State transportation agencies, like other complex public and private organizations, increasingly rely on information technology (IT) systems and operational technology (OT) assets to fulfill their public mission. In addition to the use of IT for administrative functions, the real-time use of technology to operate and manage transportation facilities and services presents particularly acute challenges.
Recent cyber incidents within public agencies highlighted the challenges transportation agencies face with such threats. Significant emphasis has been given to the protection of IT systems against such threats but less is devoted to the risks to OT and equipment and protecting transportation business operations. State transportation agency leadership need more information to explain how the agencies can prevent such incidents, what to do when they occur, and how to recover. This research focuses on state transportation agencies’ unique cybersecurity challenges, in particular OT, and provides direction on cyber-incident management.
This research shall (1) identify what executives and senior managers at state transportation agencies need to know about managing the confluence of transportation OT and IT cybersecurity risks, (2) classify transportation functions, services, and assets that may be targets of cyberattacks and cyber incidents, and (3) develop an easy-to-use guide for state transportation agency executives and senior managers that will help assess, classify, and respond to transportation systems cybersecurity risks.
Task 1. Identify and summarize the state-of-practice in state transportation agencies’ cybersecurity initiatives, with an emphasis on OT. Include barriers, needs, opportunities, lessons learned, and successful practices.
Task 2. Conduct a review of relevant cybersecurity literature to update the existing body of knowledge. Consideration should be given to successful practices in other industries that may be transferrable to state transportation agencies.
Task 3. Identify a small group of transportation technology and cybersecurity subject matter experts to help inform development of a transportation asset classification framework for cyber risks.
Task 4. Prepare an interim report.
Task 5. Develop a high-level framework to assess cyber risk; identify strategies for preparing for, preventing and managing cyber incidents; and link transportation asset classification with cyber risk. Consideration should be given, but not limited to, the following questions or concepts.
Task 6. Prepare draft final deliverables covering all topics to meet the research objective(s).