In a recent post, we discussed the new and expanded threat landscape the transportation sector is facing due to the digitalization of the sector. The creation of smart ticketing systems and Internet of Things (IoT) sensors to monitor and manage traffic presents great benefits both for customers and cities. Even so, they create new security risks and challenges that transportation organizations need to address. The lack of an effective and robust cybersecurity framework can open these organizations to new vulnerabilities, and their exploitation could disrupt the provision of essential services to the public.

Following U.S. Presidential Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity,” the National Institute of Standards and Technology (NIST) developed the voluntary Cybersecurity Framework. This framework aims to reduce cyber risks that threaten critical infrastructure, including the systems operated by the transportation sector.

The Transportation Systems Sector Cybersecurity Framework Implementation Guidance and its companion workbook operate under the understanding that a “one size fits all” methodology for the implementation of the NIST Cybersecurity Framework is impractical. Acknowledging that reality, these documents provide an approach by which Transportation Systems Sector (TSS) owners and operators can apply the principles of NIST’s Cybersecurity Framework to help reduce cyber risks. This approach consists of guidance, resource direction, and a directory of options that all assist a TSS organization in adopting the NIST Framework.

Specifically, organizations may use the implementation guidance to perform the following security tasks:

  • Characterize their current and target cybersecurity posture.
  • Identify steps and practices for enhancing their existing cybersecurity risk management programs.
  • Find existing tools, standards, and guides to support Framework implementation.
  • Communicate their risk management issues to internal and external stakeholders.

The implementation guidance identified above can be used by TSS organizations regardless of their current cybersecurity maturity level. For organizations that do not have a formal cybersecurity risk management program, the guidance can help them comprehend, evaluate, and establish their cyber risk priorities. Organizations that already have a formal cyber risk management program in place can leverage this guidance to review and evaluate existing programs, identify areas for improvement, and align their efforts with the Cybersecurity Framework.

The Transportation Systems Sector Cybersecurity Framework Implementation Guide serves as the foundation to align TSS strategic goals for improving the sector’s cybersecurity posture with the NIST Cybersecurity Framework categories. The table below can help TSS organizations implement this alignment.

TSS Strategy Goals and the NIST Cybersecurity Framework categories they map to:

Goal 1: Define Conceptual Environment
  • Access Control
  • Asset Management
  • Information Protection Processes and Procedures
  • Maintenance
  • Response Planning
  • Recovery Planning
  • Risk Management Strategy
  • Risk Assessment

Goal 2: Improve and Expand Voluntary Participation
  • Communications

Goal 3: Maintain Continuous Cybersecurity Awareness
  • Awareness and Training
  • Improvements
  • Protective Technology

Goal 4: Enhance Intelligence and Security Information Sharing
  • Analysis
  • Anomalies and Events
  • Data Security
  • Detection Processes
  • Mitigation
  • Security Continuous Monitoring

Goal 5: Ensure Sustained Coordination and Strategic Implementation
  • Business Environment
  • Governance

Table 1: Alignment of TSS Strategic Goals with NIST Cybersecurity Framework. Table courtesy of CISA.

The main objective of the Implementation Guidance is to strengthen the organization’s risk management program and to communicate the use of cybersecurity practices to internal and external stakeholders. The following diagram illustrates the three phases of implementing the TSS Guidance:

Figure 1: TSS Cybersecurity Framework Implementation Guidance Phases. Image courtesy of CISA.

Phase 1: Determine Risk Profile

Determining an organization’s cyber-risk profile is the foundation of the TSS Implementation Guidance. The risk profile provides an assessment of the organization’s acceptable level of risk, which drives its overall decision-making strategy. Organizations must begin by reviewing their internal context, that is, the cultural factors that influence how they manage risk as a means of achieving their business objectives. As part of this process, they must identify internal vulnerabilities (not necessarily software flaws) that could hamper their efforts to realize those objectives. This process will reveal countermeasures that help the organization remain on track.

At that point, it is up to the organization to prioritize its security initiatives. The best way to do so is to combine the results of the internal assessment with threat intelligence on cybersecurity trends and adversary tactics and techniques. To this end, TSS organizations can rely on the cybersecurity trends analysis performed by the Department of Homeland Security’s Cybersecurity and Communications (CS&C) team.

Upon completion of this phase, an organization will have a much clearer picture of its risk profile and where opportunities for improvement reside. To determine the existing security posture, the TSS organization will need to use the implementation workbook according to the instructions contained in the Guidance.

Phase 2: Establish Priorities

Upon determining the organizational risk profile, the organization is ready to highlight the opportunities for further improvement. It also understands how to prioritize the available solutions to reduce its overall risk. When developing a strategy to implement solutions, the organization should consider personnel and financial resource allocation.

The Guidance offers some considerations for prioritizing solutions. For example, organizations should give the utmost priority to those vulnerabilities with the highest probability of affecting the business. Next, they should place greater emphasis on issues with a higher probability of affecting critical business functions. Conversely, they need not focus as much time and resources on low-risk issues.

Phase 3: Implement Solutions

The Guidance does not recommend which solutions organizations should incorporate into their environments or how they should implement them. This leaves TSS organizations free to choose the tools that fit their needs. However, organizations should consider reviewing cybersecurity best practices, such as those discussed in NIST SP 800-53, NIST SP 800-82 and the CIS Controls, to ensure that whatever security controls they adopt will have the greatest impact on reducing the organization’s risk profile.

Cybersecurity risk is real. The question is how well you are mitigating business-critical risks. Cybersecurity programs for all sectors, including the transportation sector, should be based on a strategy established through risk assessments and informed by security and vulnerability assessments. ITEGRITI can be your trusted security consultant. It’s time to upgrade your consultant!