Transportation's Road to Zero Trust
The grouping of concepts and ideas in cybersecurity known collectively as Zero Trust received an important endorsement in May 2021, when the White House issued its Executive Order 14028, mandating among other things that "the Federal Government must... advance toward Zero Trust Architecture". Hundreds of representatives from government agencies and industry convened on February 23 at the Zero Trust Summit in Washington to discuss the state of government progress toward this mandate, lessons learned and best practices developed along the way, and challenges and opportunities likely to arise in the near future. Transportation agencies at all levels of government and transportation firms in the private sector can all benefit from the insights shared by Summit participants.
Zero Trust is an attitude; Zero Trust adoption is a process
The fundamental assumption of the Zero Trust mindset is that any request for data or services may come from a compromised user, device or network segment, even when it originates inside the organization's traditional security perimeter: location on the network confers no trust. Architectural implications of this assumption include:
- Secure and continuous authentication. Instead of authenticating users once at the point of network access, Zero Trust requires that identity be re-verified as the user requests privileged resources, so that each access decision is made per session or per request rather than inherited from an earlier login. Multi-factor authentication strengthens the initial login, and low-friction factors such as hardware tokens or smart cards make frequent re-authentication practical rather than burdensome.
- Device security. Access to privileged resources requires confirmation of both the identity and the posture (management status, patch level, encryption, configuration) of the accessing device, checked against an inventory of permitted devices that the organization maintains.
- Granular access to resources on the "least-privilege" principle. Each account's access to data and applications is limited to the minimum required for the user to do their job. The same principle applies to service accounts that perform software updates and other automated maintenance, which are often granted far broader rights than they need.
- Logging and real-time analytics. Access requests across all applications and data stores are logged and correlated, and suspicious patterns of requests are flagged for action.
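As an added illustration (not code from the article, and not from any system it names), the following Python sketch shows how these four implications combine in a single policy decision point: every request is checked against a device inventory and posture rules, a least-privilege role table and an MFA freshness window, and every decision is logged so that repeated denials can be flagged for review. All device IDs, roles, thresholds and sample requests are constructed assumptions.

```python
"""
Toy Zero Trust policy engine.  Added example, not code from the article or
from any agency system it mentions; every identifier, threshold and sample
record below is a constructed assumption.

Each request is decided on its own merits: device identity and posture from an
inventory, least-privilege role permissions, MFA freshness for privileged
actions, and a decision log from which repeated denials are flagged.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

REAUTH_WINDOW_SECONDS = 15 * 60   # privileged actions need MFA within the last 15 min (assumption)
DENIAL_WINDOW_SECONDS = 5 * 60    # look-back window for the denial alert (assumption)
DENIAL_ALERT_THRESHOLD = 3        # denials in that window before a user is flagged (assumption)

PRIVILEGED_ACTIONS = {"write", "delete"}

# Device inventory (constructed): only known, user-bound, compliant devices may reach resources.
DEVICE_INVENTORY = {
    "GFE-1001": {"owner": "alice", "managed": True, "disk_encrypted": True, "patched": True},
    "GFE-1002": {"owner": "bob", "managed": True, "disk_encrypted": True, "patched": False},
    "SVC-01": {"owner": "update-svc", "managed": True, "disk_encrypted": True, "patched": True},
}

# Least privilege (constructed): a role maps to the minimum (resource, action) pairs it needs.
# The update service account gets read-only access to the one resource it pulls from.
ROLE_PERMISSIONS = {
    "controller_trainee": {("training_scenarios", "read")},
    "instructor": {("training_scenarios", "read"), ("training_scenarios", "write"),
                   ("scores", "read")},
    "update_service": {("firmware_images", "read")},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device_id: str
    resource: str
    action: str
    last_mfa: int   # epoch seconds of the user's last completed MFA
    now: int        # epoch seconds at decision time


@dataclass
class PolicyEngine:
    log: list = field(default_factory=list)
    _denials: dict = field(default_factory=lambda: defaultdict(deque))

    def decide(self, req):
        """Return (allowed, reason). Every decision is logged; denials are counted per user."""
        reason = self._evaluate(req)
        allowed = reason is None
        self.log.append({"user": req.user, "device": req.device_id, "resource": req.resource,
                         "action": req.action, "allowed": allowed, "reason": reason or "ok",
                         "time": req.now})
        if not allowed:
            q = self._denials[req.user]
            q.append(req.now)
            while q and req.now - q[0] > DENIAL_WINDOW_SECONDS:   # drop denials outside the window
                q.popleft()
        return allowed, reason or "ok"

    def _evaluate(self, req):
        """Checks run in order; the first failure becomes the denial reason."""
        device = DEVICE_INVENTORY.get(req.device_id)
        if device is None:
            return "device not in inventory"
        if device["owner"] != req.user:
            return "device not registered to this user"
        if not (device["managed"] and device["disk_encrypted"] and device["patched"]):
            return "device posture non-compliant"
        if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
            return "action not permitted for role"
        if req.action in PRIVILEGED_ACTIONS and req.now - req.last_mfa > REAUTH_WINDOW_SECONDS:
            return "re-authentication required"
        return None

    def flagged_users(self):
        """Users whose denials inside the look-back window reached the alert threshold."""
        return sorted(u for u, q in self._denials.items() if len(q) >= DENIAL_ALERT_THRESHOLD)


def run_demo():
    """Constructed sample traffic; returns (decisions, flagged users, full log)."""
    t = 1_700_000_000
    engine = PolicyEngine()
    requests = [
        Request("alice", "instructor", "GFE-1001", "training_scenarios", "read", t - 7200, t),
        Request("alice", "instructor", "GFE-1001", "training_scenarios", "write", t - 7200, t + 10),
        Request("alice", "instructor", "GFE-1001", "training_scenarios", "write", t + 20, t + 30),
        Request("bob", "controller_trainee", "GFE-1002", "training_scenarios", "read", t, t + 40),
        Request("bob", "controller_trainee", "GFE-1001", "training_scenarios", "read", t, t + 50),
        Request("bob", "controller_trainee", "BYOD-7", "training_scenarios", "read", t, t + 60),
        Request("update-svc", "update_service", "SVC-01", "firmware_images", "write", t, t + 70),
        Request("update-svc", "update_service", "SVC-01", "firmware_images", "read", t, t + 80),
    ]
    decisions = [engine.decide(r) for r in requests]
    return decisions, engine.flagged_users(), engine.log


if __name__ == "__main__":
    decisions, flagged, log = run_demo()
    for entry in log:
        verdict = "ALLOW" if entry["allowed"] else "DENY "
        print(f"{entry['user']:>10} {entry['device']:>9} {entry['action']:>5} "
              f"{entry['resource']:<18} {verdict} {entry['reason']}")
    print("flagged for review:", flagged)
```

Note the order of checks: the device is evaluated before the role, so an otherwise authorised user on an unmanaged or unpatched device is denied, and a stale MFA only matters for the privileged write, so routine reads are not burdened with re-authentication. Bob's three denials within the window surface him for review even though each request on its own looked like ordinary trainee traffic.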
From the scope of this list it should be apparent that Zero Trust is a series of problems with a continuum of solutions, and no organization will be able to adopt it overnight. Robert Holstein (Zero Trust Architect, Bureau of Labor Statistics) cautioned organizations against making knee-jerk reactions to the Zero Trust mandate; instead, adoption of ZT practices should be prioritized according to risk and tied to specific success criteria. Randy Resnick (Department of Defense) and Renata Spinks (U.S. Marine Corps) both recommended incremental adoption: being able to demonstrate visible gains in a short time frame is the best way to get organizational buy-in and avoid inertia.
Zero Trust in Transportation
Resnick and Jeff King (Department of the Treasury) highlighted Zero Trust adoption as an opportunity both to leverage existing assets and to bundle other improvements, such as migrating data to the cloud. This principle applies especially to the transportation sector: for instance, any organization operating Internet of Things (IoT) devices such as traffic sensors, GPS locators, fare collection points, ticket scanners, or autonomous vehicles already has experience with remotely verifying device identities and managing a device inventory, which is exactly what Zero Trust demands of every endpoint. In the other direction, Zero Trust principles will be critical in securing firmware update pipelines, where a compromised update server, signing key or service account can reach every device in a fleet at once. Perhaps most importantly, Zero Trust Architecture will be needed to safeguard the ever-increasing amounts of data in the cloud that will underlie the next generation of advances in intelligent transportation.
In Volanno’s projects, we work with our clients to integrate cybersecurity throughout the development process. For example, the Federal Aviation Administration's enterprise authentication system uses multi-factor authentication (MFA) and incorporates government-furnished equipment (GFE); our air traffic controller training system, which is being deployed to 17,000 end users in over 300 facilities, leverages this authentication system, ensures least-privilege access to application data using a customized system of roles, and audits crucial data transactions. Contact our Technical Services Steering Committee at tssc@volanno.com to consult with us on ZT best practices.