Currently Skimming:


Pages 17-58

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 17...
... This information has informed and will continue to inform our ongoing research and the development of project deliverables and resulting guidelines. It will also improve state transportation agency leadership's understanding of common cybersecurity concerns, barriers, lessons learned, and successful strategies in today's day-to-day operations. The objective of Task 1 is to inform readers of: • The current state of cybersecurity initiatives and management strategies deployed by state transportation agencies.
From page 18...
... cybersecurity initiatives pertaining to state transportation agencies. 2 USDOT Cybersecurity Initiatives To examine how USDOT policies and guidance pertaining to OT cybersecurity may or may not influence state-level policies, we examined transportation-related cybersecurity initiatives at the Federal level.
From page 19...
... 3 Related Information The following links were used when assessing the USDOT's cybersecurity initiatives:
• https://www.transportation.gov/cio/cybersecurity-privacy-information-assurance
• https://www.its.dot.gov/factsheets/cybersecurity.htm
• https://rosap.ntl.bts.gov/view/dot/42461
• https://www.transportation.gov/coronavirus
• https://www.fmcsa.dot.gov/safety/fy-2020-department-transportation-security-awareness-training
From page 20...
... In those states, only the legislative documents provided information. To gain more information about the state DOTs' cybersecurity initiatives, we chose to interview executives and senior-level members of the DOTs.
From page 21...
... OTHER MANDATES What other cybersecurity initiatives, policies, or practices does the state DOT follow that are mandated under federal, state law and regulation? 5 State Cybersecurity Initiatives This section summarizes our research findings related to individual state cybersecurity initiatives presented in alphabetical order.
From page 22...
... Through collaboration with California's Department of Technology and the office of the governor, the DOT is able to develop cybersecurity initiatives that address cybersecurity at an operational level. These initiatives, though often focused on IT, are increasingly reaching OT devices and are a noted area of improvement.
From page 23...
... o Vulnerability scanning software used for vulnerability management – also implement "trust but verify" in terms of software patching. ▪ Also working on asset management module.
From page 24...
... This is a sample of the full set of cybersecurity initiatives, which have more focus on the topics that the research team feels would impact the cybersecurity policies enacted by state DOTs.
From page 25...
... 5.7 Connecticut Connecticut DOT plans to deploy America's first automated bussing system in 2021 in collaboration with Robotic Research, an autonomous vehicle research organization. This provides an opportunity to study the behavior of automated vehicles in a real-world environment and potential cybersecurity protections needed.
From page 30...
... They identify that high-powered and complex systems tend to have higher cybersecurity risks and, as such, require the most protection. To handle this, they propose training all staff on cybersecurity risk, using a "consequence driven" engineering mindset and creating a cybersecurity team consisting of those involved in developing the infrastructure for CAV.
From page 31...
... − DOIT is also monitoring other state cybersecurity initiatives. o There is state-mandated annual cybersecurity training for all employees and contractors.
From page 32...
... In their 2020 Transportation Asset Management Plan, Kansas DOT identified information technology as a major risk category for transportation infrastructure and considered cybersecurity threats and outdated technology to be among the highest risk categories to infrastructure. 5.17 Kentucky The DOT website does not contain any information regarding cybersecurity initiatives, but the Kentucky Office of Homeland Security maintains guidelines for incident response plans, a thorough Security Standard Procedures manual, and several individual cyber-related policies for enterprise (e.g., anti-virus, firewall, social media)
From page 33...
... o Losses due to cyber incidents, and by extension the risk associated with a specific device, are not measured in dollars but rather in impact. For example, a risky device will be presented as having a "large impact and costing a lot" if taken offline.
From page 37...
... These standards are based on the NIST standards, including the NIST Cybersecurity Framework. Each relevant state agency must establish an information security program consistent with this program.
From page 38...
... The state has several cybersecurity initiatives
• Barriers
  o The team was not aware of any state mandates for OT penetration testing.
• Opportunities
  o While the New Hampshire DOT is fortunate to have not suffered any major cyberattacks, DOT cybersecurity is now being taken more seriously in response to recent cyber incidents in other states.
From page 41...
... Besides this meeting, there is little publicly available information about the state's cybersecurity initiatives. If the panel knows of any other useful resources, please let us know.
From page 43...
... It highlighted cybersecurity requirements for wireless payment card systems (e.g., tools) and presents a goal of being 100% payment card industry (PCI)
From page 44...
... o Employees and contractors are given mandatory cybersecurity training, with role-based training for some roles. Executive branch agencies such as the DOT are given bimonthly cybersecurity awareness training.
From page 47...
... Efforts are underway to ensure response and resiliency to potential OT cyber threats, such as in procurement processes and in staff training overseen by the Chief Information Security Officer. However, in interviews, state security professionals have indicated that additional work is required to achieve an agency-wide culture of awareness and vigilance regarding the importance of cybersecurity for OT assets.
From page 49...
... Contractors must pass cybersecurity training and sign a privileged user agreement. o In the state's cybersecurity awareness program, they emphasize the importance of the behavioral element in cybersecurity in order to reduce the risk of phishing.
From page 50...
... 5.43 Texas The Texas DOT (TxDOT) maintains an Information Security functional area that "implements a robust information security program to protect TxDOT systems and data from cybersecurity threats; sub-sections are Risk and Compliance, Cybersecurity Operations, and Toll Information Security" [30]
From page 52...
... 5.46 Virginia Virginia hosts a site [33] that discusses different focuses for cybersecurity initiatives within the state.
From page 54...
...
• VA H 1082
  o Bill Status: Enacted
  o Relates to Emergency Services and Disaster Law, relates to definition of disaster, relates to incidents involving cyber systems, defines cyber incident for purposes of the Emergency Services and Disaster Law as an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems.
• VA H 1334
  o Bill Status: Enacted
  o Establishes standards for insurance data security for the investigation of a cybersecurity event and for the notification to the commissioner of insurance and affected consumers of a cybersecurity event.
From page 55...
...
  o The State Office of Cybersecurity standards are a unique internal standard separate from NIST or ISO 27000; the DOT combines elements of both.
• Opportunities
  o Further integration of IT and OT cybersecurity operations into a shared enterprise through the IT enterprise board could have mutual benefits to operations.
From page 57...
... If the panel knows of any other useful resources, please let us know. 8 Conclusions of Study of Initiatives Within the 11 categories of cybersecurity initiatives denoted in Figure 1, we found that some states were more advanced than others with respect to the level of maturity and sophistication of their cybersecurity practices development and implementation.
From page 58...
... In discussion with DOTs, it is noted that these successful practices came from lessons learned, such as discussions with other DOTs, monitoring cybersecurity events in adjacent critical infrastructure sectors, and adaptation of policies and procedures in accordance with cybersecurity standards and best practices. As for endpoint security, each DOT noted the lack of any current OT-specific security programs unless those devices were connected to the traditional IT enterprise network.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.