National Academies Press: OpenBook

Suggested Citation: "3. Transportation Cyber Risk Guide." National Academies of Sciences, Engineering, and Medicine. 2023. Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs: Volume 2, Transportation Cyber Risk Guide. Washington, DC: The National Academies Press. doi: 10.17226/27035.

of risk. Next, CEOs must Manage Impact through the NIST capabilities of Detect, Respond, and Recover, but must also prepare the agency to Withstand adverse cyber incidents by preparing agency responsiveness for the occurrence of such events. Finally, CEOs must Manage Programs by Defining and Developing the ongoing agency practices that support risk and impact management.

3. TRANSPORTATION CYBER RISK GUIDE

The following section presents the Transportation Cyber Risk Guide that transportation agency CEOs should follow to address cybersecurity issues and protection strategies for OT. It is organized according to the seven management functions identified in Section 2.1. Through the lens of each management function, these recommended practices describe how CEOs should achieve sufficiency for each of the 10 Cybersecurity Transportation Agency Capabilities for Executive Leadership. The recommendations forgo technical guidance aimed at cybersecurity professionals and instead focus on supporting CEOs in their role of facilitating the development, implementation, and execution of programs that achieve sufficient cybersecurity preparedness.

Governance

Governance refers to how a CEO defines and communicates strategic and operational priorities across the agency to fulfill its mission and mandate for safe and secure public transportation. Regarding OT cybersecurity, Governance refers to how, and to what degree, a CEO sets OT cybersecurity as a critical strategic and operational priority for the agency, and how, and to what degree, the CEO establishes the agency's culture of behavior around OT cybersecurity by establishing and supporting cybersecurity initiatives.

Current State

OT cyber risk poses an immediate and substantial threat to core agency operations and mission. For example, a cyberattack on OT could cripple an agency's connected traffic signal devices, take over dynamic message signs to display profane language, and cause substantial disruption to roadway traffic and traffic management operations. The ongoing rapid advancement and adoption of technology in the transportation sector has rendered agency operations and assets increasingly vulnerable, particularly where OT assets are electronically connected. Although many chief executives of state DOTs recognize this, many have not fully elevated OT cybersecurity to a critical strategic or holistic operational priority. Initiatives aimed at cybersecurity have typically focused on protecting IT assets. Exceptions notwithstanding, in agency operations, policies, and procedures, most state DOTs have achieved neither OT cybersecurity program maturity nor an agency culture that treats pervasive cyber safety as a key priority.

What Do CEOs Need to Know?

To address the existing level of threat to core agency operations and mission, elevating OT cybersecurity to the level required of a critical strategic and holistic operational priority does not require technical expertise. Rather, CEOs are uniquely positioned to establish a clear and strong intention to make OT cybersecurity a strategic priority. In doing so, the role of the CEO is threefold. First, the CEO sets the level of tolerable cyber risk and defines corresponding metrics of success that qualified technical staff will achieve. Second, through delegation, the CEO manages the organization and its resources toward achieving the defined level of tolerable cyber risk through the implementation of mitigation strategies. Third, to support the first two actions, the CEO must understand at a high level the nature and level of OT cyber risk and its consequences in order to make informed cost-benefit choices and to steer agency direction as conditions change.

What Do CEOs Need to Do?

• CEOs must recognize that OT cyber risk poses an existing threat to core agency operations and mission.
• CEOs should undertake a comprehensive risk-assessment process to quantify the threat and the potential consequences of OT cyber risk to the agency and the general public.
• CEOs should communicate and reinforce the importance of OT cybersecurity as a critical agency priority.
• CEOs, working through qualified technical staff, must establish goals to achieve OT cybersecurity maturity in agency capabilities and operations.
• CEOs should create a culture of OT and IT cyber hygiene across all agency departments, business functions, and operations.
• In developing a process for security protocols, CEOs should establish comprehensive and holistic standards and practices that replace ad hoc methods across all cybersecurity practices.
• CEOs can externally support cybersecurity program implementation by communicating and advocating for agency priorities and corresponding needs among other branches of government, with other agencies, and between departments, in order to secure funding, support initiatives, resolve governance issues, and address legislative or regulatory issues as needed.

"How" and "Why" and Other Tactical Considerations

For governance, a CEO is concerned with implementing policies or procedures that help identify and establish the risks applicable to their organization. Multiple key cybersecurity standards and frameworks directly address this issue, including:
• ISO 27001
• ISO/IEC 15408 – Common Criteria
• ISO/IEC JTC 1/SC 27 – IT Security Techniques (the ISO/IEC subcommittee that maintains the 27000-series and related standards, rather than a single standard)

To help CEOs conform to and achieve these standards, multiple capability maturity models (CMMs) and frameworks exist, some specifically tailored to OT, such as NIST's Framework for Cyber-Physical Systems (CPS), whose conceptual model is shown in Figure 2. This figure highlights the potential interactions of devices and systems in a system of systems (SoS), such as OT infrastructure. A CPS may be as simple as an individual OT device; it may consist of one or more OT devices that form a system; or it may be an SoS consisting of multiple systems, each made up of multiple OT devices.

[Figure 2. CPS Conceptual Model (source: NIST Cyber-Physical Systems program [1])]

When using these frameworks, CEOs can begin to create policies that address the full stack of cybersecurity issues as they pertain to OT. For example, to understand risks to their OT equipment, CEOs should establish a policy to regularly audit their networks and devices. With the results of these audits, CEOs, with the help of CISOs and other deputies, can begin to understand and categorize the risks applicable to their OT deployments. With risks understood, CEOs can then establish a risk tolerance, which will act as the basis for all future policy and procedure implemented at their transportation agency.

[1] https://www.nist.gov/el/cyber-physical-systems

Managing OT Assets

Managing assets is the acquisition, deployment, monitoring, maintenance, valuation, protection, modification, repair, and retirement of physical and virtual assets and equipment. While this includes fleets and equipment, it also extends to both IT and OT infrastructure, such as traffic signals, cameras, Advanced Traffic Management System (ATMS) software, and the other items in the table of key OT assets in Section 2.2. Regarding cybersecurity, managing assets means identifying the OT and other physical and virtual assets subject to cyber risk, assessing their current state of risk, and defining corresponding requirements for their cyber protection, risk mitigation, and response, resiliency, and recovery in the event of a cyber-related attack or incident. Although CEOs delegate direct management of OT assets to appropriate staff, the CEO retains primary responsibility for ensuring the proper management of these assets, which includes ensuring that proper cybersecurity risk mitigation has been achieved.

Current State

Many assets managed by transportation agencies, including OT assets, have become increasingly connected electronically within operational systems. This includes physical equipment, off-line equipment, and other traditionally non-electronic assets. This has precipitated profound advancements in productivity and system intelligence. It has also produced a corresponding set of ongoing risks and vulnerabilities due to cyber threats at the asset level. Because many agency assets are now connected or exposed electronically in some way, each is rendered vulnerable, irrespective of its network environment, connectivity, or operational function. Because CEOs delegate direct management responsibilities, each OT asset is often managed by the individual department in which it is used, sometimes within a centralized function, or even by a third party. As a result, the degree of understanding of asset-level cyber risk and vulnerability, and of the corresponding protection and mitigation strategies, can vary from department to department and hence across the agency. This variance puts the agency at risk, since a vulnerability in any single unprotected asset can be exploited. Further, we found that a key barrier to risk mitigation, and a high priority, has been the lack of sufficient inventory control as it relates to managing points of vulnerability. Inventory control is also a prerequisite for network access control (NAC), which can only admit or deny devices it is able to identify.

What Do CEOs Need to Know?

The ongoing and omnipresent cyber risk to agency operations extends to the asset level, and this includes physical, electronic, and virtual OT assets as well as IT assets. While an agency is only as strong as its weakest link (i.e., its most vulnerable asset), the size of the risk and potential consequences are always greater than the value of the individual asset at risk. Cyber risk must be vigilantly managed at the asset level at each life-cycle stage. For example, an agency with robust OT cybersecurity practices is still vulnerable to weak practices by vendors and consultants whose work for the agency touches OT assets. Further, CEOs should also distinguish the level of risk from the degree of potential harm.
For example, a breach of a snowplow's telematics software could result in lost performance data but would probably not affect the actual performance of the snowplow. These points apply equally to both IT and OT assets, irrespective of any operational differences. Protecting some assets while leaving others vulnerable is an incomplete strategy. To ensure efficacy and consistency, agencies should take a holistic, agency-wide approach to managing asset-level cyber risk and mitigation programs in order to eliminate potential weakest-link vulnerabilities. This should include an assessment of non-connected physical assets, which in some cases might still pose an incremental risk.

What Do CEOs Need to Do?

• CEOs can promote agency-wide understanding that every agency OT (and IT) asset is vulnerable, irrespective of its network environment or connectivity, and should be included in holistic cybersecurity monitoring, mitigation, and response planning and strategy at the operational level.
• To assess and quantify risk initially, CEOs should requisition a baseline census and evaluation of all agency OT assets to define their value, role, risk, and potential impact on agency operations. This assessment should include externally controlled assets that affect DOT operations.
• CEOs should define which OT (and IT) assets support business functions and operations and should understand how assets are used to fulfill each service, so that mission-critical assets can be prioritized. A CEO should ensure that the cyber professionals in their organization know which technologies the DOT currently has and which technologies are needed.
• CEOs should work with the cyber professionals in their organization to develop a dashboard of critical OT assets and agency processes at risk, in order to monitor the ongoing presence and degree of risks and vulnerabilities.
• A CEO should work with the cyber professionals in their organization to implement a holistic, agency-wide process to manage the cybersecurity of all OT and IT assets from acquisition to retirement, starting with effective inventory control and asset management. The CEO should designate a clear "security first" priority within the DOT in how devices, equipment, services, and other assets are procured, used, and supported post-acquisition, such as the inclusion of clear and consistent requirements to adhere to strict cybersecurity standards in all external contracts.
• Cybersecurity requirements may need to override the authority of any one individual, including department heads. For example, decisions about who should have access to OT assets, and other security protocols, should be based on security requirements and the role of the person accessing the asset, not on that person's authority.
• The development of an OT asset management system should begin with the cyber-physical security of the endpoints of the infrastructure, as the first point of vulnerability, and then move inward to the remaining OT assets.
• CEOs need to address the fact that legacy OT infrastructure may be vulnerable and needs to be secured, since even a low-effort incident could be devastating in its degree of impact and damage.

"How" and "Why" and Other Tactical Considerations

When developing an asset management plan, CEOs can leverage the existing guidance in the CIS Critical Security Controls (version 8, which defines 18 controls). These controls place asset management within "Basic Cyber Hygiene" and cover it in three core controls: Control 1, "Inventory and Control of Enterprise Assets"; Control 2, "Inventory and Control of Software Assets"; and Control 4, "Secure Configuration of Enterprise Assets and Software." The CIS Controls map to the NIST Cybersecurity Framework, NIST SP 800-171, and NIST SP 800-53 Revision 5, which provide guidance and requirements for establishing and maintaining both an inventory control system and a secure configuration process for assets and endpoints.

Strategic Planning

The following section corresponds to the CEO's responsibilities regarding strategic planning with respect to OT cybersecurity.
This involves defining the agency's strategic priorities and objectives, then acquiring the required resources and determining how those resources should be allocated across the agency to support the operations and department functions that achieve these objectives. In cybersecurity, this involves developing the plans, initiatives, programs, and policies required to address cybersecurity needs and to ensure the right levels of resource allocation to fulfill cybersecurity risk and mitigation requirements.

Current State

Strategic planning processes are generally underleveraged as a mechanism for state DOTs to assess and address holistic cybersecurity threats and vulnerabilities. Current strategic priorities are geared toward fulfilling the core objectives and mission of state DOTs: providing safe and secure mobility. Although cybersecurity is a critical priority for some state DOTs, very few have elevated it to a core, agency-wide strategic objective, despite the fact that agencies face existing cybersecurity threats to OT (as well as IT) assets and critical agency functions. As a result, CEOs pay insufficient attention to, and do not allocate enough resources toward, OT cybersecurity-related needs. Despite numerous examples of successful programs, the people responsible for OT cybersecurity typically do not get the resources or support they need to address critical cybersecurity-related needs or to achieve the requisite level of operational maturity in their agencies. For example, most cybersecurity planning efforts have been narrowly oriented toward IT. Further, state DOTs only informally and infrequently measure the value of the transportation services, systems, and other agency assets subject to cybersecurity risk, and very few have quantified the extent of the potential impact in order to dimensionalize what is at stake (e.g., a calculation of how a vulnerability in OT equipment could affect IT networks and result in damages worth $X that require Y time to respond to and recover from).

What Do CEOs Need to Know?

CEOs of state DOTs should establish agency-wide cybersecurity maturity in agency operations and capabilities as a core strategic objective for both OT and IT. This is not a strategic option but a critical necessity, as cyber threats are ever-present. Bad actors continuously seek and exploit vulnerabilities, and it only takes one. Hence, irrespective of their current state of cybersecurity preparedness, all transportation agencies must achieve and sustain OT cybersecurity sufficiency. Further, as agencies continue to adopt advanced transportation technologies, CEOs should consider that the resulting benefits in capacity, productivity, capabilities, and efficiency can only be realized if accompanied by a corresponding sufficiency in OT cybersecurity. Smaller and larger DOTs, regardless of their technological advancement, face the same level of OT cybersecurity threat.

Agency leadership must also rethink investment in cybersecurity programs as a form of insurance rather than as an operational cost. In this approach, the cost of cybersecurity is considered an investment and is measured according to the value of the assets and systems protected, not by the amount of budget allocated. In some DOTs, the concept of insurance was literal: they used the implementation of robust cybersecurity programs to obtain concessions from insurance providers and as a means to draw down federal dollars for cost-mitigation support. This further necessitates a process to define the value of transportation services, systems, and other OT assets in terms of the public mission each one helps fulfill.

What Do CEOs Need to Do?

• CEOs should establish OT cybersecurity maturity as a core agency objective and ensure each business unit is aware of how it fits into that objective.
• Strategic planning in the development of COOP (continuity of operations) plans should prioritize cybersecurity considerations, particularly around OT threats.
• While implementing new technology initiatives may be part of a CEO's long-term goals for an organization, CEOs should require that OT cybersecurity operations and support be specified as part of any project budget estimate or strategic plan. Budgeting for OT cybersecurity has an upfront cost, but the potential losses from not having proper OT cybersecurity operations are much greater.
• CEOs should consider OT and IT cybersecurity part of critical infrastructure, not novel or extra. CEOs should evaluate cybersecurity program costs in terms of the value of the assets, operations, and services being protected.
• In the strategic planning process, CEOs should ensure that agency priorities are aligned with risk. Because new technologies and functionalities are always becoming available, which leads to ongoing changes in the threat environment, the agency's risk, vulnerabilities, and priorities should be continuously re-evaluated.
• CEOs need to understand the risk and consequences of a potential incident and how these would affect agency assets and operations, in order to make informed cost-benefit trade-offs in the context of response to, resiliency during, and recovery from a cyber-related incident.
• The strategic planning process should include regular high-level risk and vulnerability assessments (e.g., low, medium, or high) of key OT assets and agency operations to ensure a common understanding across all departments.
• Each agency principal (CEO, CIO, CTO, CSO, etc.) should be hands-on and directly involved in the strategic planning process. A successful technology, security, or cybersecurity strategic plan requires each principal to have a direct relationship and ongoing communication with each of the others.

• The process of developing plans to mitigate OT cybersecurity risks and vulnerabilities should include input from multiple agency perspectives. Cybersecurity strategic planning should involve operational technology teams as well as information technology staff.
• Each agency department should establish its own strategic plans that contribute to meeting agency cybersecurity objectives.

"How" and "Why" and Other Tactical Considerations

Because the increasing use of connected virtual systems and "smart" technologies within transportation has led to increased cybersecurity risk, CEOs need to make assessing cyber risk a key part of strategic planning. This can be done by working with key organizational leadership to implement appropriate cybersecurity initiatives. When implementing new cybersecurity initiatives, organizations can take advantage of federal financial incentive programs for implementing cyber requirements. FHWA's proposed FY 2022 budget allocated $44.5 million toward improving cybersecurity protections across the agency, and USDOT has committed to supporting the implementation of NIST framework cybersecurity practices in ITS into 2022. FHWA's STIC program [2] can provide up to $100k per state toward transportation innovations. Additionally, while there is currently no requirement for cybersecurity insurance in DOTs, DOTs with external cybersecurity insurance plans may benefit from insurance discounts after implementing improved cybersecurity protections, which can help offset the cost of implementing these plans.

[2] https://www.fhwa.dot.gov/innovation/stic/guidance.cfm

Distribution of Authority

Distributing or delegating authority means organizing agency departments and offices and authorizing designated executives with a mandate to deploy resources and manage DOT operations to achieve the strategic priorities set by the CEO. For cybersecurity, this means formally designating key executive leadership with the authority to control and allocate the resources necessary to establish and enforce the standards, rules, policies, processes, and procedures that achieve the cybersecurity objectives set by the CEO. We further note that the way cybersecurity functions are organized and managed varies from state to state; thus, in some states, authority for cybersecurity operations may not reside solely with the CEO and might be shared with other state entities.

Current State

State DOTs vary widely in how they organize operations related to cybersecurity, technology, and asset management. Most cybersecurity efforts are oriented around protecting IT assets. OT is often an afterthought, even though an OT-related incident could adversely affect public safety. Further, as in other government agencies, the authority of the CEO in state transportation agencies extends to those, such as department heads, who have been formally designated and authorized to operationalize agency priorities and key objectives. Nearly all state DOTs have designated cybersecurity champions who are knowledgeable and technically competent but typically lack the authority and resources to bring the agency to the requisite level of maturity in its cybersecurity capabilities. Agency staff and other executives routinely favor other agency priorities at the expense of OT cybersecurity, particularly in the procurement of technology and vendor services. As a result, where the CEO has not fully invested their own authority and intention, the agency's response is piecemeal and inadequate.

What Do CEOs Need to Know?

CEOs cannot overstate the importance of their visibility to the organization below them. The extent to which a CEO demonstrates engagement in OT and IT cybersecurity establishes it as an agency priority, supports the authority of those formally tasked with its implementation, and embeds it in agency culture. Although the agency's approach to OT cybersecurity should be developed and managed by a technically competent senior executive who reports directly to the CEO, the CEO must remain hands-on and engaged in all facets of development and execution. The CEO must sustain a balance between delegating OT cybersecurity to authorized deputies and remaining prepared to steer the agency in response to issues that warrant hands-on management and decision-making at the highest level. For the former, a CEO monitors performance outcomes via dashboards and progress reports on process implementation and operational compliance, as a mechanism of feedback and enforcement to ensure cybersecurity objectives are met. For the latter, the CEO continuously monitors the state of cyber threats and agency vulnerabilities to inform strategic decisions pertaining to risk assessment, planning, mitigation, and response.

What Do CEOs Need to Do?

• The CEO needs to communicate the priority of OT as well as IT cybersecurity to the whole organization, including a clear designation of authority for the executives with the mandate to lead the development and implementation of cybersecurity policies and programs.
• CEOs should put in place a risk reporting structure as part of an incident response plan, such as the COOP plan, that delineates the actions to take and who is authorized to undertake both preparation for and response to cyber incidents, such as the incident command structure used under the federal National Incident Management System (NIMS), or other emergency operations structures as appropriate.
For example, a designated incident commander might need to be preauthorized to take required measures under certain crisis conditions, to enable timely response and to sustain management clarity.
• The authority for planning and enforcing cybersecurity policy should be vested in a single individual or office whose sole purpose is achieving agency maturity, to remove potential conflict with other priorities. Further, it is critical to have dedicated cybersecurity staff who have no other responsibilities or focus that might detract from or conflict with achieving agency cybersecurity objectives.
• The formal authority vested by the CEO must also be accompanied by an allocation of ample resources and enforcement mechanisms. For example, CEOs should allocate an independent budget to the staff teams charged with implementing and enforcing OT cybersecurity programs agency-wide, to ensure staff have the resources to achieve the required objectives.
• Because cyber threats and vulnerabilities are present in every facet of agency operations, so that the approach to cybersecurity must necessarily be holistic and agency-wide, neither narrowed to technology nor excluded from any single function, the agency lead must possess sufficient authority to enforce compliance, weighing potential risk against operational impact.
• As a key mechanism for OT cybersecurity program implementation and enforcement, CEOs should, when needed, extend greater authority to senior cybersecurity executives while reducing the responsibilities of others, such as over budget expenditures, contracts, and procurement decisions.
• CEOs should consider assigning a qualified group dedicated to monitoring the cybersecurity maturity of the organization. For example, such a group could assess, prioritize, and quantify current OT and IT cybersecurity risks. This group would make informed decisions on how best to manage cyber risks and on the appropriate levels of risk for the organization. The CEO should use metrics obtained from the group's assessments (e.g., the Nationwide Cybersecurity Review) to distribute resources as appropriate to manage cyber risks.

"How" and "Why" and Other Tactical Considerations

In NIST SP 800-50, "Building an Information Technology Security Awareness and Training Program," the authors detail multiple models for distributing authority when designing and implementing an information technology security awareness and training program. Though not directly applicable, it parallels the need for a CEO or central authority to deputize members of their teams with authority. One such model they highlight is the "Partially Decentralized Program Management Model," shown in Figure 3.

[Figure 3. NIST SP 800-50 "Partially Decentralized Program Management Model" [3]]

As stated in the document, "In this model, security awareness and training policy and strategy are defined by a central authority, but implementation is delegated to line management officials in the organization." This structure allows the CEO to establish the overall strategy and policy for OT cybersecurity (and IT by extension) while not directly managing the various "organizational units."

[3] https://csrc.nist.gov/publications/detail/sp/800-50/final

Investing in People

Investing in people refers to the hiring, training, supervision, and seamless retirement of human resources as a strategic asset. In the context of cybersecurity, this means that CEOs of state DOTs must ensure that the agency retains the right levels of staff, tools, and technical capabilities to support cybersecurity-related operations at the required level of proficiency.

Current State

Most state DOT workforces are not yet adequately prepared to prevent or respond to OT and IT cybersecurity threats. Current OT cybersecurity training among state DOTs is inadequate. Agency CEOs face three challenges that impede their agency's capacity to achieve organizational preparedness. First, cybersecurity training occurs, but not at the scope, depth, consistency, or frequency required. Most state DOTs have not defined a required level of proficiency for staff agency-wide pertaining to OT cybersecurity, much less devoted the resources for the corresponding training that would be required to

17 achieve it. For example, the required level of cybersecurity information provided in the training of traffic engineers and field technicians will differ in both the level of depth and OT equipment mentioned. Traffic engineers will receive training on how to ensure that OT equipment (e.g. variable message signs) is accessed in a secure manner, while field technicians may need training on ensuring that OT equipment (e.g. traffic signal cabinets, traffic signal controllers) are installed in a manner that complies with security specifications. Second, staff tend to resist cybersecurity requirements that add complexity or extra steps to their tasks. This may undermine successful program implementation and process adoption, but can be averted by the consideration of risk and impact of a certain vulnerability that a program is looking to manage and conversations with staff on the impact this addition of the vulnerability management process may have. Third, state DOTs need to hire staff with a level of technical proficiency to develop and implement cybersecurity programs but generally cannot compete for talent with the private sector. What do CEOs Need to Know? The role of the CEO is to allocate the human resources required to achieve cybersecurity objectives, and then manage the performance of deputies to achieve desired cybersecurity outcomes. State DOTs face a moving target due to the innovation of new, ever-expanding cyber threats. The gap between agency workforce capabilities and degree of threat vulnerability also increases each time an agency procures new technologies or tools. Each bring new opportunities for vulnerability. Given the natural trend toward digitalization and connected systems, these factors underscore the importance of both having a technically proficient staff and in sustaining the technical proficiency of the staff agency-wide. Technical skills can be supplemented through on-demand agreements with third-party vendors. 
The technical proficiency of agency-wide staff can be enhanced through training involving frequent, hands-on practice to reinforce best practices through repetition such as tabletop exercises and participation in scenario planning, not just training as informational learning. Finally, strong agency culture around OT and IT cybersecurity hygiene is the most potent way to sustain adherence by thousands of individual DOT staff members to good practices. Threats reside at the local user level since every individual presents a source of risk and vulnerability. Achieving culture change is a substantial challenge and the addition of cybersecurity-related processes without consulting or training staff may be detrimental to achieving cybersecurity culture change. For example, those responsible for managing infrastructure but who experience a loss of authority or control as a result of new cybersecurity initiatives may become adversaries to the adoption process. Change management techniques are available and may be required. What do CEOs Need to Do? • CEOs should conduct objective, independent audits, vulnerability assessments, and penetration testing of staff capabilities and OT and IT cybersecurity awareness. CEOs should further consider the importance and benefits of using objective third-parties to conduct these assessments to ensure complete and unbiased results. • CEOs must invest in OT as well as IT cybersecurity training to address vulnerabilities at the user level. Increased training for staff will often have a greater impact than hiring more cybersecurity personnel. • CEOs should prioritize the active types of training which emphasize repetitive hands-on practice, including participation in tabletop exercises, to prepare staff for incidence response, etc. 
• Mechanisms to assess staff and departmental performance must elevate adherence to cybersecurity requirements and implementation of cybersecurity programs as a key element for recognizing success, providing remedial support when needed, and for enforcing accountability when performance lags. • CEOs can promote a culture of cybersecurity hygiene across the agency by recognizing and supporting OT cybersecurity champions.

• CEOs can overcome agency personnel shortages or limitations in staff capacity and capabilities via third-party consultants to implement cybersecurity programs.

• CEOs should adopt a management approach for direct reports and subordinates that uses performance measurements to hold them accountable for outcomes and performance in operations, including those pertaining to cybersecurity.

• CEOs should focus on setting the human resource outcomes to be achieved for the agency, and should avoid involvement in the details of managing agency staff or in setting specific cybersecurity standards or requirements for training and capabilities.

“How” and “Why” and Other Tactical Considerations

Part of establishing a culture for cybersecurity is establishing good training policies for staff. See NIST SP 800-50, “Building an Information Technology Security Awareness and Training Program.” For specific training materials, a good starting point is the National Initiative for Cybersecurity Education’s (NICE) “Low Cost Online Cybersecurity Content” (hosted at https://www.nist.gov/itl/applied-cybersecurity/nice/resources/online-learning-content). By establishing cybersecurity training and awareness, the CEO can establish the “culture” of cybersecurity (https://www.nist.gov/blogs/manufacturing-innovation-blog/creating-culture-security) that provides employee assistance on topics like:

• Stopping risky behavior: Help employees know what decisions can lead to a bad outcome, for example, opening email attachments from unknown sources.

• Encouraging less risky behavior: Help employees understand and care about implementing processes that increase security, for example, how to make strong passwords.

• Promoting a “culture of awareness”: Help employees recognize and respond to a cybersecurity event through cyber hygiene training, for example, what to do if a guest plugs an unauthorized USB drive into a machine.

Managing Operations

Managing operations is the execution, monitoring, or improvement of business functions, activities, and processes to achieve business objectives. For CEOs, this means deploying the plans, programs, and policies designed to fulfill cybersecurity requirements and ensuring their effective and ongoing implementation. The following sections correspond to the CEO’s responsibilities regarding managing operations.

Current State

Although state DOTs recognize that a cyber incident affecting IT assets will impede agency operations, and that an incident affecting OT assets has additional consequences for public safety, operations devoted to protecting OT assets are generally immature across most state DOTs. Because the physical and virtual assets which state DOTs manage remain highly vulnerable to a variety of dynamic cybersecurity threats, agency operations are also insufficiently cyber secure. Vulnerability and failure at the asset level, for even just one asset at a small level of risk, ladders up to important cybersecurity implications for agency operations.

Currently, operations focused on cybersecurity often touch all business areas and functions of an agency, such as requirements and policies regarding procurement, vendor contracts, networks, software, data exchange, and other IT infrastructure and processes, and most agencies follow industry best practices. Nevertheless, these operations are not holistic and typically focus narrowly on protecting IT assets. Hence, while many DOTs have deployed cybersecurity programs, processes, and requirements that have rendered their high-priority and critical operations secure, other assets remain insecure.

What do CEOs Need to Know?

Transportation agency CEOs should pursue the objective of achieving agency-wide OT and IT cybersecurity maturity in their agency’s operations and capabilities, of which there are two facets. First, the cyber protection of mission-critical and other agency operations vulnerable to cyber threats. Second, operations which are themselves devoted to the planning and implementation of cybersecurity mitigation strategies. The effectiveness of the former depends upon the degree to which a CEO prioritizes the latter.

As chief executives set and manage the quantifiable cybersecurity objectives and desired outcomes that their empowered deputies are tasked to achieve, it is also critical to recognize that the nature of OT cybersecurity threats is dynamic. The types and scope of threats are constantly changing, and new ones are always emerging. Cybersecurity operations need to be managed in a similarly adaptive fashion and cannot be a static process. Therefore, CEOs must understand the dynamic nature of ever-changing cybersecurity threats and the corresponding need for the continuous adaptation of the organization’s operations. Security is a North Star toward which the CEO must constantly steer the organization, not a destination that can be definitively arrived at. Operational effectiveness requires a compass, not a roadmap, to guide the agency toward only temporary states of cybersecurity protection and risk mitigation along ground that is constantly shifting.

What Do CEOs Need to Do?

• CEOs must understand the dynamic nature of ever-changing OT and IT cybersecurity threats and the resulting need for continuous adaptation (i.e., the CEO must steer the organization) as conditions change.

• CEOs must make OT cybersecurity an early focus in operations to set the agency mind-shift and culture. CEOs should ensure that cybersecurity risk, vulnerability, and resulting requirements are factored into everything a DOT does, whether IT or OT or otherwise.

• Best practices for cybersecurity operations have already been identified and are well-documented and available for application by appropriate staff; CEOs should ensure these are referenced and followed throughout the agency in operations.

• The success of agency operations pertaining to cybersecurity, or the implementation of cybersecurity programs, depends on effective staff execution. CEOs should leverage performance measurement systems as a means to manage these processes by holding direct reports accountable for outcomes.

• Because broad internal and external agency collaboration eliminates knowledge gaps within business functions and across departments, particularly when a cyber incident occurs, CEOs should facilitate ongoing inter-agency operational communication and collaboration in advance of, and as critical preparation for, cyber incident avoidance, response, and recovery.

• To enable cyber incident management and response on an adaptive basis, CEOs should develop mechanisms that provide situational intelligence to monitor risk and changing conditions, for purposes of operational performance and accountability and so that information is available as needed.

• CEOs should ensure there is a strong COOP in place that is designed to address active threats and critical issues. CEOs should be able to review a COOP to fully understand the threats, consequences, and risks affecting the agency. CEOs should ask, “How good is my COOP?”

• CEOs should conduct frequent tabletop exercises and stress tests to assess the organization’s preparedness for cyber risks and to confirm that business units are able to maintain the COOP.

“How” and “Why” and Other Tactical Considerations

See NIST SP 800-39, “Managing Information Security Risk: Organization, Mission, and Information System View,” for guidance on understanding risks to operations and the impacts of those risks. This, along with other guidance such as the NIST CSF, can help to frame operational risks and establish objectives and goals. For example, an identified risk to OT operations may be that a deployed sensor is compromised by an attacker. This then represents multiple risks to operations:

1) The sensor is brought down, leading to system downtime and loss of sensor data.
2) The attacker has access to the larger OT network (firewalls permitting).
3) IT and OT engineers now have to shift focus from current tasking to resolve this compromise.

To address these risks, a few policies/procedures could be enacted to help lessen the impact:

1) Allow only trusted/verified systems/individuals access to the sensor networks (role-based access).
2) Ensure strong firewall policies are enforced at the IT and OT level.
3) Ensure there are human/capital reserves such that engineers do not fall behind on other important tasks or fail to meet cost/schedule deadlines.

Measuring Performance

Measuring performance involves collecting and assessing data and information to determine when, if, how, why, and what outcomes occur, to inform strategic and operational decisions. This includes defining the metrics that correspond to desired outcomes by which progress can be measured. For cybersecurity, CEOs define the desired outcomes and the standards by which these will be measured to quantify the impact and effectiveness of plans, programs, and policies deployed to address cybersecurity needs. These also serve as a mechanism to enforce operational accountability among those charged with achieving specific outcomes. The following sections correspond to the CEO’s responsibilities regarding measuring performance.

Current State

In recent decades, the focus of transportation agencies has transitioned from building roadway and mobility capacity to measuring and achieving performance of transportation systems. This has been driven by changing priorities, resources, and requirements at the federal level, such as via MAP-21 or the new emphasis on equity and sustainability. It has also been facilitated in part by advances in transportation technology and in agency capabilities to ascertain progress. The adoption of data-driven tools, particularly ATMS, has enabled transportation agencies to collect and analyze data to produce situational intelligence in real time about the state of a transportation network or system. This has enabled robust performance measurement and presents a foundation for outcome-based agency management.

State DOTs have considered cyber protection for the tools that measure performance, since these systems are critical IT assets. However, state DOTs have not established formal performance metrics to measure progress toward agency-wide OT cybersecurity maturity. Consequently, state DOTs do not currently measure OT cybersecurity performance beyond the blunt success metrics of avoiding an attack or marking the milestones of cybersecurity program deployments and compliance. Most state DOTs measure the performance and effectiveness of cybersecurity programs on an ad hoc and qualitative basis instead of via a systematic and quantitative process. Some operational areas receive attention and focus because they easily lend themselves to measurement, irrespective of their actual importance or utility. Other areas, which may reflect critical processes, remain unassessed.

What do CEOs Need to Know?

Performance measurement systems are a powerful mechanism available to CEOs to monitor and ascertain progress toward agency objectives, to inform and steer agency operations in outcome-based management, and to hold direct reports, departments, and other staff accountable. As CEOs define desired outcomes and set the desired level of performance and risk related to cybersecurity for OT and IT that deputies must achieve, it is critical to define the right success metrics and accurate proxy metrics which indicate progress. Organizations always tend to adapt operations to optimize for the outcomes that are measured. Defining the wrong cybersecurity metrics to influence agency operations could result in dire and unintended consequences, particularly when managers conflate outputs with outcomes or process with performance.

Performance measurement pertaining to cybersecurity is itself immature. Cybersecurity monitoring is a critical operation that is managed by many state DOTs, but it is not viewed in the context of performance. No definitions of cybersecurity sufficiency have been established and translated into Key Performance Indicators or common benchmarks that can be used by agencies to ascertain cybersecurity performance as progress toward critical strategic objectives, such as achieving levels of cybersecurity maturity in operations and capabilities.

What Do CEOs Need to Do?

• CEOs need to establish the desired outcomes, performance levels, and cyber risk levels for reaching the organization’s OT cybersecurity goals. There should be established metrics for progress toward these goals and a way of measuring when goals have been reached, with some form of quantifiable data as part of these metrics. CEOs should also establish baseline measurements from which to ascertain ongoing progress.

• CEOs must support efforts to develop and implement performance measurement systems that assess the development, deployment, and ongoing operational impact and effectiveness of OT cybersecurity programs, such as by acquiring the requisite data in the required format and on a timely basis.

• CEOs should focus on obtaining a high-level status of OT cybersecurity performance and delegate staff to focus on the specifics of performance. CEOs should identify the information they need to understand the agency’s state of risk and the effectiveness of its cybersecurity programs in order to respond to potential incidents and make effective management decisions.

• CEOs should work with organizational leadership to develop a dashboard of key information relating to OT cybersecurity performance, including current levels of risk, current cyber support of assets, key areas for future cybersecurity improvements or initiatives, and the organization’s preparedness to take on new cybersecurity initiatives.

• CEOs should consider the differences between, and the importance of, Process Metrics versus Outcome Measures in ascertaining performance versus progress toward achieving capability objectives. CEOs should also consider the difference between goals and their subtasks: the outcome is the true indication of success, as distinct from merely enacting the correct processes and procedures.

• CEOs might consider a dual approach of establishing national performance metrics (which are tested and proven) while also having a localized set of performance metrics which provide a qualitative review of a state DOT’s individual progress. For example, some metrics might be critical must-haves and others might be more about defining aspirational goals toward which state DOT performance might strive.

• Establishing national performance standards for OT cybersecurity would be beneficial for state DOTs, to guide efforts to promote capability maturity. Establishing national benchmarks and a measurement framework that sets general definitions all DOTs must follow would also be potentially very beneficial.

Chief executive leadership of transportation agencies have placed substantial emphasis on the protection of IT systems against cyber threats. Less focus has been devoted to the risks to operational technology (OT) and equipment or in protecting transportation business operations.

The TRB National Cooperative Highway Research Program's NCHRP Web-Only Document 355: Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs seeks to mitigate that imbalance, especially as physical OT assets become increasingly connected through electronic networks and managed remotely by software. Volume 2, Transportation Cyber Risk Guide consists of a high-level framework to assess cyber risk; identifies strategies for preparing for, preventing, and managing cyber incidents; and links transportation asset classification with cyber risk. Details of the research project that developed this guide are available in NCHRP Web-Only Document 355: Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs, Volume 1: Project Summary Report.
