The information, resources, and tools on this website are disseminated under the sponsorship of the U.S. Department of Transportation’s ITS Joint Program Office in the interest of information exchange and in a manner that promotes public understanding. The U.S. Government assumes no liability for the use of the information contained on this website and information does not constitute a standard, specification, regulation, policy nor does it represent an endorsement of any specific vendor, vendor product or service, or any specific process.
The following resources are specific to penetration testing, ITS
cybersecurity in transportation management centers (TMC), and ITS
cybersecurity in the area of incident response and management.
Transportation Management Center Information Technology Security
Figure 1. Chart showing relationship between Center for Internet Security
Controls and Traffic Management Center roles. Source: Federal Highway
Administration
The Federal Highway Administration (FHWA) issued the Transportation
Management Center Information Technology Security report in September 2019.
Developed based on industry best practices that
correspond to what transportation management centers (TMCs) routinely face,
its primary focus was on the NIST Cybersecurity Framework and Center for
Internet Security (CIS) Top 20 Controls version 7.1. The purpose of this
report is not to replicate the guidelines in these frameworks, but rather
to highlight the most relevant guidelines for TMC IT cybersecurity and to
serve as technical guidelines for TMCs on improving IT security for their
facilities, networks, workstations, servers, data storage, peripherals, and
operations.
The report incorporates the CIS Top 20 Controls in baselining security
measures to provide an immediate impact on guiding control of hardware,
software, and networks in the TMC, and relies upon the NIST frameworks as a
beneficial supplement to Risk Management Plans and Resiliency Plans with
strategic visioning. The CIS Top 20 Critical Security Controls correspond
to the three functional areas: IT/Systems, Personnel, and
Administrative/Contractual data management practices; and each CIS
sub-control is relevant to one of the three TMC roles, illustrated in Figure 1. The report also recommends short- and
long-term strategies for implementation.
Transportation Cybersecurity Incident Response and Management Framework
As part of the 2017 United States Department of Transportation (U.S. DOT) Federal Highway Administration (FHWA) Roadway Surface Transportation Cybersecurity Framework project with the Institute of Transportation Engineers (ITE), research identified gaps in sharing vulnerability and exploit information among transportation infrastructure owner/operators (IOOs), manufacturers, law enforcement (LE), and independent security researchers. These gaps included many deficits causing limited communication and delays in sharing cybersecurity threat intelligence related to roadway transportation systems. This project developed a framework that improves communication and information sharing with transportation roadway stakeholders when detecting and responding to a cyberattack or vulnerability that spans across devices or other sectors. This framework is described in the following two reports:
Transportation Cybersecurity Incident Response and Management Framework: Final Report (July 2021). This document presents the overall findings of the project, which include:
- Glossary of terms with examples – Established terminology that should be unified across the transportation and cybersecurity community to improve understanding and conversations about transportation cyber incident information sharing. The Glossary, which is contained within the report, is also available in a searchable format.
- Cybersecurity incident communication procedures and protocols – Identified improvements to procedures and processes for communication and information sharing prior to and during a cyber incident. These improvements are in the form of process flows that demonstrate how a particular transportation stakeholder (e.g., municipal IOOs) should report information when faced with a cyber incident.
- Incident exercise plan and summary – Tested these procedures in a cyber incident exercise that presented a group of transportation stakeholders with a simulated cyber incident. This task proved that the developed procedures improved metrics such as cyber incident response time and content of information shared. Also, lessons learned and any improvements to the processes were captured during this task.
Transportation Cybersecurity Incident Response and Management Framework: Cybersecurity Incident Exercise Summary Report (May 2021).
This report presents the proposed procedures and all collected data from the completed incident exercise, including the exercises performed and the participants involved. The cyber incident exercise was composed of two parts designed to assess the participants’ current understanding of information sharing and any improvements gained by following the proposed protocols.
REPOSITORY AND OPEN SCIENCE ACCESS PORTAL (ROSAP)
ROSAP provides an extensive list of cybersecurity resources, including
publications on connected vehicles and cybersecurity, and heavy vehicles
and cybersecurity.