The information, resources, and tools on this website are disseminated under the sponsorship of the U.S. Department of Transportation’s ITS Joint Program Office in the interest of information exchange and in a manner that promotes public understanding. The U.S. Government assumes no liability for the use of the information contained on this website and information does not constitute a standard, specification, regulation, policy nor does it represent an endorsement of any specific vendor, vendor product or service, or any specific process.
Transportation Management Center Information Technology Security
The following resources are specific to penetration testing, ITS cybersecurity in transportation management centers (TMC), and ITS cybersecurity in the area of incident response and management.
Figure 1. Chart showing relationship between Center for Internet Security Controls and Traffic Management Center roles. Source: Federal Highway Administration
The Federal Highway Administration (FHWA) issued the Transportation Management Center Information Technology Security report in September 2019. The report was developed from industry best practices that correspond to what transportation management centers (TMCs) routinely face, and its primary focus was on the NIST Cybersecurity Framework and the Center for Internet Security (CIS) Top 20 Controls version 7.1. The purpose of this report is not to replicate the guidelines in these frameworks, but rather to highlight the most relevant guidelines for TMC IT cybersecurity and to serve as technical guidelines for TMCs on improving IT security for their facilities, networks, workstations, servers, data storage, peripherals, and operations.
The report incorporates the CIS Top 20 Controls in baselining security measures to provide an immediate impact on guiding control of hardware, software, and networks in the TMC, and relies upon the NIST frameworks as a beneficial supplement to Risk Management Plans and Resiliency Plans with strategic visioning. The CIS Top 20 Critical Security Controls correspond to the three functional areas: IT/Systems, Personnel, and Administrative/Contractual data management practices; and each CIS sub-control is relevant to one of the three TMC roles, illustrated in Figure 1. The report also recommends short- and long-term strategies for implementation.
Transportation Cybersecurity Incident Response and Management Framework
As part of the 2017 United States Department of Transportation (U.S. DOT) Federal Highway Administration (FHWA) Roadway Surface Transportation Cybersecurity Framework project with the Institute of Transportation Engineers (ITE), research identified gaps in sharing vulnerability and exploit information among transportation infrastructure owner/operators (IOOs), manufacturers, law enforcement (LE), and independent security researchers. These gaps included many deficits that limit communication and delay the sharing of cybersecurity threat intelligence related to roadway transportation systems. This project developed a framework that improves communication and information sharing with transportation roadway stakeholders when detecting and responding to a cyberattack or vulnerability that spans devices or other sectors. This framework is described in the following two reports: Transportation Cybersecurity Incident Response and Management Framework: Final Report (July 2021) and Transportation Cybersecurity Incident Response and Management Framework: Cybersecurity Incident Exercise Summary Report (May 2021).
- Glossary of terms with examples – Established terminology that should be unified across the transportation and cybersecurity community to improve understanding and conversations about transportation cyber incident information sharing.
- Cybersecurity incident communication procedures and protocols – Identified improvements to procedures and processes for communication and information sharing prior to and during a cyber incident. These improvements are in the form of process flows that demonstrate how a particular transportation stakeholder (e.g., municipal IOOs) should report information when faced with a cyber incident.
- Incident exercise plan and summary – Tested these procedures in a cyber incident exercise that presented a group of transportation stakeholders with a simulated cyber incident. This task proved that the developed procedures improved metrics such as cyber incident response time and content of information shared. Also, lessons learned and any improvements to the processes were captured during this task.
Repository and Open Science Access Portal (ROSAP)
ROSAP provides an extensive list of cybersecurity resources, including publications on connected vehicles and cybersecurity, and heavy vehicles and cybersecurity.