Below is a summary of noteworthy practices identified by agencies responding to a questionnaire and existing reference literature and correlating them to the CIS Top 20 controls. Following a scan of several TMC operators across the country of varying sizes, the following cybersecurity practices currently are being employed by one or more organizations:

1. Using active and/or passive scanning tools to identify all devices attached to the network on a routine basis (relevant to CIS Control 1). Manually documenting devices on the network can quickly become outdated. Using industry available tools to expedite the initial process, as well as allowing for continued monitoring and updates is worthwhile in a dynamic environment such as TMCs.

2. Vendor-supported software residing on a demilitarized zone (DMZ) section of the network, so that remote support by Secure Sockets Layer (SSL) Virtual Private Network (VPN) access is only granted to the DMZ and not to the enterprise/business network (relevant to CIS Control 2). Some applications often require communications with field devices and other subsystems, but generally do not require direct access to the enterprise environment. Restricting access by remote vendors limits risk exposure and the potential attack surface on the most critical infrastructure/systems.

3. Using Access Control Lists (ACL) or equivalent network access techniques to limit outside access to specific machines or services, so that access is granted only to the devices/networks that need them (relevant to CIS Control 14), or essentially managing the users/devices with a “need to know.” This also is a relevant method for managing insider vulnerabilities, particularly for limiting the range of systems available through remote access configurations.

4. Requiring background checks for personnel that require access to control rooms, particularly with direct administrative/privileged access to software, systems, and data centers (relevant to CIS Control 14). When coupled with enforcing detailed logging of changes to configurations and data, this practice provides a solid basis for data protection and assistance for managing insider vulnerabilities (relevant to CIS Control 13).

5. Leveraging existing security policies governing the entire agency, not just the TMC. In the past, many TMCs operated as an island from all other enterprise network platforms. However, today it is critical to be interconnected with the multitude of data systems internal and external to an agency. Some larger TMCs are nearly self-autonomous from a policy-making standpoint, but a number of those surveyed indicated some level of existing IT policy governing the entire agency, not just the TMC. This is an organizational arrangement that broadly relates to CIS Controls 17 through 20. TMCs may be independently in control of their respective subsystems but should recognize the importance of embracing/incorporating existing policy frameworks for the broader organization while addressing the gaps that are specific/unique to the TMC environment.

6. Updating cybersecurity policies at least once a year to fix anomalies in the procedures based on current trends (relevant to CIS Control 17 and 19). Policies should be evaluated annually or when an incident occurs and should be reviewed against updates to NIST guidelines and relevant policies that the agency is using. During these timeframes, agencies also should assess their achievements with respect to all CIS Controls identified in their respective Risk Management Plan.