Guidelines for State Transportation Agency Chief Executive Officers on Cybersecurity Issues and Protection Strategies

State transportation agencies, like other complex public and private organizations, increasingly rely on information technology (IT) systems and operational technology (OT) assets to fulfill their public mission. In addition to the use of IT for administrative functions, the real-time use of technology to operate and manage transportation facilities and services presents particularly acute challenges. Recent cyber incidents within public agencies highlighted the challenges transportation agencies face with such threats. Significant emphasis has been given to the protection of IT systems against such threats but less is devoted to the risks to OT and equipment and protecting transportation business operations. State transportation agency leadership need more information to explain how the agencies can prevent such incidents, what to do when they occur, and how to recover. This research focuses on state transportation agencies’ unique cybersecurity challenges, in particular OT, and provides direction on cyber-incident management. This research shall (1) identify what executives and senior managers at state transportation agencies need to know about managing the confluence of transportation OT and IT cybersecurity risks, (2) classify transportation functions, services, and assets that may be targets of cyberattacks and cyber incidents, and (3) develop an easy-to-use guide for state transportation agency executives and senior managers that will help assess, classify, and respond to transportation systems cybersecurity risks. Task 1. Identify and summarize the state-of-practice in state transportation agencies’ cybersecurity initiatives, with an emphasis on OT. Include barriers, needs, opportunities, lessons learned, and successful practices. Task 2. Conduct a review of relevant cybersecurity literature to update the existing body of knowledge. Consideration should be given to successful practices in other industries that may be transferrable to state transportation agencies. Task 3. Identify a small group of transportation technology and cybersecurity subject matter experts to help inform development of a transportation asset classification framework for cyber risks. Task 4. Prepare an interim report. Task 5. Develop a high-level framework to assess cyber risk; identify strategies for preparing for, preventing and managing cyber incidents; and link transportation asset classification with cyber risk. Consideration should be given, but not limited to, the following questions or concepts. Task 6. Prepare draft final deliverables covering all topics to meet the research objective(s). 

Language

  • English

Project

  • Status: Active
  • Funding: $350000
  • Contract Numbers:

    Project 23-03

  • Sponsor Organizations:

    National Cooperative Highway Research Program

    Transportation Research Board
    500 Fifth Street, NW
    Washington, DC  United States  20001

    Federal Highway Administration

    1200 New Jersey Avenue, SE
    Washington, DC  United States  20590

    American Association of State Highway and Transportation Officials (AASHTO)

    444 North Capitol Street, NW
    Washington, DC  United States  20001
  • Project Managers:

    Crichton-Sumners, Camille

  • Performing Organizations:

    Southwest Research Institute

    6220 Culebra Road, P.O. Drawer 28510
    San Antonio, TX  United States  78228-0510
  • Principal Investigators:

    Ramon, Marisa

  • Start Date: 20200601
  • Expected Completion Date: 20220531
  • Actual Completion Date: 0

Subject/Index Terms

Filing Info

  • Accession Number: 01707534
  • Record Type: Research project
  • Source Agency: Transportation Research Board
  • Contract Numbers: Project 23-03
  • Files: TRB, RiP
  • Created Date: Jun 3 2019 3:17PM