The Incident Management Center (IMC) was created as part of the overall enhancements in Cyber Security Governance, Defense-in-Depth and Continuous Monitoring defined for the US Department of Transportation (DOT), effectively combining both the Network Operations Center (NOC) and Security Operations Center (SOC) functions. The IMC Concept of Operations (CONOPS) was designed to ensure that security investments, ongoing remediation and continuous monitoring efforts are implemented and maintained in a compliant manner. The IMC provides a centralized IT service function for cyber security monitoring, performance analysis, fault isolation, maintenance coordination, intrusion detection and incident management, configuration management and system administration.

The Project

As a goal for the system creation, the Department of Transportation specified that the IMC should:

  • Increase communication efficiency between key infrastructure operations staff
  • Provide central support for infrastructure and situational awareness, enabling rapid identification of, response to, and mitigation of events
  • Ensure 24x7x365 monitoring of the infrastructure environment, focused on creating a comprehensive and correlated view of all servers, storage devices and network components within DOT
  • Provide near real-time reporting (continuous monitoring) on service events, allowing the support team to proactively manage and correct issues before service degradations or outages occur
  • Take immediate action to address cyber security concerns or issues
  • Provide resources to communicate about system availability issues and to respond to users regarding service concerns, scam emails, virus issues and appropriate-usage inquiries
  • Ensure continued efficiency in resolving security incidents with CSMC via the JAS portal (the new CSMC incident database; JAS was developed to replace the decommissioned Security Dashboard, and ITSS can view, edit and upload statuses in the system)

Further, the Department of Transportation needed a security governance structure organized to ensure that security investments, ongoing remediation and continuous monitoring efforts are implemented and maintained in a compliant manner. The governance structure established the following activities:

  • Change Management
  • Incident Handling
  • Patch Management
  • Establishment of Effective Structures and Standards
  • Prioritization of IT Cyber Security Investments (part of Portfolio Management Discipline)
  • Development and Implementation of Maturity and Performance Measures

The Solution

ActioNet determined that the best way to implement the system was to utilize existing known vulnerability data to prioritize, mitigate and report on vulnerabilities. In addition, ActioNet decided upon a continuous monitoring platform to ensure that 1) mitigation remains “in effect” and 2) new vulnerabilities are identified and mitigated in a timely manner by:

  • Prioritizing and mitigating vulnerabilities
  • Implementing a continuous compliance and monitoring platform
  • Identifying and incorporating acceptable risk posture
  • Reporting on System and Enterprise Risk
  • Integrating the continuous monitoring platform with the governance structure
  • Implementing coordinated communications with OAs and CSMC
  • Implementing phased testing against approved baselines
  • Implementing coordinated communications with component agencies and the Cyber Security Monitoring Center

The Result

Overall, the program implementation was successful, and the resulting security posture met and continues to meet the needs of the system. Project results include:

  • Developed and implemented the IMC CONOPS and updated the incident handling procedures and IMC performance metrics
  • Created an Executive Risk Reporting Dashboard with Performance Metric Compliance Statistics
  • Installed and configured new Check Point hardware: 2 Firewall Managers and 2 Firewalls
  • Added Sourcefire IDS sensors to the DOT infrastructure to enhance the security posture
  • Identified the DOT boundaries and the systems (network, server and desktop) managed within those boundaries
  • Staffed the IMC with existing resources, including SMEs from the network, server, desktop and mail teams
  • Integrated IMC activities with the existing governance process, technical teams and the Cyber Security Management Center (CSMC)
  • Trained IMC staff on existing management and security tools, including IronPort, Blue Coat, Fidelis, Check Point, Cacti, SEP, UNIX, DNS queries and incident handling
  • Changed configurations to redirect all TCP traffic through Blue Coat proxies to intercept well-known traffic, excluding HTTPS


Technology & Partners

  • IronPort
  • Blue Coat
  • Fidelis
  • Check Point
  • Cacti
  • SEP
  • UNIX