BACKGROUND
The increased focus on cybersecurity threats and attacks requires the transit industry to address the critical vulnerabilities of connected vehicles throughout the lifecycle of new and existing technologies.
Many transit agencies are unaware of the full capabilities of the operational technology (OT) installed by the original equipment manufacturers, and built-in features can present a cyber risk as an avenue of attack for a motivated threat actor. OT vehicle systems rarely undergo cyber testing to identify critical vulnerabilities before deployment. With threat actors aggressively targeting critical infrastructure and the public transit sector, vulnerabilities in OT vehicle systems are unrecognized, untested, and unmitigated. In recent years, cyberattacks on vehicle OT systems have increased, resulting in service disruptions, safety and security concerns, and reputational risk.
Incident response (IR) is a key process in a healthy cybersecurity program. IR policies and processes must be aligned with compliance frameworks, federal security directives, and cyber best practices. However, there is a need for guidance on structuring and formalizing an effective IR process, along with its associated policies. Establishing consistent and standard IR processes is critical in identifying trends within the transit agency and across the greater transit community. Identifying key metrics and reporting supports the transit agency’s compliance with regulatory mandates and captures trends to better understand gaps in policy, procedure, or technology.
An important aspect of an IR plan involves each transit agency establishing clear criteria for categorizing events and incidents, and the associated reporting timelines and response activities based on severity or impact. The response actions for an event versus an incident vary greatly, including how and when that information is reported to governing bodies such as the Transportation Security Administration (TSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), or Information Sharing and Analysis Centers (ISAC).
Currently, there are no standardized event and incident categories within the transit community, which can result in overreporting and underreporting. Overreporting events can cause undue stress on a transit agency’s IR team and skew the metrics collected for future improvements to the IR process. Underreporting incidents affects the ability to meet the requirements of federal directives and could result in decreased IR support from external parties. Each scenario leads to increased costs of incident investigation, root cause analysis, and remediation of the impacts of a cyberattack. Research is needed to assess the vulnerability of transit agencies to cyberattacks and how agencies respond to cyberattacks.
OBJECTIVE
The objective of this research is to develop a comprehensive toolkit of actionable practices and strategies to help transit agencies prevent cyberattacks and effectively respond to cyber incidents. This research shall examine (1) cybersecurity threat and attack vulnerability of connected vehicles and (2) cybersecurity incident and event categorization of connected vehicles. The key audiences for this project are state departments of transportation and U.S. public transportation providers in urbanized areas of all sizes, rural areas, and Tribal communities.
RESEARCH PLAN
The study will be organized into distinct volumes, each with associated tasks designed to address and fulfill the research goals. Volume 1 shall focus on assessing the vulnerability of transit agencies to cyberattacks. Volume 2 shall focus on how transit agencies respond to cyberattacks. The volumes and tasks are as follows.
Volume 1: At a minimum, this research shall:
- Conduct a literature scan of research associated with cyber vulnerability and attack vectors in connected vehicle technology (CVT).
- Identify and report the reliance on CVT in making operational decisions.
- Classify and document past cyberattacks targeting CVT.
- Identify and report known cyber vulnerabilities and attack vectors on CVT.
- Identify and report possible mitigations and improvements for cyber vulnerabilities and attack vectors in CVT.
Volume 2: At a minimum, this research shall:
- Conduct a literature scan of research associated with cyber IR.
- Create a draft of the practices for transit IR utilizing the best practices and requirements in other critical infrastructure sectors.
- Conduct a survey of transit agencies to identify how current IR practices compare to the draft practices with a focus on:
  - Maturity of IR processes, policies, and plans in the transit industry;
  - Criteria used by transit agencies to distinguish a cyber event from a cyber incident;
  - Frequency of reporting cyber incidents by transit agencies to an external agency; and
  - Use of standard IR metrics and reporting standards for transit organizations.
- Investigate and report the connections between event/incident categorization and IR process maturity.
- Using the results of the survey, update draft practices for transit IR for public distribution.
Useful TRB resources for this project include:
The research plan will describe appropriate deliverables that include, but are not limited to, the following (which also represent key project milestones):
- Amplified research plan that responds to comments provided by the project panel at the contractor selection meeting. At a minimum, the research plan should describe the contractor’s approach to achieving the objective in a two-volume report.
- Monthly and quarterly progress reports detailing activities by task, upcoming task activities and issue(s).
- Interim report that includes the analyses and results of completed tasks, an update of the remaining tasks, and a detailed outline of the final research product(s).
- Panel meeting after submission of the interim report. The panel meeting will take place in Washington, DC, after the expenditure of approximately 40 to 50 percent of the project budget.
- Final deliverables that fully address this project’s objective.
- Technical memorandum titled “Implementation of Research Findings and Products”.
- Slide deck that presents the research findings and conclusions that can be used in webinars.
STATUS: Proposals have been received in response to the RFP. The project panel will meet to select a contractor to perform the work.