The importance of cybersecurity in the transit industry cannot be overstated.
The global transit industry experienced a 186 percent year-over-year increase in weekly ransomware attacks between 2020 – 2021, the second highest increase in any sector, behind education, but ahead of retail and healthcare1.
To gain insights on how transit agencies can stay protected in the cyber world, we spoke to two cybersecurity experts, Martin Johansson, Chief Information Security Officer at Icomera, and Michael Knapp, Director of Sales Engineering at Shift5.
Tough Question #1: What are the prime cyber threats affecting the transit industry?
Martin: The transit industry, like many other industries, has experienced multiple threats such as ransomware, data related threat, malware, and denial-of-service (DoS). However, the threat landscape is ever evolving, and daily threat intelligence is crucial.
With ever-increasing threats from cyber criminals and increased digitalization, transit agencies are quickly increasing their cybersecurity capabilities. Traditionally, the principal concern within the industry has focused on protecting the physical safety of passengers; however, there is an ever-growing awareness that there cannot be safety without cybersecurity.
CYBERCRIME CONTINUES TO RISE AND HAS BEEN CLASSIFIED AS THE BIGGEST THREAT BUSINESSES FACE TODAY AND TRANSIT IS NOT IMMUNE.
Michael: Our transit systems become increasingly interconnected and reliant on technology resulting in a larger attack profile for cyber threats. Hackers are actively targeting transit infrastructure, systems, and data, potentially leading to service disruptions, data breaches, or even the compromise of critical control systems. Complicating agencies’ responses to these attacks is the general lack of real-time fleet observability into what’s happening inside their vehicles.
The industry at large is lagging when it comes to updating Operational Technology (OT) strategies to adapt and update solutions quickly, which leaves them vulnerable. In many cases, the arduous nature of complex certification processes or dated service agreements can result in vulnerabilities with known fixes remaining unaddressed and increasing unnecessary risk to the organization.
Tough Question #2: What is the scariest scenario you’ve encountered while serving the transit sector?
Martin: I am new to the transit sector; however, the reality is scary and requires us to do our utmost to prevent and prepare for attacks. According to Check Point Research, it is increasingly difficult to name a transit agency that has not faced a data breach or other disruptive cyber incident. In some cases, transit agencies report clean cyber bills of health only because they are unaware of system breaches.
THE BEST ENGINEERING CAN ONLY GO SO FAR WITHOUT ACTIVE MONITORING, REAL-TIME DETECTION AND RISK-CONTROL POLICIES BEING PUT IN PLACE.
Michael: There are several scary scenarios I’ve personally encountered over my career in the rail industry that are specific to safety—engineers falling asleep or texting during operation, pedestrians failing to follow gate crossings, and crossing the track while locomotives were in operation.
However, what’s become most unsettling in recent years are the additional layers of complexity brought on by the increasing connectedness of locomotives and the simultaneous increased capabilities and general availability of tooling available to adversaries.
The rail industry overall is trying to catch up from a security perspective. Rather than leading with security first—at a time when attacks are continually on the rise, and it’s increasingly difficult to determine whether issues are specific to security or maintenance, security should be the top priority. Additionally, we understand that motivated foreign adversaries are targeting critical infrastructure like rail systems, but worryingly, it would not take the resources of a nation-state to conduct these types of attacks. Even motivated individuals could breach cyber-critical rail systems with generally available tooling and time.
Tough Question #3: What should transit agencies focus on when preparing for an attack?
Martin: There are no shortcuts when it comes to incident management. Solid incident management processes with strong 24/7 capabilities to detect, respond and recover from incidents, and defined playbooks that have been tested by incident management stakeholders are all firm requirements.
Understanding the current security landscape is key to effective protection and risk reduction. With an increase in cyber threats towards transit agencies, it is evident that a cyber resilience plan will continue to play a vital role in maintaining the viability of services. Mitigating these risks requires agencies to be ready to appropriately protect, detect, respond, and recover from a cyber-attack.
Michael: The ability to adapt to change is arguably one of the most important capabilities of an effective cybersecurity program. Unfortunately, many agencies continue to struggle with the changes and modernization required for mature, robust OT security.
Data is the foundational element that is key to achieving modern OT security. Without the data, observability simply isn’t possible, which cripples decision-making where and when it’s most critical. Equally as important, the data needs to be captured, transmitted, and analyzed in near real-time to enable organizations to move left of attack.
MAKING DECISIONS ON OLD DATA WILL NEVER EQUIP ORGANIZATIONS TO MOVE LEFT OF THE INCIDENT.
The problems that have persisted across transit agencies are increasingly coming to light, with new threats to critical infrastructure making headlines at an unsettling cadence, fleet readiness in a state of decline, and the safety of passengers and crew at risk from maintenance failures.
Tough Question #4: What is the biggest challenge when it comes to cybersecurity?
Martin: Critical infrastructure providers such as transit agencies are governed by multiple standards and regulations to ensure the safety, resilience, and reliability of their services. However, the systems that support this are highly interconnected and, in many cases, based on old technology designed without security in mind.
It’s also challenging for transit organizations to learn how to keep pace with rapidly evolving cyber threats when historically their safety and security issues have predominantly been physical, and better understood due to the slower rate at which these emerge and change over time.
Michael: While there are numerous cybersecurity challenges we face, one of the most difficult cybersecurity challenges for transit agencies to overcome is the increasing complexity of their interconnected systems. Interconnected systems are fragile, often developed without security in mind, introduce vulnerabilities, and a breach in one system could potentially allow for lateral movement across the entire network. This complexity, coupled with legacy tools, can make it difficult to act at the speed required for effective cyber detection, mitigation, and response.
Complicating the situation is that our adversaries are often well equipped, motivated, and patient. Staying ahead of these evolving threats requires ongoing monitoring, threat intelligence, and timely patching and updating of systems.
Tough Question #5: What common weaknesses do you see in cyber security programs?
Martin: I’ve seen organizations treat cybersecurity as a 100m sprint from start to finish, and then get lactic acid that impedes further work beyond the initial effort. However, I believe cybersecurity is a continuous effort to ensure that cybersecurity posture is aligned with risk appetite as the threat landscape changes. So, for me, a cybersecurity program is a continuous power walk in the right direction – not a short sprint.
Michael: After surveying 300 operators, maintenance and IT leaders across transit and defense markets, more than half (57%) of rail survey respondents reported that when an issue arises, their organization struggles to determine if the root cause is a maintenance or cybersecurity issue.
It is a problem if you lack the data and observability to determine whether an issue on a locomotive stems from a maintenance or cybersecurity issue because it affects the overall safety, reliability, and efficiency of the rail system. If a cybersecurity problem is mistakenly attributed to maintenance issues, routine maintenance procedures may not address the underlying security vulnerabilities.
MAINTENANCE PERSONNEL NEED TO BE AWARE OF AND TRAINED TO HANDLE POTENTIAL CYBERSECURITY CONCERNS ALONGSIDE TRADITIONAL MAINTENANCE TASKS.
Tough Question #6: What are the safeguards that transit agencies should have in-place?
Martin: Many organizations have a huge number of legacy systems. A challenge is that you cannot protect all the legacy in the same way as you protect new solutions; it’s just not how it works. It’s like an older house: you won’t make an old house new; but you can make it better. Using that philosophy for deploying a new onboard system, that new system should be protected from Day 1. The security strength of that new system is the foundation going forward.
Also, when attempting to protect “everything”, the defense may be too thin on the valuable assets that are most attractive for attackers. If you can identify the most critical and valuable assets and put in place stronger protection around those, then you could have better results.
REMEMBER TO ASK YOURSELF: WHAT IS IT THAT YOU NEED TO PROTECT? WHAT IS THE KEY THING THAT YOU ARE PROTECTING YOUR AGENCY FROM? THE ANSWER CANNOT BE EVERYTHING.
Michael: There isn’t a single safeguard that can ensure complete security, but transit can do two things: First, agencies can enhance their visibility. In my opinion, visibility is the single most important thing because agencies can’t act if they are not aware. Looking through the data can be challenging, but it must be done.
Second, agencies can enhance their cybersecurity posture by focusing on and implementing a multi-layered strategy with complete observability. Observability isn’t just an add-on. It’s fundamental to enhance a strategy’s effectiveness by providing the data and analysis necessary to respond to a rapidly evolving threat landscape.
Tough Question #7: What are some of the low hanging fruits that a transit agency can tackle for the greatest result?
Martin: Defining risks and maintaining a mature level of cybersecurity is essential for every department in an agency. Agencies who rely solely on their technical IT teams to deal with an attack are only considering half the equation.
And since agencies can have many solution suppliers, it is important to ensure that all suppliers are also mature when it comes to cybersecurity. One way to do this is to allow for an always-learning mentality – open forums for sharing best practices.
Michael: The complexity and challenges I’ve detailed can be effectively overcome by focusing on the foundational element to both improved security and maintenance – data.
When you consider the massive volumes of onboard data generated by trains, that data serves as the raw materials for cyber defense. The problem is that much of that onboard data isn’t accessed, collected, translated, contextualized, or analyzed, so when a security decision must be made, it can only be made with a fractional understanding of what’s going on with that particular asset, or across an entire fleet. Modern, effective security requires observability — the ability to make smarter, faster decisions based on complete access to all the onboard data and the ability to analyze that data in context and in real-time.