The cyber threat to critical infrastructure (communication, transportation, energy, finance, and vital services) receives a sizeable volume of attention from researchers and policy analysts. This Cyber Brief looks at transportation security in isolation beginning with President Clinton’s Executive Order 13010 and continuing through recent Federal reports on emerging challenges and technologies.
This Executive Order signed by President Clinton established the President's Commission on Critical Infrastructure Protection. Threats to critical infrastructure are categorized as either physical or cyber, and the Commission is directed to pursue public-private cooperation to protect infrastructure owned and operated by the private sector.
This presidential commission report focused on the protection of critical infrastructures - including energy, banking and finance, transportation, and telecommunications - in the context of the "rapid proliferation and integration of telecommunications and computer systems" which "have connected infrastructures to one another in a complex network of interdependence." Its two parts focus on "the case for action" and "a strategy for action."
This report concerned the Federal Aviation Administration's Air Traffic Control computer systems that provide information to air traffic controllers and flight crews. The GAO found that the "FAA is ineffective in all critical areas included in our computer security review."
The introduction to this directive notes that the military and economy of the United States are "increasingly reliant upon certain critical infrastructures and upon cyber-based information systems." The remainder of the 18-page directive specifies the President's intent "to assure the continuity and validity of critical infrastructures" in the face of physical or cyber threats, states a national goal, delineates a public-private partnership to reduce vulnerability, states guidelines, specifies structure and organization, discusses protection of Federal government critical infrastructures, orders a NSC subgroup to produce a schedule for the completion of a variety of tasks, and directs that an annual implementation report be produced.
These FBI responses to questions for the record from various Senators concern the activities and capabilities of the (now-disestablished) FBI National Infrastructure Protection Center, interagency cooperation, specific cyber cases, and legal issues.
Michael A. Vatis, Director, National Infrastructure Protection Center, FBI, Statement for the Record before the Senate Armed Services Committee Subcommittee on Emerging Threats and Capabilities, March 1, 2000. Unclassified.
This testimony from the director of the FBI unit established in 1998 by President Clinton's Presidential Decision Directive 63 (subsequently transferred to the Department of Homeland Security, and later disestablished) provides a year 2000 overview of the organization, a description of the source of cyber threats, an account of interagency cooperation, a review of several incidents and investigations, and the challenges in combating computer intrusions.
This report, produced at Congressional request, evaluates the progress of the FBI's National Infrastructure Protection Center - which was established as a result of Presidential Decision Directive 63. It examines three areas of NIPC operations, including capabilities for responding to cyber attacks.
This report, written in response to Presidential Decision Directive 63, identifies vulnerabilities within the information and communications sector and examines industry and government roles in securing the sector.
This report describes the purpose and objectives of the first CYBER STORM exercise (which tested the response to simulated cyber attacks on the energy, information technology, transportation, and telecommunications sectors), its key achievements, and its major findings.
Among the topics discussed in this study are the nature and psychology of insider threat perpetrators, the consequences of the escalation of technology and network risks combined with growing globalization of supply chains and service providers, and obstacles to addressing the insider threat. In addition, it discusses employee screening and contains recommendations with regard to information sharing, technology and several additional topics.
The CYBER STORM II exercise simulated cyber attacks on critical infrastructure in the information technology, communications, chemical, and transportation sector. The report consolidates findings, observations, and inputs from participants - which included U.S. and foreign participating organizations from the United Kingdom, Australia, Canada, and New Zealand.
This document identifies the three key elements of the Coast Guard cyber strategy - defending cyberspace, enabling Coast Guard operations (including intelligence and law enforcement operations), and protecting infrastructure (including critical maritime infrastructure and the Maritime Transportation System).
Among the topics addressed in this report are the available information about key cybersecurity vulnerabilities in modern vehicles that could impact passenger safety, key practices and technologies that might mitigate cybersecurity vulnerabilities and the impact of attacks, the views of selected stakeholders on challenges, and Department of Transportation efforts to address vehicle cybersecurity.
Office of Inspector General, Department of Transportation, FI-2017-001, DOT Cybersecurity Incident Handling and Reporting is Ineffective and Incomplete, October 13, 2016. Unclassified/For Official Use Only.
This audit details the results of an Inspector General's investigation of the Transportation Department's procedures for (1) monitoring, detecting, and eradicating cyber incidents, and (2) reporting incidents and their resolution to appropriate authorities.
Office of Inspector General, Department of Homeland Security, OIG-17-14, Summary Report on Audits of Security Controls for TSA Information Technology Systems at Airports (Redacted), December 30, 2016. Unclassified.
This report summarizes previous reports concerning deficiencies with regard to security controls for the Transport Security Administration's information technology systems at airports and analyzes the effects of TSA efforts to improve security at the sites.
This assessment examines future safety and security concerns related to autonomous vehicles to include cyber vulnerabilities in autonomous control systems.
This review of challenges includes the need to improve the cybersecurity posture of the DOT to reflect evolving threats to transportation and infrastructure.