State Departments of Transportation (DOTs) Realized Tangible Benefits from Tactical Cybersecurity Measures

Penetration testing, adversarial simulations, employee and contractor training, and secure procurement practices demonstrated cybersecurity benefits at State and Local DOTs.

Date Posted
09/26/2025
Identifier
2025-B01996

Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs, Volume 1: Project Summary Report

Summary Information

State and local DOTs nationwide manage increasingly complex information technology (IT) and operational technology (OT) systems that control traffic signals, roadway sensors, and communications infrastructure. A recent National Cooperative Highway Research Program (NCHRP) report examined the cybersecurity challenges these agencies face. The report assessed vulnerabilities and identified strategies for strengthening cyber resilience across transportation systems. One effective approach has been moving beyond high-level frameworks to adopt tactical measures such as penetration testing, adversarial simulations, and red-team exercises to uncover weaknesses before they are exploited. Other states reported benefits from cybersecurity training, which reduced successful phishing attempts, and from procurement processes that prioritize pre-hardened devices, lowering costs and improving long-term system security.

METHODOLOGY

The National Cooperative Highway Research Program report compiled findings from interviews with State DOT executives, cybersecurity personnel, and industry experts, as well as surveys and literature reviews. Detailed methodology, including sampling and analysis procedures, is provided in a separate section of the report.

FINDINGS

Agencies have moved beyond high-level frameworks to adopt tactical measures that deliver tangible operational and financial benefits. Some of the benefits from tactical cybersecurity measures at State DOTs are summarized in this section:

  • California: Caltrans has strengthened operational and IT/OT security through data governance, endpoint and network protection, annual penetration testing (including OT), a structured NIST-based cybersecurity framework, mandatory employee and contractor training, and lifecycle funding for OT assets, collectively reducing risk and improving system resilience.
  • Florida: Florida DOT has improved IT security through state-mandated annual employee training, customized NIST-based cybersecurity standards, periodic penetration testing and risk assessments, and implementation of vulnerability management tools, collectively enhancing IT system resilience and supporting safer operations, while OT security initiatives are gradually being incorporated.
  • Illinois: Illinois DOT has strengthened IT and OT security through state-mandated annual cybersecurity training for employees and contractors, centralized audits and penetration testing via the Department of Innovative Technology (DOIT), compliance requirements for vendors, vulnerability monitoring, and collaboration with partner agencies, collectively reducing cyber risk and improving overall system resilience.
  • New Mexico: New Mexico DOT has improved IT and OT security through deployment of antivirus software, disabling stale Active Directory accounts, annual and as-needed penetration testing, biweekly vulnerability scans, and employee cybersecurity training including phishing awareness. Enhanced communication with executive leadership has increased support for cybersecurity initiatives.
  • North Carolina: North Carolina DOT has strengthened cybersecurity through mandatory employee and contractor training, implementation of NIST-based state policies, continuous monitoring and auditing of devices, participation in information sharing with other states, and risk-informed initiatives following recent cyber incidents, collectively improving IT/OT resilience and overall cyber readiness.
  • Tennessee: Contractor training and access controls reduced cybersecurity risk, while annual adversarial simulations allowed vulnerabilities to be patched before exploitation. Internal penetration tests conducted in 2015 led to major network upgrades, and submission of a cybersecurity incident response plan allowed Tennessee DOT to obtain insurance discounts, lowering premiums.
  • Texas: Texas DOT has strengthened cybersecurity through annual employee training, implementation of NIST-based risk management frameworks, upgraded firewalls and multi-factor authentication following the May 2020 ransomware attack, hardware verification processes with districts, and quantified risk scoring, collectively improving IT network security, device management, and organizational cyber resilience.
  • Virginia: Virginia DOT has strengthened cybersecurity through third-party penetration testing, extensive IT and OT system upgrades, continuous monitoring and vulnerability management, mandatory cybersecurity training and certification for employees and contractors, annual and periodic audits, and a secure, approved product procurement list, collectively improving system resilience, operational security, and readiness against cyber threats.
  • Washington: Washington DOT has strengthened cybersecurity through OT network penetration testing, mandated state network audits every two years by third parties, assigning unique IP addresses for OT device monitoring, integration of IT and OT cybersecurity standards, and risk reporting to senior management, collectively improving oversight, operational security, and proactive vulnerability management.

These tactical measures, such as penetration testing, adversarial simulations, red-team exercises, workforce training, and secure procurement, have the potential to strengthen system resilience, mitigate risks, and lower costs across multiple states.

Cybersecurity Issues and Protection Strategies for State Transportation Agency CEOs, Volume 1: Project Summary Report
Source Publication Date
01/01/2023
Author
Ramon, Marisa C.; Austin T. Dodson; John P. Wolff; Joah R. Sapphire
Publisher
Prepared by Southwest Research Institute for The National Academies Press