Cybersecurity Across U.S. Department of Transportation

The following is a sample (not a complete list) of cybersecurity programs and activities underway at U.S. Department of Transportation modes and offices. Visit each mode’s website for a complete list of cybersecurity activities.

Federal Highway Administration (FHWA)

FHWA Order 1640.3 – This directive establishes the Federal Highway Administration’s (FHWA’s) Cybersecurity Program (CSP) and its policy.

Federal Highway Administration (FHWA) Cybersecurity Program (CSP) Handbook – The FHWA CSP Handbook is comprised of policies, procedures, and guidance for ensuring the security of FHWA information and information systems. It encompasses cybersecurity management, planning, implementation, and performance evaluation.

Federal Rail Administration (FRA)

Cyber Security Risk Management for Connected Railroads (2020) – This research develops a cyber security risk analysis methodology for communications-based connected railroad technologies

Research, Development and Technology Strategic Plan 2020–2024 (2020) – Section in plan addresses safety concerns with data and cybersecurity.

Federal Transit Administration (FTA)

TSA Security Update Cybersecurity at 2019 FTA Joint State Safety Oversight and Rail Transit Agency Workshop –TSA Cybersecurity Road map identifies four major priorities to help agencies achieve cybersecurity goals. They include: Identifying cyber security risks; Reducing vulnerabilities to the system and critical infrastructure across the transportation sector; Strengthening security; and ensuring the resilience of the system.

Federal Motor Carrier Safety Administration (FMCSA)

Cybersecurity Best Practices for Integration/Retrofit of Telematics and Aftermarket Electronic Systems into Heavy Vehicles (2020) – The goal of this project was to develop a set of best practices and guidelines focused on minimizing cyber risks for telematic units and other components specific to connected heavy trucks. There are two primary focus areas in this document: policy and procedure recommendations and technical recommendations. The primary risk addressed in the document is that of creating a bridge between the Internet—or other networks—and the networks inside the trucks. Also view Tech Brief.

Cybersecurity Research Considerations for Heavy Vehicles (2018) – The objective of this project is to develop a framework to understand common features and differences between passenger vehicle and heavy-duty vehicle cybersecurity in terms of lifecycle, threats and risks, electrical/electronic architectures, control applications, security countermeasures, and industry aspects. The results of this report are intended to provide the National Highway Traffic Safety Administration and the broader industry with information regarding cybersecurity aspects as they currently relate to the state of the commercial heavy vehicle industry.

National Highway Traffic Safety Administration (NHTSA)

Vehicle Cybersecurity on NHTSA website.

University Transportation Centers (UTC), Office of the Secretary of Transportation

Managing Cyber Risks & Business Exposure in the Surface Transportation Ecosystem (2018) – A recent project by the Mineta Transportation Institute (MTI) at San Jose State University takes an in-depth look at not only how to protect against cybersecurity attacks on surface transportation targets, but also what to do when they are successful. The main goal of this project is to create a holistic transportation cybersecurity management model that assigns responsibilities to each transportation department before, during, and after cybersecurity events.

Federal Aviation Administration (FAA)

FAA Cybersecurity Awareness Symposium

Each yearly FAA Cybersecurity Awareness Symposium seeks to promote cybersecurity awareness, collaboration, and partnerships between the FAA, Interagency Stakeholders, Industry, and Academia. The event is an opportunity to discuss current security challenges as well as to network with peers and leading industry experts.

Maritime Administration (MARAD)

Maritime Cyber Security on MARAD website.

Pipeline and Hazardous Materials Safety Administration

Remarks of Acting Administrator Tristan Brown at API's Midstream Committee Meeting about the cyber-attack involving the Colonial Pipeline system. (2021)