
ICS-CERT Roadmap Outlines Security Strategy for Transportation Sector

New Guidance Provides a Starting Point and Template for Action as Industry and Government Work Together to Secure Industrial Control Systems in the Transportation Sector

The recently released “Roadmap to Secure Control Systems in the Transportation Sector” describes a plan for voluntarily improving industrial control systems cybersecurity across all transportation modes, including aviation, highway, maritime, pipeline, and surface transportation, the authors wrote.

The Roadmap, released by the U.S. Department of Homeland Security’s National Cybersecurity Division, Control Systems Security Program, highlights major concerns and offers recommendations from transportation industry experts in government and in the private sector, according to the document.

The Transportation Roadmap offers a common set of cybersecurity goals and objectives with associated metrics and milestones for measuring performance and improvement over a ten-year period, the authors wrote.

The document was prepared by the Roadmap to Secure Control Systems in the Transportation Sector Working Group. The recommendations it outlines are not intended to be a "one size fits all" plan, and the decision to follow them is strictly voluntary.

"Implementation of the information presented in this Roadmap is voluntary, and each organization has the flexibility to review, evaluate, and apply the ideas and concepts presented herein within the context of its overall cybersecurity program, policies, and procedures," the working group wrote.

There are many areas in which the transportation sector relies on industrial control systems. The working group identified several examples in the document.

Within the transportation sector, supervisory control and data acquisition (SCADA) systems are used in distribution systems such as oil and natural gas pipelines and in railway transportation systems. SCADA systems are also used to control all operational aspects of ship-to-shore and rail-mounted gantry cranes at marine ports and terminals, to remotely open and close valves and breakers, to monitor local environments for alarm conditions, and to collect data from sensors used in automated train routing.

Distributed control systems are used in central traffic management systems. Programmable logic controllers run operational activities associated with airport baggage systems, heating, ventilation and air conditioning systems, access gates, and the cranes used to load and unload cargo. General purpose controllers are computers that control and meter vehicular flow on freeways and other major road systems.

The 56-page document lists near-term (zero to two years), mid-term (two to five years), and long-term (five to ten years) milestones and objectives. There are four major goals: build a "culture of cybersecurity," assess and monitor risk, develop and implement risk reduction and mitigation measures, and manage incidents. The roadmap lists specific objectives for each goal.

Near-term objectives for the culture goal include developing an ICS cybersecurity governance model and a cybersecurity awareness training program. Mid-term objectives include developing security assessment capabilities for new and legacy systems and establishing a way for operations staff, security staff, and ICS engineers to collaborate. The long-term objectives focus on establishing automated processes to secure ICS and incorporating cybersecurity elements into all ICS-related business and budget decisions.


Near-term objectives for assessing risk include identifying a risk management framework and standards, identifying risk management roles and responsibilities, and developing a risk assessment plan. Mid-term objectives include developing and implementing a risk management model and strategy, assessing real-time security assessment capabilities, and implementing a cyber-risk management training program. Long-term objectives focus on establishing a continuous, automated risk monitoring program and regularly measuring risk management performance.

Near-term objectives for mitigation measures include developing a template protocol for responding to cyber-incidents and establishing an information sharing mechanism between owners, operators, and vendors. Mid-term objectives focus on securing the interfaces between ICS and other systems and on reducing the time required to deploy patches. Long-term objectives highlight specialized cybersecurity training and self-defending technologies built into the ICS infrastructure.

Finally, near-term objectives for incident management recommend developing procedures for what to do in case of an incident and deploying sensors to detect and report abnormal activity. Mid-term objectives suggest that organizations research new, effective detection and response tools and periodically update business continuity plans to reflect changes in the environment. Long-term objectives encourage organizations to use automated, self-configuring ICS and to implement real-time detection and response tools.

In recent years, roadmaps for other sectors, including energy, water, and chemical, have been developed to outline how to secure industrial control systems in those segments. A cross-sector roadmap, which addresses cybersecurity issues for ICSs owned and operated by agencies and industries that are part of the nation's critical infrastructure and key resources, was finalized in 2011.

The Transportation Roadmap contains many actionable items, but "it is only useful" so long as organizations "dedicate the financial resources, intellectual capability, commitment, and leadership necessary for translating these goals, objectives, and metrics and milestones" into their respective environments, the working group wrote.

The full document is available from the DHS.


Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.