Connect with us

Hi, what are you looking for?


Management & Strategy

ICS-CERT Roadmap Outlines Security Strategy for Transportation Sector

New Guidance Provides a Starting Point and Template for Action as Industry and Government Work Together to Secure Industrial Control Systems in the Transportation Sector

New Guidance Provides a Starting Point and Template for Action as Industry and Government Work Together to Secure Industrial Control Systems in the Transportation Sector

The recently released “Roadmap to Secure Control Systems in the Transportation Sector” describes a plan for voluntarily improving industrial control systems cybersecurity across all transportation modes, including aviation, highway, maritime, pipeline, and surface transportation, the authors wrote.

The Roadmap, released by the U.S. Department of Homeland Security’s National Cybersecurity Division, Control Systems Security Program, highlights major concerns and offers recommendations from transportation industry experts in government and in private sector, according to the document.

Cybersecurity for Transportation IndustrsyThe Transportation Roadmap offers a common set of cybersecurity goals and objectives with associated metrics and milestones for measuring performance and improvement over a ten year period, the authors wrote.

Prepared by The Roadmap to Secure Control Systems in the Transportation Sector Working Group, the recommendations outlined in the roadmap are not intended to be a “one size fits all” plan, and the decision to follow the plan is strictly voluntary.

“Implementation of the information presented in this Roadmap is voluntary, and each organization has the flexibility to review, evaluate, and apply the ideas and concepts presented herein within the context of its overall cybersecurity program, policies, and procedures,” the working group wrote.

There are many areas in which the transportation sector relies on industrial control systems. The working group identified several examples in the document.

Within the transportation sector, supervisory control and data acquisition systems are used in distribution systems such as oil and natural gas pipelines and in railway transportation systems. SCADA systems are also used to control all operational aspects of ship-to-shore and rail-mounted gantry cranes at marine ports and terminals, remotely open and close valves and breakers, monitor local environments for alarm conditions, and collect data from sensors used in automated train routings.

Advertisement. Scroll to continue reading.

Distributed control systems are used in central traffic management systems. Programmable logic controllers control operational activities associated with airport baggage systems, heating, ventilation and air conditioning systems, access gates, and cranes used to load and unload cargo. General purpose controllers are computers that control and meter vehicular flow in freeways and other major road systems.

The 56-page document lists near- (zero to two years), mid- (two to five years), and long-term (five to ten years) milestones and objectives over a ten year period. There are four major goals, to build a “culture of cybersecurity,” assess and monitor risk, develop and implement risk reduction and mitigation measures, and manage incidents. The roadmap listed specific objectives for each of the goals.

Near-term objectives for the culture goal include developing an ICS cybersecurity governance model and a cybersecurity awareness training program. Mid-term objectives include developing security assessment capabilities for new and legacy systems and establishing a way for operations, security staff, and ICS engineers to collaborate. The long-term objectives focuses on establishing automated processes to secure ICS and incorporating cybersecurity elements into all ICS-related business and budget decisions.

Industrial Control Systems Security Strategy

Near-term objectives for assessing risk include identifying risk management framework and standards, identifying risk management roles and responsibilities, and developing a risk assessment plan. Mid-term objectives include developing and implementing a risk management model and strategy, assessing real-time security assessment capabilities, and implementing a cyber-risk management training program. Long-term objectives focus on establishing a continuous and automated risk monitoring programs and regularly measuring risk management performance.

Near term objectives for mitigation measures included developing a template protocol for responding to cyber-incidents and establishing an information sharing mechanism between owners, operators and vendors. Mid-term objectives focused on securing interfaces between ICS and other systems as well as reducing time required to deploy patches. Long-term objectives highlighted specialized cybersecurity training and self-defending technologies built-in to the ICS infrastructure.

Finally, near-term objectives for incident management recommended developing procedures for what to do in case of an incident and deploying sensors to detect and report abnormal activity. Mid-term objectives suggested organizations research new effective detection and response tools and periodically update business continuity plans to reflect changes in the environment. Long-term objectives encouraged organizations to use automated self-configuring ICS and implement real-time detection and response tools.

In recent years, roadmaps for other sectors, including energy, water, and chemical, have been developed to outline how to secure industrial control systems in those segments. A cross-sector roadmap, which addresses cybersecurity issues for ICSs owned and operated by agencies and industries part of the nation’s critical infrastructure and key resources, was finalized in 2011.

The Transportation Roadmap contains many actionable items, but “it is only useful” so long as organizations “dedicate the financial resources, intellectual capability, commitment, and leadership necessary for translating these goals, objectives, and metrics and milestones” into their respective environments, the working group wrote.

The full 51-page document is available here from the DHS.

Related Reading: A New Cyber Security Model for SCADA

Related Reading: Addressing SCADA Endpoint Protection Concerns

Related Reading:  Are Industrial Control Systems Secure?

Related Reading: Making the Smart Grid Smarter than Cyber Attackers

Related Reading:  The Increasing Importance of Securing The Smart Grid

Related Reading: Stuxnet-Are Grid Providers Prepared for Future Assaults?

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.