Transportation Management Center Information Technology Security
Chapter 5. Guidelines for Controlling Hardware with Access to the Network
To determine whether something is out of the ordinary, it is first necessary to know what "ordinary" is. That is the premise of Center for Internet Security (CIS) Control #1: Inventory and Control of Hardware Assets. Whether an organization uses an active or a passive discovery tool to build and maintain its record of network-attached devices, keeping a detailed asset inventory is the first requirement of Control #1. Without knowing which devices are supposed to be on the network, it is difficult to maintain control of it.
A detailed inventory of devices connected to the network begins with recording each device's location, IP address, Media Access Control (MAC) address, and manufacturer name. At a minimum, it should cover everything connected to the Traffic Management Center (TMC) network in the building: servers, workstations, wireless access points, video wall controllers, network video recorders, security/surveillance systems, access control systems, firewalls, switches, routers, printers, copiers, wireless thermostats, and any other network appliances or devices.
After identifying the elements of the TMC network environment, the next step is to implement device controls that protect the network and related systems. Port-level access controls (i.e., port management) such as IEEE 802.1X and network access control (NAC) are highly recommended for enforcing device access policies and for preventing unauthorized devices from connecting through open network ports on the TMC floor or through wireless local area network (LAN) access points.
For further control and protection, devices that do not support port-level access controls can be isolated on their own Virtual Local Area Network (VLAN), although firewalls are preferable for more critical systems. The same applies to printers, copiers, and other devices (including devices leased from service companies) that contain data storage. Mobile devices (phones, tablets, etc.) that are not managed by an administrative operating system (i.e., bring-your-own-device (BYOD) equipment or computers with temporary guest access) and are not subject to the port controls noted above should be treated as a risk: their connections to the enterprise network should be protected by network authentication appliances, firewalls, multi-factor authentication, or equivalent controls so that rogue devices cannot reach the enterprise network directly. Given the wide range of vendors and network appliances in use within a TMC environment, another common best practice is to establish a test environment separate from the production environment. Network appliance vendors and field device vendors for Operations equipment routinely roll out software/firmware updates; these are best tested in the isolated test environment before they reach production, so that a compromised vendor update does not put the production environment at risk.
Some TMCs manage tunnels at water crossings or through mountains, so ventilation systems, fire suppression systems, flood gates, and other Supervisory Control and Data Acquisition (SCADA)-type systems are more likely to be encountered in those environments. For TMCs with SCADA industrial control system (ICS) exposure, limit access to Internet-based devices to the specific protocols/ports necessary, ensure that default usernames and passwords have been removed or replaced, and evaluate the applicability of National Institute of Standards and Technology (NIST) SP 800-82 to those ICS/SCADA components. Section 4.1.2 of NIST SP 800-82 recommends evaluating the physical, economic, and/or social impacts of risks to SCADA systems to help the agency decide whether to isolate these systems from the rest of the network.
Going forward, continually monitor which devices are connected to the network, and quarantine and/or remove unauthorized assets in a timely manner. Larger organizations should employ active asset management tools (e.g., OpenNMS, SolarWinds, Nagios, PRTG, and other industry examples) to scan the network, monitor for newly added devices, and flag them for review rather than granting immediate access.
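As an added example (not from this FHWA document nor from any of the products named above), the following Python script compares a constructed discovery snapshot against a constructed authorized inventory of the kind this chapter describes (location, IP address, MAC address, manufacturer), normalizes the differing MAC notations that ARP tables and switches emit, and reports devices that are unknown, that appear at an unexpected IP address, or that are missing. All device values are placeholders.

```python
import re

# Constructed sample inventory (placeholder values): canonical MAC -> expected attributes.
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": {"ip": "10.10.1.10", "location": "Rack A1", "vendor": "ExampleCo"},
    "00:1a:2b:3c:4d:02": {"ip": "10.10.1.11", "location": "Rack A1", "vendor": "ExampleCo"},
    "00:1a:2b:3c:4d:03": {"ip": "10.10.1.50", "location": "Ops floor", "vendor": "PrintCorp"},
}

# Constructed discovery snapshot in "ip mac" form, mixing the MAC notations real tools emit.
DISCOVERED = """\
10.10.1.10  00:1A:2B:3C:4D:01
10.10.1.12  00-1a-2b-3c-4d-02
10.10.1.77  001a.2b3c.4d99
"""


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, colon-separated; accepts colon, dash, and dotted (Cisco) styles."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_discovery(text: str) -> dict:
    """Return {mac: ip} from whitespace-separated 'ip mac' lines; blank or short lines are skipped."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        seen[normalize_mac(parts[1])] = parts[0]
    return seen


def audit(authorized: dict, discovered: dict) -> dict:
    """Classify devices: unknown (MAC not in inventory), moved (known MAC, unexpected IP), missing."""
    known = {normalize_mac(m): attrs for m, attrs in authorized.items()}
    report = {"unknown": [], "moved": [], "missing": []}
    for mac, ip in discovered.items():
        if mac not in known:
            report["unknown"].append((mac, ip))
        elif known[mac]["ip"] != ip:
            report["moved"].append((mac, known[mac]["ip"], ip))
    report["missing"] = [mac for mac in known if mac not in discovered]
    return report


if __name__ == "__main__":
    for kind, items in audit(AUTHORIZED, parse_discovery(DISCOVERED)).items():
        print(kind, items)
```

Unknown and moved entries are the candidates for quarantine; a missing entry may be a powered-down device or a removed asset whose inventory record needs updating.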
United States Department of Transportation - Federal Highway Administration