Office of Operations
21st Century Operations Using 21st Century Technologies

Transportation Management Center Information Technology Security

Chapter 3. Best Practices for Traffic Management Centers Information Technology Security

Best Practices Discussion

While synthesizing the available resources on Intelligent Transportation Systems (ITS) cybersecurity, sources from the Department of Homeland Security (DHS), the Center for Internet Security (CIS), and the National Institute of Standards and Technology (NIST) were considered for their relevance to Traffic Management Centers (TMC). Several agencies acknowledged and referenced the use of the NIST Cybersecurity Framework, while others used other agency directives to guide their control strategies. As a result of evaluating these different standards, some common themes were identified, including:

  • Risk-management approaches should be applied to control center cybersecurity.
  • Network segmentation should be maintained between "business" infrastructure (i.e., payroll/accounting systems, human resources, email, and other systems used to manage the business environment of the agency) and industrial control infrastructure. Segmentation can be achieved logically (e.g., Virtual Local Area Networks (VLAN)) or physically (e.g., firewalled or even air-gapped networks), but logical separation is not as secure as physical separation.
  • Established partnerships with other TMCs, transportation departments and Federal support organizations can serve as a critical support network.
  • The deployment of Internet-connected technologies and standard communication protocols within industrial control environments is increasing risk exposure for TMCs.
  • Increased collaboration between IT and Operations Technology (OT) staff is needed.

From the analysis, it was determined that the NIST Cybersecurity and Risk Management Frameworks were more abstract and strategic in nature, while the CIS Top 20 Controls provide more technically detailed guidelines of immediate benefit to TMC operators. Thus, using the CIS Top 20 Controls to baseline security measures has an immediate impact on the control of hardware, software and networks in the TMC, while the NIST frameworks can supplement them with strategic visioning for Risk Management Plans and Resiliency Plans. The purpose of this report is not to replicate the guidelines in these frameworks, but rather to highlight the guidelines most relevant to TMC IT cybersecurity.

Risk management begins with awareness of the vulnerabilities the TMC is exposed to, based on the characteristics of the staffing (employees and contract staff), the types of devices and how they are connected to the network, and the software used throughout to control and manage operations. Cybersecurity self-assessments for the organization also are discussed as a prioritization strategy in chapter 5.

Implementing CIS Top 20 building blocks for Internet security provides a layered approach to addressing all areas of risk exposure. The CIS Controls are separated into Basic, Foundational, and Organizational levels of IT security management. A complete list of the controls for IT security is provided in figure 4 below. Controls that can be applied to TMC IT/OT security will be discussed in further detail in subsequent chapters.

Figure 4 is a chart showing the top 20 critical security controls from the Center for Internet Security.
Figure 4. Chart. Center for Internet Security top 20 critical security controls version 7.1.
(Source: CIS Controls Version 7.1.)

The National Institute of Standards and Technology Risk Management Framework

As a primer to establishing the TMC IT Security guidelines in this report, it is worth a quick review of the NIST Risk Management Framework for conducting cybersecurity risk management. This framework provides a set of six (6) steps for managing risk, which are shown within the inner circle of the figure below. The figure from NIST SP 800-37 illustrates the risk management process in context with other Federal Information Processing Standards (FIPS) and other Special Publication (SP) references.[4]

Figure 5 is a flowchart of concentric circles.
Figure 5. Flowchart. The National Institute of Standards and Technology risk management framework.
(Source: NIST SP 800-37 Risk Management Framework.)

As this is the most well-documented risk management methodology proposed by the Federal Government, it is directly applicable to any TMCs that choose to pursue a risk management-based cybersecurity strategy.

Some agencies, particularly those with connections to the Federal sector, also will need to stay apprised of NIST 800-53 (for Federal information systems/organizations) and FedRAMP (for cloud hosting).[5] While this document focuses on broader guidelines for TMCs, some organizations may find the NIST documentation helpful in evaluating, selecting and specifying information systems or controls for subsystems within the TMC environment. Two relevant NIST documents will be useful for supplementing CIS Top 20 in chapters 8 and 9 for administrative policies and resiliency plan development:

  • NIST 800-53 Security and Privacy Controls for Federal Information Systems and Organizations.
  • NIST 800-82 Guide to Industrial Control Systems (ICS) Security.[6]

Additionally, while most TMCs do not process billing information for credit cards associated with tolling or fare collection systems, it should be noted that agencies having this responsibility also are obligated to comply with Payment Card Industry Data Security Standards (PCI DSS) for processing back-office toll payments and other credit card financial transactions. The goals of PCI DSS are compatible with the NIST Cybersecurity Framework and CIS Top 20, and are built to maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.

Best Practices Scan of Traffic Management Center Operators

This section summarizes noteworthy practices identified by agencies responding to the questionnaire and in existing reference literature, and correlates them to the CIS Top 20 controls. During a scan of several TMC operators of varying sizes across the country, the following cybersecurity practices were found to be currently employed by one or more organizations:

  1. Using active and/or passive scanning tools to identify all devices attached to the network on a routine basis (relevant to CIS Control 1). Manual documentation of devices on the network can quickly become outdated. Using industry-available tools to expedite the initial process, and to allow for continued monitoring and updates, is worthwhile in a dynamic environment such as a TMC.
  2. Vendor-supported software residing on a demilitarized zone (DMZ) section of the network, so that remote support by Secure Sockets Layer (SSL) Virtual Private Network (VPN) access is only granted to the DMZ and not to the enterprise/business network (relevant to CIS Control 2). Some applications often require communications with field devices and other subsystems, but generally do not require direct access to the enterprise environment. Restricting access by remote vendors limits risk exposure and the potential attack surface on the most critical infrastructure/systems.
  3. Using Access Control Lists (ACL) or equivalent network access techniques to limit outside access to specific machines or services, so that access is granted only to the devices/networks that need them (relevant to CIS Control 14), or essentially managing the users/devices with a "need to know." This also is a relevant method for managing insider vulnerabilities, particularly for limiting the range of systems available through remote access configurations.
  4. Requiring background checks for personnel that require access to control rooms, particularly with direct administrative/privileged access to software, systems, and data centers (relevant to CIS Control 14). When coupled with enforcing detailed logging of changes to configurations and data, this practice provides a solid basis for data protection and assistance for managing insider vulnerabilities (relevant to CIS Control 13).
  5. Leveraging existing security policies governing the entire agency, not just the TMC. In the past, many TMCs operated as an island from all other enterprise network platforms. However, today it is critical to be interconnected with the multitude of data systems internal and external to an agency. Some larger TMCs are nearly self-autonomous from a policy-making standpoint, but a number of those surveyed indicated some level of existing IT policy governing the entire agency, not just the TMC. This is an organizational arrangement that broadly relates to CIS Controls 17 through 20. TMCs may be independently in control of their respective subsystems but should recognize the importance of embracing/incorporating existing policy frameworks for the broader organization while addressing the gaps that are specific/unique to the TMC environment.
  6. Updating cybersecurity policies at least once a year to fix anomalies in the procedures based on current trends (relevant to CIS Control 17 and 19). Policies should be evaluated annually or when an incident occurs and should be reviewed against updates to NIST guidelines and relevant policies that the agency is using. During these timeframes, agencies also should assess their achievements with respect to all CIS Controls identified in their respective Risk Management Plan.
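
Practices 2 and 3 can be checked mechanically. The following is an added example, not taken from the report or any agency's tooling: it audits a first-match rule set for permits that let the vendor VPN pool reach anything outside the DMZ. The address ranges, rule format and rule set are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption, not from the report).
VENDOR_VPN = ipaddress.ip_network("10.99.0.0/24")  # SSL VPN pool for vendors
DMZ = ipaddress.ip_network("172.16.10.0/24")       # vendor-supported software
ENTERPRISE = ipaddress.ip_network("10.1.0.0/16")   # business network

# Constructed rules: (action, source, destination, port or None for any).
# Evaluated top-down, first match wins.
RULES = [
    ("permit", "10.99.0.0/24", "172.16.10.0/24", 443),
    ("permit", "10.99.0.0/25", "10.1.20.0/24", 3389),  # leftover support rule
    ("deny", "10.99.0.0/24", "0.0.0.0/0", None),
    ("permit", "10.0.0.0/8", "10.1.0.0/16", None),     # broad internal rule
]

def vendor_slice(src):
    """Part of src inside the vendor pool (CIDR blocks nest or are disjoint)."""
    if not src.overlaps(VENDOR_VPN):
        return None
    return src if src.subnet_of(VENDOR_VPN) else VENDOR_VPN

def covers(rule, src, dst, port):
    """True if rule matches every packet from src to dst on port."""
    _, r_src, r_dst, r_port = rule
    return (src.subnet_of(ipaddress.ip_network(r_src))
            and dst.subnet_of(ipaddress.ip_network(r_dst))
            and (r_port is None or r_port == port))

def audit(rules):
    """Return permits that give vendor addresses a path outside the DMZ."""
    findings = []
    for i, (action, src, dst, port) in enumerate(rules):
        if action != "permit":
            continue
        v_src = vendor_slice(ipaddress.ip_network(src))
        d = ipaddress.ip_network(dst)
        if v_src is None or d.subnet_of(DMZ):
            continue  # not vendor traffic, or confined to the DMZ
        # An earlier deny that fully covers this traffic makes the permit moot.
        if any(r[0] == "deny" and covers(r, v_src, d, port) for r in rules[:i]):
            continue
        findings.append((i, str(v_src), dst, port, d.overlaps(ENTERPRISE)))
    return findings

if __name__ == "__main__":
    for idx, src, dst, port, hits_enterprise in audit(RULES):
        print(f"rule {idx}: {src} -> {dst} port {port} enterprise={hits_enterprise}")
```

The broad internal permit is not reported for the sample rule set because the vendor deny above it is evaluated first; reordering those two rules turns it into a finding.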

Gaps/Areas of Improvement

More so than trends, the review of several TMC operators during the survey process indicated notable areas in need of improvement within the industry. The following areas of concern have been identified, along with the importance of each, though they are not necessarily widespread issues for all organizations:

  1. Network port security solutions and the use of certificates to authenticate devices are not widely adopted (relevant to CIS Control 1).
  2. There does not appear to be widespread adoption of software/application whitelisting among TMC operators (relevant to CIS Control 2). This is a technique used to only allow software applications that are acknowledged/approved to be run on the network.
  3. The majority of TMC organizations have not performed a skills gap analysis to understand the skills and behaviors of their workforce (relevant to CIS Control 17).
  4. The importance of patch management is not widely acknowledged (relevant to CIS Control 3).
  5. Multi-factor authentication is still lacking across many TMC systems (relevant to CIS Control 4 and 16). Weak password practices are a key factor in unauthorized user access, much of which can be mitigated through secondary authentication methods.
  6. TMCs need to implement routine incident response exercises (relevant to CIS Control 19). Without going through an example breach, it is difficult to appreciate what will happen when one is encountered, and whether the existing policies are there to address it.
  7. There is an identified shortage of dedicated versus consolidated IT staff for TMCs (relevant to CIS Control 17). Partnering with the broader organization to resolve hiring and/or training needs is a critical piece to overcoming this gap. Partnering between OT and IT should be encouraged to increase awareness of the challenges that both ends face with respect to balancing security with ease of operational functionality.

The Role of Construction/Procurement Methods in Traffic Management Center Information Technology Security

Transportation agencies are subject to public procurement guidelines and are accustomed to designing projects and putting them out to bid. However, the TMC environment and the IT portion of that environment have increasingly become classified as sensitive or critical infrastructure information to be guarded from the public domain. Agencies should have policies and guidelines in place for determining what aspects of their construction plans qualify as sensitive information and manage the procurement accordingly. For instance, some agencies establish on-call contracts with vetted contractors that also have executed non-disclosure agreements, and only issue work orders for upgrades to the network or the facility to prevent sensitive information entering the public domain. Others will issue a two-step Invitation for Bid (IFB) to pre-qualify potential contractors before releasing copies of the plans to them. These are examples of the use of procurement methods to mitigate the risks associated with exposing a TMC's critical infrastructure information in the public domain.

When configuration of network devices is relegated to installation contractors, the settings should be verified to ensure adherence to the TMC network configuration policies identified with CIS Controls. When possible, TMC IT staff should provide configuration files and prevent alterations of those configurations instead of leaving it to the contractors to maintain control of the hardware, software, and network assets in the TMC.
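
One way to carry out that verification, as an added example rather than a procedure from the report: compare the configuration read back from an installed device against the file TMC IT staff issued, ignoring comment lines. The IOS-style sample configurations, host name and account name are constructed.

```python
import difflib
import hashlib

# Constructed sample configurations (not from the report).
BASELINE = """\
! issued by TMC IT
hostname tmc-fld-sw01
no ip http server
snmp-server community <placeholder> RO
interface Gi0/1
 switchport mode access
 switchport access vlan 30
"""
RUNNING = """\
! Last configuration change at 09:14:02
hostname tmc-fld-sw01
ip http server
interface Gi0/1
 switchport mode access
 switchport access vlan 30
username installer privilege 15
"""

def normalize(text):
    """Drop comment and blank lines so only settings are compared."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    return [ln for ln in lines if ln.strip() and not ln.lstrip().startswith("!")]

def fingerprint(text):
    """SHA-256 over the normalized settings, for a quick match/no-match check."""
    return hashlib.sha256("\n".join(normalize(text)).encode()).hexdigest()

def drift(baseline, running):
    """Return (removed, added) setting lines relative to the issued baseline."""
    removed, added = [], []
    for ln in difflib.ndiff(normalize(baseline), normalize(running)):
        if ln.startswith("- "):
            removed.append(ln[2:])
        elif ln.startswith("+ "):
            added.append(ln[2:])
    return removed, added

if __name__ == "__main__":
    if fingerprint(BASELINE) != fingerprint(RUNNING):
        removed, added = drift(BASELINE, RUNNING)
        print("missing from device:", removed)
        print("not in baseline:", added)
```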

Supply chain attacks against hardware and software vendors are becoming more common. Procurement through reputable sources is a minimum best practice, but establishing pre-negotiated periods for responding to security issues with upgrades/patches is an important consideration for procurement of software and hardware contracts, particularly for specialized equipment related to ICS vendors. Additionally, this and other examples of cybersecurity procurement language for control systems have been provided for various subsystems by U.S. Computer Emergency Response Teams (US CERT).[7] Many medium-to-large TMCs use a dedicated/isolated test environment to validate upgrades and patches before loading them into the production environment, to minimize supply chain risks.

[4] NIST, "SP 800-37 Rev. 2 Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach," 2018. Retrieved from: https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final.

[5] NIST, "SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations," 2015. Retrieved from: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final.

[6] NIST, "SP 800-82 Rev. 2 Guide to Industrial Control Systems (ICS) Security," 2015. Retrieved from: https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final.

[7] Department of Homeland Security (DHS), "Cyber Security Procurement Language for Control Systems," 2009. Retrieved from: https://ics-cert.us-cert.gov/sites/default/files/documents/Procurement_Language_Rev4_100809_S508C.pdf.
