National Academies Press: OpenBook
Page i
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23520.
×
Page R1
Page ii
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23520.
×
Page R2
Page iii
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23520.
×
Page R3
Page iv
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23520.
×
Page R4
Page v
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23520.
×
Page R5
Page vi
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23520.
×
Page R6
Page vii
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23520.
×
Page R7
Page viii
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23520.
×
Page R8
Page ix
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23520.
×
Page R9
Page x
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23520.
×
Page R10
Page xi
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23520.
×
Page R11
Page xii
Suggested Citation:"Front Matter." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23520.
×
Page R12

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

ACKNOWLEDGMENT This work was sponsored by the American Administration of State Highway and Transportation Officials (AASHTO), in cooperation with the Federal Highway Administration and the Federal Transit Administration (FTA) in cooperation with the Transit Development Corporation. It was conducted through the National Cooperative Highway Research Program (NCHRP) and the Transit Cooperative Research Program (TCRP), which is administered by the Transportation Research Board (TRB) of the National Academies. COPYRIGHT INFORMATION Authors herein are responsible for the authenticity of their materials and for obtaining written permissions from publishers or persons who own the copyright to any previously published or copyrighted material used herein. Cooperative Research Programs (CRP) grants permission to reproduce material in this publication for classroom and not-for-profit purposes. Permission is given with the understanding that none of the material will be used to imply TRB, AASHTO, FAA, FHWA, FMCSA, FTA, Transit Development Corporation, or AOC endorsement of a particular product, method, or practice. It is expected that those reproducing the material in this document for educational and not-for-profit uses will give appropriate acknowledgment of the source of any reprinted or reproduced material. For other uses of the material, request permission from CRP. DISCLAIMER The opinions and conclusions expressed or implied in this report are those of the researchers who performed the research. They are not necessarily those of the Transportation Research Board, the National Research Council, or the program sponsors. The information contained in this document was taken directly from the submission of the author(s). This material has not been edited by TRB.

The National Academy of Sciences was established in 1863 by an Act of Congress, signed by President Lincoln, as a private, non- governmental institution to advise the nation on issues related to science and technology. Members are elected by their peers for outstanding contributions to research. Dr. Ralph J. Cicerone is president. The National Academy of Engineering was established in 1964 under the charter of the National Academy of Sciences to bring the practices of engineering to advising the nation. Members are elected by their peers for extraordinary contributions to engineering. Dr. C. D. Mote, Jr., is president. The National Academy of Medicine (formerly the Institute of Medicine) was established in 1970 under the charter of the National Academy of Sciences to advise the nation on medical and health issues. Members are elected by their peers for distinguished contributions to medicine and health. Dr. Victor J. Dzau is president. The three Academies work together as the National Academies of Sciences, Engineering, and Medicine to provide independent, objective analysis and advice to the nation and conduct other activities to solve complex problems and inform public policy decisions. The Academies also encourage education and research, recognize outstanding contributions to knowledge, and increase public understanding in matters of science, engineering, and medicine. Learn more about the National Academies of Sciences, Engineering, and Medicine at www.national-academies.org. The Transportation Research Board is one of seven major programs of the National Academies of Sciences, Engineering, and Medicine. The mission of the Transportation Research Board is to increase the benefits that transportation contributes to society by providing leadership in transportation innovation and progress through research and information exchange, conducted within a setting that is objective, interdisciplinary, and multimodal. The Board’s varied committees, task forces, and panels annually engage about 7,000 engineers, scientists, and other transportation researchers and practitioners from the public and private sectors and academia, all of whom contribute their expertise in the public interest. The program is supported by state transportation departments, federal agencies including the component administrations of the U.S. Department of Transportation, and other organizations and individuals interested in the development of transportation. Learn more about the Transportation Research Board at www.TRB.org.

i Table of Contents Preface .......................................................................................................................................... iv Executive Summary .................................................................................................................... vii Introduction ................................................................................................................................... 1 Chapter 1 Top Myths of Transportation Cybersecurity ................................................................. 4 Chapter 2 Cybersecurity Risk Management, Risk Assessment and Asset Evaluation .................. 8 Chapter 3 Cybersecurity Plans and Strategies, Establishing Priorities, Organizing Roles and Responsibilities ........................................................................................................................... 38 Security Planning ..................................................................................................................... 38 APTA Recommended Security Program ................................................................................. 40 Establishing Priorities .............................................................................................................. 42 NIST Cybersecurity Framework ............................................................................................. 42 Defense in Depth Approach ..................................................................................................... 46 Security Zones Approach ........................................................................................................ 48 Attack Modeling ...................................................................................................................... 51 Organizing Roles and Responsibilities .................................................................................... 52 Relationship with Physical Security ........................................................................................ 52 Chapter 4 Transportation Operations Cyber Systems ................................................................. 56 Introduction ............................................................................................................................. 56 Transportation Operations Cyber Systems .............................................................................. 56 IT Systems used in Transportation Infrastructure Operations ................................................. 58 Industrial Control Systems used in Transportation Operations ............................................... 59 Differences between IT and ICS Cybersecurity ...................................................................... 61 Highways Operational Systems ............................................................................................... 66 Transit Operational Systems .................................................................................................... 69 Surface Transportation Cybersecurity Issues .......................................................................... 75 Emerging Trends in Transportation Control Technologies ..................................................... 75 Transportation Roadmap for Cybersecurity ............................................................................. 80 Chapter 5 Countermeasures: Protection of Operational Systems ................................................ 81 Cyber Hygiene ......................................................................................................................... 83 Access Control ......................................................................................................................... 84 Data Security and Information Protection ............................................................................... 86 Boundary Defense and Network Separation ........................................................................... 88 Configuration Management ..................................................................................................... 91

ii Bring Your Own Device (BYOD) Recommended Security Practices .................................... 92 Monitoring and Detection ........................................................................................................ 94 Chapter 6 Training: Building a Culture of Cybersecurity ........................................................... 98 What is a Culture of Cybersecurity? ........................................................................................ 98 Importance of Awareness and Training ................................................................................... 99 Organizational Support .......................................................................................................... 100 Building upon Safety and Security Cultures ......................................................................... 100 Cybersecurity Awareness and Training Program .................................................................. 101 Functions and User Categories .............................................................................................. 104 Content .................................................................................................................................. 106 Awareness and Training Delivery ......................................................................................... 109 Evaluation .............................................................................................................................. 111 Performance Indicators .......................................................................................................... 113 Continuous Improvement ...................................................................................................... 113 Awareness and Training Resources ....................................................................................... 113 Chapter 7 Security Programs and Support Frameworks ........................................................... 118 Cybersecurity and Critical Infrastructure .............................................................................. 118 Control System Cybersecurity Strategy and Roadmaps ........................................................ 119 National and Regional Support Resources ............................................................................ 121 Appendices ................................................................................................................................ 127

iii Tables Table 1: APTA Cybersecurity Zones ............................................................................................ 49 Table 2: Transportation Operations Systems ................................................................................ 60 Table 3: IT vs. ICS Security Concept Value................................................................................. 61 Table 4: Differences Between IT vs. ICS ..................................................................................... 63 Table 5: : IT vs. ICS Cybersecurity Aspects................................................................................. 65 Table 6: ICS Administrative Level Results .................................................................................. 96 Table 7: Cybersecurity Functions, Elements and Categories ..................................................... 107 Table 8: Sample Training Knowledge and Skills ....................................................................... 109 Table 9: Awareness and Training Subcategories and References .............................................. 117 Figures Figure 1: Risk Management Program for Control System Security ............................................... 8 Figure 2: Risk Management/Risk Mitigation Strategies ................................................................. 9 Figure 3: Risk Scenario Based Process ......................................................................................... 10 Figure 4: Transportation Information Ecosystem. ........................................................................ 34 Figure 5: Transportation Enterprise Information Systems............................................................ 34 Figure 6: Cybersecurity Risk-Based Framework. ......................................................................... 43 Figure 7: NIST Framework Implementation Steps ....................................................................... 44 Figure 8: Example of ITD NIST Framework Quarterly Goal Tracking ....................................... 46 Figure 9: Cyber Defense-in-Depth Strategic Framework ............................................................. 47 Figure 10: Model Control & Communications System Categories .............................................. 50 Figure 11: Model Transit System ................................................................................................. 51 Figure 12: National ITS Architecture 7.1 - Transportation Layer+ .............................................. 67 Figure 13: ITS Security Architecture ............................................................................................ 67 Figure 14: Metrolink’s Positive Train Control ............................................................................. 72 Figure 15: : Security Credential Management System (SCMS) Functionality............................. 77 Figure 16: : Summary of Critical Controls Best Practices ............................................................ 82 Figure 17: Typical Transportation System Network with Countermeasures ................................ 90 Figure 18: Typical Transportation System Network without Countermeasures .......................... 90 Figure 19: CSET Four Step Process ............................................................................................. 96 Figure 20: MARTA Cybersecurity High-Level Timeline ............................................................ 97 Figure 21: Cybersecurity Learning Continuum .......................................................................... 102 Figure 22: Sample Training Module ........................................................................................... 108 Figure 23: Sample Awareness Posters ........................................................................................ 115 Figure 24: Sample Awareness and Training Program Template ................................................ 116

iv Preface Over the past 40 years we have witnessed a never-ending, escalating evolutionary competition between legitimate developers and users of systems that employ cyber technology and those who seek to do harm. Each generation of cybersecurity solutions is countered by ever-more sophisticated threats; each potential threat spawns additional layers of defense. This Darwinian struggle takes place around the clock and around the globe, involving many thousands of adversaries targeting millions of cyber-components. And unfortunately, the future guarantees more of the same: Cyber defenders and attackers continue their complex “survival-of-the fittest” battle while the rest of nation’s noncombatants bear its ever increasing consequences. During much of this time, surface transportation owners, transit operators, motorists and riders were relatively insulated from this arena. Vehicles were “dumb,” roads were even dumber and save for the occasional embarrassment over roadside message signs being hacked, neither transportation engineers nor the traveling public were aware of or concerned with the need for cybersecurity, particularly as it related to the operations of the transportation highway and transit infrastructure. The emergence of Intelligent Transportation Systems (ITS) did little to change things: transit vehicles got smarter, the first generation of digital roadside devices and systems were stand- alone solutions with advisory responsibility only (e.g., variable message signs, road weather systems) and the few technologies that had safety ramifications such as traffic signal controllers remained isolated and difficult to access. Minimal attack exposures coupled with negligible consequences to human safety translated to low risk. Consequently, policy makers and program managers were unconcerned about threats to their investments, their services and their customers. Indeed, during most of this time, there were very few (reported) cybersecurity breaches involving transportation system operations, reinforcing the sector’s complacency. In recent years cloud or network computing has revolutionized every sector of the economy, including transportation; the cloud is now ubiquitous, mobile and hyper-connected. Unsurprisingly, manufacturers of infrastructure control systems thrived in this new environment. Control system components and networks are now accessible from anywhere and are increasingly connected to enterprise data, customer satisfaction and entertainment networks. Analog controls are being replaced by networked digital counterparts, allowing remote monitoring and control of signals, signs, bridges, tunnels and vehicles – public and private. Although core functionality has greatly increased due to this new connectivity, so also has the exposure to multiple threats coming from local and distant sources. The sheer numbers of suddenly visible, interconnected, increasingly vital cyber components now deployed in transportation system and transit operations have created enormous, underappreciated complexity and significantly greater vulnerability across the entire system. Not only are single components at greater risk, but the cascading effects caused by intentional cyber- attacks and also by non-malicious incidents (e.g., component failure, network failure) should give even the most conservative transportation engineer pause. As one cybersecurity expert put it, “Unintentional impact doesn't mean insignificant impact.” This

v situation is poorly understood by transportation system executives, program managers, employees, elected officials and regulators. Paradoxically, the relatively few numbers of catastrophic incidents to date has resulted in a false sense of security within the transportation sector, although it should be kept in mind that few agencies are interested in revealing security breaches and their impacts. Recent work conducted by this research team estimated that as many as 75% of physical security breaches go unreported. The research team has no reason to believe that this estimate is any lower for cyber incidents. The research Team appreciates the difficulty that this situation presents agencies, regulators and elected officials: how can the reassignment of scarce resources to cybersecurity be justified in the absence of a clear and present danger, the pressure of competing priorities with larger constituencies, the complexity of the situation and the confusion resulting from overlapping, splintered responsibility for the situation. In short, transportation managers and employees are wrestling with a novel situation, with little understanding of the contours of the challenge, the parameters of the response or the seriousness of the consequences. As a former Secretary of Defense put it, “There are known knowns; there are things we know that we know. There are known unknowns; that is to say there are things that we now know we don't know. But there are also unknown unknowns – there are things we do not know we don't know.” Many, if not most aspects of cybersecurity across the transportation sector can fairly be characterized as unknown-unknowns at this point. This “Cybersecurity 101” Primer provides transportation organizations basic reference material concerning cybersecurity concepts, guidelines, definitions and standards. The Primer delivers fundamental strategic, management and planning information associated with cybersecurity and its applicability to transit and state DOT operations. The Primer presents fundamental definitions and rationales that describe the principles and practices that enable effective cybersecurity risk management. This Primer aims for concrete and measurable goals: increase awareness of cybersecurity as it applies to highway and public transportation, plant the seeds of organizational culture change, address those situations where the greatest risks lie, and provide industry-specific approaches to monitoring, responding to and mitigating cyber threats. This reference guide seeks to bridge a known knowledge gap by providing transportation managers and employees with greater context and information regarding the principles of information technology and operations systems security planning and procedures. Organization of the Primer This Primer contains seven Chapters discussing various dimensions of transportation cybersecurity and provides numerous references, case studies and examples throughout. With the exception of domain-specific systems discussed in Chapter 4, the material is intended to be of equal interest in highway infrastructure and public transportation settings. Each Chapter provides basic and general information for the novice cybersecurity manager and includes a

vi rich set of resource references more suitable for the seasoned security professional. Chapter 1 Top Myths of Transportation Cybersecurity. Chapter 1 rebuts common misunderstandings that may be impeding enterprise action on cybersecurity. Chapter 2 Cybersecurity Risk Management, Risk Assessment and Asset Evaluation. Chapter 2 presents a systems approach to risk management and discusses various strategies and resources used in Risk Management, Risk Assessment and Asset Evaluation, Threat Assessment, Vulnerability Assessment and Consequence or Impact Assessment Chapter 3 Cybersecurity Plans and Strategies, Establishing Priorities, Organizing Roles and Responsibilities. Chapter 3 presents enterprise-wide approaches to cybersecurity enhancement and governance strategies and includes discussions on security planning, American Public Transit Association’s (APTA) recommended security program, establishing priorities, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a general overview of “Defense in Depth” cybersecurity and “security zones” approaches, attack modeling, organizing roles and responsibilities, relationship with physical security and vendor approaches from a transportation perspective. Chapter 4 Transportation Operations Cyber Systems. Chapter 4 discusses the difference between data and control systems and provides overview of each of these in both the highway infrastructure and public transit domains. The Chapter also discusses emerging trends in transportation systems including connected and automated vehicle technologies. Chapter 5 Countermeasures: Protection of Operational Systems. Chapter 5 presents the basics of cybersecurity and discusses best practices in the areas of cyber hygiene, access control, data security and information protection, boundary defense and network separation, configuration management and Bring Your Own Device (BYOD), system monitoring and intrusion detection. Chapter 6 Training: Building a Culture of Cybersecurity. Chapter 6 discusses the behavioral, cultural, organizational and institutional aspects of cybersecurity and presents a framework for building effective awareness and training programs and follow-up performance evaluations. Chapter 7 Security Programs and Support Frameworks. Chapter 7 introduces National and Federal policies, regulations, frameworks, tools and other resources useful in setting up a comprehensive cybersecurity function that is consistent, coordinated and compatible with activities at other agencies and in other Sectors.

vii Executive Summary Protecting transportation systems from adverse events that would compromise the delivery of services to the passengers and shippers who depend upon them includes eliminating or minimizing the risk and exposure to harm resultant from hazards, accidents, or physical or cyber attacks against critical assets or mission essential activities and resources. Today, transportation agency leadership, management and staff face even greater levels of risk and exposure to these types of events than ever before. In the context of cybersecurity the sheer numbers of interconnected, increasingly vital cyber components now deployed in transportation systems and transit operations has created significantly greater vulnerabilities across systems and networks. Not only are single components at greater risk; the cascading effects caused by both non-malicious incidents (e.g., accidents, component failure, network failure) and also intentional cyber-attacks has created a modern day transportation operating environment that warrants the full attention of senior management and the commitment of significant agency resources to effectively maintain mission critical functions. Consequences of cyber incidents differ widely in their impact, duration, and cost. Events causing catastrophic loss of life or enterprise threatening economic damages remain rare, however they are increasing in frequency. Lesser events that result in actual or perceived risk of harm or increased liability, potential compromise of the safety and security of passengers or employees, short-term financial losses, or that compromise the reputation and goodwill of the agency can occur at any time. Cyber risk also does not exclude smaller or less complex systems. While the scope and comparative impact of an incident at a medium or smaller sized agency may be lessened in severity there is still a potential for the loss of assets and functionality than can disrupt the delivery of essential services or cripple agency operations. There have already been instances of unsafe, curtailed or disrupted service, loss or theft of personal or proprietary data, increased litigation exposure or cost, or unacceptable compromise of customer expectations. And from the standpoint of consequence it does not matter if the harm was deliberately caused. Paradoxically, the relatively few numbers of catastrophic incidents in transportation to date has resulted in a false sense of security within the transportation sector. Recent research estimated that on the physical security side as many as 75% of security breaches go unreported. In terms of cyber much less is known about prospective breach percentages, but there is little reason to believe that the numbers are any better for cyber incidents. What is known is that the ease of compromise of transportation cyber systems is becoming more and more evident, and the likelihood of new or more significant events is increasing along with the per event costs of cyber incidents and cyber-crime. A good working definition of cybersecurity for transportation is one put forth by ISA/IEC-62443 (formerly ISA-99), a baseline security standard for industrial control systems, that defines cybersecurity more broadly as “electronic security” whose compromise could result in any or all of the following situations: • Endangerment of public or employee safety

viii Common Cybersecurity Myths Nobody wants to attack us. It can’t happen to us. It’s all about IT. It’s possible to eliminate all vulnerabilities. Cybersecurity incidents will not impact operations. Control system and IT cybersecurity are same. Cybersecurity needs to be solved only once. • Loss of public confidence • Violation of regulatory requirements • Loss of proprietary or confidential information • Economic loss • Impact on national security There are common myths about cybersecurity and transportation systems that are creating misunderstanding. Dispelling these myths will allow transportation agencies to more efficiently and effectively improve the cybersecurity and resilience of critical transportation infrastructure. There are approaches to reduce transportation cybersecurity risks and mitigate the impacts of cyber incidents. Managing the risks associated with cyber for IT and ICS can prove to be intractably challenging. For transportation agencies the response to the challenge lies in the formulation of a program that both balances and shares responsibility for critical infrastructure system protection among operators and employees, government agencies, industry stakeholders, technology manufacturers and product vendors. The NIST Cybersecurity Framework provides guidance that transportation agencies can utilize. Unlike physical security protection systems where countermeasures can be deployed by an organization to harden a critical asset, “locking down” cyber systems demands that vulnerabilities be identified and eliminated, reduced or mitigated along the entire technological supply chain. Overcoming the global threat posed by international attackers who can exploit from afar adds a dimension to the problem that requires participation by government, and by extension, the entire international community. In addition, cybersecurity is a continual process with evaluation and monitoring as key components to identify and manage changes to systems and environments. Security planning directs a transportation agency towards prevention and mitigation of the effects of security incidents by integrating those approaches that have proven to be successful into the operating environment. Development of a security plan provides an effective means to meet cost-benefit and competitive resource challenges. Cybersecurity planning should incorporate, at the minimum: • Security strategy that expresses management’s commitment to cybersecurity and provides the high-level direction and requirements for cybersecurity in the agency. • Security policies that address the range of management, personnel, operational and technical issues and guide the development, implementation and enforcement of the agency security measures.

ix • Roles and responsibilities that clarify decision- making authority and responsibility for cybersecurity. • Vulnerability and risk assessments to identify the agency-specific security requirements and assist in prioritization of risk management efforts. Although there are variations in application, the risk management process for transportation agencies in this cyber environment requires consideration and adoption of many of the same security principles used in the protection of physical assets. • Development and Maintenance of cybersecurity plans including Risk Mitigation/ Management and Response/Recovery plans. • Active monitoring and evaluation on a continuous basis. • Awareness and Training for all agency employees. When planning for cybersecurity, some principles should be kept in mind: Address cybersecurity planning in a systematic way, with a commitment to a process of continuous improvement. Even with unlimited resources, it is not possible to eliminate all vulnerabilities and risks. Take a balanced approach that focuses on standards and incorporates learning from experience. Any cybersecurity program should be approached using risk management practices as a guide. Evaluate the agency’s specific cyber risks and develop the cybersecurity plan around managing those risks. Security policy and controls must be adaptable to emerging threats in a constantly evolving world. Vulnerabilities are evolving and new risks are growing by the hour. Maintain situational awareness of cyber threats – both intentional and unintentional as part of the plan. Failure will happen so it is important to plan for it, isolate it, contain its damage and recover from it gracefully. It is important to recognize that perfect security is not possible and that everything cannot be mastered. Planning ahead – having a Cyber Response and Recovery Plan - can ensure less damage from an incident. Guidance exists for general cybersecurity plans. To date no comprehensive guidance has been developed to provide support for a transportation agency cybersecurity plan, although APTA has provided a recommended practice that includes security plan elements. The Roadmap to Secure Control Systems in the Transportation Sector (DHS, 2012) was developed to assist transportation APTA Recommended Security Plan Elements Control/Communications systems boundaries • Identify the systems. • Identify the equipment. • Identify the locations. • Identify the stakeholders. Work group • Include all stakeholders. • Identify responsibilities. Policies and procedures • Administrative • Technical • Cyber • Physical • Maintenance Security measures • Management reports • Maintenance issues • Training

x agencies develop plans and the culture needed to sustain those plans. Guidance tailored for other sectors (e.g. nuclear, electrical and water) also has relevance for the transportation sector. Other types of plans that support cybersecurity resiliency include: • Incident Response Plan which addresses the ability to proactively detect, contain, eradicate and recover from a cyber incident. As part of the response plan it is important to be prepared to isolate systems and to preserve forensic evidence for analysis. The robustness of a transit agency’s incident response will vary depending on its budget, size and capability. However, smaller transit agencies can implement basic practices and work with other agencies to foster information sharing. All transit agencies should have some form of incident response. • Business Continuity Plan (BCP) that focuses on sustaining an organization’s mission/business processes during and after a disruption, written for a single business unit or the entire organization’s processes. The Plan can be scoped to address only priority functions. Because mission/business processes use information systems, the business continuity planner must coordinate with information system owners to ensure that the BCP expectations and information system capabilities are matched. • Continuity of Operations Plan (COOP) which focuses on restoring an organization’s mission-essential functions and performing those functions for up to 30 days before returning to normal operations. Additional functions may be addressed by the Business Continuity Plan. • Crisis Communications Plan that provides standard procedures for internal and external communications in the event of a disruption should be documented using a crisis communication plan. The plan provides various formats for communications appropriate to the incident and designates specific individuals as the only authority for answering questions from or who provide information regarding the response. The plan may also include procedures for disseminating reports to agency personnel on the status of the. • Disaster Recovery Plan (DRP) that typically applies to major disruptions to service and is designed to restore operability of the system, application or cyber infrastructure after an emergency. A DRP may support a Business Continuity Plan or a COOP. There is a rich body of cybersecurity guidance and resources from an IT perspective that has developed over the past 40 or so years. There is a growing body of cybersecurity guidance and resources developing today for control system cybersecurity. Practices and countermeasures that are “best practices” from both these perspectives. The Cybersecurity Guide identifies effective practices that can be used to protect transportation systems from cyber events and to mitigate damage should an incident or breach occur. Those practices include cyber hygiene, access control, data security and information protection, boundary defense and network separation, configuration management, and monitoring/detection. The Guide is designed for all surface transportation - both transit and highway - agencies and is intended to cover all transportation systems - industrial control, transportation control, communications and enterprise data systems. However, a special focus has been placed on systems associated with the control of transportation infrastructure assets. This approach is a recognition that viewing cybersecurity from an IT perspective alone is proving to be both short- sighted and of limited effectiveness.

Next: Introduction »
Protection of Transportation Infrastructure from Cyber Attacks: A Primer Get This Book
×
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

TRB's Protection of Transportation Infrastructure from Cyber Attacks: A Primer provides transportation organizations with reference materials concerning cybersecurity concepts, guidelines, definitions, and standards. The primer is a joint product of two TRB Cooperative Research Programs, and is categorized as Transit Cooperative Research Program (TCRP) Web-Only Document 67 and National Cooperative Highway Research Program (NCHRP) Web-Only Document 221.

The Primer delivers strategic, management, and planning information associated with cybersecurity and its applicability to transit and state DOT operations. It includes definitions and rationales that describe the principles and practices that enable effective cybersecurity risk management. The primer provides transportation managers and employees with greater context and information regarding the principles of information technology and operations systems security planning and procedures.

The report is supplemented with an Executive Briefing for use as a 20-minute presentation to senior executives on security practices for transit and DOT cyber and industrial control systems. A PowerPoint summary of the project is also available.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!