Office of Operations
21st Century Operations Using 21st Century Technologies

Transportation Management Center Information Technology Security

U.S. Department of Transportation
Federal Highway Administration
Office of Operations
1200 New Jersey Avenue, SE
Washington, DC 20590
www.ops.fhwa.dot.gov

FHWA-HOP-19-059

September 2019


Table of Contents

Executive Summary

Chapter 1. Introduction

Chapter 2. Critical Traffic Management Centers Elements

Size and Staffing

Responsibilities

Device and Network Management

Chapter 3. Best Practices for Traffic Management Centers Information Technology Security

Best Practices Discussion

Gaps/Areas of Improvement

The Role of Construction/Procurement Methods in Traffic Management Center Information Technology Security

Chapter 4. Technical Guidelines and Recommended Practices

Chapter 5. Guidelines for Controlling Hardware with Access to the Network

Chapter 6. Guidelines for Controlling Software Used within the Network

Cloud Hosting

Chapter 7. Guidelines for Controlling Network Connectivity

Chapter 8. Guidelines for Controlling Staffing/Training-Related Attributes (Insider Vulnerabilities)

Organization-Related Attributes

Training/Education

Chapter 9. Guidelines for Resiliency/Data Protection and Recovery

Interagency Information Sharing and Collaboration

Chapter 10. Short- and Long-Term Strategies for Addressing Issues/Gaps

Chapter 11. Conclusions and Next Steps

Appendix A. Sample CyberSecurity Resilience Review Self‑Assessment

Maturity Indicator Levels Defined

Assessment

Results

Appendix B. Center for Internet Security Controls to the National Institute of Standards and Technology Mapping

Inventory and Control of Hardware Assets

Inventory and Control of Software Assets

Continuous Vulnerability Management

Controlled Use of Administrative Privileges

Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Maintenance, Monitoring, and Analysis of Audit Logs

Email and Web Browser Protections

Malware Defenses

Limitation and Control of Network Ports, Protocols, and Services

Data Recovery Capabilities

Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

Boundary Defense

Data Protection

Controlled Access Based on the Need to Know

Wireless Access Control

Account Monitoring and Control

Implement a Security Awareness and Training Program

Application Software Security

Incident Response and Management

Penetration Tests and Red Team Exercises

Appendix C. References

List of Figures

Figure 1. Chart. Center for Internet Security top 20 critical security controls version 7.1.

Figure 2. Chart. Relationship between Center for Internet Security Controls and Traffic Management Center roles.

Figure 3. Flowchart. National Intelligent Transportation System architecture physical view.

Figure 4. Chart. Center for Internet Security top 20 critical security controls version 7.1.

Figure 5. Flowchart. The National Institute of Standards and Technology risk management framework.

Figure 6. Chart. Relationship between Center for Internet Security Controls and Traffic Management Center roles.

Figure 7. Screenshot. Center for Internet Security controls mapping to the National Institute of Standards and Technology security functions and the National Institute of Standards and Technology cybersecurity framework.

Figure 8. Infographic. Center for Internet Security implementation groups.

Figure 9. Flowchart. Cloud consumers' view of the Risk Management Framework applied to a cloud ecosystem.

Figure 10. Flowchart. The National Institute of Standards and Technology 800-37 risk management approach.

Figure 11. Flowchart. Cyber resiliency engineering framework.

List of Tables

Table 1. List of industrial control systems-related training.

Table 2. Center for Internet Security control 1.

Table 3. Center for Internet Security control 2.

Table 4. Center for Internet Security control 3.

Table 5. Center for Internet Security control 4.

Table 6. Center for Internet Security control 5.

Table 7. Center for Internet Security control 6.

Table 8. Center for Internet Security control 7.

Table 9. Center for Internet Security control 8.

Table 10. Center for Internet Security control 9.

Table 11. Center for Internet Security control 10.

Table 12. Center for Internet Security control 11.

Table 13. Center for Internet Security control 12.

Table 14. Center for Internet Security control 13.

Table 15. Center for Internet Security control 14.

Table 16. Center for Internet Security control 15.

Table 17. Center for Internet Security control 16.

Table 18. Center for Internet Security control 17.

Table 19. Center for Internet Security control 18.

Table 20. Center for Internet Security control 19.

Table 21. Center for Internet Security control 20.
