Informative References Tailored for the ITS Environment

The ITS Cybersecurity Research Program supports ITS deployers by conducting research that adopts or adapts implementation practices from other industries, or develops new approaches specific to transportation if needed. The tools and reference materials described in this section are the result of research projects sponsored by the ITS JPO and its modal partners.

The information, resources, and tools on this website are disseminated under the sponsorship of the U.S. Department of Transportation’s ITS Joint Program Office in the interest of information exchange and in a manner that promotes public understanding. The U.S. Government assumes no liability for the use of the information contained on this website. The information does not constitute a standard, specification, regulation, or policy, nor does it represent an endorsement of any specific vendor, vendor product or service, or any specific process.

Cybersecurity Framework Profile for Connected Vehicle Environments

To support the emergence of connected vehicle (CV) deployments across the United States, the U.S. DOT sponsored the creation of the Cybersecurity Framework (CSF) Profile for Connected Vehicle Environments (CVE).

How to Use the CSF Profile for CVE discusses how organizations can use the Cybersecurity Framework Profile for CVE to manage cybersecurity risk. It introduces the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), but focuses on the CSF Profile for CVE. A corresponding worksheet tool, CSF CVE Profile Dot Chart, is also available for organizations to manipulate and customize the mission objectives and prioritize the categories and subcategories of actions in the profile.

This profile is an informative resource for CV technology deployers. It is an application of the NIST CSF, which is voluntary and based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. The CSF is designed to foster risk and cybersecurity management communications among internal and external organizational stakeholders.

In the context of the CSF, mission objectives are specific outcomes that support common objectives in an industry or its subsector; in this case, CV environments. The mission objectives in this profile were developed specifically for CV environment users to identify relevant high- and moderate-priority cybersecurity outcomes for each objective in a targeted, systematic, and comprehensive way. The ability of CV environments to meet their mission objectives depends on the success of cybersecurity activities and outcomes, which correspond to CSF subcategories. Assigning a priority (high, moderate, or low) to each CSF mission objective allows users to customize high- and moderate-priority cybersecurity outcomes for each mission objective and make better decisions about where to focus their cybersecurity activities.

In general, working with any CSF Profile requires input from different departments, individuals, and functions within an organization. For example, individuals from Operational Offices, Information Technology, Cybersecurity, Legal, Risk Management, Finance, and the Executive Suite would each contribute different information and perspectives to the discussion and development of a robust profile and implementation process specific to their organization. Organizational structures and assignment of responsibilities and capabilities vary among organizations, so each organization will need to determine who can or should contribute.

How an organization chooses to use the CSF Profile for CVE will depend on many factors, including how an organization manages risk, its current cybersecurity program, its institutional context, and the stakeholders involved. This industry profile is only a starting point and can be tailored and supplemented as needed to address areas where an organization’s scope or objectives may differ from the hypothetical baseline case provided in this CSF Profile for CVE.

Using the NIST Privacy Risk Assessment Methodology (PRAM) to Assess and Mitigate Risks in a Connected Vehicle Environment (CVE)

To support deployers who are implementing connected vehicle (CV) technologies across the country, the U.S. Department of Transportation (U.S. DOT) sponsored the creation of a Privacy Risk Assessment Methodology (PRAM) for Connected Vehicle Environments (CVE). The original PRAM is a tool developed by the National Institute of Standards and Technology (NIST) that applies the risk model from NIST Interagency/Internal Report (NISTIR) 8062 ("An Introduction to Privacy Engineering and Risk Management in Federal Systems") and helps organizations analyze, assess, and prioritize privacy risks to determine how to respond and select appropriate solutions. The PRAM can help drive collaboration and communication among various components of an organization, including privacy, cybersecurity, business, and IT personnel. Working together with NIST, U.S. DOT adapted the original PRAM and created the PRAM for CVE to help CV deployers apply a systematic approach to identifying and managing privacy risk that is grounded in privacy engineering precepts. The CVE PRAM is a voluntary tool, and each organization can determine the best fit for its needs.

In exploring the potential of CVs and other advanced technologies, U.S. DOT understands that privacy is a significant concern. Users of CV technologies, including the public, must feel confident that the accompanying benefits do not come at the expense of their privacy. In particular, geolocation and tracing of an individual’s movements are understood to have profound privacy implications. U.S. DOT is committed to deploying CV technology in a manner that ensures the privacy and security of our connected transportation system. The Department is pursuing this goal through a strategy of “privacy by design” that aims to integrate privacy into CV deployments at multiple levels.

How to Use the CVE PRAM and corresponding worksheets discuss how organizations can use the CVE PRAM to develop:

  • A process for identifying privacy risks within and throughout their CV systems;
  • A consistent language for engaging and facilitating conversations with privacy experts, technical system managers, and decision makers on how to balance privacy with system functionality and operations; and
  • A clear path to identifying appropriate controls and solutions to implement as part of their CV environments.

The PRAM consists of four worksheets to guide users through this process in a clear and systematic way:

The CVE PRAM worksheets referenced above prepopulate many elements of the original NIST PRAM worksheets with examples that are based on a prototypical CV deployment. This provides a context-specific starting point for privacy risk analysis and management, assisting users throughout the PRAM process.

The generic CVE PRAM is not a static tool. Every CV deployment is different and, by extension, every CVE PRAM result is unique. Deployers can use the worksheets to capture and analyze the relevant data flows and processing of their deployment by adding, deleting, and modifying PRAM elements. Working through the specifics of their deployment, ideally while still in the planning stages, deployers can make appropriate decisions regarding the management of privacy risk. Using the generic CVE PRAM template as a starting point can help achieve the level of deployment-specific privacy assurance necessary to secure public confidence and privacy protection.

Intelligent Transportation Systems Penetration Testing

This project developed best-practice recommendations for penetration testing of ITS. The Cybersecurity and Intelligent Transportation Systems Informative Reference details the methodology of scoping a test, including the objectives, requirements, success criteria, test type, management, and test readiness. The report, which reflects industry best practices at the time of publication, ends with a template test plan that State DOTs and local and tribal agencies can use to start their own cybersecurity plan and penetration test. NOTE: The following information is provided as technical guidance. It is not intended as U.S. DOT policy or in relation to policy.

In addition to these references and guides applicable to cybersecurity in ITS and the connected vehicle environment, this site also describes general cybersecurity references and guides developed by other agencies and organizations that assist governmental agencies (federal, state, local, and tribal), businesses, universities, and nonprofit organizations, among other entities, to harden their critical infrastructure.