State transportation agencies, like other complex public and private organizations, increasingly rely on information technology (IT) systems and operational technology (OT) assets to fulfill their public mission. In addition to the use of IT for administrative functions, the real-time use of technology to operate and manage transportation facilities and services presents particularly acute challenges.
Recent cyber incidents within public agencies highlighted the challenges transportation agencies face with such threats. Significant emphasis has been given to the protection of IT systems against such threats, but less is devoted to the risks to OT and equipment and to protecting transportation business operations. State transportation agency leadership needs more information to explain how the agencies can prevent such incidents, what to do when they occur, and how to recover. This research focuses on state transportation agencies’ unique cybersecurity challenges, in particular OT, and provides direction on cyber-incident management.
This research shall (1) identify what executives and senior managers at state transportation agencies need to know about managing the confluence of transportation OT and IT cybersecurity risks, (2) classify transportation functions, services, and assets that may be targets of cyberattacks and cyber incidents, and (3) develop an easy-to-use guide for state transportation agency executives and senior managers that will help assess, classify, and respond to transportation systems cybersecurity risks.
Accomplishment of the project objective(s) will require at least the following tasks.
The NCHRP is seeking the insights of proposers on how best to achieve the research objectives. Proposers are expected to describe research plans that can realistically be accomplished within the constraints of available funds and contract time. Proposals must present the proposers' current thinking in sufficient detail to demonstrate their understanding of the issues and the soundness of their approach to meeting the research objectives.
The research plan should (1) include a kick-off teleconference with the research team and NCHRP convened within 1 month of the contract’s execution; (2) address how the proposer intends to satisfy the project objectives; (3) be divided logically into detailed tasks that are necessary to fulfill the research objectives and include appropriate milestones and interim deliverables; and (4) incorporate opportunities for the project panel to review, comment on, and approve milestone deliverables.
At a minimum, the research plan should incorporate the following concepts or activities.
Task 1. Identify and summarize the state-of-practice in state transportation agencies’ cybersecurity initiatives, with an emphasis on OT. Include barriers, needs, opportunities, lessons learned, and successful practices.
Note: Proposers are expected to use previously administered surveys if appropriate. If proposed, survey/interview instruments and sampling plans shall be submitted for NCHRP review and approval prior to use.
Task 2. Conduct a review of relevant cybersecurity literature to update the existing body of knowledge. Consideration should be given to successful practices in other industries that may be transferrable to state transportation agencies.
Task 3. Identify a small group of transportation technology and cybersecurity subject matter experts to help inform development of a transportation asset classification framework for cyber risks.
Task 4. Prepare an interim report.
Note: The interim report shall document the findings from Tasks 1, 2, and 3, which will be discussed at a face-to-face meeting with the NCHRP project panel. NCHRP approval of the interim report is required prior to performing subsequent tasks.
Task 5. Develop a high-level framework to assess cyber risk; identify strategies for preparing for, preventing and managing cyber incidents; and link transportation asset classification with cyber risk. Consideration should be given, but not limited to, the following questions or concepts.
- What relevant case law, national standards, training materials, and cybersecurity frameworks are applicable to transportation OT cybersecurity?
- Which, if any, existing cybersecurity framework(s) are appropriate for each transportation asset classification?
- What impact will emerging and evolving technologies (i.e., 5G, connected and automated vehicles, cloud computing, Information Technology Systems, and Internet of Things) have on transportation cybersecurity programs?
- How can transportation agencies understand the risks and facilitate appropriate cybersecurity governance of non-agency owned assets (e.g., utilities)?
- What process can transportation agencies use to categorize cybersecurity risk levels?
- What are the current cybersecurity threat intelligence sources and what opportunities currently exist for information sharing?
- How does the relationship between OT and IT impact cybersecurity risks?
- What type of coordination is required between IT and OT for appropriate preparation, prevention, incident response, and recovery?
- Identify successful cyber-incident response practices including those related to managing cyber ransom.
- How can state transportation agencies evaluate the need for ongoing investment in cybersecurity programs and the need for appropriate resources?
Task 6. Prepare draft final deliverables covering all topics to meet the research objective(s).
1. Proposers shall include a variety of options for delivery formats appropriate for state transportation agency executives and senior managers.
2. Following receipt of the draft final deliverables, the remaining 3 months shall be for NCHRP review and comment and for research agency preparation of the final deliverables.
Task 7. Prepare final deliverables.
Final deliverables should include, at a minimum, (1) a final report documenting the entire research effort; (2) prioritized recommendations for future research; (3) executive summary; (4) a PowerPoint-style presentation describing the background, objectives, research approach, findings, and conclusions; (5) guidelines for state transportation chief executive officers on cybersecurity issues and protection strategies; (6) a stand-alone technical memorandum titled “Implementation of Research Findings and Products” (see Special Note D for additional information); (7) a presentation of the findings at two committee meetings or conferences (e.g., AASHTO Committee on Security and Resilience (TSSR)); and (8) a draft article suitable for publication in TR News (information regarding TR News publication may be found on the TRB webpage http://onlinepubs.trb.org/onlinepubs/trnews/info4contributors.pdf).