Office of Operations
21st Century Operations Using 21st Century Technologies

Transportation Management Center Information Technology Security

Chapter 8. Guidelines for Controlling Staffing/Training-Related Attributes (Insider Vulnerabilities)

The next two sections of this chapter pertain to the personnel component of controlling and mitigating risk through methods such as limiting the use of administrative privileges, training staff regarding security awareness initiatives, and account monitoring.

Organization-Related Attributes

In a smaller organization, there are likely only a few staff to coordinate with, so activities can be tracked on a personal level when system configuration changes are noticed. In a larger Traffic Management Center (TMC), where multiple personnel and potentially multiple shifts are involved, isolating who has access and authorization to make changes to systems and the network is important for troubleshooting and follow-up after an event occurs.

Controlling the use of administrative privileges and using automated logging and monitoring (Center for Internet Security (CIS) Controls 4, 6, and 16) is critical for TMCs. This pertains not only to administrative privileges for operating systems, but also to logging TMC application configuration settings, logging network device configuration changes, and controlling access to network infrastructure (e.g., server data centers, network wiring closets). TMCs commonly have an array of databases gathering and storing information about traffic sensors, incident management, lane/road closures, work zones, and in some cases video recordings. Manipulation of these databases and/or the deletion of this data can have a major impact on the organization. As such, protected logging of operating systems, network device configurations, databases, and data center equipment plays an important role in the data loss prevention discussed at the end of this chapter. Limiting administrative privileges to only those with a legitimate business need reduces the attack surface and the potential for inadvertent changes to these systems.

Relevant Controls for Staffing

  • CIS Control 4: Controlled Use of Administrative Privileges.
  • CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs.
  • CIS Control 16: Account Monitoring and Control.

Many TMCs have contract employees supplementing their own staff. To maintain control of the TMC in this scenario, restrict what portions of the network and applications these individuals can access, and in particular restrict them from accessing the enterprise portions of the network. TMCs should not rely solely on contract employees for administrative privilege control of hardware, software, and network devices. Contract employees with a higher level of responsibility within the TMC should be vetted and put through appropriate background checks (relevant to CIS Control 14: Controlled Access Based on the Need to Know). Restrictions on changing automated logging should be managed by TMC organization staff, or at the very least the organization should limit those with the capability to make those changes.

Agencies also should consider incorporating policies and practices to routinely scan ports for use of disabled and outdated credentials. All of these policies and practices are most reliable when they are incorporated into the workflow between groups (e.g., human resources and information technology).

Training/Education

It is important for organizations to raise awareness of cybersecurity and potential threats and to offer training that reinforces how to protect users, systems, and data. Most organizations have multiple teams leveraging internal training programs and lack the ability to report on them in a consolidated way at an organizational level. To provide a holistic view into employee training, it is recommended that a Learning Management System (LMS) be leveraged to give organizations a single console that is easily accessed from anywhere, along with a reporting tool for organizations and employees to participate in training, track progress, and report on overall organizational requirements. After identifying skills gaps and threat vectors that require awareness among employees, the LMS can be used to roll out training initiatives in a timely fashion and monitor compliance. (Relevant to CIS Control 17: Implement a Security Awareness and Training Program.) TMCs that manage Industrial Control Systems, such as SCADA networks for tunnels, are encouraged to further supplement the CIS Controls with section 6.2.2 of National Institute of Standards and Technology (NIST) 800-82r2, and NIST 800-50.[17]

For TMCs with limited training staff or funding available to provide training, third-party training services and programs are available and should be explored. The following table contains a list of common or popular training sources that may be applicable to security staff with responsibilities in TMC environments that include aspects of industrial control system (ICS)/SCADA infrastructure.

Table 1. List of industrial control systems-related training.

Source: ICS-CERT [a] | Type: Web-based | Free? Yes
Topics:
  • Operational Security (OPSEC) for Control Systems (100W)—1 hour.
  • Differences in Deployments of ICS (210W-1)—1.5 hours.
  • Influence of Common Information Technology (IT) Components on ICS (210W-2)—1.5 hours.
  • Common ICS Components (210W-3)—1.5 hours.
  • Cybersecurity within IT and ICS Domains (210W-4)—1.5 hours.
  • Cybersecurity Risk (210W-5)—1.5 hours.
  • Current Trends (Threat) (210W-6)—1.5 hours.
  • Current Trends (Vulnerabilities) (210W-7)—1.5 hours.
  • Determining the Impacts of a Cybersecurity Incident (210W-8)—1.5 hours.
  • Attack Methodologies in IT and ICS (210W-9)—1.5 hours.
  • Mapping IT Defense-in-Depth Security Solutions to ICS (210W-10)—1.5 hours.

Source: ICS-CERT | Type: Instructor-led | Free? Yes
Topics:
  • Introduction to Control Systems Cybersecurity (101)—8 hours.
  • Intermediate Cybersecurity for Industrial Control Systems (201)—8 hours.
  • Intermediate Cybersecurity for Industrial Control Systems (202)—8 hours.
  • ICS Cybersecurity (301)—5 days.

Source: SANS [b] | Type: Multiple | Free? No
Topics:
  • ICS410: ICS/SCADA Security Essentials.
  • ICS456: Essentials for North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection.
  • ICS515: ICS Active Defense and Incident Response.

Source: FedVTE [c, d] | Type: Web-based | Free? Yes
Topics: Federal Virtual Training Environment (FedVTE):
  • 101 Critical Infrastructure Protection—2 hours.

[a] NCCIC/ICS-CERT, "Training Available Through ICS-CERT." Retrieved from: https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT.
[b] SANS, "Cyber Security Courses." Retrieved from: https://www.sans.org/courses/.
[c] FedVTE, "FedVTE Course Catalog." Retrieved from: https://fedvte.usalearning.gov/coursecat_external.php?group=ALL.
[d] Appears to be limited to Federal employees only.

(Source: Federal Highway Administration.)

The National Initiative for Cybersecurity Careers and Studies (NICCS) Catalog provides a list of cybersecurity courses on all topics from a wide variety of sources.[18] It can be used to find relevant courses, and vendors that are local to a given organization.

Employee Exit Process

An essential/basic element of asset control is the removal of an employee's account credentials at the time of departure. Based on the risk management plan for an organization and/or the sensitivity of certain applications and data, a TMC agency might restrict access to some systems before departure. At a minimum, when given notice of an individual's impending departure, lowering their access privileges to an appropriate "need-to-know" level and revoking full administrative privileges is consistent with the guidelines in CIS Control 14: Controlled Access Based on the Need to Know and CIS Control 4: Controlled Use of Administrative Privileges, respectively.
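As an added illustration that is not part of the FHWA document, the following Python script applies the staffing checks this chapter describes (contractor restrictions from the enterprise network, administrative privileges not held solely by contractors, disabled or outdated credentials, and departed-employee accounts) to a constructed account inventory; the inventory fields, sample users, and the 90-day staleness threshold are assumptions for the example.

```python
"""Account-review checks for the staffing controls described in this chapter.

Constructed example: the inventory below is invented sample data, not an
export from any real TMC directory; field names are assumed for the example.
"""
from datetime import datetime, timedelta

ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "admin": True, "contractor": False,
     "segments": ["tmc"], "last_login": "2024-05-01", "departed": False},
    {"user": "rsmith", "enabled": True, "admin": False, "contractor": False,
     "segments": ["tmc"], "last_login": "2024-05-02", "departed": True},
    {"user": "ctr-lee", "enabled": True, "admin": True, "contractor": True,
     "segments": ["tmc", "enterprise"], "last_login": "2024-04-30", "departed": False},
    {"user": "svc-old", "enabled": False, "admin": True, "contractor": False,
     "segments": ["tmc"], "last_login": "2023-01-10", "departed": False},
    {"user": "ops1", "enabled": True, "admin": True, "contractor": False,
     "segments": ["tmc"], "last_login": "2023-11-01", "departed": False},
]


def review_accounts(accounts, as_of="2024-05-15", stale_days=90):
    """Return (user, finding) pairs; stale_days is an assumed review threshold."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=stale_days)
    findings = []
    for a in accounts:
        last_login = datetime.strptime(a["last_login"], "%Y-%m-%d")
        # Exit process: departed staff must have credentials removed (CIS Controls 14 and 4).
        if a["departed"] and a["enabled"]:
            findings.append((a["user"], "departed employee account still enabled"))
        # Outdated credentials: an enabled admin account nobody has used recently (CIS Control 16).
        if a["enabled"] and a["admin"] and last_login < cutoff:
            findings.append((a["user"], "administrative account unused for %d+ days" % stale_days))
        # A disabled account that still holds admin rights should be removed from the admin group.
        if not a["enabled"] and a["admin"]:
            findings.append((a["user"], "disabled account still holds administrative privileges"))
        # Contract employees are restricted from the enterprise portion of the network.
        if a["contractor"] and "enterprise" in a["segments"]:
            findings.append((a["user"], "contractor account has enterprise network access"))
    # The TMC should not rely solely on contractors for administrative privilege control.
    admins = [a for a in accounts if a["enabled"] and a["admin"]]
    if admins and all(a["contractor"] for a in admins):
        findings.append(("*", "every enabled administrative account belongs to a contractor"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS):
        print(f"{user}: {finding}")
```

In practice the inventory would be exported from the directory service and the review run on the HR/IT workflow schedule the chapter recommends, with each finding routed to the owning group.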

All agency-owned assets loaned to the employee for use should be asset-tagged and returned to the agency as part of the Exit Process. Any software that requires special dongles or keys to access also should be covered by asset management tracking tools and incorporated into the checklist of items to be returned during the Exit Process. Field cabinet access keys/devices also need to be returned.

After considering Federal (36 CFR 1220.14), State, or local recordkeeping requirements, agencies should incorporate policies for sanitizing and/or disposing of electronics (e-disposal) and personal information/folders.[19] It is recommended that any electronics sent out for e-disposal be sanitized beforehand or handled by a reputable contracted service provider who will destroy the media altogether. While employee exit is a critical time to deal with e-disposal, this is a broader organizational issue that is worth incorporating into routine e-sanitization policies for the risk management practices and data protection discussed below.

[17] NIST, "SP 800-50 Building an Information Technology Security Awareness and Training Program," 2003. Retrieved from: https://csrc.nist.gov/publications/detail/sp/800-50/final.

[18] National Initiative for Cybersecurity Careers and Studies (NICCS), "NICCS Education and Training Catalog." Retrieved from: https://niccs.us-cert.gov/training/search.

[19] National Archives and Records Administration (NARA), "NARA Code of Federal Regulations." Retrieved from: https://www.archives.gov/about/regulations/regulations.html.
