U.S. Department of Transportation Publishes Cybersecurity and Intelligent Transportation Systems: A Best Practice Guide
The U.S. Department of Transportation (U.S. DOT) has published a report titled Cybersecurity and Intelligent Transportation Systems: A Best Practice Guide. The report presents best practices in intelligent transportation systems (ITS) cybersecurity -- specifically in planning and conducting a penetration test. The report details the methodology for scoping a penetration test and covers requirements, success criteria, test type, management, and test readiness. It also includes a template test plan to start local and state departments of transportation (DOTs) in their own cybersecurity plans and penetration tests.
The purpose of Cybersecurity and ITS is to facilitate DOT organization efforts to use ITS penetration testing for successful reduction of risks with use and operation of an ITS. While DOT ITS deployments vary in size and complexity, the ITS penetration test planning and execution involves the same structure and activities tailored to the objectives, scope, and execution constraints of each locality penetration test engagement. DOT management can structure the security management program including ITS to use periodic penetration test engagements with continuous monitoring of risk reduction to achieve ground transportation risk reduction for the DOT localities.
Penetration testing can identify vulnerabilities and impacts with ITS systems and technology. Identifying mitigations to successful ITS penetrations enable the DOT to direct actions appropriately. Resilient ITS are designed, installed, operated, and maintained to survive a security incident while sustaining critical functions of a DOT. With systematic planning and execution, ITS penetration testing can uncover exploitable vulnerabilities in the ITS infrastructure and operations and provide estimates of risk impacts from unmitigated weaknesses.
Download the full report for more information.