Transportation Agencies – Cyberthreats: Is NIST CSF the Right Solution?

Public transportation is deeply intertwined in American society. The operational reliability of these systems is crucial. Transportation agencies are advancing their use of the Internet of Things (IoT) to perform many critical business processes such as detecting traffic flow, fare collection, and state-of-good-repair logging. As a result, this new “attack vector” has increased the cyberthreat and effectiveness of cybercrime due to the lack of a standardized (or “regulated”) industry cybersecurity compliance program.

In 2020, 5% of cyberattacks worldwide targeted the transportation industry. Of those, 25% of attacks involved a malicious insider or misconfiguration. In July 2020, NetWalker, a notorious ransomware group, attacked a regional transportation agency in Texas. The criminals gained access to the agency’s sensitive data, threatening to encrypt and share the information publicly on the web.

Attacks like this are frequent enough that it is only a matter of time before the next target is hit. How can we address some of the basics of cyberhygiene to reduce the impact and damages of a cyberattack? Let’s look at one option for using a standardized cybersecurity program: the National Institute of Standards and Technology – Cybersecurity Framework (NIST CSF). Such a cybersecurity framework is crucial and ideal for the transportation industry’s operational and economic survival.

In 2013, President Obama commissioned NIST to develop the CSF to reduce risk to critical infrastructure while providing a holistic approach to cybersecurity that addresses the people, processes, and technology aspects of a transportation agency. NIST CSF is flexible, repeatable, cost-effective, and can be implemented by small and large entities. It can operate as a foundation for a new cybersecurity program and/or improve a preexisting information protection program. NIST CSF can be applied to the IT/business side of the house as easily and effectively as integration within the IT/OT side of the house. This gives NIST CSF the edge over several other NIST frameworks that cannot apply to many business operations.

The primary focus of this scalable framework is on information technology, industrial control systems, cyberphysical systems, connected devices, and the IoT. There are 108 security controls used. A security control is a safeguard for a cyberasset designed to protect the confidentiality of data. NIST CSF allows for SCADA-specific controls.

NIST CSF is used by the public transportation sector to address risk from cyberthreats, and to better identify, detect, and respond to cyberattacks. Some bad actors attack for financial gain, but others seek purely to disrupt. This framework identifies cybersecurity control gaps within your organization by using the Risk-Probability-Impact equation to assess threats’ potential safety and financial impacts. Some realistic risk remediation or mitigation efforts may include adjusting risk tolerance, performing cost/benefit analyses, determining safety and information security improvements, and ensuring appropriate resource availability. Agencies often have difficulty adding full-time employees to fill the roles; a third party might be needed to fill in the gaps.

In fact, identifying gaps is an important step in determining which areas are most critically in need of bolstering against attacks. But how much time does it take to plan for and implement the framework? It all depends on what processes, documentation, and controls are already in place, if any. Examine where you are in the maturity model. If you are low on the maturity scale, this process will take about three years because security controls must be implemented first. The more you can leverage existing cyber and physical controls already in place, the less time you will need to spend on a self-audit.

Facing a cyberattack is not a matter of if but when. Protections are necessary to defend against the inevitable attempts from bad actors. Having a solution in place like NIST CSF can be the difference between surviving a cyberevent or facing an astronomical collapse.

For a deeper look at NIST CSF and other frameworks, check out our free on-demand webcast for one CEU or PDH credit.