transportation agencies’ cybersecurity implementations. The scope of these resources has not been limited to traffic management but has been expanded to encompass additional industries with similarities to TMSs and their network structure.

4 NIST Cyber Physical Systems Framework

Developed through the Cyber Physical Systems working group, the Cyber Physical Systems (CPS) Framework introduces aspects of cybersecurity to Internet of Things (IoT) and “smart” devices as various industries begin adopting and incorporating these devices [45]. IoT devices are often deployed in transportation agencies to support OT operations. The framework in Figure 7 describes the construction of a variety of processes for securing cyber-physical systems.

Figure 7. CPS Framework Domains [46]

Specifically, the framework is built to address Systems of Systems (SoS) and the implementation of security features and controls at a variety of levels. The framework recommends constructing processes based on an understanding of the various layers and interactions between the equipment and users of a particular domain, as shown in Figure 8.

Figure 8. CPS Conceptual Model [46]

The SoS model may offer useful guidance for transportation agencies, since their systems are constructed from a variety of IT and OT components using many diverse types of communication.

5 DHS Cybersecurity Capability Maturity Model (C2M2)

The Department of Homeland Security (DHS) Cybersecurity Capability Maturity Model (C2M2) was developed to provide a framework for improving the cybersecurity posture of infrastructure organizations of all sizes. The C2M2 focuses on IT and OT assets and the environments in which they operate [47]. While the core principles in the C2M2 are intended to be industry agnostic, the program has released three (3) models:

• The Cybersecurity Capability Maturity Model
• The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
• The Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2)

The models are freely available and are supported by a variety of other publications, including guidelines, roadmap models, and journal articles. As many transportation management systems are composed of IT and OT assets, the C2M2 program is directly applicable to transportation and should be referenced when implementing or updating systems.

6 Center for Internet Security's (CIS) Critical Security Controls (CSC)

Through a committee of international experts, CIS has developed a list of the 20 security controls that can most effectively limit an organization's risk (see Figure 9) [48]. An organization implementing all 20 controls and their sub-controls would be extremely well protected from most realistic threat scenarios. The 20 controls are oriented to the enterprise level and run the gamut from inventorying, to email and malware protections, to incident response. The CSCs can provide a useful tool for municipal organizations operating transportation management system (TMS) equipment to determine which controls are missing, and thereby begin to address them. Several of the control categories are directly relevant to operating a secure transportation agency and to OT cybersecurity.

Figure 9. CIS Critical Security Controls [49]

Basic Controls
• Inventory and control of authorized and unauthorized devices
• Inventory and control of authorized and unauthorized software
• Continuous vulnerability assessment and remediation
• Controlled use of administrative privileges
• Secure configurations for hardware and software
• Maintenance, monitoring, and analysis of audit logs

Foundational Controls
• Email and web browser protections
• Malware defenses
• Limitation and control of network ports
• Data recovery capabilities
• Secure configurations for network defenses
• Boundary defense
• Controlled access based on "need to know"
• Wireless access control
• Account monitoring and control

Organizational Controls
• Security awareness and training programs
• Application software security
• Incident response and management
• Penetration tests and red team exercises

While intended for application to a traditional organizational environment, these controls can be tailored to provide a robust list of best practices for an organization operating and managing a transportation agency system.

7 NIST Cybersecurity Framework (CSF)

The NIST CSF provides a structure for organizations to assess their current risk and determine what level of security maturity (and investment) is appropriate for them based on that risk [50]. The quantification of risk provided by the framework is important to both IT and OT assets. The framework conceptualizes security as five (5) functions: Identify, Protect, Detect, Respond, and Recover. Each function can then be evaluated according to its maturity, or implementation tier, as 1) partial, 2) risk informed, 3) repeatable, or 4) adaptive. The framework provides a means for an organization to evaluate its current tier for each function and its target tiers, and then make informed business decisions about where to make further investment and improvement. The NIST CSF is predominantly targeted at the enterprise level, so tailoring to the deployment of specific OT equipment is required. It is relevant to municipal organizations operating OT equipment as they seek to provide holistic security for their ecosystems.

7.1 Federal Information Processing Standards (FIPS) Publication 200

In the United States in 2002, Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), directed the promulgation of federal standards for:

1. The security categorization of federal information and information systems.
2. Minimum security requirements for information and information systems.

Private sector organizations that compose the critical infrastructure of the United States are encouraged to consider the use of FIPS PUB 200 (Minimum Security Requirements for Federal Information and Information Systems), as appropriate [51].

The Federal Information Processing Standards (FIPS) Publication Series of NIST is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of FISMA. FISMA tasked NIST with the responsibility of developing security standards and guidelines for the US federal government. FIPS PUB 200 serves as an example of existing, openly available minimum security requirements for federal information and information systems that could serve as a useful, high-level reference [52]. Though FIPS 200 is not directly intended for use in OT, its minimum security requirements are readily applicable to OT networks and devices.

7.1.1 Framework for Improving Critical Infrastructure Cybersecurity

NIST released the Framework for Improving Critical Infrastructure Cybersecurity in response to Executive Order (EO) 13636 [53]. This executive order calls for the open development of a cybersecurity framework structured to protect critical infrastructure systems, individual privacy, and civil liberties. It recognizes that increased dependence on aging critical infrastructure has created vulnerabilities that could pose risks to national security interests. The EO calls for a voluntary information sharing program for eligible critical infrastructure providers. It also calls for the development of a framework and standards consistent with international standards. The framework aims to enable critical infrastructure organizations, regardless of size, risk, or cybersecurity maturity, to identify and apply industry best practices to improve infrastructure resilience.

The framework is composed of the following:

• Framework Core: Cybersecurity activities and references common across many critical infrastructure sectors
• Framework Implementation Tiers: Defined levels aimed at helping the critical infrastructure organization understand its current state and approach to managing cybersecurity risk
• Framework Profiles: Example profiles designed to help the critical infrastructure organization align itself with its cybersecurity goals

The NIST Framework for Improving Critical Infrastructure Cybersecurity is a risk-based framework built on industry standards, best practices, and experience in similar industries. The framework core is composed of guidance broken into five functions, shown in Figure 10.

Figure 10. Framework Core Functions [53]

B - 8
• Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
• Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
• Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
• Respond: Develop and implement the appropriate activities to act regarding a detected cybersecurity event.
• Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
The Framework Implementation Tiers, also called Tiers, consist of four (4) tiers ranging from Partial (Tier 1) to Adaptive (Tier 4). Each Tier describes an increasing degree of rigor and sophistication in the cybersecurity risk management practices that an organization integrates into its business operations. The tier definitions are summarized as follows and in Figure 11.
Figure 11. Framework Implementation Tiers
• Tier 1 - Partial:
  o Risk Management Process: Risk management practices are formalized, and risk is managed in an ad hoc and sometimes reactive manner.
  o Integrated Risk Management Program: Limited awareness of cybersecurity risk at the organization level. Risk management occurs on an irregular, case-by-case basis.
  o External Participation: The organization does not understand its role in the larger ecosystem and does not collaborate with, share, or receive information from other entities, such as suppliers and researchers.
• Tier 2 - Risk Informed:
  o Risk Management Process: Risk management practices are approved by management; however, they may not be part of an established organization-wide policy.
  o Integrated Risk Management Program: Awareness of cybersecurity risk exists at an organization level; however, organization-wide cybersecurity risk management has not been established. Risk management and risk assessments occur on an informal basis that is not typically repeatable or recurring.
  o External Participation: The organization understands its role in the larger ecosystem and partially collaborates with or receives information from other entities, such as suppliers and researchers, but may not share information.
• Tier 3 - Repeatable:
  o Risk Management Process: Risk management practices are formally approved and considered policy, and organizational cybersecurity practices are regularly updated based on business requirements and a changing threat and technology landscape.
  o Integrated Risk Management Program: Organization-wide cybersecurity risk management has been established and consistent methods are in place using risk-informed policies, processes, and procedures. The policies, processes, and procedures are defined, implemented, and reviewed.
  o External Participation: The organization understands its role in the larger ecosystem and may contribute to the community in understanding risks. The organization also collaborates with, shares, and receives information regularly from other entities, such as suppliers and researchers.
• Tier 4 - Adaptive:
  o Risk Management Process: Risk management practices are adaptive through a process of continuous improvement using advanced cybersecurity technologies and are based on previous and current cybersecurity activities, including lessons learned and predictive analytics.
  o Integrated Risk Management Program: Organization-wide cybersecurity risk management has been established and consistent methods are in place using risk-informed policies, processes, and procedures. The policies, processes, and procedures are defined, implemented, and reviewed. The relationship between organizational objectives and cybersecurity risk is understood, and senior executives monitor cybersecurity risk like financial risk.
  o External Participation: The organization understands its role in the larger ecosystem and contributes to the community in understanding risks. The organization also collaborates with, shares, and receives information regularly from other entities, such as suppliers and researchers.
The Tiers do not represent maturity levels; instead, they are meant to support organizational decision making, including which parts of the organization are of higher priority and should receive additional resources. The Tiers also provide guidance on how to coordinate between cybersecurity risk management and operational risk management. The Framework Profile, also called the Profile, allows organizations to create a roadmap to reduce cybersecurity risk that aligns the business requirements, risk tolerance, and resources of the organization with industry best practices and legal and regulatory requirements, and that reflects risk management priorities. The NIST Framework for Improving Critical Infrastructure Cybersecurity addresses many of the challenges a transportation agency is likely to encounter when undertaking similar cybersecurity implementation efforts in IT and OT. Aside from administrative updates, the latest 2017 draft of the Framework enhanced guidance for applying the framework, summarized the relevance and utility of the Framework's measurements for self-assessments, and provided additional accounts for authorization, authentication, and identity proofing.

8 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37)
The NIST Risk Management Framework for Information Systems and Organizations is meant for individuals in an organization tasked with developing and implementing a risk management framework [54]. It is technology agnostic, meaning it can be used for any information system (e.g., both IT and OT). The document provides the fundamental concepts involved in developing a risk management framework and describes the process for implementing a risk management framework in an organization. The goal of this document is to help establish a framework that is efficient and cost effective, while assigning responsibilities for implementing controls in the framework. Per interviews in Task 1 of this project, this document is used by the North Carolina DOT in conjunction with NIST SP 800-53 for their risk management framework. All controls in their organization are in accordance with NIST SP 800-37.
9 Guidelines on Securing Public Web Servers (NIST SP 800-44)
NIST SP 800-44 is a guide to planning, securing, and maintaining a secure web server. Such a guide is invaluable in a modern world dominated by the internet, and transportation agencies are increasingly reliant on Internet-connected devices [55]. The guide describes some of the attack vectors web servers face. It provides guidance on configuring and managing a secure web server that meets the security requirements of its organization while protecting sensitive information through access control. It also provides guidance on protecting the network infrastructure the web server exists in and establishes a path to maintaining the security of the server.
10 Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53)
NIST SP 800-53 describes the fundamentals of controls and catalogs a series of security and privacy controls for use in a risk management framework [56].
The document intends to address controls from both a functionality and an assurance perspective. These controls can be used in conjunction with NIST SP 800-37 for development of a risk management framework applicable to both the IT and OT systems within a DOT.
11 National Checklist Program for IT Products: Guidelines for Checklist Users and Developers (NIST SP 800-70)
NIST SP 800-70 provides a guide for users and developers of security configuration checklists, which consist of instructions and procedures for the configuration of an IT product [57]. The publication provides recommendations to users of the NIST National Checklist Repository, a single repository for checklists. It also sets forth the requirements for developers who wish to participate in the NIST National Checklist Program (NCP). This national checklist provides a useful resource when securing a DOT's infrastructure.
12 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171)
NIST SP 800-171 provides procedures for federal agencies in handling controlled unclassified information (CUI) [58]. While this type of information is not classified, certain security requirements apply when a nonfederal organization accesses this information. Examples of this data in a transportation context include data collected on drivers and access to documents that detail implementation specifics of transportation management systems. The document provides information for both the federal and nonfederal perspectives of data governance, as nonfederal organizations need to follow these same procedures in order to be compliant with federal contracts. NIST SP 800-171 describes the methodology used to develop the security requirements as well as a list of 14 security requirements for CUI.
13 Supply Chain Risk Management Practices for Federal Information Systems and Organizations (NIST SP 800-161)
NIST SP 800-161 provides guidance to federal agencies on identifying, assessing, and mitigating information and communications technology (ICT) supply chain risks at all levels of their organizations [59]. This publication integrates ICT supply chain risk management (SCRM) into federal agency risk management activities by applying a multitiered, SCRM-specific approach, including guidance on supply chain risk assessment and mitigation activities. These practices are key to securing against threats introduced through components key to transportation operations, as in the recent SolarWinds attack [60], in which software key to operations was used by attackers to steal sensitive information.
13.1 Best Practices and Guidance
The following sections provide summaries of best practices and guidance that could be leveraged in creating cybersecurity guidance for TMSs. Often, cybersecurity tools such as policies and maturity models tend to be highly abstract, and it is difficult to reap immediate benefits from them. Articles in this section tend to provide solutions to real-world experiences in cybersecurity. The incorporation of applicable tools from this section, organized under an appropriate maturity model or framework, is key to the successful development of TMS cybersecurity guidance.
14 DHS Roadmap to Secure Control Systems in the Transportation Sector
The purpose of the DHS roadmap is to produce guidance for securing Industrial Control Systems (ICS), or OT systems, installed in five (5) key CI domains:
• Aviation
• Highway
• Maritime
• Pipeline
• Surface Transportation
Of interest is the guidance provided for Highway ICS networks as illustrated in Figure 12.
This figure was originally developed as part of the National ITS Architecture Subsystems and Communications publication via the Federal Transit Administration.

Figure 12. Highway/Roadway Network System [61]
The roadmap covers cybersecurity guidance focusing on four (4) primary technologies:
• Supervisory Control and Data Acquisition (SCADA)
• Distributed Control System (DCS)
• Programmable Logic Controller (PLC)
• General Purpose Controller (GPC)
The roadmap outlines the activities and benchmarks an organization can use to identify the cybersecurity features currently in place and to determine the next activities for consideration to improve cybersecurity performance [62]. The DHS National Cybersecurity Division (NCSD) Control Systems Security Program (CSSP) sponsored the development of the Roadmap to Secure Control Systems in the Transportation Sector.

15 Transportation Industrial Control Systems (ICS) Cybersecurity Standards Strategy
The Transportation Industrial Control Systems (ICS) Cybersecurity Standards Strategy is a cooperative effort to improve ICS security across multiple domains. Specifically, it looks to roadmap security efforts for highway, maritime, aviation, surface transportation, and pipeline. Though the authors note that "Highway is the mode of transportation furthest behind in transportation ICS cybersecurity standard development", they also discuss remedies, including a highway ICS working group and standard [63].
16 TSS Cybersecurity Framework Implementation Guidance
The Transportation Systems Sector (TSS) Cybersecurity Framework Implementation Guidance is a collection of resources and direction for assisting TSS organizations in adopting the NIST Cybersecurity Framework [64]. This guidance was created by the Transportation Security Administration, Department of Transportation, United States Coast Guard, and TSS to create NIST Framework implementation guidance specific to the transportation sector. The guidance provided in this document will help TMS managers and executives:
• Characterize their current cybersecurity posture
• Identify opportunities for enhancing existing cyber risk management programs
• Find existing tools, standards, and guides to support Framework implementation
• Communicate their risk management issues to internal and external stakeholders
17 TRB Guidebook on Best Practices for Airport Cybersecurity
The TRB Guidebook on Best Practices for Airport Cybersecurity is a report generated for the Airport Cooperative Research Program under the ACRP Project 05-02 Panel review by Grafton Technologies, Inc., SoftKrypt, and Grafton Information Services, Inc. [65]. Such a guide is relevant to our research efforts, as a degree of airport security falls under the purview of some DOTs.
The report summarizes the research and findings of cybersecurity investigations of several airport organizations. It attempts to identify the state of the art for airport cybersecurity and best practices, and to provide resources for improving the cybersecurity stance of an adopting agency. It leverages the NIST CSF and makes recommendations specific to airport cybersecurity. The recommendations and best practices the report makes could be applied to many organizations that incorporate distributed OT devices, including transportation systems. This report explains topics in a way that is oriented to those who are not familiar with cybersecurity or who are experts in other fields such as transportation.
18 National Infrastructure Protection Plan (NIPP)
The purpose of the National Infrastructure Protection Plan (NIPP) is to unify cybersecurity efforts for United States critical infrastructure. There have been several revisions of the NIPP since its initial conception in 1998. The goals of the NIPP are to facilitate information exchange between government, private, and other stakeholders involved with critical infrastructure operations and support. Specifically, the NIPP lists its goals as [66]:
• Assess and analyze threats to, vulnerabilities of, and consequences to critical infrastructure to inform risk management activities
• Secure critical infrastructure against human, physical, and cyber threats through sustainable efforts to reduce risk, while accounting for the costs and benefits of security investments
• Enhance critical infrastructure resilience by minimizing the adverse consequences of incidents through advanced planning and mitigation efforts, and employing effective responses to save lives and ensure the rapid recovery of essential services
• Share actionable and relevant information across the critical infrastructure community to build awareness and enable risk-informed decision making
• Promote learning and adaptation during and after exercises and incidents
The NIPP describes a recommended Risk Management Framework that has a heavy emphasis on information exchange between CI members to build a robust, interdependent network. Many of the cybersecurity findings across CI are directly applicable to transportation, and as such leaders in transportation should incorporate the NIPP to ensure they are up to date on CI threats. The framework, as shown in Figure 13, was developed to be flexible enough to work for all Department of Homeland Security selected CI modes, but well defined enough to permit productive sharing of risks, threats, and countermeasures between members.
Figure 13. NIPP Risk Management Framework and Data Flow [67]
The NIPP and associated cybersecurity framework could provide significant value to this effort, as it offers several strong benefits. The NIPP is:
• Driven by Presidential Policy Directive
• Established and mature through several revisions
• Relevant, as TMSs and the identified CIs share many network and process similarities
• Supported by an active community
19 APTA Cybersecurity Considerations for Public Transit
The American Public Transportation Agency (APTA) released the Cybersecurity Considerations for Public Transit to inform public transportation organizations about possible methods of implementing cybersecurity controls in public transportation systems [68]. The report covers a variety of resources and standards the organization can refer to, including ISO, NIST, and others.
APTA has released several related documents that may offer additional information, including "Securing Control and Communications Systems in Transit Environments" and "Securing Control and Communications Systems in Rail Transit Environments."
20 Protection of Transportation Infrastructure from Cyber Attacks: A Primer
The NCHRP and Transit Cooperative Research Program produced Protection of Transportation Infrastructure from Cyber Attacks: A Primer, which provides sound cybersecurity principles and explains how they apply to modern intelligent transportation systems [69]. The document appears to target non-security-initiated personnel and attempts to provide explanations of foundational cybersecurity principles. The Primer appears to be an excellent resource as a starting point for applying security best practices to transportation agencies.
21 Airport Cooperative Research Program Guidebook on Best Practices for Airport Cybersecurity
The Airport Cooperative Research Program (ACRP) published the ACRP Guidebook on Best Practices for Airport Cybersecurity as a result of the studies conducted as part of the TRB Project ACRP 05-02 [70]. The guidebook summarizes findings from the research effort, which investigated airport cybersecurity efforts, and provides a guide for airports looking to start or improve their own programs. Findings and recommendations from this effort are applicable to TMSs, as both share a large, complex IT infrastructure composed of devices from a variety of manufacturers. Both manage a variety of systems that exhibit varying levels of data collection, traffic control, and information. Both airports and traffic management systems are high-profile targets that vary greatly in size and budget. The report is freely available from the TRB program site.
22 Cybersecurity and Intelligent Transportation Systems: A Best Practice Guide
The United States Department of Transportation published a guide for DOTs to inform effective penetration testing of transportation systems [71]. By frequently testing different aspects of the Intelligent Transportation System, a DOT may identify and mitigate risks. The guide provides a basic framework for a penetration test and establishes criteria for success that can be applied to different aspects of a DOT. It provides distinct examples and establishes a few critical areas in a DOT, such as transportation centers and field devices. It further delineates several different types of penetration tests a DOT may pursue and discusses results reporting and how risks might be mitigated.
23 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies
NCHRP Research Report 930 provides valuable information about current and accepted practices associated with both physical and cyber security and their applicability to surface transportation [72]. This includes areas such as:
• Risk Management and Risk Assessment
• Plans and Strategies
• Security Countermeasures
• Cyber Security
• Workforce Planning and Training/Exercises
• Infrastructure Protection and Resilience
• Homeland Security Laws, Directives, and Guidelines
This primer is intended for use by transportation personnel who lack a security background and are responsible for security or infrastructure protection activities, such as managers or executive-level leadership.
24 Payment Card Industry (PCI) Data Security Standard (DSS) Best Practices for Securing E-commerce
PCI DSS is an information security standard for organizations that handle e-commerce transactions with major payment card providers. This standard is widely used in transportation for toll collection, and as such requires the transportation industry to comply with the published standard. PCI also publishes best practices such as Best Practices for Securing E-commerce, which looks to assist agencies in implementing secure e-commerce systems [73]. This document also provides guidance on:
• Different e-commerce methods, including the risks and benefits associated with each implementation, as well as the merchant's responsibilities.
• The selection of public key certificates and certificate authorities appropriate for a merchant's environment.
• Questions a merchant should ask its service providers (certificate authorities, e-commerce solution providers, etc.)
• General recommendations for merchants
25 Institute of Transportation Engineers (ITE) Infrastructure Standards Security Assessment
At the time of writing this document, the ITE Infrastructure Standards Security Assessment project is still in progress, with version 4 being the latest [74]. This project is developing and publishing guidance on the best way to implement security for National Transportation Communications for Intelligent Transportation System Protocol (NTCIP) center-to-field (C2F) communications and NTCIP center-to-center (C2C) communications, in cooperation with the American Association of State Highway Transportation Officials (AASHTO) and the National Electrical Manufacturers Association (NEMA). The purpose of this project is to analyze existing NTCIP standards and deployments and to provide guidance in the form of a roadmap on the best way to implement security for NTCIP C2F communications and NTCIP C2C communications. As many TMSs make use of this protocol to communicate with their connected devices, it is recommended that TMS managers and executive leadership review this document as it is finalized to ensure that their implementations of NTCIP are secured.
25.1 Working Groups
The following working groups may provide relevant information from discussions or publications.
These groups are a mix of public and private. They may provide a platform for engaging industry resources or contacting other groups with experience in cybersecurity that may have experiences or recommendations for implementing security within a TMS.
26 United States Computer Emergency Readiness Team (US-CERT)
Originally created by Congress as the Federal Computer Incident Response Center, the United States Computer Emergency Readiness Team (US-CERT) was created to coordinate and improve US critical infrastructure cybersecurity. US-CERT is funded as part of the Department of Homeland Security (DHS) and was established as a centralized hub for information exchange among federal agencies relating to computer security. US-CERT has produced a variety of publications on personal device threats, ransomware, forensics, and other topics. The publications are typically freely available and provide high-level guidance. The US-CERT website maintains a list of reported alerts, bulletins, and reported vulnerabilities. It also accepts incident reports via its website. The publications from US-CERT typically offer easily digestible and actionable guidance.
27 Industrial Control Systems Computer Emergency Readiness Team (ICS-CERT)
Operating within the National Cybersecurity and Integration Center (NCCIC), a division of the DHS's Office of Cybersecurity and Communications (DHS CS&C), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has the mission of guiding a cohesive effort between government and industry to improve the cyber security posture of control systems within the nation's critical infrastructure [75]. ICS-CERT coordinates control systems-related security incidents and information sharing with Federal, State, and local agencies and organizations, the intelligence community, and private sector constituents, including suppliers, owners, and operators. ICS-CERT undertakes several efforts to coordinate sharing and build effective risk management strategies, which include [75]:
• Responding to and analyzing control systems-related incidents.
• Conducting vulnerability, malware, and digital media analysis on samples of infected systems at the Advanced Analytic Lab (AAL).
• Providing onsite incident response services in partnership with NCCIC's Hunt and Incident Response Team (HIRT).
• Providing situational awareness in the form of actionable intelligence.
• Coordinating responsible disclosure of vulnerabilities and associated mitigations.
• Sharing vulnerability information and threat analysis through information products and alerts.
• Providing free virtual training courses in topics like "Cybersecurity within IT & ICS Domains" and "Cybersecurity Risk" [76].
Additionally, ICS-CERT partners with US-CERT in support of critical infrastructure stakeholders, providing control systems and cybersecurity technical expertise and incident response capabilities.
28 Critical Infrastructure Partnership Advisory Council (CIPAC)
The Critical Infrastructure Partnership Advisory Council (CIPAC) is a collection of 16 Sectors that span a variety of US infrastructure systems identified by the DHS as Critical Infrastructure [77]. Each Sector consists of several working groups that compose the CI. Each working group may have additional sub-groups.
The CIPAC consists of 16 CI Sectors, including [78]:
• Chemical
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy Sector
• Financial Services
• Food and Agriculture
• Government Facilities
• Healthcare and Public Health
• Nuclear Reactors, Materials, and Waste
• Transportation Systems
• Water and Wastewater Systems
The Transportation Systems Sector is composed of [79]:
• Aviation
• Highway Motor Carrier
• Maritime
• Mass Transit
• Postal and Shipping
• Rail
• Transportation Systems
  o Cybersecurity Working Group
  o Research and Development Working Group
  o Surface Transportation Security Priority Basement Working
29 Transportation System Cybersecurity Framework (TSCF) Partnership
The Transportation Systems Cybersecurity Framework (TSCF) partnership is a collaboration between ITE, AASHTO, ITS America, the National Association of Electrical Equipment and Medical Imaging Manufacturers (NEMA), and the National Association of City Transportation Officials (NACTO), working with USDOT. The TSCF partnership plans to develop dimensions of threats to transportation systems and guidance. To develop content, the TSCF consists of the following working groups [80]:
• WG1: Public Sector Workgroup (represents AASHTO, ITS America, NEMA, NACTO and ITE)
• WG2: Vendor/Supplier/Industry Workgroup (represents ITS America, NEMA, and ITE)
• WG3: Local/Regional Cybercrime/Law Enforcement/Legal WG
• WG4: Red Team SME (Testing)
30 Harmonization Task Groups (HTGs)
The USDOT collaborates with other governments, industry associations, experts, and standards development organizations (SDOs) when in the public interest to enable [81]:
• Shared research, a larger and more detailed set of results, and leveraged/reduced research costs
• Common hardware and software across regions
• Improved interoperability across borders
• Facilitation of a global marketplace
In 2009, the USDOT Research and Innovative Technology Administration (now OST-R) and the European Commission's Directorate General for Information Society and Media (now the Directorate General for Communications Networks, Content & Technology, or DG Connect) signed an Implementing Arrangement to develop coordinated research programs. This is known as the EU-US Joint Declaration of Intent on Research Cooperation in Cooperative Systems.
Under the effort, a Coordinating Group operates several programs through working groups, of which the Standards Harmonization Working Group (HWG) is one. Most of the HWG activities take place through Harmonization Task Groups (HTGs). The HTGs are a means for focused analysis leading to harmonization and/or joint development of specific standards, protocols, and policies [81]. These HTGs are focused on performing work related to security standards for ITS and CV.
30.1 HTG1 & HTG3: ITS Security and Communication Protocols
Completed in 2013, these two (2) HTGs worked in parallel on analyses of security standards (HTG1) and communications standards (HTG3) for CV systems to provide recommendations to SDOs. Both HTGs' reports are available online and include [81]:
• Overview of Harmonization Task Groups 1&3
• Stakeholder Engagement and Comment Resolution
• Observations on GeoNetworking
• Summary of Lessons Learned
• Status of ITS Security Standards
• Testing for ITS Security
• Feedback to Standards Development Organizations—Security
• Status of ITS Communication Standards
• Testing for ITS Communications
• Feedback to Standards Development Organizations—Communications
30.2 HTG2: Harmonization of US Basic Safety Message (BSM) and EU Cooperative Awareness Message (CAM)
HTG2 sought to harmonize the vehicle-to-vehicle (V2V) safety messages that had been developed separately within the EU and the US. HTG2 was completed in 2012 and showcased at the 2012 ITS World Congress, demonstrating that the HTG was able to evolve the two (2) message sets in a manner such that simple software translation is sufficient to allow cross-compatibility [81].
30.3 HTG4/5: Infrastructure Messages
Currently in progress, HTG4/5 intends to address the need for standardized Vehicle-to-Infrastructure message sets and interfaces, including [81]:
• Signalized intersection applications such as Signal Phase and Timing, Signal Request, and Signal Status (ISO 19091)
• In-vehicle data message sets (ISO 19321)
30.4 HTG6: Cooperative ITS Security Policy
The work of HTG6 was substantially completed in late 2015, with publication of documents supporting an end-to-end security policy framework that facilitates harmonization of Connected Vehicle systems. In 2015, the initial set of draft final reports was published [82], and additional reports are anticipated to be published soon [81].
30.5 HTG7: Standards Selection, Gap Analysis, and Identifiers for Connected Vehicle (CV) Architectures
HTG7 will specify standards in detail throughout CV architectures, identify standards gaps for future cooperative development activity, and facilitate Standards Development Organization (SDO) cooperation on globally unique ITS identifiers. The US, Europe, and Australia are conducting this effort cooperatively [81].
31 TRB Security and Emergencies Related Committees
As of 2020, the TRB has 10 groups that are a part of its Technical Activities Council. These groups each serve to consider issues related to the following group topics [83]:
1. Safety and Operations (ID: AC000)
2. Data, Planning, and Analysis (ID: AE000)
3. Policy and Organization (ID: AJ000)
4. Transportation Infrastructure (ID: AK000)
5. Sustainability and Resilience (ID: AM000)
6. Public Transportation (ID: AP000)
7. Rail (ID: AR000)
8. Freight Systems (ID: AT000)
9. Aviation (ID: AV000)
10. Marine (ID: AW000)
Within the Sustainability and Resilience group is the Transportation Systems Resilience Section (AMR), which considers security issues. The section contains the following standing committees:
1. Critical Transportation Infrastructure Protection (ID: AMR10)
2. Disaster Response, Recovery, and Business Continuity (ID: AMR20)
3. Transportation for National Defense (ID: AMR30)
4. Systems, Enterprise, and Cyber Resilience (ID: AMR40) *New Committee in 2020
5. Extreme Weather and Climate Change Adaptation (ID: AMR50)
In support of this report, the Transportation Infrastructure Protection and Preparedness (ID: AMR10) and Systems, Enterprise, and Cyber Resilience (ID: AMR40) Standing Committees are the cyber-focused committees. These two committees are discussed further in the sub-sections that follow. Additionally, under the Aviation Group, the Aviation Safety, Security and Emergency Management Standing Committee (ID: AV090) considers issues in commercial and general aviation safety, airport security, and emergency management. This committee's scope covers planned and actual responses to safety incidents and accidents; criminal and terrorist activity; and man-made and natural disasters, including pandemic events, that may affect or be affected by aviation [84].
31.1 Critical Transportation Infrastructure Protection Standing Committee (ID: AMR10)
The scope of the Critical Transportation Infrastructure Protection Standing Committee is to consider issues relating to threats posed by potential physical, chemical, biological, and cyber-attacks on critical transportation infrastructure in the United States.
This committee develops activities and provides a forum for discussion among the academic community, the private sector, and appropriate government agencies regarding transportation infrastructure assurance. The committee also seeks to support outreach by USDOT and other federal agencies to the owners and operators of the nation's transportation system, from states and municipalities to trucking companies, airlines, barge operators, ocean shipping companies, railroads, mass transit, port and airport authorities, pipelines, and shippers. Attention is given to the full range of security issues, including risk assessment, prevention, technology, procedures and applications, and emergency preparedness and response, as well as the integration of security considerations into the planning and operation of the nation's transportation systems [85]. The committee last met on June 29, 2020, discussing topics including the 2021 Annual Meeting, the TRB re-alignment, and TRB's response to the COVID-19 pandemic. The meeting notes are publicly available [86].

31.2 Systems, Enterprise, and Cyber Resilience Standing Committee (ID: AMR40)

The Systems, Enterprise, and Cyber Resilience Standing Committee's scope covers identifying, replicating, and scaling the factors that contribute to a transportation system's resilience capacity. Organizational capabilities of interest include evidence-based analysis, decision-making processes that recognize the importance of resilience, funding strategies that support resilience-oriented investments, and staff trained in what is necessary to improve system, enterprise, and cyber resilience [87]. Because the committee was formed in mid-2020, it had not yet held a meeting at the time of writing.

31.3 United States Department of Transportation (USDOT) Related Pilot Programs and Artifacts

The U.S. Department of Transportation (USDOT) has issued a departmental Cybersecurity Policy, DOT Order 1351.37, as guidance for the USDOT organization itself rather than as recommended guidance for state DOTs [88]. The policy governs all USDOT information systems, information technology, networks, and data that support USDOT. USDOT has stated that improving cybersecurity, privacy, and information assurance technology operations and infrastructure is a priority. The Office of the Chief Information Officer (OCIO) lists the following priorities:

• Standards, Policies and Directives
  o Ensure DOT implementation of federal cybersecurity initiatives
  o Ensure DOT implementation of National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23)
• Situational Awareness and Incident Response
  o Enhance support of the DOT Cyber Security Management Center (CSMC) and cyber incident response
  o Enhance situational awareness of the DOT cyber infrastructure
  o Improve information sharing with DHS
• Independent Verification and Validation
  o Perform verification and validation (V&V) functions as required by statute
  o Expand the use of Office of Management and Budget-authorized reporting tools
  o Increase the use of automation tools to reduce the V&V burden
• Certification and Accreditation (C&A)
  o Modernize the DOT C&A program and processes
  o Expand the use of the Cyber Security Assessment and Management (CSAM) tool
  o Enhance data quality reviews to identify and correct performance gaps

The USDOT OCIO page was last updated in March 2015; progress on these initiatives was not investigated for this report.

32 National Highway Traffic Safety Administration (NHTSA)

On behalf of USDOT, NHTSA has been investigating solutions to protect and harden vehicles' electronic systems against cyber attacks, both to reduce the probability of a successful attack and to ensure that vehicle systems respond appropriately to limit losses if an attack succeeds [89].

33 Federal Highway Administration (FHWA)

The FHWA is working through multiple areas, including outreach and awareness programs in cooperation with the National Highway Institute (NHI), engineering organizations, and transportation agencies, to improve the cybersecurity resilience of transportation infrastructure. FHWA is currently working with NIST to generate customized risk management and mitigation information, drawn from existing NIST publications, for operating engineers in the highway transportation sector [89]. USDOT is promoting the use and adoption of the NIST Cybersecurity Framework within the transportation sector. NHI also conducts transportation cybersecurity training courses available to members of the transportation community.

34 Multi-State Information Sharing and Analysis Center (MS-ISAC)

MS-ISAC was created to improve cybersecurity within state, local, and tribal governments by facilitating the sharing of cyber threat information within government and between the public and private sectors [90]. It also provides information on cybersecurity best practices, tools, and threats.

35 US-CERT Critical Infrastructure Cyber Community (C3) Voluntary Program

The US-CERT Critical Infrastructure Cyber Community (C³) Voluntary Program was created to encourage adoption of the NIST Cybersecurity Framework. C³ connects users of the Framework with other critical infrastructure adopters and provides resources from DHS, NIST, and others [91]. The C³ Voluntary Program focuses on three primary activities, including:

• Use: understanding the Cybersecurity Framework and applying its guidance.
• Outreach and Communications: connecting new users with organizations already employing the Framework, and collecting and disseminating useful materials.
35.1 Nationwide Cybersecurity Review (NCSR)

The Nationwide Cybersecurity Review (NCSR) is an annual, free, confidential self-assessment, taken at the network level, intended to evaluate the cybersecurity maturity of organizations at all levels of government [92]. It is based on the NIST Cybersecurity Framework (CSF) and is sponsored by DHS and MS-ISAC; organizations do not have to be MS-ISAC members to participate [93]. The NCSR gives organizations metrics on their cyber posture and benchmarks that can be reused in later evaluations. Whereas many other assessments determine compliance with a set of requirements, NCSR results remain private to the organization and identify gaps that can be used to prioritize next steps [94]. Completing an assessment is estimated to take two to three hours, though the initial assessment may take longer. Per the FY 2020 Notice of Funding Opportunity, State Homeland Security Program and Urban Area Security Initiative recipients are required to complete the NCSR.

35.2 State and Local Related Programs and Artifacts

The following sections summarize efforts and activities performed by state and local agencies with respect to cybersecurity guidance and resilience programs.

36 California Departmental Cybersecurity Policy

California DOT's Departmental Cybersecurity Policy "establishes the policies, processes, procedures and standards of the Department of Transportation (DOT) Information Systems Security Program" [95]. The document sets policy for complying with the regulations and laws that apply to the cybersecurity of transportation agencies. When developing a cybersecurity policy, transportation agencies often look to other states' policies and procedures for guidance, and this document is a good example of cybersecurity policy implemented on the basis of the NIST CSF and related NIST controls (e.g., SP 800-53).

37 Enhancing Cybersecurity in Public Transportation – Florida

The report Enhancing Cybersecurity in Public Transportation provides recommendations and suggested policies for transit agencies that may help reduce cybersecurity liabilities [96]. The recommendations are informed by a literature review of known vulnerabilities, a survey of Florida transit agencies, a taxonomy of transit technologies, the outcomes of cybersecurity working groups and workshops, and hands-on analyses of several technologies, all conducted as part of the project. Previously reported vulnerabilities were found in the literature for connected vehicles, autonomous vehicles, electronic ticketing systems, traffic signal controllers, traffic signal priority, and dynamic message signs. Survey participants ranked employee training as the biggest challenge to implementing good cybersecurity practices. The report also includes the results of the working group meetings and workshops held during the project and a detailed analysis of a vulnerability the research team discovered in a Florida mobile fare payment application. Important areas of future work include further examining mobile fare payment apps, onboard Wi-Fi, and traffic controller equipment, and adding cybersecurity components to the management plan processes already established for safety and security in Florida.

38 Colorado DOT Cyber Incident – After-Action Report

In 2018, the Colorado DOT (CDOT) was hit twice by the SamSam ransomware [97]. Though the attack itself is an interesting case study in transportation agency cybersecurity, the after-action report also covers CDOT's recovery and "potential opportunities to prevent or lessen impact of the incident". These opportunities include:

• Implementation of a new security analytics and endpoint detection and response toolset.
• Implementation of continuous monitoring and logging.
• Implementation of security enhancements in privileged access and account management.
• Research into what responsibility cloud service providers should have for alerting customers to poorly configured cloud services.
  o The report notes that there does not appear to be a good partnership in this area.
• Increased training on deploying cloud services securely and mitigating risks related to cloud-based systems.

Beyond these specific items, CDOT also identified further opportunities for improvement and recommendations for implementing them within the agency. Transportation agencies should maintain working relationships with other agencies and look to their lessons learned for improvements that may also apply to their own operations.

39 Maryland DOT Information Security Plan

Maryland DOT's Information Security Plan provides an overview of the security requirements for Maryland DOT's tangible and intangible assets [98]. In developing the document, Maryland DOT outlined the following seven areas of security useful for policy and planning:

1. Physical Security
2. Environmental Security
3. Personnel Security
4. Hardware Security
5. Software and Data Security
6. Security Administration
7. Procedural Security

Beyond this high-level list, the document goes into considerable detail on how specific policies should be implemented. It does not focus on OT; it should be consulted when implementing IT policies or when looking to apply IT policies to OT.

39.1 Other Related Technologies and Data Sources

This section describes technologies that exist but may not yet be standardized and should be considered from a forward-looking perspective (e.g., 5G).

40 Cyber security challenges in Smart Cities: Safety, Security, and Privacy

This paper discusses a variety of security and privacy aspects as they relate to PII in an increasingly connected society. It discusses the concerns and challenges of using, as well as protecting, information gathered through an Intelligent Transportation System (ITS). As transportation agencies incorporate more data collection and analysis, decisions will need to be made about how that information is shared, and the paper discusses some of the compromises that must be considered when sharing information about driving habits collected from vehicles. It also describes possible manipulation of these systems by motivated offenders [99].

41 IoT-Enabled Highway Maintenance: Understanding Emerging Cybersecurity Threats

In this article, the authors discuss the problems inherent in the use of interconnected cyber-physical systems in critical infrastructure such as transportation [100]. They introduce the problem domain with respect to privacy, security, and safety, and note that while these issues are well studied for IoT transportation systems and autonomous vehicles, little research addresses highway maintenance systems.

42 Investigating Cybersecurity Issues in Active Traffic Management Systems

In this research, a prototype Active Traffic Management (ATM) system and a real-time cyberattack monitoring system were developed for a 1.5-mile section of I-66 in Northern Virginia in order to rigorously evaluate ATM systems for cyberattack vulnerabilities and to explore design concepts that provide stability and graceful degradation under attack [101]. The monitoring system detects deviation from expected ATM operation by comparing the lane control states generated by the ATM system with the lane control states the monitoring system deems most likely. The evaluation showed that the ATM system, operating properly in the absence of attacks, raised average vehicle speed in the segment to 60 mph (a 13% increase over the baseline without ATM). Under cyberattack, however, mean speed fell by 15% relative to the unattacked ATM case and was similar to the baseline, i.e., the attack negated the benefit of the ATM system. These results show the need to revisit ATM system design concepts as a means of protecting against cyberattacks, in addition to traditional intrusion prevention approaches.
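To make the deviation check concrete, the following is an added illustration (not code from the I-66 study or from this report) of a monitor that estimates the most likely lane control state from detector readings and scores how far the commanded states diverge from it, raising an alert when the divergence is large. The state set, decision thresholds, severity weights and detector readings are all assumed for the example; the study's actual estimation model is not described on this page.

```python
"""Toy ATM lane-control monitor in the spirit of the deviation check described
for the I-66 study: compare the lane states the ATM commands with the states an
independent monitor considers most likely given detector data.

All thresholds, severity weights and sample readings below are constructed for
this example; they are not taken from the study.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class LaneState(Enum):
    OPEN = "open"
    CAUTION = "caution"   # reduced-speed / merge advisory
    CLOSED = "closed"


# Ordering used to weigh how far a commanded state is from the expected one.
RANK = {LaneState.OPEN: 0, LaneState.CAUTION: 1, LaneState.CLOSED: 2}


@dataclass(frozen=True)
class LaneObservation:
    lane: int
    speed_mph: float   # mean speed reported by the lane's detector
    occupancy: float   # fraction of time the detector is occupied (0..1)
    incident: bool     # a verified incident is blocking this lane


def expected_state(obs: LaneObservation) -> LaneState:
    """Monitor-side estimate: the lane state most consistent with traffic.

    The occupancy and speed thresholds are assumed values for the example.
    """
    if obs.incident:
        return LaneState.CLOSED
    if obs.occupancy > 0.35 or obs.speed_mph < 40.0:
        return LaneState.CAUTION
    return LaneState.OPEN


def compare_states(commanded: Dict[int, LaneState],
                   observations: List[LaneObservation],
                   alert_threshold: int = 2) -> dict:
    """Score the divergence between commanded and expected lane states.

    Each lane contributes |rank(commanded) - rank(expected)|: a lane closed
    while traffic says it should be open scores 2, a caution/open mismatch 1.
    A lane with no commanded state at all scores the maximum, since a dropped
    or stripped command is itself suspicious. An alert fires once the total
    reaches alert_threshold.
    """
    mismatches = []
    score = 0
    for obs in observations:
        exp = expected_state(obs)
        got = commanded.get(obs.lane)
        if got is None:
            score += max(RANK.values())
            mismatches.append({"lane": obs.lane, "commanded": None,
                               "expected": exp.value})
            continue
        delta = abs(RANK[got] - RANK[exp])
        if delta:
            score += delta
            mismatches.append({"lane": obs.lane, "commanded": got.value,
                               "expected": exp.value})
    return {"alert": score >= alert_threshold, "score": score,
            "mismatches": mismatches}


# Constructed detector readings for a four-lane segment in free-flowing traffic.
OBSERVATIONS = [
    LaneObservation(1, 63.0, 0.12, False),
    LaneObservation(2, 61.0, 0.15, False),
    LaneObservation(3, 58.0, 0.18, False),
    LaneObservation(4, 44.0, 0.38, False),  # heavier flow, advisory warranted
]

# What a correctly operating ATM would command for those readings.
NORMAL_COMMANDS = {1: LaneState.OPEN, 2: LaneState.OPEN,
                   3: LaneState.OPEN, 4: LaneState.CAUTION}

# Constructed tampered command set: two free-flowing lanes forced closed.
ATTACKED_COMMANDS = {1: LaneState.CLOSED, 2: LaneState.CLOSED,
                     3: LaneState.OPEN, 4: LaneState.CAUTION}


if __name__ == "__main__":
    for label, cmds in (("normal", NORMAL_COMMANDS),
                        ("attacked", ATTACKED_COMMANDS)):
        print(label, compare_states(cmds, OBSERVATIONS))
```

The design point is that the monitor never trusts the ATM's own output: it derives an independent expectation from the detector feed, so an injected or replayed lane-control command shows up as a scored mismatch even when the command channel itself looks valid. A real deployment would replace the hand-written rules with the estimation model the study used and would also need to consider an adversary who tampers with the detector data feeding the monitor.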

43 Cyber Risk and Insurance for Transportation Infrastructure

The objective of this study is to inform transportation policy and management in the U.S. by identifying barriers to a robust cyber insurance market and to improved cyber resilience for transportation infrastructure [102]. It uses a mixed-methods approach: analysis of U.S. cyber incident data for transportation systems and a series of interviews with transportation infrastructure managers and insurers. Contributions include new insights into the nature of cyber risk for transportation infrastructure and recommendations on research needs to improve cyber risk management and insurance. Results indicate that the annual number of transport-related companies affected by cyber incidents, and the associated costs, are rising. The most common incidents involve data breaches, while incidents involving privacy violations have the highest average loss per incident. Cyber risk assessment, mitigation and security measures, and insurance are being implemented to varying degrees in transportation infrastructure systems but are generally inadequate. Infrastructure managers do not currently have the tools to rigorously assess and manage cyber risk, and limited data and models also inhibit accurate modeling of cyber risk for insurance purposes. Even after improved tools and models are developed, insurance purchase can be an important risk management strategy that allows transportation infrastructure systems to recover from cyber incidents.

44 Reliance on Technology and the Increased Cybersecurity Vulnerabilities It Poses to Our Transportation Industry

The purpose of this research was to analyze how reliance on technology has increased the vulnerabilities of the transportation industry [103]. Questions posed and answered include:

• What demands is transformative technology placing on customer expectations?
• What challenges face industry leaders when new technology converges with existing infrastructure?
• How will digital vulnerabilities affect global trade?

45 Cybersecurity in Intelligent Transportation Systems

This paper by Teodora Mecheva and Nikolay Kakanakov examines the general outline of the ITS architecture and its security issues [104]. The security approaches discussed focus on: configuration and initialization of devices during manufacturing at the perception layer; anonymous authentication of nodes in a Vehicular Ad hoc Network (VANET) at the network layer; defense of fog-based structures at the support layer; and description and standardization of the complex model of data and metadata, together with defense of AI-based systems, at the application layer. The article reviews conventional methods such as network segmentation and cryptography that must be adapted before they can be applied to ITS cybersecurity, and focuses on innovative approaches that have recently sought a place in ITS security strategies: blockchain, Bloom filters, fog computing, artificial intelligence, game theory, and ontologies. It concludes by mapping the discussed methods to the problems they solve and the architectural layers in which they are applied.

46 Protection of Transportation Infrastructure from Cyber Attacks: A Primer

The research project "NCHRP 20-59: Effective Practices for the Protection of Transportation Infrastructure from Cyber Incidents" sought to develop a primer and briefing for owners and operators of transportation systems regarding cybersecurity [105]. The result was Protection of Transportation Infrastructure from Cyber Attacks: A Primer, designed as a guide for surface transportation agencies. It dispels common myths about cybersecurity in transportation systems and urges the development of a cybersecurity culture. It covers risk management and cybersecurity planning approaches such as the NIST Cybersecurity Framework and defense in depth, introduces general concepts associated with the different operations relevant to surface transportation security, and explains potential countermeasures that transportation agencies can use to reduce risk.

47 Intelligent Transportation System Security: Hacked Message Signs 11-01-02-0004

This study focuses on the cybersecurity implications of current transportation systems that depend on closed proprietary systems enhanced by connected cyber-physical systems, specifically Variable Message Signs (VMSs) [106]. VMS hacks can involve physical or remote breaches, owing to the weak protection of the signs and their cyber-physical systems. In 2014, multiple cyber attacks on signs by "Sun Hacker" pushed the Department of Homeland Security (DHS), including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), and the Federal Highway Administration (FHWA) to investigate such breaches more seriously. The study also applies a risk-based, qualitative, vulnerability-oriented threat assessment, with the objective of investigating the safety, security, reliability, and operational issues triggered by a compromised VMS.

48 OT Security Best Practices

This report covers [107]:

• How OT and IT convergence raises new security challenges
• Why network segmentation by itself cannot protect you
• Best practices to protect OT environments from cyber attack

The increasing replacement of OT infrastructure with IT systems is opening new vulnerabilities and risks that are pushing security and risk management leaders to update their security approaches and strategies. The report provides guidance for securing networks and endpoints in converged IT and OT environments.

Overview – Key Challenges

• The convergence of IT and OT systems, combined with increased use of IoT in industrial environments, is challenging many security practices in defining the best security architecture for transforming and modernizing environments.
• Regulatory compliance pressure is mounting as governments around the world issue new guidelines to enhance the security of critical infrastructure, alongside the need to keep costs down and remain competitive.
• OT and IT convergence raises new security challenges spanning a range of new initiatives, affecting the security of a growing range of industries.

Recommendations – Security and risk management leaders operating and planning in converging IT/OT environments should:

• Strengthen the security strategy with a hybrid approach of traditional security technologies and specialist controls to protect OT environments.
• Review and leverage available OT security frameworks as guidance for updating the cybersecurity strategy, while keeping track of new regulations coming to market.
• Assess the impact that new digital initiatives may have on the security setup, bearing in mind that OT security challenges affect all industry verticals.

Chief executive leadership of transportation agencies have placed substantial emphasis on the protection of IT systems against cyber threats. Less focus has been devoted to the risks to operational technology (OT) and equipment or in protecting transportation business operations.

The TRB National Cooperative Highway Research Program's NCHRP Web-Only Document 355: Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs seeks to mitigate that imbalance, especially as physical OT assets become increasingly connected through electronic networks and managed remotely by software. Volume 1, Project Summary Report provides details of the research project that developed the Transportation Cyber Risk Guide, which is found in NCHRP Web-Only Document 355: Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs, Volume 2.

Supplemental to the document is a presentation of an overview of the research.
