Protection of Transportation Infrastructure from Cyber Attacks: A Primer (2016)

Chapter 6 Training: Building a Culture of Cybersecurity

Page 98
Suggested Citation:"Chapter 6 Training: Building a Culture of Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23516.

What Is a Culture of Cybersecurity?

In a security culture, security is an integral part of the daily routine (NCHRP Report 793, 2014). Similarly, a cybersecurity culture is an environment in which cybersecurity best practices are a way of life and essential in ensuring the information security of state transportation agencies and transit agencies. In fact, the first goal of the Transportation Roadmap (August 2012) is to build a cybersecurity culture, and the desired end state of this goal is the merging and integration of cybersecurity and ICS.

Cybersecurity involves People, Technology, and Process. People, essential in the creation of a cybersecurity culture, are often thought to be the most vulnerable element and therefore require significant attention (e.g., training). NIST SP 800-16, A Role-Based Model for Federal Information Technology/Cybersecurity Training, Revision 1 Third Draft (2014), emphasizes the importance of the human factor and states: “Federal agencies and organizations cannot protect the integrity, confidentiality, and availability of information in today’s highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them.”

Culture is fueled by good basic practices, which some describe as “cyber hygiene,” and by sustained awareness among all employees. Cyber hygiene is essential because many successful breaches employ basic techniques. An employee’s cybersecurity practices during non-working hours can affect work-related cybersecurity; for example, an employee accustomed to using simple passwords may continue this practice for work-related matters. Cyber hygiene practices identified in the literature review included:

• Encouraging staff to follow basic security policies and procedures
• Removing unnecessary applications and functions from systems
• Changing default configuration options and passwords

Recent legislation emphasizes the importance of good cybersecurity workforce initiatives. The Homeland Security Workforce Assessment Act, signed into law in December 2014, requires DHS to assess its cybersecurity workforce and create a strategy “to enhance the readiness, capacity, training, recruitment and retention of its cybersecurity workforce.” Many elements of the strategy developed under this legislation may be useful in helping state DOTs and transit agencies address their own cybersecurity workforce needs.

The development of a cybersecurity culture will also require multi-faceted initiatives, which include the following:

• Awareness program
• Training program
• Assessment of threats
• Reduction of the attack surface
• Addressing threats, mitigations, and the software/firmware update process
• Addressing monitoring and detection methodologies
• Ability to be audited for compliance
• Change-management systems

(Source: APTA Recommended Practice, Part 2)

Existing and planned workforce development initiatives of state DOTs and transit agencies include internship or apprenticeship programs and mentorship programs. Internship or apprenticeship programs offer the opportunity for job advancement to individuals without relevant experience by providing on-the-job experience and training. Mentoring programs match more experienced employees with less experienced ones so that the latter may benefit from the knowledge and skills of the former. These programs can strengthen cybersecurity culture and encourage young individuals to seek out cybersecurity career paths within the state DOT or transit agency by delineating training milestones and their relationship to job advancement.

The culture, once created, must be sustained through a continued, heightened focus on good cybersecurity practices and hygiene. Considerable effort may be required to accomplish this because of the various demands on the time and resources of senior management and staff.

Importance of Awareness and Training

The importance of awareness and training with respect to security and safety is well understood at the federal level and by state transportation agencies and transit agencies. Ensuring that all employees understand the key issues involved in cybersecurity, including the consequences of a cyber breach and their agency’s policies regarding the use of IT systems and applications, is essential for cybersecurity and for the creation of a cybersecurity culture. As noted in the literature review, the importance of training is discussed throughout the cybersecurity and information security literature.
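The cyber hygiene practices listed earlier in this chapter (removing unnecessary applications and functions, changing default configuration options and passwords, and following basic security policy) can be checked mechanically against an asset inventory rather than left to memory. The following Python script is an added example, not code from the primer or from any agency: the per-role service baselines, the insecure-default table and the inventory records are constructed assumptions, and the account check relies on a boolean flag from an assumed credential-management system rather than on any stored password.

```python
"""Cyber hygiene audit over a small asset inventory.

Added example, not from the primer: checks each asset against the
hygiene practices the chapter lists (follow basic security policy,
remove unnecessary functions, change default configuration options
and passwords). Baselines, default table and records are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Constructed baseline: the services an asset in each role legitimately
# needs. Anything else found enabled is flagged as unnecessary.
REQUIRED_SERVICES: dict[str, set[str]] = {
    "field-controller": {"modbus-tcp", "ntp"},
    "office-workstation": {"ntp", "print-spooler"},
    "web-kiosk": {"https"},
}

# Constructed table of configuration keys whose factory default is
# insecure, with the default value that must not survive deployment.
INSECURE_DEFAULTS: dict[str, object] = {
    "snmp_community": "public",
    "telnet_enabled": True,
    "web_admin_password_changed": False,
}


@dataclass
class Asset:
    name: str
    role: str
    enabled_services: set[str]
    config: dict[str, object]
    # username -> True if the (assumed) credential system reports the
    # account is still on its vendor default password; the password
    # itself is never stored in the inventory.
    accounts: dict[str, bool] = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    asset: str
    practice: str   # which hygiene practice the finding violates
    detail: str


def audit_asset(asset: Asset) -> list[Finding]:
    """Return one Finding per hygiene violation on a single asset."""
    findings: list[Finding] = []
    required = REQUIRED_SERVICES.get(asset.role)
    if required is None:
        # No baseline means policy was never defined for this role, which
        # is itself a gap in "follow basic security policies".
        findings.append(Finding(asset.name, "follow security policy",
                                f"no service baseline defined for role {asset.role!r}"))
    else:
        for service in sorted(asset.enabled_services - required):
            findings.append(Finding(asset.name, "remove unnecessary functions",
                                    f"service {service!r} enabled but not required for role {asset.role!r}"))
    for key, insecure_value in INSECURE_DEFAULTS.items():
        if asset.config.get(key) == insecure_value:
            findings.append(Finding(asset.name, "change default configuration",
                                    f"{key} is still at the factory default {insecure_value!r}"))
    for user, still_default in asset.accounts.items():
        if still_default:
            findings.append(Finding(asset.name, "change default passwords",
                                    f"account {user!r} still uses the vendor default password"))
    return findings


def audit_inventory(assets: list[Asset]) -> list[Finding]:
    return [f for asset in assets for f in audit_asset(asset)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per hygiene practice, for a management roll-up."""
    return dict(Counter(f.practice for f in findings))


# Constructed sample inventory (names and values are illustrative only).
SAMPLE_INVENTORY = [
    Asset("plc-01", "field-controller",
          {"modbus-tcp", "ntp", "telnet", "http"},
          {"snmp_community": "public", "telnet_enabled": True,
           "web_admin_password_changed": True},
          {"admin": True, "operator": False}),
    Asset("ws-17", "office-workstation",
          {"ntp", "print-spooler"},
          {"telnet_enabled": False},
          {"jdoe": False}),
    Asset("kiosk-03", "web-kiosk",
          {"https", "ssh"},
          {"web_admin_password_changed": False}),
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{finding.asset:10} {finding.practice:30} {finding.detail}")
    print(summarize(audit_inventory(SAMPLE_INVENTORY)))
```

Run as-is, the script lists seven findings on the constructed inventory and rolls them up by practice; in an agency the inventory records would come from the asset register and the default-password flags from whatever system tracks credentials, with the role baselines maintained as the written policy that users are asked to follow.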
The National Rural Electric Cooperative Association Guide to Developing a Cybersecurity and Risk Mitigation Plan states that insufficiently trained personnel are often the weakest security link in the organization’s security perimeter and are the target of social engineering attacks. It is therefore crucial to provide adequate security awareness training to all new hires, as well as refresher training to current employees on a yearly basis.

The Transportation Roadmap (August 2012) notes that training and educating agency employees and new hires on cybersecurity is vital. The Roadmap’s two near-term training-related objectives are the education of transportation executives on the importance of ICS cybersecurity and the development of a cybersecurity awareness training program.

The Cybersecurity Framework (Version 1.0, February 12, 2014) contains an Awareness and Training category as a component of the Protect function. (The other four functions are Identify, Detect, Respond, and Recover.) The Awareness and Training category description is as follows:

Awareness and Training: The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

The key principle underlying the Awareness and Training category is that all users need awareness education, while certain positions require an understanding of their roles and responsibilities that necessitates role- and/or responsibility-specific training.

Organizational Support

Organizational support is critical in the development of a cybersecurity culture and should include the allocation of agency resources, senior management leadership and support, and the establishment of appropriate policies and protocols.

First, resources are necessary to implement and maintain cybersecurity awareness and training programs. The required funds need to be programmed into the agency’s multi-year budget, and cybersecurity programs into the agency’s strategic plan.

Second, while cybersecurity is every employee’s responsibility, senior management sets the tone and leads by example. Senior managers must demonstrate the significance of cybersecurity by being role models and through active engagement in cyber initiatives. They also need to ensure that the required funds are allocated to cybersecurity programs.

Third, cybersecurity incidents need to be identified, reported, and tracked. Agency policies and protocols must be developed in accordance with federal and industry guidance and standards to support these tasks. These policies and protocols then need to be communicated to all agency personnel so that they know how to identify and report a suspicious cyber incident. Those responsible for critical agency infrastructure and assets require additional training and information, including the ability to recognize unusual patterns or spikes in incidents and relationships between physical and cyber incidents.

Building upon Safety and Security Cultures

Model security and safety awareness and training programs, together with existing workforce programs and initiatives, can be used by agencies to facilitate the development and deployment of cybersecurity awareness and training programs. The tools and initiatives used to construct safety and security cultures within state DOTs and transit agencies can also be used to establish a cybersecurity culture.

Over the past few decades, transit agencies have succeeded in building a culture of safety and ingraining safety into the mindsets of transit employees. As stated in APTA Recommended Practices, Part 2, “[j]ust as transit agencies have created a safety-centric culture - saving lives and reducing accidents and accident severity - they need to foster and create a cybersecurity culture.” State DOTs have also developed, or are in the process of developing, comprehensive safety programs.

Because transit systems around the world have been targets of terrorists, security was a concern for senior management of transit agencies even prior to September 11, 2001. After the terrorist attacks on U.S. soil on 9/11, transit agencies stepped up their efforts to establish a security culture with the support of FTA and DHS/TSA and relevant legislation. For example, Section 1408 of PL 110-53 (121 Stat. 266) directed the DHS Secretary to develop and issue regulations for a security training program. The APTA Recommended Practice on Security Awareness Training for Transit Employees (2012) provides minimum guidelines for security awareness training, and agencies implemented security awareness and training programs. These actions helped ensure that all transit employees understood the important role they play in the security of their transit operations.

A national security awareness program, “If You See Something, Say Something®,” initially developed by the MTA in the New York metro area, and the Transit Watch program, initiated in 2003 by the FTA and operated as a partnership with APTA, ATU, and DHS, may be used as models of successful coordinated approaches to disseminating content and raising and maintaining the awareness of transit and state DOT employees. The campaigns used a variety of information dissemination techniques and media, including video, posters, and TV and radio advertisements.

Cybersecurity Awareness and Training Program

The Federal Information Security Modernization Act (2014), formerly the Federal Information Security Management Act (FISMA), governs federal IT and cybersecurity and requires role-based training for federal personnel and other users of federal IT systems. The 2014 FISMA gives DHS authority over government-wide IT operations and management of day-to-day security issues, while OMB retains budgetary authority and responsibility for cybersecurity policies for information security within federal agencies. Both agencies are expected to coordinate with NIST and comply with NIST standards and guidance. The required information security program needs to include:

• Periodic risk assessments, determination of the risk and magnitude of potential harms, and the development of countermeasures to reduce information security risks to acceptable levels.
• Security awareness training to inform personnel, including contractors and other users, of the information security risks associated with their activities and of their responsibilities in complying with agency policies and procedures.
• Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, no less than annually; the testing includes “management, operational and technical controls of every information system” in the section 3505(c) inventory and may include testing for the evaluation under section 3555.

As new guidance for the 2014 FISMA is developed, state DOTs and transit agencies may benefit from consulting that guidance, in addition to the guidance and regulations of USDOT, FHWA, FTA, and other regulatory agencies, in establishing cybersecurity awareness and training programs.

It is important to note the differences between Awareness and Training. NCHRP Report 793 states that “security awareness is the cornerstone of a security culture.” NIST SP 800-16 notes that “Awareness is not training. The purpose of awareness presentations is simply to focus attention on security.” NIST SP 800-50 describes awareness efforts as “designed to change behavior or reinforce good security practices.” Having sustainable processes and methods is noted in NCHRP Security 101 as a key objective of a security awareness program. While Awareness focuses attention on specific issues with the learner as a passive recipient of information, Training requires the participation of the learner to generate security skills and competencies (NIST SP 800-50, 2003). Those who require more specialized knowledge of IT and cybersecurity will pursue education, which integrates relevant skills and competencies into a common body of knowledge.

In NIST’s cybersecurity learning continuum model, learning progresses from security awareness to cybersecurity essentials to role-based training to education and/or experience. Cybersecurity Essentials is a new element that was added to the continuum.

Figure 21: Cybersecurity Learning Continuum. Source: NIST SP 800-16, Revision 1 (Third Draft), October 2014

The four key elements of the continuum shown in Figure 21 are summarized below:

1. “Security Awareness” applies to all employees, focuses attention on cybersecurity and cybersecurity issues, and helps employees recognize and respond to those issues. (pages 27-29)

2. “Cybersecurity Essentials” is introduced in the revised NIST SP 800-16 as the foundation of knowledge needed by employees and contractors with access to IT systems to protect electronic information and systems. (page 29) Cybersecurity essentials include:
• Technical underpinnings of cybersecurity and its taxonomy, terminology, and challenges;
• Common information and computer system security vulnerabilities;
• Common cyber attack mechanisms, their consequences, and motivation for use;
• Different types of cryptographic algorithms;
• Intrusion, types of intruders, techniques, and motivation;
• Firewalls and other means of intrusion prevention;
• Vulnerabilities unique to virtual computing environments.

3. “Role-Based Training” delivers the knowledge and skills required for specific roles and responsibilities with respect to federal organization information systems. Competency differences among users are recognized. NIST SP 800-16, A Role-Based Model for Federal Information Technology/Cybersecurity Training, describes how to train the federal workforce that has significant IT/cybersecurity responsibilities. FIPS publications, including FIPS 200 Minimum Security Requirements for Federal Information and Information Systems and FIPS 199 Standards for Security Categorization of Federal Information and Information Systems, and NIST publications such as NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems, NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems, and NIST SP 800-50 Building an Information Technology Security Awareness and Training Program are implementers. NIST SP 800-50 provides guidance on conducting needs assessments, which is the first step in creating role-based training. Needs assessments help to identify roles that require training and training gaps. The second step, functions identification, may be found in NIST SP 800-16, Appendix A (Functions Appendix). The third step is to fill in the associated outcomes and learning objectives; see Appendices B and C of NIST SP 800-16 for guidance on establishing the objectives, knowledge, and skills for specific roles. The trainer can then adjust modules according to the expertise of the learners.

4. “Education” develops the ability and vision for complex and multi-disciplinary tasks and for tracking changes to the threat and technology environments. Education is attained through experience, cooperative training, certification, and advanced education. (pages 31-34)

According to NIST SP 800-50 (2003), prior to the development of a cybersecurity Awareness and Training Program, the following steps should be taken:
• Conduct a needs assessment
• Develop a strategy
• Complete an awareness and training program plan for strategy implementation
• Develop awareness and training material
• Address funding issues
• Communicate the plan and its benefits to senior management and support personnel

Three possible models of the program are described in NIST SP 800-50 (2003). All three have a centralized policy but can have a centralized or distributed strategy as well as centralized or distributed implementation. The model that is selected depends on the size and geographic dispersion of the organization, organizational roles and responsibilities, and budget allocations and authority.
• Model 1 – Centralized policy, strategy, and implementation
• Model 2 – Centralized policy and strategy, distributed implementation
• Model 3 – Centralized policy, distributed strategy and implementation

NIST SP 800-50 (2003) also discusses how to structure awareness and training activity; how to conduct a needs assessment; how to develop an awareness and training plan; how to establish priorities; how to establish the level of complexity of the subject matter; and how to fund the program. Guidance on evaluating and testing training and exercise programs is found in NIST SP 800-84 and SP 800-16. New legislation enacted in December 2014, the Cybersecurity Enhancement Act, directs NIST to further support the 2014 Cybersecurity Framework, likely through updates and improvements to the existing Framework.

Functions and User Categories

While the training needs of transit employees depend on agency position functions and responsibilities, all employees require an understanding of basic cyber awareness because they may have access to an agency PC, laptop, or mobile device or bring their own device to work. Vendors and contractors would also benefit from the agency’s awareness program. When any transit employee, vendor, or contractor connects to any part of the network or to any device by any means, they should be aware of the basic precautions that should be taken. When any suspicious email or incident occurs, the transit employee needs to be able to detect and observe it and report it to the proper staff. In most cases basic users need to know when and to whom an incident should be reported but may not need to decide on a course of action or respond to an incident; however, in rare cases in which a cyber breach causes life safety concerns, basic users will need to know what actions they must take.

In the typical agency, ICS is the responsibility of engineering and operations personnel, but IT is responsible for the cybersecurity plan(s) and their implementation.
Both units need to work together to create and implement the plan(s) and understand their respective roles and responsibilities. Hence, including personnel from both units in awareness and training activities will enhance interaction and cooperation between the units. Those with lead responsibility need the latest guidance and standards and the compliance requirements, and need to know how to meet them.

OPM requires users to receive cybersecurity awareness and training on rules and responsibilities prior to accessing IT systems and applications. OPM also requires training for:
• Current employees, including IT management and operations personnel; CIOs, IT program managers, auditors, and other IT personnel; program and functional managers; and executives
• New employees, within 60 days of hire
• Employees who start a new position that requires additional role-specific training
• All affected users whenever there is a change in the IT security environment or procedures
• All users periodically, as refresher training

The following user categories are derived from the Cybersecurity Framework (Version 1.0, February 12, 2014). All users should understand their roles and responsibilities. The Framework also identifies five high-level functions: Identify, Protect, Detect, Respond, and Recover. Each category of user is responsible for all five functions to varying extents.

All Users should be informed about agency cybersecurity policies and protocols and receive basic awareness content. Users are individuals requiring access to the agency’s electronic information or systems and “are the single most important group of people who can help reduce unintentional errors and related information system vulnerabilities” (NIST SP 800-16 Revision 1 Third Draft, 2014). Users should understand and comply with IT/cybersecurity policies and procedures. They include all categories of personnel, including frontline employees, supervisors, maintenance workers, and administrative and support staff.

Third-Party Stakeholders include suppliers, vendors, partners, and customers.

Privileged Users are “authorized (and, therefore, trusted) to perform functions that ordinary users are not authorized to perform” (2014 Cybersecurity Framework). It is therefore important for privileged users to fully understand their roles and responsibilities.

Managers and Senior Executives are responsible for complying with and emphasizing the importance of IT/cybersecurity role-based training requirements. Senior Executives are grouped into a separate category of users in the Cybersecurity Framework because they have greater decision-making roles and responsibilities. The Chief Information Officer (CIO) has overall responsibility for administering training and overseeing personnel with IT/cybersecurity responsibilities.

Training Personnel deliver the training and education necessary to achieve the desired awareness levels and understanding of roles and responsibilities. Training personnel also monitor and evaluate the overall effectiveness of the Awareness and Training program as well as individual courses and sessions. The Senior Agency Information Security Officer (SAISO) has tactical-level responsibility for the cybersecurity training and awareness program, including its implementation.
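The OPM training triggers listed above under Functions and User Categories (training before system access, new hires within 60 days, a new position that needs role-specific training, a change in the IT security environment or procedures, and periodic refreshers) can be turned into a compliance check that training personnel run over the staff roster. The following Python script is an added example, not from the primer or from OPM: the roster, the annual refresher interval, the role-to-course mapping and the sample audit date are constructed assumptions used only to make the check runnable.

```python
"""Training-due check implementing the OPM triggers the chapter lists.

Added example, not from the primer or OPM: the 60-day new-hire window
comes from the chapter; the 12-month refresher interval, the role-to-
course mapping, the roster and the audit date are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

NEW_HIRE_WINDOW = timedelta(days=60)       # stated in the chapter
REFRESHER_INTERVAL = timedelta(days=365)   # assumption: annual refresher

# Assumption: role-specific courses each role must complete after
# starting in that role. Ordinary users need awareness content only.
ROLE_COURSES: dict[str, set[str]] = {
    "user": set(),
    "system-administrator": {"privileged-user"},
    "control-system-operator": {"ics-security"},
    "executive": {"executive-briefing"},
}


@dataclass
class Employee:
    name: str
    hire_date: date
    role: str
    role_start: date
    has_system_access: bool
    completed: dict[str, date]   # course -> most recent completion date


def training_due(emp: Employee, today: date,
                 last_env_change: date | None = None) -> list[str]:
    """Return the reasons this employee needs training now (empty = compliant)."""
    reasons: list[str] = []
    awareness = emp.completed.get("awareness")
    if awareness is None:
        if emp.has_system_access:
            # Access was granted without the prerequisite awareness training.
            reasons.append("awareness training required before system access")
        elif today - emp.hire_date > NEW_HIRE_WINDOW:
            reasons.append("new-hire awareness training overdue (60-day window passed)")
        else:
            deadline = emp.hire_date + NEW_HIRE_WINDOW
            reasons.append(f"new-hire awareness training due by {deadline.isoformat()}")
    else:
        if today - awareness > REFRESHER_INTERVAL:
            reasons.append("periodic refresher training overdue")
        if last_env_change is not None and awareness < last_env_change:
            reasons.append("retraining required after change in IT security environment or procedures")
    # A role change triggers role-specific training even if the course was
    # taken in an earlier role, so completions before role_start do not count.
    for course in sorted(ROLE_COURSES.get(emp.role, set())):
        done = emp.completed.get(course)
        if done is None or done < emp.role_start:
            reasons.append(f"role-specific training {course!r} required for role "
                           f"{emp.role!r} started {emp.role_start.isoformat()}")
    return reasons


def compliance_report(roster: list[Employee], today: date,
                      last_env_change: date | None = None) -> dict[str, list[str]]:
    return {emp.name: training_due(emp, today, last_env_change) for emp in roster}


def noncompliant(report: dict[str, list[str]]) -> list[str]:
    return sorted(name for name, reasons in report.items() if reasons)


# Constructed roster and audit dates (names and dates are illustrative).
SAMPLE_TODAY = date(2016, 3, 1)
SAMPLE_ENV_CHANGE = date(2015, 10, 1)   # e.g. a revised acceptable-use policy
ROSTER = [
    Employee("alice", date(2014, 5, 1), "user", date(2014, 5, 1), True,
             {"awareness": date(2015, 9, 15)}),
    Employee("bob", date(2016, 1, 20), "user", date(2016, 1, 20), True, {}),
    Employee("carol", date(2015, 12, 1), "user", date(2015, 12, 1), False, {}),
    Employee("dave", date(2012, 3, 1), "system-administrator", date(2016, 2, 1), True,
             {"awareness": date(2015, 6, 1), "privileged-user": date(2014, 1, 10)}),
    Employee("erin", date(2010, 1, 1), "control-system-operator", date(2010, 1, 1), True,
             {"awareness": date(2015, 1, 15), "ics-security": date(2015, 1, 15)}),
]

if __name__ == "__main__":
    for name, reasons in compliance_report(ROSTER, SAMPLE_TODAY).items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```

On the constructed roster only alice is compliant at the sample audit date; passing the environment-change date adds a retraining reason for everyone whose awareness completion predates it, which is how a policy or procedure change propagates into the training queue without anyone having to re-read the roster by hand.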
The Cybersecurity Training Manager/Chief Learning Officer (CLO) is responsible for specific role-based training. The Training Developer/Instructional Design Specialists assist in the development of role-based training materials. IT/Cybersecurity Personnel have a significant impact on the success of IT/cybersecurity awareness and training programs and require more specialized knowledge of IT/cyber systems. They also assist in the design and development and review and evaluation process and procurement of systems and equipment. IT/Cybersecurity personnel include: • Information Technology (IT) Personnel • Technologists • System Administrators • Control System Operators • System Architects • Other Personnel with IT/Cybersecurity Responsibilities Physical Security Personnel include in-house and external police and security and local law enforcement. Physical Security Personnel should be aware of cybersecurity issues and impact of cyber breaches on physical assets and infrastructure as well as the consequences of physical breaches on IT systems. Coordination between physical security and cybersecurity

106 personnel is pertinent in ensuring the security of agency CIKR. Content A Cybersecurity Awareness and Training Program should cover IT security policies and procedures, rules of behavior for IT systems and information use, basic threats employees may encounter and actions that they should employ to counter them. Issues include whether the training content will be developed in-house or outsourced. Considerations include availability of resources and staff with adequate skills, cost, content sensitivity, and training schedules. As noted in NIST SP 800-50 (2003), canned presentations are impersonal and interest in the training may be lost. Therefore, adapting the content to the audience will assist participants in understanding the relevance of the material to their daily work and how it can be integrated into their roles. The three key training areas identified in NIST SP 800-16 are Laws and Regulations, Security Program, and System Life Cycle Security. The IT Security Training Matrix in NIST SP 800-16 maps the three training areas to employee functions. Awareness Content The objective of Awareness activities is to enhance recognition and retention of information. The following topics may be appropriate for Awareness content: • Ability to recognize potential threats including social engineering attempts • Ability to differentiate between real and fake messages • Ability to respond appropriately and report an incident • Knowing when and how to report an incident • Understanding record-keeping procedures • Understanding effective password management techniques • Understanding agency policy on agency mobile phone and tablet security/use • Understanding agency policy on personal mobile phone and table security/use • Understanding the implications of security breaches (Source: NIST SP 800-16, NIST SP 800-50) Awareness content should be updated on a regular basis. 
Possible sources include NIST Special Publications, APTA Recommended Practices, IT news sources and advisories, professional organizations, conferences and workshops, courses, agency audits and assessments. Training Content Key high-level cybersecurity functions have been identified in the 2014 Cybersecurity Framework. They are: Identify, Protect, Detect, Response, and Recover. Elements (categories) of each of these functions are presented in the following Table.

While Awareness and Training resides in the “Protect” function, required training should be aligned with each of these elements (categories).

Table 7: Cybersecurity Functions, Elements and Categories

IDENTIFY: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
PROTECT: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
DETECT: Anomalies and Events; Security Continuous Monitoring; Detection Processes
RESPOND: Response Planning; Communications; Analysis; Mitigation; Improvements
RECOVER: Recovery Planning; Improvements; Communications

Source: 2014 Cybersecurity Framework (Version 1.0, February 12, 2014)

Resources for training content are provided in the Appendix. Additional resources are expected to be developed as mandated in the new cybersecurity legislation. Training content obtained from these sources may need to be adapted to the requirements of the agency.

NIST SP 800-16 Appendices contain helpful information on function areas, knowledge and skills, and roles. Appendix A provides information on Function Areas, including a general description of each area and its Learning Objectives. Appendix B contains the Knowledge and Skills Catalog, and Appendix C presents the roles matrix using generic roles and titles; it assists agencies in identifying the competencies, knowledge, knowledge units, and skills required for specific roles. Generic module outlines and corresponding Knowledge and Skills tables are included in the Appendix. The Knowledge and Skills tables categorize information into four functional perspectives: Manage, Design, Implement, and Evaluate. Knowledge is defined as “the theoretical or practical understanding of the competency.” A Knowledge Unit is the set of competencies associated with a role. A sample module and corresponding table are presented below.

Figure 22: Sample Training Module

Table 8: Sample Training Knowledge and Skills

Awareness and Training Delivery

Existing programs may be useful for the delivery of cybersecurity awareness and training. Agencies that offer a security awareness course may choose to incorporate a cybersecurity awareness module into the course. Those that offer tuition reimbursement programs may incorporate cybersecurity training into their programs. Agencies that have existing partnerships with other state DOTs or transit agencies, colleges, universities, LTAP/TTAP or RTAP centers, or other organizations can leverage these partnerships for the provision of cybersecurity training. Some transit agencies have partnerships with transit unions; these and other partnerships and organizations may also be leveraged. Techniques should be aligned with available agency resources and the length and complexity of the messages. Communications strategies for awareness messages include the following:

• Senior management can include security awareness in all of their communications to employees.
• Managers and supervisors can talk about security at meetings and events.
• Security topics can be discussed at the small unit level.
• Awareness messages may be attached to regular agency newsletters, emails, paychecks, reports, etc., or disseminated through posters, reminder sheets, and employee wallet cards.
• Security awareness can be incorporated via short modules into new or existing training, or into position-specific training. Alternatively, employees may be directed to the FEMA or DHS training materials.

(Source: NCHRP Report 793, Section 4, 2014)

NIST provides more specific guidance on delivery of awareness material in NIST SP 800-50, Building An Information Technology Security Awareness and Training Program. NIST recommendations include the following:

• Posters, “do and don’t lists,” or checklists
• Screensavers and warning banners/messages
• Newsletters
• Desk-to-desk alerts
• Agency-wide e-mail messages
• Videotapes
• Web-based sessions
• Computer-based sessions
• Teleconferencing sessions
• In-person, instructor-led sessions
• IT security days or similar events
• “Brown bag” seminars
• Pop-up calendar with security contact information, monthly security tips, etc.
• Mascots
• Crossword puzzles
• Awards programs

(Source: Section 5.2, NIST SP 800-50, 2003)

Training implementation is particularly difficult for frontline personnel. NCHRP Synthesis Report 468, Interactive Training for All-Hazards Emergency Planning, Preparation, and Response for Maintenance & Operations Field Personnel (2015), described the training delivery issues for frontline personnel, whose schedules are usually inflexible: training typically requires overtime or “backfill” pay expenditures. Limited budgets and resources, including a lack of qualified training staff, are also an issue.
Other impediments included insufficient information about available training, lack of a “mandate” and senior management support, distance, union-management issues, and employee turnover. Employee turnover has been an issue for agencies since turnover increases new-hire training needs. At the same time, a quality training program can help mitigate turnover by improving workforce commitment to the organization.

Interactive training solutions have been identified and discussed in NCHRP Synthesis Report 468 (2015). Technologies such as CCTV, web cams, voice over internet protocol (VOIP), Skype, and web chat apps can be used by agencies with dispersed personnel to deliver quality training. Shared resource models and inter-jurisdictional and interagency training activities make the most of scarce resources through common training content and delivery of training to personnel from multiple agencies and jurisdictions. Examples of shared resource models include:

• Keystone Transit’s Transit Career Ladder Partnership between SEPTA and the Transport Workers Union (TWU) is an example of a successful initiative undertaken by management and the union. The partnership addresses skill and worker shortages and the introduction of new technologies through curriculum development, incumbent worker training, new hire recruitment/training, and assessment. This statewide partnership approach began in Southeastern Pennsylvania with SEPTA and TWU, and then expanded to include smaller regional and local agencies and unions across the state. Additional partner organizations included the Community Transportation Development Center, Amalgamated Transit Union (ATU), the Pennsylvania AFL-CIO, community organizations, and training providers.
• Santa Clara Valley Transportation Authority (VTA) Joint Workforce Investment (JWI) Program was a joint labor-management partnership between VTA and the ATU. The JWI included three programs: the Maintenance Career Ladders Training Project, the New Operator/Mentor Pilot Project, and the Health and Wellness project. The Maintenance Career Ladders Training Project addressed mechanic shortages by creating mechanic trainee positions. The New Operator/Mentor Pilot Project provided new operators with mentoring on customer service and stress-coping skills by exemplary operators who had been trained by a local university.

(Source: NCHRP Report 685, Strategies to Attract and Retain a Capable Transportation Workforce, 2011; NCHRP Report 693, Attracting, Recruiting and Retaining a Skilled Staff for Transportation Systems Operations and Management, 2012; TCRP Report 162, Building a Sustainable Workforce in the Public Transportation Industry – A Systems Approach, 2013.)

Evaluation

Evaluation of training helps employees and their supervisors assess on-the-job performance, helps trainers improve the training process (content and delivery), and helps senior management better allocate resources. Evaluations measure learning conditions and learners’ perceptions about the training; what a student has learned; outcomes in terms of behavior and performance; and the value of the training compared with other options.

NIST SP 800-84 notes that tests, training, and exercises are developed and implemented to help maintain contingency and incident response plans in a “state of readiness.” (Page ES-1, NIST SP 800-84, 2006) It is essential to have plans that are validated through tests and exercises, personnel who have been trained on how to fulfill their roles and responsibilities, and systems and components tested for their operability. NIST SP 800-84 describes training as the vehicle for informing personnel of their roles and responsibilities within IT plans and preparing them for participation in tests and exercises.

Tests – Tests are used to evaluate the operability of systems or components, including specific cybersecurity measures. Unannounced tests may be used to test employee behavior. For instance, selected personnel may be subjected to social engineering attempts; personnel who do not respond appropriately to the attempts may be designated for additional cyber training. For ICS, testing of new components is essential to ensure that there are no unintended operational impacts. Tests are conducted in the operational environment or as close to it as possible. Appendix C of NIST SP 800-84 presents the following sample documentation for component, system, and comprehensive tests:

• Test structure description
• Test plan
• Test briefing for participants
• Test inject or action
• Test validation worksheet
• Test evaluation worksheet
• Test after action report

Exercises – Exercises have been used to validate and improve emergency response plans, to give personnel the opportunity to practice what they have learned, and to let agencies evaluate team and individual performance. Exercises can help evaluate training effectiveness and identify training needs and gaps. Exercises may be categorized into Discussion-based exercises and Operations-based exercises. Discussion-based exercises (seminars, workshops, tabletop exercises (TTXs), and games) help participants develop as well as understand their roles and responsibilities with respect to new plans, policies, agreements, and procedures. Operations-based exercises (drills, functional exercises (FEs), and full-scale exercises (FSEs)) are conducted in a simulated operational environment and “validate plans, policies, agreements, and procedures; clarify roles and responsibilities; and identify resource gaps.” (Page 2-5, HSEEP, 2013) Further information on exercise types, their differentiating features, their development and conduct, and evaluation methods can be obtained from the Homeland Security Exercise and Evaluation Program (HSEEP) and NCHRP Synthesis Report 468 on Interactive Training for All-Hazards Emergency Planning, Preparation, and Response for Maintenance & Operations Field Personnel.

NIST SP 800-84 highlights the Tabletop Exercise (TTX), a Discussion-based exercise held in a classroom setting, and the Functional Exercise (FE), an Operations-based exercise. NIST SP 800-84 Appendix A includes sample documentation for a TTX, and Appendix B provides sample documentation, including sample scenarios and exercise injects, for a Functional Exercise. Evaluation results of tests and exercises are summarized in the After Action Report (AAR). The AAR captures lessons learned, other observations, and recommendations, and can result in updates to the IT plan or other documents, briefings, and additional training. The NIST SP 800-84 Appendices provide relevant AAR templates, forms, and information on the conduct of tests, Tabletop Exercises, and Functional Exercises.
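The unannounced social engineering test described above produces raw simulator output that has to be turned into per-employee outcomes and campaign-level rates before anyone can be designated for additional training. The following is an added example, not code from the primer or from any program it cites. It assumes a hypothetical phishing simulator that logs one comma-separated event per line (timestamp, user, event) using the event names SENT, OPENED, CLICKED, SUBMITTED and REPORTED; the log lines are constructed for illustration. A user's worst event decides the outcome: anyone who clicked the lure or entered credentials is flagged for additional training even if they reported the message afterwards, and the campaign click and report rates can feed the program's incident-rate and compliance indicators.

```python
"""Score a simulated social-engineering (phishing) test and flag users
for additional awareness training.

Added example, not from the primer. Assumes a hypothetical simulator
that emits "<timestamp>,<user>,<event>" per line, where event is one of
SENT, OPENED, CLICKED, SUBMITTED (credentials entered) or REPORTED.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: four targets, four different behaviours.
SAMPLE_LOG = """\
2016-03-01T09:00:00,alice,SENT
2016-03-01T09:00:00,bob,SENT
2016-03-01T09:00:00,carol,SENT
2016-03-01T09:00:00,dave,SENT
2016-03-01T09:04:10,alice,OPENED
2016-03-01T09:04:31,alice,REPORTED
2016-03-01T09:10:02,bob,OPENED
2016-03-01T09:10:15,bob,CLICKED
2016-03-01T09:11:40,bob,SUBMITTED
2016-03-01T09:30:00,carol,OPENED
2016-03-01T09:31:05,carol,CLICKED
2016-03-01T09:33:20,carol,REPORTED
"""

# Higher number = worse behaviour. REPORTED is tracked separately because
# it is a positive action that can coexist with a failure.
SEVERITY = {"SUBMITTED": 3, "CLICKED": 2, "OPENED": 1, "SENT": 0, "REPORTED": 0}
FAILING_EVENTS = ("CLICKED", "SUBMITTED")


@dataclass
class UserResult:
    worst: str = "SENT"        # worst event seen for this user
    reported: bool = False     # user reported the message to security
    outcome: str = ""          # "failed", "reported" or "ignored"
    needs_training: bool = False


def parse_events(log_text):
    """Yield (user, event) pairs; reject malformed lines and unknown events."""
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        _timestamp, user, event = parts
        if event not in SEVERITY:
            raise ValueError(f"line {lineno}: unknown event {event!r}")
        yield user, event


def score_campaign(log_text):
    """Return {user: UserResult} with outcome and training flag decided."""
    results = defaultdict(UserResult)
    for user, event in parse_events(log_text):
        r = results[user]
        if event == "REPORTED":
            r.reported = True
        elif SEVERITY[event] > SEVERITY[r.worst]:
            r.worst = event
    for r in results.values():
        # Reporting after clicking is better than silence, but the click
        # still exposed the agency, so the user is flagged for training.
        if r.worst in FAILING_EVENTS:
            r.outcome, r.needs_training = "failed", True
        elif r.reported:
            r.outcome = "reported"
        else:
            r.outcome = "ignored"
    return dict(results)


def campaign_metrics(results):
    """Campaign-level rates usable as program performance indicators."""
    total = len(results)
    if total == 0:
        return {}
    clicked = sum(1 for r in results.values() if r.worst in FAILING_EVENTS)
    submitted = sum(1 for r in results.values() if r.worst == "SUBMITTED")
    reported = sum(1 for r in results.values() if r.reported)
    return {
        "targets": total,
        "click_rate": clicked / total,
        "credential_submit_rate": submitted / total,
        "report_rate": reported / total,
        "retraining_needed": sorted(u for u, r in results.items() if r.needs_training),
    }


if __name__ == "__main__":
    res = score_campaign(SAMPLE_LOG)
    for user, r in sorted(res.items()):
        print(f"{user:8s} {r.outcome:9s} training={'yes' if r.needs_training else 'no'}")
    print(campaign_metrics(res))
```

On the sample log, alice is scored "reported", bob and carol "failed" (both flagged for retraining, carol despite reporting after the click), and dave "ignored"; the click rate is 0.5 and the report rate 0.5. Tracking these rates across campaigns, rather than only the count of people trained, gives the outcome indicator that shows whether the awareness content is changing behaviour.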

Performance Indicators

Indicators may be used to track and evaluate the performance of the Awareness and Training Program. Intermediate indicators describe the output of the program, such as the number of trained personnel; outcome indicators reflect to what extent the program is meeting its goal(s). Possible intermediate and outcome indicators include: percentage of users undergoing awareness training; percentage of those needing role-based training who undergo it; percentage undergoing recommended refresher training; training delivery rate or number; incident rate; IT policy compliance rate; gap between funding and funding needs; and gap between available skilled personnel and personnel needs. (NIST SP 800-50, 2003)

Continuous Improvement

Monitoring the implementation and performance of the program is important in helping decision makers and others understand the effectiveness of program activities. Awareness and Training Program content needs to be updated regularly to address any gaps identified in the performance monitoring process and to address technology and other changes. Supervisors can help in the continuous improvement process by monitoring the cyber hygiene of their subordinates. For example, if an employee leaves a password on a notepad, the supervisor may instruct the employee not to do so and provide him or her with cybersecurity awareness material. For comprehensive evaluation techniques refer to NIST SP 800-16.

Awareness and Training Resources

The cybersecurity content provided in this Section and other Sections of this Guide may serve as the basis for cybersecurity training. Two national initiatives are the National Initiative for Cybersecurity Careers and Studies (NICCS) and the National Initiative for Cybersecurity Education (NICE).
The National Initiative for Cybersecurity Careers and Studies (NICCS) is a national resource on cybersecurity awareness, education, careers, and workforce development opportunities. Previously developed cybersecurity courses or modules can also be accessed via this resource, online at http://niccs.us-cert.gov

The National Initiative for Cybersecurity Education (NICE) is led by NIST with the cooperation of 20+ federal departments and agencies. The goal of NICE is a national cybersecurity education program for the development and use of sound cyber practices by federal employees, civilians, and students. It includes the following three components:

• Component 1: National Cybersecurity Awareness (Lead: Department of Homeland Security (DHS))
• Component 2: Formal Cybersecurity Education (Co-Leads: Department of Education (DoED) and National Science Foundation (NSF))
• Component 3: Cybersecurity Workforce (Leads: DHS, OPM, DoD, DOL)

NICE developed the National Cybersecurity Workforce Framework, which defines and categorizes the cybersecurity workforce through a common taxonomy and lexicon. Thirty-two specialty areas are grouped into one of seven categories; the knowledge, skills, and abilities for each area are also provided in the Framework.

NIST SP 800-16 (1998) provides the IT security learning continuum model, including 26 roles and role-based matrices and 46 training matrix cells, terms and concepts for IT security literacy, training content categories, and functional specialties.

NIST SP 800-50, Building an Information Technology Security Awareness and Training Program (2003), describes the life cycle of a cybersecurity awareness and training program. The life cycle includes a needs assessment and an implementation strategy.

DHS, through its ICS-CERT program, offers cybersecurity control systems courses. The DHS ICS-CERT Control Systems Security Program (CSSP) can be accessed through the ICS-CERT Virtual Learning Portal: https://ics-cert-training.inl.gov/ The ICS-CERT program offers varying levels of cybersecurity courses. The CSSP series of ICS cybersecurity courses starts with an introductory course and culminates with a five-day, advanced capstone exercise.
• Instructor Led Format—Introductory Level: Introduction to Control Systems Cybersecurity (101), 1 day or 8 hrs
• Instructor Led Format—Intermediate Level: Intermediate Cybersecurity for Industrial Control Systems (201), 1 day or 8 hrs
• Hands-On Format—Intermediate Level: Intermediate Cybersecurity for Industrial Control Systems (202), with lab/exercises, 1 day or 8 hrs
• Hands-On Format—Technical Level: ICS Cybersecurity (301), 5 days

FEMA EMI offers an Independent Study course, “IS-0523 Resilient Accord—Exercising Continuity Plans for Cyber Incidents.” FEMA also has a resident workshop entitled “E0553 Resilient Accord Cybersecurity Planning Workshop” and a Virtual Tabletop Exercise with a cyber focus available to a limited number of participants.

The NIST SP 800-16 Appendices (Appendix A, Function Areas and their Learning Objectives; Appendix B, the Knowledge and Skills Catalog; Appendix C, the roles matrix using generic roles and titles) are described under Training Content earlier in this Chapter.

In addition to the TCRP and NCHRP publications and projects already cited in this Chapter, TCRP F-series projects on workforce development contain various strategies and tips for addressing recruitment, retention, professional development, and related workforce needs of transit personnel. NCHRP Report 693 presents strategies and resources to attract, recruit, and retain transportation system operations and management (SOM) staff, and NCHRP Report 685, Strategies to Attract and Retain a Capable Transportation Workforce, discusses recruitment and retention topics.

Figure 23: Sample Awareness Posters. Source: NIST SP 800-50, 2003

Figure 24: Sample Awareness and Training Program Template

Table 9: Awareness and Training Subcategories and References

All users are informed and trained
    CCS CSC 9; COBIT 5 APO07.03, BAI05.07; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.7.2.2; NIST SP 800-53 Rev. 4 AT-2, PM-13

Privileged users understand roles and responsibilities
    CCS CSC 9; COBIT 5 APO07.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13

Third-party stakeholders (e.g., suppliers, customers, partners) understand roles and responsibilities
    CCS CSC 9; COBIT 5 APO07.03, APO10.04, APO10.05; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 PS-7, SA-9

Senior executives understand roles and responsibilities
    CCS CSC 9; COBIT 5 APO07.03; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13

Physical and information security personnel understand roles and responsibilities
    CCS CSC 9; COBIT 5 APO07.03; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13

Source: 2014 Cybersecurity Framework (Version 1.0, February 12, 2014)

TRB's Protection of Transportation Infrastructure from Cyber Attacks: A Primer provides transportation organizations with reference materials concerning cybersecurity concepts, guidelines, definitions, and standards. The primer is a joint product of two TRB Cooperative Research Programs, and is categorized as Transit Cooperative Research Program (TCRP) Web-Only Document 67 and National Cooperative Highway Research Program (NCHRP) Web-Only Document 221.

The Primer delivers strategic, management, and planning information associated with cybersecurity and its applicability to transit and state DOT operations. It includes definitions and rationales that describe the principles and practices that enable effective cybersecurity risk management. The primer provides transportation managers and employees with greater context and information regarding the principles of information technology and operations systems security planning and procedures.

The report is supplemented with an Executive Briefing for use as a 20-minute presentation to senior executives on security practices for transit and DOT cyber and industrial control systems. A PowerPoint summary of the project is also available.
