Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
C-1 APPENDIX C Task 3 - Identify Transportation Technology and Cybersecurity Subject Matter Experts The following section summarizes Task 3: Identify Transportation Technology and Cybersecurity Subject Matter Experts and the findings from the completion of this task. 1 Task Overview The objective of Task 3 was to identify and organize a set of cybersecurity subject matter experts (SMEs) whose expertise and input would be used to participate in the development of the Transportation Cyber Risk Framework (TCRF) in Task 5. The work our team completed in Task 3, documented in this appendix, identifies and organizes a set of cybersecurity SMEs representing different functions within state transportation agencies or who possessed relevant credentials whom we recruited to assist in the development of the TCRF in Task 5. The SMEs will participate in interviews, workshops and other research activities provide their knowledge, experience, and expertise regarding effective cybersecurity practices in the OT environment. For example, the SMEs will help identify and assess critical assets, cyber risks, and gaps in OT and IT cybersecurity practices among DOTs and will provide their recommendations for action within relevant organizations. This information will ultimately inform the development of the Guide to be undertaken in Task 5 and will help ensure that it will be suited appropriately and effective in helping state transportation agency CEOs understand and address agency- wide cybersecurity needs pertaining to OT. 1.1 Task Findings In this section, we present the 30-state transportation agency and cybersecurity industry practitioners and researchers who, through their work, research and practice and other relevant experience, comprise the cybersecurity SMEs selected to participate in the development of the Transportation Cyber Risk Framework in Task 5. Our team reached out to over 50 representatives for different agencies to ensure the roster of selected SMEs represented a wide range of states, skills, and industry experience most beneficial to the needs of this project. Our team assessed the technical skills, mobility industry expertise, government domain experience, and influence on the development or deployment of cybersecurity practices of each candidate as part of the recruitment process. To reflect the diversity of skills and perspectives, we divided up SMEs into four categories: ⢠Information Security Practitioners ⢠Transportation Practitioners ⢠Academics & Researchers ⢠Operation Technology Practitioners As a result of our efforts, our team was able to successfully assess the skills of fifteen Information Security Practitioners, three Transportation Practitioners, three Academic Researchers, and nine Operation Technology Practitioners from five businesses, one university, and fourteen DOTs, including Texas DOT, Virginia DOT, Iowa DOT, and Alaska DOT. Below, we list each selected SME for each category in alphabetical order by last name. We include background information, affiliations, state and titles for identification and background purposes only.
C-2 2 Information Security Practitioners This group of SMEs included those whose primary professional focus is the development and application of information and communication technology hardware and software, information security, cybersecurity policies, and procedures and training in transportation agencies or in other industries. 2.1 Tom Alongi, Senior Network Engineer, Coranet Tom Alongi is a senior network engineer working with Coranet, an IT firm focused on the âdesign, install and manage your mission-critical infrastructureâ. In Mr. Alongiâs years of experience in this work, he has assisted in the deployment of multiple transportation-related projects, which saw him directly involved in the securing of both IT and OT systems. 2.2 Thomas Amato, Enterprise Technology Manager, Oregon DOT Thomas Amato is an enterprise technology manager for Oregon DOT and has previously worked as a consultant for the DOT. Mr. Amatoâs experience is primarily geared towards IT security. Mr. Amato currently manages a security team that is responsible for the security of some of the DOTâs servers, workstations, service desks, and roadside network. 2.3 Johnny Olson, Colorado Director of Transportation and Operations, Horrocks Engineers Johnny Olson currently works as the Colorado Director of Transportation and Operations for Horrocks Engineers. He retired from the Colorado DOT in 2019 with a 20-year tenure. Mr. Olson worked with Steven Humphrey on the resiliency team for Colorado during the recent SamSam attacks. Mr. Olson further served as the Incident Commander following historic flooding in Northern Colorado in September 2013. 2.4 Steven Humphrey, Senior Project Manager, Muller Engineering Steven Humphrey works as a Senior Project Manager for Muller Engineering. Mr. Humphrey worked with Johnny Olsen on the resiliency team for the Colorado DOT during the recent SamSam attack. Mr. Humphrey worked on recovering business functionality for the DOT during the attack. As a result of his efforts, IT groups were able to concentrate on responding to the cyber security incident. He further participated in recovery efforts after the historic floods in Colorado in 2013. 2.5 Alec Birmingham, Security Engineer, Iowa DOT Alec Birmingham is an engineer on the security team at Iowa DOT. Mr. Birminghamâs security background includes experience in areas such as security architecture, network and firewall, secure coding and data protection, vulnerability assessment, ethical hacking, incident response, and other skills that compose a wide-ranging cyber skillset. 2.6 Matt Boell, Security Engineer, Iowa DOT Matt Boell is an engineer on the security team at Iowa DOT. Mr. Boellâs security background includes experience in areas such as Security Architecture - Infrastructure and Operations, Network and Firewall, Data Protection, Application Security, Compliance, SIEM, Incident Response, Forensics, and other skills that compose a wide-ranging cyber skillset.
C-3 2.7 Nick Moore, Security Engineer, Iowa DOT Nick Moore is an engineer on the security team at Iowa DOT. Mr. Mooreâs security background includes experience in areas such as Security Architecture, Network and Firewall expertise, NAC, Forensics, Investigations, Incident Response, SIEM, Communications Security, and other skills that compose a wide- ranging cyber skillset. 2.8 Travis Olson, Security Engineer, Iowa DOT Travis Olson is an engineer on the security team at Iowa DOT. Mr. Olsonâs security background includes experience in areas such as Security Architecture - Infrastructure and Operations, Network and Firewall, Office 365, Server and Application Security, Compliance, SIEM, Incident Response, and other skills that compose a wide-ranging cyber skillset. 2.9 Kevin Hartman, CTO, Ohio DOT Division of IT Kevin Hartman is the Chief Technology Officer in Ohioâs Division of IT. Part of Mr. Hartmanâs responsibilities include the creation and support of the network, telecommunications, desktops, and servers that make up the ODOT environment. 2.10 Simon Herring, Security Operations Lead, Ohio DOT Division of IT Simon Herring is a Security Operations Lead with Ohioâs Division of IT. Mr. Herring has been focused on developing ODOTâs security operations and technologies for well over a decade and has extensive experience in DOT-specific security. 2.11 Devin Townsend, Nebraska Department of Transportation, Chief Technology Officer/Director of IT, Nebraska Devin Townsend has worked at the Nebraska DOT for over 10 years and is currently the Chief Technology Officer (CTO) and Director of IT. Mr. Townsend has also done work with highway inspections and AASHTO software. 2.12 Michael Chandler, Chief Information Security Officer (CISO) South Carolina DOT Michael Chandler is the Chief Information Security Officer at the South Carolina Department of Transportation. Mr. Chandler has over 20 years of IT experience with the agency and over 30 years of various IT experience. Currently he is focusing on managing cyber security risk within IT and OT of critical infrastructure. He holds a CISSP, a Bachelor of Science Degree in Computer Science, and a Master of Science Degree in Cyber Security. 2.13 Thomas Branham, Cyber Security & Privacy Officer, Arizona DOT Thomas Branham is the Cyber Security & Privacy Officer at Arizona DOT. His areas of focus include Infrastructure Protection, IT Risk Management, Network Security, Disaster Recovery, IT Security Incident Management, Regulatory Compliance, Privacy, Access Control, Audit, Vulnerability Management, Security Event and Incident Management, and Web Application Security. 2.14 Charles Brown, IT Security Analyst, Arkansas DOT Charles Brown is the Chief Information Security Officer for the Arkansas Department of Transportation. He has worked at the Department of Transportation for over 4 years and has served in his current role for
C-4 over 2 years. His previous experience includes five (5) years as a Network and Systems Administrator at FamilyLife. 2.15 Ben Cohen, CIO, Mississippi DOT Ben Cohen is the Chief Information Officer at Mississippi DOT. Mr. Cohenâs experience includes: Application Development and Maintenance, Business Procedure Development, and configuring, building and troubleshooting computer hardware. 3 Transportation Practitioners This group represents those SMEs whose expertise emanates from their direct experience in the transportation domain with a professional focus in the management of broad transportation programs, including both the private and public sector. 3.1 Carolyn Morehouse, Chief Engineer, Design and Engineering Services, Alaska Carolyn Morehouse is the Chief Engineer and Division Director for Alaska DOTâs Department of Statewide Design and Engineering Services. Mrs. Morehouse worked to develop Alaska DOTâs first Transportation Asset Management Plan and has been a member of the American Association of State Highway and Transportation Officials (AASHTO) since 2020. 3.2 Corey Coulam, Utah Department of Transportation, Control Room Manager, Utah Corey Coulam is the Program Manager for the Utah DOT Traffic Operations Center. Mr. Coulam is currently focused on managing operations for the Traffic Operation Center Control Room program, and often has to interface with both executives and security experts at Utahâs Department of Technology Services. He has been at UDOT for over six (6) years and has strong program and project management experience with a B.S. focused on Emergency Services Administration from Utah Valley University. 3.3 James Sullivan, State Traffic Engineer, Mississippi DOT James Sullivan is a State Traffic Engineer at Mississippi. Mr. Sullivanâs experience includes project planning, installation of OT equipment, and other tasks necessary for the successful completion of transportation- related projects. 4 Academics & Researchers This group provides the project with SMEs whose professional focus and technical expertise centers on researching and advancing cybersecurity detection and mitigation practices beyond the domain of transportation agencies to ensure the project work is informed by a broader perspective of needs. 4.1 Dr. Sanjay Goel, Professor of Information Security and Digital Forensics, University at Albany Dr. Sanjay Goel is an Associate Professor at the University of Albany in the Department of Information Technology Management. Within the university, Dr. Goel is the Director of Research for the New York State Center for Information Forensics and Assurance. He has previously worked at the General Electric Global Research Center. His current research projects revolve around cybersecurity, cyber-warfare and critical infrastructure. These projects include fields such as botnets, network forensics, and traffic control. He has further authored over 50 articles, presented at over 30 conferences, and has been the recipient of several awards.
C-5 4.2 Steve Johnson, HNTB Corp., Connected Vehicle Pilot Program Management Lead Steve Johnson is Associate VP and Connected Vehicle Program Manager for HNTB in Tampa Florida. Mr. Johnson has also worked on the Tampa-Hillsborough Expressway Authority (THEA) CV Pilot program. The program began in September 2015 and aims to reduce congestion in downtown Tampa by deploying a variety of vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) applications. 4.3 Dr. Richard White, Tennessee Department of Transportation, Cybersecurity Architect, Tennessee Dr. Richard White is a cybersecurity architect working with the Tennessee DOT. Dr. White is currently focused on the securing of both IT and OT networks with extensive knowledge of the architecture, policies, and actions needed to secure these systems. 5 Operation Technology Practitioners This group of SMEs is comprised of OT practitioners to represent those individuals whose technical expertise and professional focus is specifically in the public sector transportation domain and in the planning, acquisition, deployment and management of the OT assets subject to cybersecurity risk. 5.1 Murali Rao, Virginia Department of Transportation, Chief Information Officer, Virginia Murali Rao is the Chief Information Officer and Cyber Security Officer at the Virginia Department of Transportation (VDOT). He is currently focused on Operational Technology Cybersecurity, Technology Strategic Planning, Business Integration, and Cyber Security. Mr. Rao is a member of the VDOT innovation team that is future focused and looks at technologies and services that impact OT and transportation, including connected and autonomous vehicles and UAS services. Previously, for over 10 years, he directed VDOTâs information technology program with $85 million annual budget and over 150 applications supporting transportation operations, maintenance, construction, and administrative functions. He has been with VDOT for over 24 years and has 35 years of progressive IT management experience. He holds a Bachelor of Science (B.S.) in Physics and an MS in Computer Engineering. [108] 5.2 Chrissie Collins, FMS/AMS Specialist IV Florida DOT Chrissie Collins is a CISSP certified specialist who chairs Florida DOTs ITS Technical Assistance Group. Ms. Collins has been working for FDOT for about 20 years and has been serving in her current role since 2020. She provides guidance and oversight for ITS IT staff and Floridaâs central IT agency. She further serves as a liaison between the two groups. 5.3 Steven Pryor, CISO, TxDOT Steven Pryor is the CISO for TxDOT, currently working in the following OT initiatives: ⢠Security SIEM logging and monitoring of the OT space ⢠Vulnerability and Configuration scanning of the OT space ⢠Supply chain risk management and including security as part of OT purchasing All three are on TxDOTâs roadmap starting Sept 1, 2021 (FY22 for Texas). Another initiative for OT led by Mr. Pryor is directly related to Lonestar, the ATMS software used by TxDOT, which is trying to centralize and ensure Lonestar is deployed in a secure manner.
C-6 5.4 Tom Booth, Principal/Solutions Architect, GTS Solutions, Inc. Tom Booth is a Principal/Solutions Architect at GTS Solutions, Inc. a Cisco Systems Premier Partner specializing in large scale IOT solutions within the transportation space (Intelligent Transportation Systems and Ports), manufacturing, and healthcare. Mr. Booth has over 20+ years of experience within the integrator/hardware manufacturer space and over 30 years of various IT (commercial/federal) experience. Currently he is providing solutions to many IOT customers in the Southeast following industry best practices to provide high-speed reliable and secure infrastructures for IOT customers. He holds many Industry/manufacturer certifications and has a Bachelor of Science Degree in Computer Science. 5.5 Andrew Green, Information Security Officer, Virginia DOT Andrew Green is the ISO for the Virginia Department of Transportation. Mr. Green guides efforts to secure connected devices that are added to the DOTâs network. He is responsible for requesting new security measures for OT from executive level management. 5.6 Dave Anderson, Director of Network and Cybersecurity, Iowa DOT Dave Anderson is the director of the Network and Cybersecurity group at Iowa DOT. Mr. Andersonâs security background includes experience in areas such as IoT/OT Security, Security Architecture, SecOps Leadership, Security Strategy, Infrastructure and Operations, Vulnerability Assessments, Ethical Hacking, Military OpSec, and Physical Security. 5.7 Chris Pelton, Engineer, Iowa DOT: Chris Pelton is an engineer on the security team at Iowa DOT. Mr. Peltonâs security background includes experience in areas such as IoT and OT Security, Security Architecture, Network and Firewall expertise, Strategy, Traffic Operations, Incident Response, Security Ops, Leadership, SIEM, and other skills that compose a wide-ranging cyber skillset. 5.8 Jerry Groom, Security Engineer, Iowa DOT: Jerry Groom is an engineer on the security team at Iowa DOT. Mr. Groomâs security background includes experience in areas such as IoT and OT security, Security Architecture, Network and Firewall expertise, Secure Coding, Forensics, Investigations, SIEM, NAC, Ethical Hacking, Vulnerability Assessments, and other skills that compose a wide-ranging cyber skillset. 5.9 Rick Tiene, VP Business Development, Government & Critical Infrastructure, Mission Secure Inc. Rick Tiene works at Mission Secure Inc. (MSi) as the Vice President of Government and Critical Infrastructure. He has held this position for 3 years. Before taking this role, Mr. Tiene worked as the VP of Homeland Security Solutions/Director of K-12 and Industry Relations for Alertus.
