Transportation Management Center Information Technology Security

Chapter 1. Introduction

Cybersecurity is a growing concern worldwide. Over the past several years, much focus has been placed on critical infrastructure providers and their ability to implement cybersecurity in order to continue providing critical services. The Department of Homeland Security considers the Transportation Systems Sector to be 1 of 16 critical infrastructure sectors whose "assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.¹" The cybersecurity threat landscape is constantly evolving and new vulnerabilities are discovered every day. Connectivity between different networks, organizations and devices, through the Internet of Things (IoT), further increase exposure to these vulnerabilities.

In particular, Traffic Management Centers (TMC) and Intelligent Transportation Systems (ITS) infrastructure leverage modern communications systems to support transportation management and operations. As a result, TMCs and ITS devices no longer function as closed systems, thus increasing the risk of exposure to cyber threats to these transportation facilities and infrastructure. Today's TMCs are often not only automated but also highly integrated. Information Technology (IT) security for TMCs is further complicated by a variety of stakeholders with diverse skillsets and goals, including manufacturers and vendors of system hardware, software and control units; contractors and integrators; and IT specialists with an increasing variety of specialties (e.g., fiber optics, wireless communications, database experts, software integrators, etc.). Thus, it is necessary to research potential IT security threats and solutions for TMCs, and to develop technical guidelines with recommended strategies and actions that agencies should follow to protect those systems and properly respond to the threats.

TMCs can benefit from the practices, experience and lessons learned from IT and other industries that have a wealth of knowledge and experience in mitigating and responding to IT security attacks.

The material within this report has been developed based on best practices within the industry that correspond to what TMCs face on a routine basis, pushing for improvements where necessary, and with a primary focus on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security (CIS) Top 20 Controls version 7.1. Through this report, TMCs will gain insight into basic practices that all TMCs should adopt as a starting point or baseline for organizations with limited resources and cybersecurity expertise, as well as guidelines for TMCs looking to increase their system maturity.