The National Academies Press

Currently Skimming:

Pages 34-48

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.

From page 34... ... 34 This chapter provides information about the importance, applicability, and evolving recommended practices concerning five significant emerging cybersecurity issues. • Cyber resilience, including cyber insurance • Third-party cyber-risk management, including cyber supply chain risk • Cybersecurity of location-agnostic access (e.g., remote work/teleworking/"work-from-home") Read the entire page →
From page 35... ... Synthesis of Emerging Cybersecurity Practice in Transit 35 contrast to cybersecurity, which is focused on protecting the confidentiality, integrity, and availability of digital assets (e.g., data, software, systems, networks, and equipment) from unauthorized access, exploitation, damage, or loss. Read the entire page →
From page 36... ... 36 Cybersecurity in Transit Systems 5. While transit agencies have significant roles to play in restoring customer services and internal functions after a cyber incident, in many cases they will not be the lead agency in the response and will need to closely coordinate, collaborate, and communicate with others, including elected officials, federal representatives, law enforcement, other modal agencies, technology providers and consultants, the media, and, increasingly, with the public directly through various social media platforms (e.g., Twitter, Facebook, and so on) Read the entire page →
From page 37... ... Synthesis of Emerging Cybersecurity Practice in Transit 37 created a new model for state and local governments dealing with cyberattacks by managing the event like it would a natural disaster. From February 21 to 23, 2018, a threat actor, later revealed to be from Iran, executed a ransom ware attack that ultimately infected about half of CDOT's digital assets -- 1,274 laptops, 427 desktops, 339 servers, 158 databases, 154 software applications, and all voice-over-IP phones used by CDOT at 200 locations across the state. Read the entire page →
From page 38... ... 38 Cybersecurity in Transit Systems Lessons Learned CDOT's experience offers various lessons regarding the hardening of networks, creating and rehearsing a cyber incident response plan, and allocating resources to the personnel and technology needed to effectively mitigate, respond to, and recover from future cyber-attacks. The lessons include the following: 1. Read the entire page →
From page 39... ... Synthesis of Emerging Cybersecurity Practice in Transit 39 Recently, New York's regulator for the insurance industry, the Department of Financial Services (NY DFS) , issued its Cyber Insurance Risk Framework (Lacewell, 2021) Read the entire page →
From page 40... ... 40 Cybersecurity in Transit Systems Consequently, agencies are increasingly vulnerable to cyber failures or data breaches caused by parties other than their own employees. This vulnerability may occur in several ways: 1. Read the entire page →
From page 41... ... Synthesis of Emerging Cybersecurity Practice in Transit 41 when vetting third-party vendors was important, especially as agencies were introducing mobile ticketing apps that were often built by third parties (Neipow, 2015) Read the entire page →
From page 42... ... 42 Cybersecurity in Transit Systems A 2020 cybersecurity study (Subramanian and Ward, 2020) found that cybersecurity functions in state governments are increasingly being outsourced and that confidence in third-party vendors is decreasing. Read the entire page →
From page 43... ... Synthesis of Emerging Cybersecurity Practice in Transit 43 In response to the EO, NIST defined critical software in June 2021 as "any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes: • Is designed to run with elevated privilege or manage privileges; • Has direct or privileged access to networking or computing resources; • Is designed to control access to data or operational technology; • Performs a function critical to trust; or • Operates outside of normal trust boundaries with privileged access." In addition, NIST recommended that the initial EO implementation phase focus on standalone, on-premises software that has security-critical functions or poses similar significant potential for harm if compromised. Subsequent phases may address other categories of software such as • Software that controls access to data; • Cloud-based and hybrid software; • Software development tools such as code repository systems, development tools, testing software, integration software, packaging software, and deployment software; • Software components in boot-level firmware; or • Software components in OT. Read the entire page →
From page 44... ... 44 Cybersecurity in Transit Systems Companies and high-level entities such as Microsoft and the DOD were affected by this hack, although investigations as to the scope of the attack are still ongoing. Lessons Learned Although the lessons resulting from SUNBURST are still being developed and internalized, it is clear that companies, agencies, and vendors are rethinking the way they view their software supply chains. Read the entire page →
From page 45... ... Synthesis of Emerging Cybersecurity Practice in Transit 45 Challenges with Location-Agnostic Computing This new approach quickly highlighted a number of cybersecurity issues, including the following common challenges: • Patching and updating software on remote devices became more costly and, in some cases, impossible to perform. • Installing licensed software on personal devices created various licensing issues. Read the entire page →
From page 46... ... 46 Cybersecurity in Transit Systems A zero-trust architecture (ZTA) is an enterprise cybersecurity architecture that is based on zero-trust principles and designed to prevent data breaches and limit internal lateral movement. Read the entire page →
From page 47... ... Synthesis of Emerging Cybersecurity Practice in Transit 47 • Lack of necessary skill sets to implement properly • Other, higher priority tasks • Users have multiple identities While the same survey documented that nearly a third of the respondents are pursuing ZT initiatives, over two-thirds are not using or considering it and 15 percent of respondents were unfamiliar with the concepts. Similarly, cost, complexity, scale, and scope of the effort and lack of internal expertise, among other factors, were identified as either extremely or very challenging barriers to implementation. Read the entire page →
From page 48... ... 48 Cybersecurity in Transit Systems This strategy incorporates several essential elements: • Management as role models. Although cybersecurity is every employee's responsibility, senior management demonstrates the significance of cybersecurity by being role models and by being actively engaged in cyber initiatives. Read the entire page →

From page 34...

... 34 This chapter provides information about the importance, applicability, and evolving recommended practices concerning five significant emerging cybersecurity issues. • Cyber resilience, including cyber insurance • Third-party cyber-risk management, including cyber supply chain risk • Cybersecurity of location-agnostic access (e.g., remote work/teleworking/"work-from-home")