Transportation Management Center Information Technology Security
Chapter 11. Conclusions and Next Steps
Throughout these guidelines, cybersecurity issues that are unique to the Traffic Management Centers (TMC) Information Technology (IT) environment have been discussed, along with resources to assist with establishing a programmatic system to mitigate identified risks particular to an agency's TMC IT environment. The Center for Internet Security (CIS) Top 20 Controls have been covered as the most relevant framework for the operations environment in TMCs. Cybersecurity is not a one-and-done issue; it requires programmatic involvement on a recurring basis.
Some agencies will already have a jump start on cybersecurity issues, while others may be closer to starting from scratch when reading these guidelines. If an agency is starting from scratch, a Risk Analysis is recommended as the first step towards establishing a cybersecurity program for the TMC. As noted in chapter 10, there are resources available online, such as the Department of Homeland Security's (DHS) self-assessment Cybersecurity Resilience Review (CRR) tool.
With an understanding of the risks that the TMC environment is exposed to, agencies can then focus on implementing CIS Controls to establish and maintain a program for continuing to improve the resiliency of the TMC IT environment. The initial focus of the CIS Controls should be to address the risks that pose the most immediate concerns based on the risk analysis. For organizations that have already started embracing the National Institute of Standards and Technology (NIST) Framework and are comfortable using that guidance, the CIS Controls documented in these guidelines, along with the cross-mapping tools by CIS, can be helpful to gauge how mature the organization is with respect to cybersecurity risk management for basic, foundational, and organizational aspects.
In conjunction with addressing immediate risks from the Risk Analysis, TMC agencies will benefit from developing a Risk Management Plan, as noted in chapter 9, to determine courses of action to mitigate and systematically manage those risks.
Part of increasing the cybersecurity maturity of an agency involves incrementally building a more robust process/program for resiliency by developing a Resiliency Plan to harden systems and facilities to improve the ability to recover from an attack or breach.
TMC operations staff are encouraged to collaborate on the risk analysis with IT staff to establish a program that addresses both perspectives for operations functionality while mitigating risks. Developing a cooperative panel composed of both perspectives has been noted to be beneficial for organizations, especially in advance of incident response when power struggles have been identified as more likely to occur, which then slows the recovery process. The cooperative panel of Operations Technology (OT) and IT staff should lead the charge on routinely testing and improving the program to address existing and newly identified risks. The panel is encouraged to participate in/with peer groups (i.e., Information Sharing and Analysis Centers (ISAC) as noted in chapter 9) to share and learn from identified threats/risks within the TMC community to allow all TMC operators to learn and benefit from the greater body of knowledge.
United States Department of Transportation - Federal Highway Administration