
Currently Skimming:


Pages 59-85



From page 59...
... We identified information based on how it provided executives and senior managers at state transportation agencies with what they needed to know about managing OT and IT cybersecurity risks. This included current and ongoing cybersecurity research efforts by federal, state and local agencies, transportation working groups, committees, and academia.
From page 60...
... is short for the Common Criteria for Information Technology Security Evaluation, which is international standard ISO/IEC 15408 for computer security certification [39]
From page 61...
... ISO/IEC 27001:2013, ISO/IEC 27002, and ISO/IEC 27005:2011 are the most frequently referenced. ISO/IEC 27001:2013 was developed to provide the requirements for establishing and maintaining an ISO/IEC 27000 compliant information security management system.
From page 62...
... The scope for these resources has not been limited to traffic management, but instead expanded to encompass additional industries with similarities to TMSs and their network structure.
4 NIST Cyber Physical Systems Framework
Developed through the Cyber Physical Systems working group, the Cyber Physical Systems (CPS)
From page 63...
... The SoS model may offer useful guidance for transportation agencies since they are constructed using a variety of IT and OT systems using many diverse types of communication.
5 DHS Cybersecurity Capability Maturity Model (C2M2)
From page 64...
... While intended for application to a traditional organizational environment, these controls can be tailored to provide a robust list of best practices for an organization operating and managing a transportation agency system.
7 NIST Cybersecurity Framework (CSF)
From page 65...
... The framework is composed of the following:
• Framework Core: Cybersecurity activities and references common across many critical infrastructure sectors
• Framework Implementation Tiers: Defined levels aimed at helping the critical infrastructure organization understand its current state and approach to managing cybersecurity risk
• Framework Profiles: Example profiles designed to help the critical infrastructure organization align itself with cybersecurity goals
The NIST Framework for Improving Critical Infrastructure Cybersecurity is a risk-based framework built on industry standards, best practices, and experience in similar industries. The framework core is composed of guidance broken into five functions and shown in Figure 10.
From page 66...
... • Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
• Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
From page 67...
... The Framework Profile, also called simply the Profile, allows organizations to create a roadmap for reducing cybersecurity risk that aligns the business requirements, risk tolerance, and resources of the organization with industry best practices and legal and regulatory requirements, and that reflects risk management priorities. The NIST Framework for Improving Critical Infrastructure Cybersecurity addresses many of the challenges a transportation agency is likely to encounter when undertaking similar cybersecurity implementation efforts in IT and OT.
From page 68...
... NIST SP 800-44 is a guide on planning, securing, and maintaining a secure web server. Such a guide is invaluable in a modern world dominated by the Internet, and transportation agencies are increasingly reliant on Internet-connected devices [55]
From page 69...
... procedures in order to be compliant with federal contracts. NIST SP 800-171 describes the methodology used to develop the security requirements as well as a list of 14 security requirements for CUI.
From page 70...
... • General Purpose Controller (GPC)
The roadmap outlines the activities and benchmarks an organization can use to identify the cybersecurity features currently in place and to determine the next activities for consideration to improve cybersecurity performance [62]
From page 71...
... The guidance provided in this document will help TMS managers and executives:
• Characterize their current cybersecurity posture
• Identify opportunities for enhancing existing cyber risk management programs
• Find existing tools, standards, and guides to support Framework implementation
• Communicate their risk management issues to internal and external stakeholders
17 TRB Guidebook on Best Practices for Airport Cybersecurity
The TRB Guidebook on Best Practices for Airport Cybersecurity is a report generated for the Airport Cooperative Research Program under the ACRP Project 05-02 Panel review by Grafton Technologies, Inc., SoftKrypt, and Grafton Information Services, Inc. [65]
From page 72...
... The NIPP is:
• Driven by Presidential Policy Directive
• Established and matured through several revisions
• Applicable because the TMSs and CIs identified share many network and process similarities
• Supported by an active community
19 APTA Cybersecurity Considerations for Public Transit
The American Public Transportation Agency (APTA) released the Cybersecurity Considerations for Public Transit to inform public transportation organizations about possible methods of implementing cybersecurity controls in public transportation systems.
From page 73...
... It further delineates several different types of penetration tests a DOT may pursue and discusses results reporting and how risks might be mitigated.
23 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies
NCHRP Research Report 930 provides valuable information about current and accepted practices associated with both physical and cyber security and its applicability to surface transportation [72]
From page 74...
... such requires the transportation industry to comply with the published standard. PCI also publishes best practices such as Best Practices for Securing E-commerce, which looks to assist agencies in implementing secure e-commerce systems [73]
From page 75...
... • Providing free virtual training courses in topics like "Cybersecurity within IT & ICS Domains" and "Cybersecurity Risk" [76]
From page 76...
... • Maritime
• Mass Transit
• Postal and Shipping
• Rail
• Transportation Systems
  o Cybersecurity Working Group
  o Research and Development Working Group
  o Surface Transportation Security Priority Basement Working
29 Transportation System Cybersecurity Framework (TSCF) Partnership
The Transportation Systems Cybersecurity Framework (TSCF)
From page 77...
... • Stakeholder Engagement and Comment Resolution
• Observations on GeoNetworking
• Summary of Lessons Learned
• Status of ITS Security Standards
• Testing for ITS Security
• Feedback to Standards Development Organizations -- Security
• Status of ITS Communication Standards
• Testing for ITS Communications
• Feedback to Standards Development Organizations -- Communications
30.2 HTG2: Harmonization of US Basic Safety Message (BSM) and EU Cooperative Awareness Message (CAM)
From page 78...
... 7. Public Transportation (ID: AP000)
From page 79...
... lists the following priorities:
• Standards, Policies and Directives
  o Ensure DOT implementation of federal cybersecurity initiatives
  o Ensure DOT implementation of National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23)
• Situational Awareness and Incident Response
  o Enhance support of the DOT Cyber Security Management Center (CSMC)
From page 80...
... Voluntary Program was created to encourage adoption of the NIST Cybersecurity Framework. C3 connects users of the NIST Cybersecurity Framework with other critical infrastructure adopters, as well as providing resources from DHS, NIST, and others [91]
From page 81...
... Existing vulnerabilities were discovered in literature for connected vehicles, autonomous vehicles, electronic ticketing systems, traffic signal controllers, traffic signal priority, and dynamic message signs. Survey participants ranked employee training as the biggest challenge to implementing good cybersecurity practices.
From page 82...
... 41 IoT-Enabled Highway Maintenance: Understanding Emerging Cybersecurity Threats
In this article, IoT-Enabled Highway Maintenance: Understanding Emerging Cybersecurity Threats, the authors discuss the problems inherent in the use of interconnected cyber-physical systems in critical infrastructure such as transportation [100]
From page 83...
... Limited data and models also inhibit the accurate modeling of cyber risk for insurance purposes. Even after improved tools and modeling are developed, insurance purchase can be an important risk management strategy to allow transportation infrastructure systems to recover from cyber incidents.
From page 84...
... It covers risk management and cybersecurity plans, such as the NIST Cybersecurity Framework and the Defense in Depth Approach. The primer also introduces some general concepts associated with the different operations relevant to surface transportation security and explains some potential countermeasures that transportation agencies can use to reduce risks.
From page 85...
... • Assess the impact that new digital initiatives may have on your security setup, bearing in mind that OT security challenges are impacting all industry verticals.

