Promote Information Sharing Between Transportation Management Centers and Stakeholders Upon Receiving Cyber Incident Information for Better Incident Response and Management.
Joint Research Effort Reveals Lessons and Best Practices Dealing with Transportation Cybersecurity Incidents.


General USA Data, United States

Transportation Cybersecurity Incident Response and Management Framework


A 2017 Roadway Surface Transportation Cybersecurity Framework research effort, conducted cooperatively by the United States Department of Transportation (USDOT) Federal Highway Administration (FHWA) and the Institute of Transportation Engineers (ITE), identified gaps in information sharing about vulnerabilities and exploits among transportation stakeholders. These gaps included limited communication and delayed sharing of cybersecurity threat intelligence related to roadway transportation systems. FHWA sought to reduce the identified gaps by establishing processes to promote information sharing and by developing a framework for communication and information sharing with roadway transportation stakeholders.

This study examined the existing gaps discovered during the 2017 USDOT FHWA project. It presented a description of the problems, challenges, and opportunities identified by the stakeholders, along with the actions needed to promote a culture of transportation system cyber resilience and improved information sharing. The study developed proposed improvements by combining the findings on the current information exchange landscape with the minimum requirements for a solution. The proposed improvements included transportation-centric cybersecurity terminology, to aid in establishing its consistent usage, and a cybersecurity incident communication process to improve the reach and speed of information dissemination during a cybersecurity incident.

Lessons Learned

  • Facilitate culture changes for transportation system cyber resilience. This could be realized by incorporating new provisions addressing cyber resilience issues into the architecture and best practices for Intelligent Transportation Systems (ITS) projects.
  • Promote information sharing regarding cyber risks or vulnerabilities between stakeholders. This could be undertaken in various ways, including (i) putting an anonymous tip/information mechanism in place, (ii) providing a feedback mechanism for security researchers, (iii) identifying common criteria to describe the severity and criticality of cybersecurity information, (iv) making clear communication channels available for cybersecurity information flow between stakeholders, and (v) establishing a “challenge coin” system, where security researchers can receive recognition for their security discoveries.
  • Clearly define communication procedures and best practices when responding to cyber incidents. Agency-specific, consistent incident response plans are key for transportation operators to detect the spread and severity of fast-moving cyber storms and provide stakeholders with the necessary level of support.
  • Clarify existing funding rules, voluntary contracting and procurement language for any necessary organizational changes in the face of cybersecurity issues. This could make for a smooth operation, with the role of contractors and system integrators made clear when a cyber incident occurs and any necessary changes to their roles specifically addressed in contracting documents.
  • Develop strategies to establish consistent usage of cybersecurity terminology. To develop a common understanding between stakeholder organizations, the various terminologies in use can be consolidated, helping the transportation and cybersecurity communities understand conversations related to transportation cyber incident information sharing.
  • Develop/adapt cybersecurity incident communication protocols. It is imperative for authorities to ensure that traffic operations are maintained within their Traffic Management Centers (TMCs), as they serve as a key source of information regarding the exact details of the attack. Reporting those details accurately and rapidly is a key part of ensuring that the proper parties are brought in, both to combat the initial vulnerability and to ensure that other parties are alerted and can protect against it.
  • Conduct a cybersecurity incident exercise. With participation from municipalities and state DOTs, these exercises could reveal important details, such as the necessity of sharing cybersecurity incident information as soon as it is received, since other TMCs may be affected or are being targeted by the attacker.