The report is intended for transit executives and senior management. The consultant shall draft the survey questions and correlate the output into a form conducive to management decision making. The synthesis will gather information regarding the maturity of current cyber security programs in the following functions:
· Protect, Shield, Defend, and Prevent -- Measure the organization’s staff, policies, processes, practices, and technologies that protect, shield, and defend the enterprise from cyber threats, and prevent the occurrence and recurrence of cybersecurity incidents commensurate with the organization’s risk tolerance.
· Monitor, Detect, and Hunt -- Measure the organization’s staff, policies, processes, practices, and technologies which monitor ongoing operations and actively hunt for and detect adversaries, and report instances of suspicious and unauthorized events as expeditiously as possible.
· Respond, Recover, and Sustain -- When a cybersecurity incident occurs, measure the organization’s staff, policies, processes, practices, and technologies that are deployed to return assets to normal operations as soon as possible. Assets include technologies, information, people, facilities, and supply chains.
· Govern, Manage, Comply, Educate, and Manage Risk -- Measure the organization’s leadership, staff, policies, processes, practices, and technologies which provide ongoing oversight, management, performance measurement, and course correction of all cybersecurity activities. This function includes ensuring compliance with all external and internal requirements and mitigating risk commensurate with the organization’s risk tolerance.
The contractor shall explore and evaluate the extent to which cyber security practice is implemented holistically across both the IT and OT environments, and shall identify whether the organization runs a single security program or multiple security programs. The contractor must use or create a system that anonymizes this data and categorizes it into four tiers. Further, the contractor shall identify:
· Organization staff levels (FTE/contractor) dedicated to the cyber security function
· Associated budget dedicated to the cyber security function in three focus areas:
o personnel costs
o training and awareness
o non-personnel costs
· Outsourced functions dedicated to the cyber security function (e.g., a managed SOC, which is not counted in staff levels but is captured in the budget)
· Organization demographics and ridership which enable meaningful comparison of cyber security programs.
· Cyber security program categories for use in a prioritization matrix for transit agencies
Information will be gathered by literature review and a survey of qualifying transit organizations. The synthesis will emphasize four case examples, one representative of transit system cyber security programs in each of the tiers. These should highlight innovative approaches, successes, challenges, and lessons learned. Gaps in information and future research needs will also be identified.
First Panel: September 13, 2019
Teleconference with Contractor: October 17, 2019
Second Panel: May 14, 2020
Sandra Bobek, San Diego Metropolitan Transit System
Alesia Cain, Hampton Roads Transit
Jasdeep Gill, British Columbia Rapid Transit Company
Mark Hartong, Johns Hopkins University Applied Physics Laboratory
Kyle Malo, WMATA
Stephanie M. Murphy, Tidal Basin Government Consulting, LLC
Jeffrey Nichols, Port Authority of Allegheny County (PA)
Sarah VanWormer, City of Battle Creek
Brian Jackson, Federal Transit Administration
Polly L. Hanson, APTA
Sheila Moore, Transportation Research Board