Sector-Specific Adaptation of Intelligent Transportation Systems Cybersecurity Framework Profile Assisted Agencies in Managing Cybersecurity Risks and Enhancing the Resilience of Transportation Systems.
U.S. DOT Study Developed the ITS Cybersecurity Framework Profile to Help Transportation Agencies Meet Specific Cybersecurity Requirements of Intelligent Transportation Systems.
Nationwide, United States
Intelligent Transportation Systems (ITS) Cybersecurity Framework Profile
Summary Information
Cybersecurity is of increasing importance within Intelligent Transportation Systems (ITS), which are critical to national infrastructure due to their integration of information technology and operational technology. This project aimed to apply the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to the ITS ecosystem, developing a tailored ITS Cybersecurity Framework Profile (ITS Profile) to help state and local transportation agencies more effectively manage cybersecurity risks. The ITS Profile outlines 14 ITS-specific mission objectives and prioritizes relevant cybersecurity activities to help organizations and agencies protect the ITS ecosystem. It also provides guidance for stakeholders on applying the profile, including key considerations before adaptation and use of Informative References. Developed collaboratively by the U.S. DOT ITS Joint Program Office (ITS JPO), NIST, and other stakeholders over multiple workshops, the study is designed to be applicable across the entire ITS landscape in the United States.
METHODOLOGY
The study employed a stakeholder-driven framework development methodology, based on a series of virtual workshops conducted between September 2021 and October 2022 with stakeholders from traffic management, transit, and commercial vehicle and freight sectors. These workshops gathered input through structured activities such as brainstorming, mission objective formulation, and prioritization of cybersecurity categories using the NIST CSF. Following the workshops, the research team, led by the National Cybersecurity Center of Excellence (NCCoE), analyzed stakeholder feedback in conjunction with existing resources, such as the Architecture Reference for Cooperative and Intelligent Transportation (ARC-IT). This analysis informed the development of a unified set of mission objectives and the prioritization of relevant CSF subcategories. The process also included a gap analysis to compare current agency cybersecurity postures with target outcomes defined by the ITS Profile.
FINDINGS
- The ITS Profile enabled systematic identification of gaps between current and desired cybersecurity postures, aiding in prioritization and decision-making.
- By guiding agencies through the identification, protection, detection, response, and recovery phases, this sector-specific adaptation can assist agencies in managing cybersecurity risks and enhancing the overall resilience to cybersecurity threats in the ITS ecosystem.
- Practitioners implementing security controls can use the ITS Profile to fit their unique operating needs and risk tolerances and prioritize resources toward the cybersecurity activities most relevant and critical to their organization or program. The profile was also adaptable for desired future states of cybersecurity, allowing flexible planning and implementations.
