November 2022 - 19

* There are things she doesn't know that she doesn't know

Like cybersecurity in transit agencies, we celebrate the first, I try to help her with the second, we talk about the third, and the simple awareness of the last is a win as she works to discover the unknowns.
In much the same way that my daughter faces an ever-more-challenging world, APTA is concerned with the need for better cybersecurity preparedness in its member transit agencies, large and small.

To help alleviate the problem, one of APTA's many standards working groups, the Control and Communications Security Working Group (CCSWG), has been writing recommended practices and white papers for the industry for the past 14 years. The CCSWG differentiates Control and Communications Operational Technology from IT Enterprise Technology. Cyberattacks can cause great harm in ICS areas.

Most recently, in response to requests from APTA's membership, the Transportation Security Administration (TSA) and others, the working group has developed an Operational Technology - Cybersecurity Maturity Framework (OT-CMF) overview for launching and maturing an OT program.

This framework enables and empowers transit agencies to plan, implement, measure, monitor, and mature their OT cybersecurity program, so they can respond to the evolving cyber threats undermining critical service delivery and safety. Transit agencies will be able to implement the maturity framework to use what "they know they know" to work toward understanding the threats presented from the unknown and always with the goal of maturing and reaching a high state of prepared
The OT-CMF draws from existing NIST standards like NIST 800-53 (Security and Privacy Controls for Information Systems and Organizations), and its overlay, NIST 800-82 (Guide to Industrial Control Systems (ICS) Security), as well as NERC-CIP (National Electrical Reliability Council - Critical Infrastructure Protection) and various IEEE standards.

[Figure: diagram of the transit OT cybersecurity landscape. Labels: Physical security; Transit controls and communications; Logical/administrative security; Existing standards and practices (NERC/CIP, NIST, IEEE and others); Transit agencies; Transit enterprise; APTA standards working groups (DHS, TSA, Volpe, etc.); Recruitment and expertise. Caption: TRANSIT AGENCIES must ensure that their cybersecurity plans address both the traditional information technology (IT) systems and the operational technology (OT) or industrial control systems (ICS). Source: APTA Control and Communications Security Working Group]
At this point, there is a need to differentiate the term requirements from controls. Whereas requirements are obligatory, controls are selected according to the organization. NIST 800-53 describes controls as:

"Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders. Controls are selected and implemented by the organization in order to satisfy the system requirements."
The CCSWG distilled the 965 controls in NIST 800-53 and 800-82 into 134 controls for the Cybersecurity Maturity Framework. Each control is numbered according to its topic.

Each agency is different in size, talent and financial resourcing, so the OT-CMF attempts to help organizations move past the "one-size-fits-all" approach to security. Within these controls lies the recipe for maturing individual transit agencies.

With careful, thoughtful work to build an agency-specific OT cybersecurity program, transit agencies can move their organizations up through the maturity levels. The goal is better identification of incidents, detection of anomalies, protection of systems, faster response and an organized approach to recovery.
NOVEMBER 2022 | Mass Transit | 19
