Transportation Management Center Information Technology Security
Chapter 8. Guidelines for Controlling Staffing/Training-Related Attributes (Insider Vulnerabilities)
The next two sections of this chapter pertain to the personnel component of controlling and mitigating risk through methods such as limiting the use of administrative privileges, training staff regarding security awareness initiatives, and account monitoring.
In a smaller organization, there are likely to be only a few staff members to coordinate with, so activities can be tracked on a personal level when system configuration changes are noticed. In a larger Traffic Management Center (TMC), where multiple personnel and potentially multiple shifts are involved, isolating who has access and authorization to make changes to systems and the network is important for troubleshooting and follow-up after an event occurs.
Controlling the use of administrative privileges and the use of automated logging and monitoring (Center for Internet Security (CIS) Controls 4, 6, and CIS Control 16) is critical for TMCs. This pertains not only to administrative privileges for operating systems, but also to logging TMC application configuration settings, logging network device configuration changes, and controlling access to network infrastructure (e.g., server data centers, network wiring closets). TMCs commonly have an array of databases gathering and storing information about traffic sensors, incident management, lane/road closures, work zones, and in some cases video recordings. Manipulation of these databases and/or the deletion of this data can have a major impact on the organization. As such, protected logging of operating systems, network device configurations, databases, and data center equipment plays an important role in the data loss prevention discussed at the end of this chapter. Limiting administrative privileges to only those with a legitimate business need reduces the attack surface and the potential for inadvertent changes to these systems.
Many TMCs have contract employees supplementing their own staff. Maintaining control of the TMC in this scenario means restricting which portions of the network and applications these individuals can access, particularly restricting them from accessing the enterprise portions of the network. TMCs should not rely solely on contract employees for administrative privilege control of hardware, software, and network devices. Contract employees with a higher level of responsibility within the TMC should be vetted and put through appropriate background checks (Relevant to CIS Control 14: Controlled Access Based on the Need to Know). Changes to automated logging should be managed by TMC organization staff, or at the very least the number of people with the capability to make those changes should be limited.
Agencies also should consider incorporating policies and practices to routinely scan ports for use of disabled and outdated credentials. All these policies and practices are found to be the most reliable when they are incorporated into the workflow between groups (e.g., human resources and information technology).
It is important for organizations to raise awareness of cybersecurity and potential threats and offer training to reinforce how to protect users, systems, and data. Most organizations have multiple teams leveraging internal training programs and lack the ability for consolidated reporting at an organizational level. To provide a holistic view into employee training, it is recommended that a Learning Management System (LMS) be leveraged to provide organizations with a single console easily accessed anywhere, and a reporting tool for organizations and employees to participate in training, track progress, and report on overall organizational requirements. After identifying skills gaps and threat vectors that require an awareness among employees, the LMS can be used to roll out training initiatives in a timely fashion and monitor compliance. (Relevant to CIS Control 17: Implement a Security Awareness and Training Program.) TMCs that manage Industrial Control Systems, such as SCADA networks for tunnels, are encouraged to further supplement the CIS Controls with section 6.2.2 of National Institute of Standards and Technology (NIST) 800-82r2, and NIST 800-50.[17]
For TMCs with limited training staff or funding available to provide training, third-party training services and programs are available and should be explored. The following table contains a list of common or popular training sources that may be applicable to security staff with responsibilities in TMC environments that include aspects of industrial control system (ICS)/SCADA infrastructure.
b SANS, "Cyber Security Courses." Retrieved from: https://www.sans.org/courses/.
c FedVTE, "FedVTE Course Catalog." Retrieved from: https://fedvte.usalearning.gov/coursecat_external.php?group=ALL.
d Appears to be limited to Federal employees only.
(Source: Federal Highway Administration.)
The National Initiative for Cybersecurity Careers and Studies (NICCS) Catalog provides a list of cybersecurity courses on all topics from a wide variety of sources.[18] It can be used to find relevant courses, and vendors that are local with respect to a given organization.
Employee Exit Process
An essential/basic element of asset control is the removal of account credentials from an employee at the time of departure. Based on the risk management plan for an organization and/or the sensitivity of certain applications and data, a TMC agency might exercise restricted access to some systems before departure. At a minimum, when given notice of an individual's impending departure, lowering their access privileges down to an appropriate "need-to-know" level and revoking full administrative privileges is consistent with guidelines in CIS Control 14: Controlled Access Based on the Need to Know and CIS Control 4: Controlled Use of Administrative Privileges, respectively.
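The exit-process check above, together with the earlier recommendation to routinely look for use of disabled and outdated credentials as part of the human resources and information technology workflow, can be automated by reconciling the HR roster against the account directory and authentication logs. The following Python code is an added example and is not part of the original guidance; the roster statuses, the group name tmc-admins, the 365-day password age threshold, and all sample records are constructed assumptions.

```python
from datetime import date, datetime
# All records below are constructed sample data, not taken from the guidance.
HR_ROSTER = {  # username -> (HR status, effective date)
    "jdoe": ("separated", date(2024, 3, 1)),
    "asmith": ("notice", date(2024, 4, 15)),  # departure announced, still employed
    "blee": ("active", None),
}
ACCOUNTS = {  # username -> directory state
    "jdoe": {"enabled": True, "groups": {"operators"}, "pw_changed": date(2023, 1, 10)},
    "asmith": {"enabled": True, "groups": {"operators", "tmc-admins"}, "pw_changed": date(2024, 2, 1)},
    "blee": {"enabled": True, "groups": {"operators"}, "pw_changed": date(2022, 6, 1)},
    "ctr-vendor1": {"enabled": False, "groups": {"contractors"}, "pw_changed": date(2023, 9, 1)},
}
AUTH_LOG = [  # "<ISO timestamp> <username> <result>"
    "2024-03-05T02:14:00 jdoe success",
    "2024-03-06T09:00:00 blee success",
    "2024-03-07T23:41:00 ctr-vendor1 failure",
]
ADMIN_GROUPS = {"tmc-admins"}  # hypothetical group name
MAX_PW_AGE_DAYS = 365          # assumed policy threshold
TODAY = date(2024, 3, 10)      # constructed review date


def audit(today, roster, accounts, auth_log):
    """Return (username, finding) pairs for HR/IT follow-up."""
    findings = []
    for user, acct in sorted(accounts.items()):
        status, _ = roster.get(user, ("unknown", None))
        if status == "separated" and acct["enabled"]:
            findings.append((user, "account enabled after separation"))
        if status == "notice" and acct["groups"] & ADMIN_GROUPS:
            findings.append((user, "admin privileges during notice period"))
        if acct["enabled"] and (today - acct["pw_changed"]).days > MAX_PW_AGE_DAYS:
            findings.append((user, "outdated credential"))
    for line in auth_log:
        stamp, user, result = line.split()
        when = datetime.fromisoformat(stamp).date()
        status, effective = roster.get(user, ("unknown", None))
        acct = accounts.get(user)
        if acct is None or not acct["enabled"]:
            findings.append((user, f"{result} login on disabled or unknown account"))
        elif status == "separated" and effective and when >= effective:
            findings.append((user, f"{result} login after separation"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(TODAY, HR_ROSTER, ACCOUNTS, AUTH_LOG):
        print(f"{user}: {finding}")
```

Run on a schedule against real exports, the findings list gives HR and IT a shared follow-up queue; a successful login after the separation date warrants incident review rather than routine cleanup.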
All agency-owned assets loaned to the employee for use should be asset-tagged and returned to the agency as part of the Exit Process. Any software that requires special dongles or keys to access also should be covered by asset management tracking tools and incorporated into the checklist of items to be returned during the Exit Process. Field cabinet access keys/devices also need to be returned.
After considerations for Federal (36 CFR 1220.14), State, or local recordkeeping requirements, agencies should incorporate policies for sanitizing and/or disposing of electronics (e-disposal) and personal information/folders.[19] It is recommended that any electronics sent out for e-disposal be sanitized beforehand or contracted through a reputable service provider who will be destroying the media altogether. While employee exit is a critical time to deal with e-disposal, this is a broader organizational issue that is worth incorporating into routine e-sanitization policies for risk management practices and for the data protection that is discussed below.
[17] NIST, "SP 800-50 Building an Information Technology Security Awareness and Training Program," 2003. Retrieved from: https://csrc.nist.gov/publications/detail/sp/800-50/final.
[19] National Archives and Records Administration (NARA), "NARA Code of Federal Regulations." Retrieved from: https://www.archives.gov/about/regulations/regulations.html.
United States Department of Transportation - Federal Highway Administration