The NCHRP Project 03-127 continuation request identified four areas for further study:
• Update of the Cybersecurity Risk Assessment Web Guidance [$100,000]. As the Web Guidance is used, possible improvements will be identified by users. There will also be a need to keep the information current and an initial investment of NCHRP funds will allow a process to be developed.
• Additional Penetration Testing of TMS Devices [$300,000]. The original project spent $400,000 on penetration testing of 13 devices (3 traffic signal controllers, 3 conflict monitors, 1 changeable message sign controller, 2 V2I roadside units, 4 cameras). Feedback from agencies and vendors indicates that further testing would be valuable in identifying vulnerabilities. This could include more devices (both other types of devices and devices from different vendors) and different configurations (including cabinets).
• Best Practice Guide for Cybersecurity Resilience [$250,000]. This would summarize information gained during the current project and curate best practices (inside and outside of transportation) to produce actionable guidance for agencies and equipment vendors. This may include items such as recommendations for workforce development, development of a controls assessment checklist, recommendations for ways to integrate cybersecurity into equipment designs, methods for hardening legacy systems, and specification recommendations.
• Expansion of the CAV Primer [$100,000]. This would document privacy- and cybersecurity-related lessons learned by the pilot deployments and provide more detailed information on topics such as deploying the Security Credential Management System (SCMS).
However, based on discussions with the NCHRP Project 03-127 research team, adequate user feedback has not been collected since the launch of the Cybersecurity Risk Assessment Web Guidance. Therefore, the task of updating the Cybersecurity Risk Assessment Web Guidance has no basis on which to proceed. Moreover, the Additional Penetration Testing of TMS Devices task requires evaluation of specific products, which is not in line with TRB's business and may not generate research results publishable by TRB. Therefore, more than half of the originally scoped tasks are deemed infeasible based on our preliminary assessment. A large deviation from the problem statement approved by the AASHTO Special Committee on Research and Innovation seems to be inevitable. Furthermore, due to the sensitive nature of the research results, the Cybersecurity Risk Assessment Web Guidance is presented as a "black box" tool and lacks credible information for interested agencies to act upon, which limited the usefulness of the developed tool. Moreover, during a web conference conducted on June 6th, 2022, between NCHRP staff and FHWA representatives, the FHWA representatives expressed deep concerns about and objection to the continuation of NCHRP Project 03-127.
After further deliberations and based on the above information, it was recommended that Project 03-127(01), FY 2021 be cancelled and the funds allocated to this project ($750,000) be returned to Program funds for use by the AASHTO Special Committee on Research and Innovation as appropriate.