Office of Operations
21st Century Operations Using 21st Century Technologies

Transportation Management Center Information Technology Security

Chapter 10. Short- and Long-Term Strategies for Addressing Issues/Gaps

Traffic Management Center (TMC) operators manage a large volume of largely real-time data, and data losses have significant consequences for their organization as well as for others that rely on them. As part of the country's critical infrastructure, TMCs need to assess and classify the criticality of the different datasets collected or generated within the TMC, as noted previously, as a key step in determining measures for data loss prevention. Additionally, TMC Operational Technology (OT) staff manage the configurations of networked field appliances, which presents challenges similar to those faced in the industrial control systems (e.g., Supervisory Control and Data Acquisition (SCADA)) industry. Networked OT equipment (e.g., sensors, signal controllers, message sign controllers) does not follow upgrade cycles at the same frequency as the Information Technology (IT) industry, so mitigating its risks in a TMC requires a different level of care than a traditional business data center. TMCs are also exposed to insider risk: operators may be subject to social engineering attacks, practice poor cyber-hygiene, or face no limitations on the data and controls they can access. This is one of the reasons many organizations established approved message libraries for dynamic message signs, to prevent rogue messages being posted by disgruntled operators or by attackers who gain access to the system.

When facing a large challenge it can be daunting to know which part to tackle first. Fortunately, the Center for Internet Security (CIS) Controls are segmented into Basic, Foundational, and Organizational controls of increasing complexity and sophistication. Similarly, the sub-controls are organized into Implementation Groups (IG1, IG2, and IG3) that prioritize them for organizations of increasing size and sophistication. Based on observations from industry data and results from the questionnaires, in the short term TMC operators should focus on implementing all of the Basic CIS Controls, along with the Foundational Controls that address the greatest risks to their organization as determined by risk analysis.

It is recommended that agencies conduct a self-assessment, if one has not already been performed, to provide guidance on which Foundational and Organizational controls are most critical to the organization. With that information in hand, the organization can use the priorities within the CIS sub-controls to focus on the outcomes for its Implementation Group in the areas of highest risk.

The Department of Homeland Security (DHS) has developed the Cyber Resilience Review (CRR), a self-assessment tool available to State, Local, and Tribal governments, whose results are mapped to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It measures the organization's performance in 10 categories (domains) based on responses to a series of questions within each category.28 A list of these categories is provided below, connected to the associated CIS Controls for context. This assessment may be conducted as a self-assessment, or as an on-site assessment facilitated by DHS if preferred.

  1. Asset Management:
    • CIS Control 1: Inventory and Control of Hardware Assets.
    • CIS Control 2: Inventory and Control of Software Assets.
    • CIS Control 4: Controlled Use of Administrative Privileges.
    • CIS Control 9: Limitation and Control of Network Ports, Protocols and Services.
    • CIS Control 12: Boundary Defense.
    • CIS Control 13: Data Protection.
  2. Controls Management:
    • CIS Control 4: Controlled Use of Administrative Privileges.
    • CIS Control 9: Limitation and Control of Network Ports, Protocols and Services.
    • CIS Control 14: Controlled Access Based on the Need to Know.
    • CIS Control 15: Wireless Access Control.
    • CIS Control 16: Account Monitoring and Control.
  3. Configuration and Change Management:
    • CIS Control 4: Controlled Use of Administrative Privileges.
    • CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers.
    • CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs.
    • CIS Control 10: Data Recovery Capabilities.
    • CIS Control 13: Data Protection.
    • CIS Control 14: Controlled Access Based on the Need to Know.
  4. Vulnerability Management:
    • CIS Control 3: Continuous Vulnerability Management.
    • CIS Control 20: Penetration Tests and Red Team Exercises.
  5. Incident Management:
    • CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs.
    • CIS Control 19: Incident Response and Management.
  6. Service Continuity Management:
    • CIS Control 19: Incident Response and Management.
  7. Risk Management:
    • CIS Control 3: Continuous Vulnerability Management.
    • CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs.
    • CIS Control 7: Email and Web Browser Protections.
    • CIS Control 8: Malware Defenses.
    • CIS Control 9: Limitation and Control of Network Ports, Protocols and Services.
    • CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches.
    • CIS Control 12: Boundary Defense.
    • CIS Control 14: Controlled Access Based on the Need to Know.
    • CIS Control 16: Account Monitoring and Control.
    • CIS Control 18: Application Software Security.
    • CIS Control 20: Penetration Tests and Red Team Exercises.
  8. External Dependencies Management:
    • CIS Control 3: Continuous Vulnerability Management.
    • CIS Control 4: Controlled Use of Administrative Privileges.
    • CIS Control 14: Controlled Access Based on the Need to Know.
    • CIS Control 16: Account Monitoring and Control.
  9. Training and Awareness:
    • CIS Control 17: Implementing a Security Awareness and Training Program.
  10. Situational Awareness:
    • CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs.
    • CIS Control 17: Implementing a Security Awareness and Training Program.

Within the Self-Assessment, agencies indicate whether recommended practices within each of the above categories are not performed, incompletely performed, or performed.

Upon completion of the assessment, a report is generated summarizing the responses given. Based on the responses to each question, scores are provided for individual Practices, Goals, and Domains.

  • A Practice is associated with each question.
  • Goals are comprised of multiple associated Practices.
  • Each category listed above is associated with a Domain, which is comprised of multiple associated Goals.

A Goal is achieved only if every Practice within it is indicated as performed; a Practice answered as incompletely performed does not count. A Domain is achieved if all of its Goals are achieved, and the agency is then assigned a Maturity Indicator Level for the Domain (MIL1 through MIL5, corresponding to 1-Performed, 2-Planned, 3-Managed, 4-Measured, and 5-Defined, further defined in the appendix) based on the answers to the questions associated with its Practices. For example, if all MIL1 Goals are achieved, the agency achieves a Domain maturity level of MIL1. If the additional maturity Goals at higher levels are also achieved, the agency receives a higher maturity rating, indicating a higher level of performance for that Domain. If the agency does not achieve every Goal within a Domain, it is assigned a maturity level of MIL0 (Incomplete) for that Domain. A sample response and the associated report results for Domain 9, Training and Awareness, can be found in the appendix.

Every organization should at the very least achieve MIL1 in the short term. Ultimately, agencies should strive to increase their maturity toward MIL5 for the areas identified in their risk management plan. The self-assessment serves both as a report card of where the agency stands and as a means to develop an action plan for the areas of lower maturity.
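The scoring rule described above, as an added worked example (not code from the DHS CRR package or from this report): a small Python scorer that takes the practice answers for one Domain, returns its MIL, and lists the practices that block the next level, which is the input an action plan needs. It assumes that MIL levels are cumulative (MIL3 requires the MIL1 and MIL2 Goals as well) and that a Goal is achieved only when every Practice in it is answered "performed"; the goal and practice identifiers in the sample data are constructed placeholders, not the CRR's actual question text.

```python
"""Score a CRR-style Domain from practice answers.

Added illustration; not code from the DHS CRR package. Assumptions, labeled here
and in the lead-in: MIL levels are cumulative (MIL3 requires the MIL1 and MIL2
goals as well), a Goal counts as achieved only when every Practice in it is
answered "performed", and the practice/goal identifiers in the sample data
are constructed placeholders rather than the CRR's actual question text.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

MIL_NAMES = {0: "Incomplete", 1: "Performed", 2: "Planned",
             3: "Managed", 4: "Measured", 5: "Defined"}


class Answer(Enum):
    PERFORMED = "performed"
    INCOMPLETE = "incompletely performed"
    NOT_PERFORMED = "not performed"


@dataclass
class Goal:
    name: str
    practices: dict[str, Answer]   # practice id -> answer

    def achieved(self) -> bool:
        # An empty goal cannot be claimed; "incomplete" is not "performed".
        return bool(self.practices) and all(
            a is Answer.PERFORMED for a in self.practices.values())

    def open_practices(self) -> list[str]:
        return [p for p, a in self.practices.items() if a is not Answer.PERFORMED]


@dataclass
class Domain:
    name: str
    goals_by_mil: dict[int, list[Goal]]  # 1 -> base goals, 2..5 -> maturity goals


def level_achieved(domain: Domain, level: int) -> bool:
    goals = domain.goals_by_mil.get(level, [])
    return bool(goals) and all(g.achieved() for g in goals)


def domain_mil(domain: Domain) -> int:
    """Highest MIL whose goals, and those of every lower level, are all achieved."""
    mil = 0
    for level in range(1, 6):
        if not level_achieved(domain, level):
            break  # assumption: levels are cumulative, so stop at the first miss
        mil = level
    return mil


def next_level_gaps(domain: Domain) -> list[tuple[int, str, str]]:
    """Practices blocking the next MIL as (level, goal, practice), for the action plan."""
    target = domain_mil(domain) + 1
    if target > 5:
        return []
    return [(target, g.name, p)
            for g in domain.goals_by_mil.get(target, [])
            for p in g.open_practices()]


# Constructed sample answers for Domain 9 (Training and Awareness); the
# identifiers are placeholders, not CRR question text.
Y, I, N = Answer.PERFORMED, Answer.INCOMPLETE, Answer.NOT_PERFORMED
TRAINING_AND_AWARENESS = Domain("Training and Awareness", {
    1: [Goal("TA-G1 awareness program established", {"TA-G1-P1": Y, "TA-G1-P2": Y}),
        Goal("TA-G2 training conducted", {"TA-G2-P1": Y, "TA-G2-P2": Y, "TA-G2-P3": Y})],
    2: [Goal("TA-MIL2 planned", {"TA-M2-P1 policy": Y, "TA-M2-P2 plan": Y, "TA-M2-P3 resources": Y})],
    3: [Goal("TA-MIL3 managed", {"TA-M3-P1 oversight": Y, "TA-M3-P2 staff trained": I})],
    4: [Goal("TA-MIL4 measured", {"TA-M4-P1 metrics collected": N})],
    5: [Goal("TA-MIL5 defined", {"TA-M5-P1 standard process": N})],
})


def report(domain: Domain) -> str:
    """Report-card line for the Domain plus the practices to close for the next MIL."""
    mil = domain_mil(domain)
    lines = [f"{domain.name}: MIL{mil} ({MIL_NAMES[mil]})"]
    lines += [f"  to reach MIL{lvl}: {goal} / {practice}"
              for lvl, goal, practice in next_level_gaps(domain)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(TRAINING_AND_AWARENESS))
```

The point the scorer makes explicit is that a single "incompletely performed" Practice in a MIL1 Goal drops the whole Domain to MIL0 no matter how many higher-level Goals are met, so the short-term action plan should close MIL1 gaps before investing in planning and measurement practices.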

The report then shows how the assessment results connect to the NIST Cybersecurity Framework, along with options to consider for achieving the Goals the agency is not currently performing and references to the associated NIST sections for additional guidance. TMCs can then focus on the CIS Controls associated with each of the Domain categories identified above. Implementation Groups 2 and 3 will inherently have more areas to focus on than Implementation Group 1.

In the long term, TMCs are encouraged to adopt the remaining Foundational Controls and incorporate the Organizational Controls to document and memorialize procedures as the agency's capability matures toward MIL5. Furthermore, to provide continuous vulnerability assessment and protection, process improvement and refinement will need to continue and adapt as the industry evolves.

28Department of Homeland Security (DHS), "Cyber Resilience Review (CRR): Self-Assessment Package," 2016. Retrieved from: https://www.us-cert.gov/ccubedvp/assessments.