{"id":1840,"date":"2020-08-26T08:00:59","date_gmt":"2020-08-26T08:00:59","guid":{"rendered":"http:\/\/72.52.228.46\/~itegriti\/?p=1840"},"modified":"2021-04-12T05:26:49","modified_gmt":"2021-04-12T05:26:49","slug":"transportation-systems-sector-cybersecurity-framework-implementation-guide","status":"publish","type":"post","link":"https:\/\/itegriti.com\/staging\/2020\/cybersecurity\/transportation-systems-sector-cybersecurity-framework-implementation-guide\/","title":{"rendered":"Transportation Systems Sector Cybersecurity Framework Implementation Guide"},"content":{"rendered":"<p>[fusion_builder_container hundred_percent=&#8221;no&#8221; hundred_percent_height=&#8221;no&#8221; hundred_percent_height_scroll=&#8221;no&#8221; hundred_percent_height_center_content=&#8221;yes&#8221; equal_height_columns=&#8221;no&#8221; hide_on_mobile=&#8221;small-visibility,medium-visibility,large-visibility&#8221; status=&#8221;published&#8221; background_position=&#8221;center center&#8221; background_repeat=&#8221;no-repeat&#8221; fade=&#8221;no&#8221; background_parallax=&#8221;none&#8221; enable_mobile=&#8221;no&#8221; parallax_speed=&#8221;0.3&#8243; video_aspect_ratio=&#8221;16:9&#8243; video_loop=&#8221;yes&#8221; video_mute=&#8221;yes&#8221; border_style=&#8221;solid&#8221; type=&#8221;legacy&#8221; admin_toggled=&#8221;yes&#8221;][fusion_builder_row][fusion_builder_column type=&#8221;1_1&#8243; layout=&#8221;1_1&#8243; spacing=&#8221;&#8221; center_content=&#8221;no&#8221; link=&#8221;&#8221; target=&#8221;_self&#8221; min_height=&#8221;&#8221; hide_on_mobile=&#8221;small-visibility,medium-visibility,large-visibility&#8221; class=&#8221;&#8221; id=&#8221;&#8221; background_color=&#8221;&#8221; background_image=&#8221;&#8221; background_image_id=&#8221;&#8221; background_position=&#8221;left top&#8221; background_repeat=&#8221;no-repeat&#8221; hover_type=&#8221;none&#8221; border_color=&#8221;&#8221; border_style=&#8221;solid&#8221; border_position=&#8221;all&#8221; 
border_radius=&#8221;&#8221; box_shadow=&#8221;no&#8221; dimension_box_shadow=&#8221;&#8221; box_shadow_blur=&#8221;0&#8243; box_shadow_spread=&#8221;0&#8243; box_shadow_color=&#8221;&#8221; box_shadow_style=&#8221;&#8221; padding_top=&#8221;&#8221; padding_right=&#8221;&#8221; padding_bottom=&#8221;&#8221; padding_left=&#8221;&#8221; margin_top=&#8221;&#8221; margin_bottom=&#8221;&#8221; animation_type=&#8221;&#8221; animation_direction=&#8221;left&#8221; animation_speed=&#8221;0.3&#8243; animation_offset=&#8221;&#8221; last=&#8221;true&#8221; border_sizes_top=&#8221;0&#8243; border_sizes_bottom=&#8221;0&#8243; border_sizes_left=&#8221;0&#8243; border_sizes_right=&#8221;0&#8243; first=&#8221;true&#8221; type=&#8221;1_1&#8243;][fusion_text columns=&#8221;&#8221; column_min_width=&#8221;&#8221; column_spacing=&#8221;&#8221; rule_style=&#8221;default&#8221; rule_size=&#8221;&#8221; rule_color=&#8221;&#8221; hide_on_mobile=&#8221;small-visibility,medium-visibility,large-visibility&#8221; class=&#8221;&#8221; id=&#8221;&#8221;]<\/p>\n<p>In a recent <a href=\"http:\/\/72.52.228.46\/~itegriti\/2020\/blog\/intelligent-transportation-and-shipping-pose-security-and-privacy-risks\/\">post<\/a>, we discussed the new and expanded threat landscape the transportation sector is facing due to the digitalization of the sector. The creation of smart ticketing systems and Internet of Things (IoT) sensors to monitor and manage traffic presents great benefits both for customers and cities. Even so, they create new security risks and challenges that transportation organizations need to address. The lack of an effective and robust cybersecurity framework can open these organizations to new vulnerabilities, and their exploitation could disrupt the provision of essential services to the public.<\/p>\n<p>Following the U.S. 
Presidential Executive Order (EO) 13636, \u201cImproving Critical Infrastructure Cybersecurity,\u201d the National Institute of Standards and Technology (NIST) developed the voluntary Cybersecurity Framework. This framework aims to reduce cyber risks that threaten critical infrastructure, including those systems operated by the transportation sector.<\/p>\n<h2 class=\"navy\">TSS Cybersecurity Framework Implementation Guidance<\/h2>\n<p>The <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/tss-cybersecurity-framework-implementation-guide-2016-508v2_0.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">Transportation Systems Sector Cybersecurity Framework Implementation Guidance<\/a> and its <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/tss-cybersecurity-framework-workbook-2016-508.xlsx\" rel=\"noopener noreferrer\">companion workbook<\/a> operate under the understanding that a \u201cone size fits all\u201d methodology for the implementation of the NIST Cybersecurity Framework is impractical. Acknowledging that reality, these documents provide an approach by which Transportation Systems Sector (TSS) owners and operators can apply the principles of NIST\u2019s Cybersecurity Framework to help reduce cyber risks. 
This approach consists of guidance, resource direction, and a directory of options that all assist a TSS organization in adopting the NIST Framework.<\/p>\n<p>Specifically, organizations may use the implementation guidance to perform the following security tasks:<\/p>\n<ul>\n<li>Characterize their current and target cybersecurity posture.<\/li>\n<li>Identify steps and practices for enhancing their existing cybersecurity risk management programs.<\/li>\n<li>Find existing tools, standards, and guides to support Framework implementation.<\/li>\n<li>Communicate their risk management issues to internal and external stakeholders.<\/li>\n<\/ul>\n<p>The implementation guidance identified above can be used by TSS organizations regardless of their current cybersecurity maturity level. For organizations that do not have a formal cybersecurity risk management program, the guidance can help them to comprehend, evaluate, and establish their cyber risk priorities. On the other hand, organizations that already have a formal cyber risk management program in place can leverage this guidance to review and evaluate existing programs, identify areas for improvement, and align their efforts to the Cybersecurity Framework.<\/p>\n<h2 class=\"navy\">Align TSS strategic goals with Cybersecurity Framework<\/h2>\n<p>The Transportation Systems Sector Cybersecurity Framework Implementation Guide serves as the foundation to align TSS strategic goals for improving the sector\u2019s cybersecurity posture with the NIST Cybersecurity Framework categories. 
The table below can help TSS organizations implement this alignment.<\/p>\n<div class=\"table-1\">\n<table width=\"100%\">\n<tbody>\n<tr>\n<td bgcolor=\"#002868\" width=\"325\"><span style=\"color: #fff;\"><strong>TSS Strategy Goals<\/strong><\/span><\/td>\n<td bgcolor=\"#002868\" width=\"325\"><span style=\"color: #fff;\"><strong>NIST Categories<\/strong><\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"325\"><strong>Goal 1:\u00a0 Define Conceptual Environment<\/strong><\/td>\n<td width=\"325\">Access Control<\/p>\n<p>Asset Management<\/p>\n<p>Information Protection Processes and Procedures<\/p>\n<p>Maintenance<\/p>\n<p>Response Planning<\/p>\n<p>Recovery Planning<\/p>\n<p>Risk Management Strategy<\/p>\n<p>Risk Assessment<\/td>\n<\/tr>\n<tr>\n<td width=\"325\"><strong>Goal 2: Improve and Expand Voluntary Participation<\/strong><\/td>\n<td width=\"325\">Communications<\/td>\n<\/tr>\n<tr>\n<td width=\"325\"><strong>Goal 3: Maintain Continuous Cybersecurity Awareness<\/strong><\/td>\n<td width=\"325\">Awareness and Training<\/p>\n<p>Improvements<\/p>\n<p>Protective Technology<\/td>\n<\/tr>\n<tr>\n<td width=\"325\"><strong>Goal 4: Enhance Intelligence and Security Information Sharing<\/strong><\/td>\n<td width=\"325\">Analysis<\/p>\n<p>Anomalies and Events<\/p>\n<p>Data Security<\/p>\n<p>Detection Processes<\/p>\n<p>Mitigation<\/p>\n<p>Security Continuous Monitoring<\/td>\n<\/tr>\n<tr>\n<td width=\"325\"><strong>Goal 5: Ensure Sustained Coordination and Strategic Implementation<\/strong><\/td>\n<td width=\"325\">Business Environment<\/p>\n<p>Governance<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>Table 1: Alignment of TSS Strategic Goals with NIST Cybersecurity Framework. Table courtesy of CISA.<\/em><\/p>\n<h2 class=\"navy\">Implementation Guidance<\/h2>\n<p>The main objective of the Implementation Guidance is to strengthen the organization\u2019s risk management program and to communicate the use of cybersecurity practices to internal and external stakeholders. 
The following diagram illustrates the three phases of implementing the TSS Guidance:<\/p>\n<p><img decoding=\"async\" class=\"size-full wp-image-1854 aligncenter\" src=\"http:\/\/72.52.228.46\/~itegriti\/wp-content\/uploads\/2020\/08\/Itegriti_Blog26_figure1.jpg\" alt=\"\" width=\"800\" height=\"456\" srcset=\"https:\/\/itegriti.com\/staging\/wp-content\/uploads\/2020\/08\/Itegriti_Blog26_figure1-200x114.jpg 200w, https:\/\/itegriti.com\/staging\/wp-content\/uploads\/2020\/08\/Itegriti_Blog26_figure1-400x228.jpg 400w, https:\/\/itegriti.com\/staging\/wp-content\/uploads\/2020\/08\/Itegriti_Blog26_figure1-600x342.jpg 600w, https:\/\/itegriti.com\/staging\/wp-content\/uploads\/2020\/08\/Itegriti_Blog26_figure1-768x438.jpg 768w, https:\/\/itegriti.com\/staging\/wp-content\/uploads\/2020\/08\/Itegriti_Blog26_figure1.jpg 800w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/p>\n<p><em>Figure 1: TSS Cybersecurity Framework Implementation Guidance Phases. Image courtesy of CISA.<\/em><\/p>\n<p><strong>Phase 1: Determine Risk Profile<\/strong><\/p>\n<p>Determining an organization\u2019s cyber-risk profile is the foundation of the TSS Implementation Guidance. The risk profile provides an assessment of the corporation&#8217;s acceptable risk, which drives the overall decision-making strategy. Organizations must begin by reviewing their internal context, or the cultural factors that influence how organizations manage risk as a means of achieving their business objectives. As part of this process, they must identify internal vulnerabilities (not necessarily software flaws) that could hamper their efforts to realize their objectives. This process will reveal countermeasures that will help the organization remain on track.<\/p>\n<p>At that point, it\u2019s up to an organization to prioritize their security initiatives. 
The best way to do that is by combining the results of the internal assessment with threat intelligence on cybersecurity trends and adversary tactics and techniques. To this point, TSS organizations could rely on the cybersecurity trends analysis performed by the <a href=\"https:\/\/www.dhs.gov\/xlibrary\/assets\/pso_cat_csc.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">Department of Homeland Security\u2019s Cybersecurity and Communications (CS&amp;C) team<\/a>.<\/p>\n<p>Upon completion of this phase, an organization will have a much clearer picture of its risk profile and where opportunities for improvement reside. To determine the existing security posture, the TSS organization will need to use the implementation workbook according to the instructions contained in the Guidance.<\/p>\n<p><strong>Phase 2: Establish Priorities<\/strong><\/p>\n<p>Upon determining the organizational risk profile, the organization is ready to highlight the opportunities for further improvement. It also understands how to prioritize the available solutions to reduce its overall risk. When developing a strategy to implement solutions, the organization should consider personnel and financial resource allocation.<\/p>\n<p>The Guidance offers some considerations for prioritizing solutions. For example, organizations should give the utmost priority to those vulnerabilities with the highest probability of affecting the business. Next, they should place greater emphasis on issues with a higher probability of affecting critical business functions. Conversely, they need not focus as much time and resources on low-risk issues.<\/p>\n<p><strong>Phase 3: Implement Solutions<\/strong><\/p>\n<p>The guidance does not provide any recommendations on which solutions organizations should incorporate into their environments nor on how they can implement them. This leaves TSS organizations free to choose the tools that fit their needs. 
However, organizations should consider reviewing cybersecurity best practices, such as those discussed in NIST SP 800-53, NIST SP 800-82 and CIS Controls, to ensure that whatever security controls they adopt will have the greatest impact on reducing an organization\u2019s risk profile.<\/p>\n<h2 class=\"navy\">How ITEGRITI Helps<\/h2>\n<p>Cybersecurity risk is real. The question is how well you are mitigating business-critical risks. Cybersecurity programs for all sectors, including the transportation sector, should be based on a strategy established through risk assessments and informed by security and vulnerability assessments. <a href=\"http:\/\/72.52.228.46\/~itegriti\">ITEGRITI<\/a> can be your trusted security consultant. It\u2019s time to upgrade your consultant!<\/p>\n<\/div>\n<p>[\/fusion_text][\/fusion_builder_column][\/fusion_builder_row][\/fusion_builder_container]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Intelligent or smart public transportation and shipping systems require more and more data to function efficiently and effectively. 
Governments and companies alike need to take measures to safeguard the cybersecurity and privacy of these systems.<\/p>\n","protected":false},"author":10,"featured_media":1859,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[1941],"_links":{"self":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/1840"}],"collection":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/comments?post=1840"}],"version-history":[{"count":31,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/1840\/revisions"}],"predecessor-version":[{"id":1979,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/1840\/revisions\/1979"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/media\/1859"}],"wp:attachment":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/media?parent=1840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/categories?post=1840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/tags?post=1840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}