BACKGROUND
The increased focus on cybersecurity threats and attacks requires the transit industry to address the critical vulnerabilities of connected vehicles throughout the lifecycle of new and existing technologies.
Many transit agencies are unaware of the full capabilities of the operational technology (OT) installed by the original equipment manufacturers, and built-in features can present a cyber risk as an avenue of attack for a motivated threat actor. OT vehicle systems rarely undergo cyber testing to identify critical vulnerabilities before deployment. With threat actors aggressively targeting critical infrastructure and the public transit sector, vulnerabilities in OT vehicle systems remain unrecognized, untested, and unmitigated. In recent years, cyberattacks on vehicle OT systems have increased, resulting in service disruptions, safety and security concerns, and reputational risk.
Incident response (IR) is a key process in a healthy cybersecurity program. IR policies and processes must be aligned with compliance frameworks, federal security directives, and cyber best practices. However, there is a need for guidance on structuring and formalizing an effective IR process, along with its associated policies. Establishing consistent and standard IR processes is critical to identifying trends within the transit agency and across the greater transit community. Identifying key metrics and reporting supports the transit agency’s compliance with regulatory mandates and captures trends to better understand gaps in policy, procedure, or technology.
An important aspect of an IR plan involves each transit agency establishing clear criteria for categorizing events and incidents, and the associated reporting timelines and response activities based on severity or impact. The response actions for an event versus an incident vary greatly, including how and when that information is reported to governing bodies such as the Transportation Security Administration (TSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), or Information Sharing and Analysis Centers (ISACs).
Currently, there are no standardized event and incident categories within the transit community, which can result in both overreporting and underreporting. Overreporting events can cause undue stress on a transit agency’s IR team and skew the metrics collected for future improvements to the IR process. Underreporting incidents affects the ability to meet the requirements of federal directives and could result in decreased IR support from external parties. Each scenario leads to increased costs of incident investigation, root cause analysis, and remediation of the impacts of a cyberattack. Research is needed to assess the vulnerability of transit agencies to cyberattacks and how agencies respond to cyberattacks.
OBJECTIVE
The objective of this research is to develop a comprehensive toolkit of actionable practices and strategies to help transit agencies prevent cyberattacks and effectively respond to cyber incidents. This research shall examine (1) cybersecurity threat and attack vulnerability of connected vehicles and (2) cybersecurity incident and event categorization of connected vehicles. The key audiences for this project are state departments of transportation and U.S. public transportation providers in urbanized areas of all sizes, rural areas, and Tribal communities.
RESEARCH PLAN
The TCRP is seeking the insights of proposers on how best to achieve the research objective. Proposers are asked to develop and present a detailed research approach for accomplishing the project objective. The work proposed must be divided into tasks, and proposers must describe the work proposed in each task. Proposers are expected to present a research plan that can realistically be accomplished within the constraints of available funds and contract time. Proposals shall: (1) present the proposer’s current thinking in sufficient detail to demonstrate their understanding of the issues and the soundness of their approach for meeting the research objective, (2) identify data and data sources that may be used to undertake this research, and (3) propose a format(s) for the final research product(s).
The study will be organized into distinct volumes, each with associated tasks designed to address and fulfill the research goals. Volume 1 shall focus on assessing the vulnerability of transit agencies to cyberattacks. Volume 2 shall focus on how transit agencies respond to cyberattacks. The volumes and tasks are as follows.
Volume 1: At a minimum, this research shall:
- Conduct a literature scan of research associated with cyber vulnerability and attack vectors in connected vehicle technology (CVT).
- Identify and report the reliance on CVT in making operational decisions.
- Classify and document past cyberattacks targeting CVT.
- Identify and report known cyber vulnerabilities and attack vectors on CVT.
- Identify and report possible mitigations and improvements for cyber vulnerabilities and attack vectors in CVT.
Volume 2: At a minimum, this research shall:
- Conduct a literature scan of research associated with cyber IR.
- Create a draft of the practices for transit IR utilizing the best practices and requirements in other critical infrastructure sectors.
- Conduct a survey of transit agencies to identify how current IR practices compare to the draft practices, with a focus on:
  - Maturity of IR processes, policies, and plans in the transit industry;
  - Criteria used by transit agencies to distinguish a cyber event from a cyber incident;
  - Frequency of reporting cyber incidents by transit agencies to an external agency; and
  - Use of standard IR metrics and reporting standards for transit organizations.
- Investigate and report the connections between event/incident categorization and IR process maturity.
- Using the results of the survey, update draft practices for transit IR for public distribution.
Useful TRB resources for this project include:
The research plan will describe appropriate deliverables that include, but are not limited to, the following (which also represent key project milestones):
- Amplified research plan that responds to comments provided by the project panel at the contractor selection meeting. At a minimum, the research plan should describe the contractor’s approach to achieving the objective in a two-volume report.
- Monthly and quarterly progress reports detailing activities by task, upcoming task activities, and issue(s).
- Interim report that includes the analyses and results of completed tasks, an update of the remaining tasks, and a detailed outline of the final research product(s).
- Panel meeting after submission of the interim report. The panel meeting will take place in Washington, DC, after the expenditure of approximately 40 to 50 percent of the project budget.
- Final deliverables that fully address this project’s objective.
- Technical memorandum titled “Implementation of Research Findings and Products” (see Special Note J).
- Slide deck that presents the research findings and conclusions that can be used in webinars.
Note: The research plan may include additional deliverables as well as additional panel meetings via Microsoft Teams.
SPECIAL NOTES
A. Proposals should demonstrate knowledge of related domestic and international literature and completed and on-going research relevant to this research project.
B. The Information and Instructions for Preparing Proposals for the Transportation Research Board’s Cooperative Research Programs were revised in May 2023. Please take note of the new and revised text which is highlighted in yellow.
C. Proposals must be submitted as a single PDF file with a maximum file size of 10 MB. The PDF must be formatted for standard 8½" x 11" paper, and the entire proposal must not exceed 60 pages (according to the page count displayed in the PDF). Proposals that do not meet these requirements will be rejected. For other requirements, refer to chapter V of the instructions.
D. The Information and Instructions for Preparing Proposals for the Transportation Research Board’s Cooperative Research Programs have been modified to include a revised policy and instructions for disclosing Investigator Conflict of Interest. For more information, refer to chapter IV of the instructions. A detailed definition and examples can be found in the CRP Conflict of Interest Policy for Contractors. The proposer recommended by the project panel will be required to submit an Investigator Conflict of Interest and Disclosure Form as a prerequisite for contract negotiations.
E. Proposals will be rejected if any of the proposed research team members work for organizations represented on the project panel. The panel roster for this project can be found at TCRP Project Panel. Proposers may not contact panel members directly; this roster is provided solely for the purpose of avoiding potential conflicts of interest.
F. Proprietary Products - If any proprietary products are to be used or tested in the project, please refer to Item 6 in the Information and Instructions for Preparing Proposals.
G. Proposals are evaluated by the TCRP staff and project panels consisting of individuals collectively knowledgeable in the problem area. The project panel will recommend their first-choice proposal considering the following factors: (1) the proposer's demonstrated understanding of the problem; (2) the merit of the proposed research approach and experiment design; (3) the experience, qualifications, and objectivity of the research team in the same or closely related problem area; (4) the plan for ensuring application of results; (5) how the proposer approaches inclusion and diversity in the composition of their team and research approach, including participation by certified Disadvantaged Business Enterprises; and, if relevant, (6) the adequacy of the facilities. A recommendation by the project panel is not a guarantee of a contract. The National Academy of Sciences (NAS, the contracting authority for the National Academies of Sciences, Engineering, and Medicine) will conduct an internal due diligence review and risk assessment of the panel’s recommended proposal before contract negotiations continue.
Note: The proposer's approach to inclusion and diversity as well as participation by Disadvantaged Business Enterprises should be incorporated in Item 11 of the proposal.
H. Copyrights - All data, written materials, computer software, graphic and photographic images, and other information prepared under the contract and the copyrights therein shall be owned by the National Academy of Sciences. The contractor and subcontractors will be able to publish this material for non-commercial purposes, for internal use, or to further academic research or studies with permission from TRB Cooperative Research Programs. The contractor and subcontractors will not be allowed to sell the project material without prior approval by the National Academy of Sciences. By signing a contract with the National Academy of Sciences, contractors accept legal responsibility for any copyright infringement that may exist in work done for TRB. Contractors are therefore responsible for obtaining all necessary permissions for use of copyrighted material in TRB's Cooperative Research Programs publications. For guidance on TRB's policies on using copyrighted material please consult Section 5.4, "Use of Copyrighted Material," in the Procedural Manual for Contractors.
I. Proposals should include a task-by-task breakdown of labor hours for each staff member as shown in Figure 4 in the Information and Instructions for Preparing Proposals. Proposals also should include a breakdown of all costs (e.g., wages, indirect costs, travel, materials, and total) for each task using Figures 5 and 6 in the brochure. Please note that TRB Cooperative Research Program subawards (selected proposers are considered subawards to the National Academy of Sciences, the parent organization of TRB) must comply with 2 CFR 200 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards. These requirements include a provision that proposers without a "federally" Negotiated Indirect Costs Rate Agreement (NICRA) shall be subject to a maximum allowable indirect rate of 10% of Modified Total Direct Costs. Modified Total Direct Costs include all salaries and wages, applicable fringe benefits, materials and supplies, services, travel, and up to the first $25,000 of each lower tier subaward and subcontract. Modified Total Direct Costs exclude equipment, capital expenditures, charges for patient care, rental costs, tuition remission, scholarships and fellowships, participant support costs and the portion of each lower tier subaward and subcontract in excess of $25,000.
J. The required technical memorandum titled “Implementation of Research Findings and Products” should (a) provide recommendations on how to best put the research findings/products into practice; (b) identify possible institutions that might take leadership in applying the research findings/products; (c) identify issues affecting potential implementation of the findings/products and recommend possible actions to address these issues; and (d) recommend methods of identifying and measuring the impacts associated with implementation of the findings/products. Implementation of these recommendations is not part of the research project and, if warranted, details of these actions will be developed and implemented in future efforts.
K. The text of the final deliverable is expected to be publication-ready when it is submitted. It is strongly recommended that the research team include the expertise of a technical editor as early in the project timeline as possible. See Appendix F of the Procedural Manual for Contractors Conducting Research in the Transportation Research Board's Cooperative Research Program for technical editing standards expected in final deliverables.
L. If the team proposes a Principal Investigator who is not an employee of the Prime Contractor, or if the Prime Contractor is proposed to conduct less than 50% of the total effort (by time or budget), then section five of the proposal should include: (1) a justification of why this approach is appropriate, and (2) a description of how the Prime Contractor will ensure adequate communication and coordination with their Subcontractors throughout the project.
M. All budget information should be suitable for printing on 8½" x 11" paper. If a budget page cannot fit on a single 8½" x 11" page, it should be split over multiple pages. Proposers must use the Excel templates provided in the Information and Instructions for Preparing Proposals for the Transportation Research Board's Cooperative Research Programs.
N. The National Academies have an ethical and legal obligation to provide proper attribution whenever material from other sources is included in their reports, online postings, and other publications and products. TRB will review all Cooperative Research Programs draft final deliverables using the software iThenticate for potential plagiarism. If plagiarized text appears in the draft final deliverable, the research team will be required to make revisions, and the opportunity to submit future proposals may be affected.