This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
September 2017
By Lorie West
The security of critical business and operational systems long has been a transportation industry concern. As the rail industry becomes more digitally reliant and connected, the sophisticated computerized devices it uses become more vulnerable to cyber attacks.
Within the past several years, several transit agencies have fallen victim to ransomware incidents. They’ve also dealt with distributed denial of service attacks, in which multiple compromised computer systems attack a target — such as a server, website or other network resource — and disrupt access for users.
Enter cybersecurity, or measures taken to protect against the criminal or unauthorized use of electronic data, or system damage or disruption. Protecting hardware, software and information, as well as preventing disruptions or a misdirection of services, is a high priority for transit agencies.
The problem is many rail systems — including those that transport passengers — were built in a world much different than the digitally connected one we live in today, says Nick Percoco, chief information security officer for Uptake Technologies Inc., which provides data science and predictive analytic services aimed at helping railroads and other industries build a strong cyber-defense strategy.
“They were not designed with the ability to update software in the event of a security issue. In fact, many systems in the industrial world cannot be updated at all,” he says.
Moreover, many organizations don’t know all the vulnerabilities and cybersecurity threats they face, says Percoco, a white-hat hacker who, during 20-plus years of research, has performed just about every possible cyber attack to gain more insight on security breaches, malware and other trends.
A combination of connected infrastructure — devices hooked into the internet, other systems and other networks — plus today’s real threat against these computerized environments have created a “perfect storm” for an attacker or organized criminal group to target industrial environments like a railroad, he says.
One of the biggest vulnerabilities: when different systems are connected without measures in place to prevent the failure of one system from cascading and causing the failure of another, Percoco says.
“The fix for this requires prioritizing separation and isolating critical systems from other, more vulnerable, user networks,” he says. “That’s often something that’s overlooked in many environments because sometimes it’s seen as an efficiency, a cost savings or having one less hoop to jump through.”
Cybersecurity issues extend beyond legacy systems, as well. Autonomous-based computer systems that control a train still are susceptible to programming faults and the cyber threats that go with them, says Brett Kelsey, the chief technical strategist for McAfee LLC, a subsidiary of security solutions and services provider Intel Security.
Two years ago, Intel Security and The Aspen Institute released “Holding the Line Against Cyber Threats: Critical Infrastructure Readiness Report,” which reviewed cybersecurity issues in the transportation, energy, finance and government sectors.
The hacker group Anonymous attacked Bay Area Rapid Transit (BART) in 2011 and gained computerized access to its train system. The hackers easily could have done something horrific, such as send two trains speeding toward each other on the same track, says Kelsey.
But that didn’t happen because, in his opinion, the group didn’t target BART that way.
Late last year, the San Francisco Municipal Transportation Agency (SFMTA) also dealt with a cyberattack that was disruptive, but luckily not as damaging as it could have been. In November, a hacker used ransomware to attack SFMTA’s office computers and demanded bitcoins to relinquish the hold on the system. The agency instead took its Muni subway ticketing machines and fare gates offline as a precautionary measure to protect passengers.
Transit agencies need to be aware of new cyberattack approaches, such as social engineering, says Kelsey.
For example, a piece of bad code could be planted on a USB drive and then given to an individual. Kelsey encountered that situation earlier this year while vacationing with his family in Cancun, Mexico, when he sought to purchase stills from a professional photographer.
“Of course, they gave it to me on a USB drive and, lo and behold, when I plugged it in, the first thing that popped up was the Conficker virus,” he says, referring to a computer worm targeting Microsoft’s operating system that was first detected in 2008. “Now, I work for McAfee — my system identified it, found it and killed it — but if your system is not up to speed, you could be infected and not even know about it.”
So, the future of cybersecurity hinges on ensuring a component is secure from the moment it’s put into place and turned on, he says.
In the near term, transit agencies could create some form of compartmentalization between systems so attackers can’t do such things as gain access to the wireless network on a train and use it to disrupt the control system, says Kelsey.
As transit agencies seek to understand how to best stay protected, they can turn to two organizations for help: the Transportation Security Administration (TSA) and American Public Transportation Association (APTA). Through its Office of Security Policy and Industry Engagement, the TSA aims to work closely with transit agencies to improve cybersecurity awareness and preparedness.
APTA and the TSA sponsor the Control and Communications Security Working Group (CCSWG) and the Enterprise Cyber Security Working Group (ECSWG).
Established in 2007, the CCSWG focuses on transit industrial control systems, including supervisory control and data acquisition systems for trains and buses. Formed in 2011, the ECSWG focuses on transit agencies’ information technology (IT) and enterprise systems.
Working group members include transit agency officials and industry subject matter experts who aim to develop and publish recommended practices and other guidance documents on cyber-security strategy, vulnerability assessments, mitigation, system resilience, redundancy and disaster recovery.
The TSA in 2010 solely formed the Transportation Systems Sector Cyber Working Group (TSSCWG), which includes government and private-sector members representing transit rail and other transportation modes. The TSSCWG strives to identify strategic approaches for enhancing cybersecurity across the transportation sector, as well as implementing national policies and promoting awareness.
The three working groups, which meet regularly, have already paid dividends in the transit-rail community, TSA officials said in an email.
“There has certainly been increased awareness and concern across the transit-rail community resulting in fundamental positive changes, including enhanced cybersecurity awareness training, and improved cyber-hygiene practices for employees at all organizational and operational levels,” they said.
The TSA recommends that transit agencies assess and monitor their operational technology, stay current with evolving threats, engage with information-sharing analysis centers and other similar venues, and participate in working groups at the local and national levels.
Last year, the administration also produced a cybersecurity resource that could prove valuable to transit agencies. The Surface Cybersecurity Awareness Guide describes steps that can be taken to protect data and personal information in computer networks, and outlines the types of threats most commonly found in cyberspace.
In addition, the handbook provides detailed information on the safe use of the internet, social networks and mobile technology.
Topics covered in the guide include cyberattack myths, malware, spam, scams, mobile devices, identity theft, data security and incident response.
With such working groups and resources on hand, transit agencies can better develop a cybersecurity program, says Polly Hanson, APTA’s director of transit security and emergency management.
“You want to see where your risk and vulnerability is, so start with a vulnerability risk assessment, and then see where you are as a baseline and what gaps you need to fill,” she says. “Then that’s when you start to develop a program about how you’re going to close those gaps. Of course, you’re also looking at phasing out your older technology, looking for new technology and hardening the old technology. And then you manage and maintain your program.”
APTA officials are hoping a TSA representative attends the association’s annual conference and expo next month in Atlanta to share some of administration’s information and collection of resources, which include a cybersecurity primer for CEOs.
“We’re looking to create opportunities to educate our members more on cyber,” says Hanson, adding that those efforts include providing more information on it and promoting the two working groups that APTA sponsors with the TSA.
When it comes to defending cyberspace, a strong employee education program on strengthening passwords, ensuring laptops aren’t unattended and employing similar measures can do wonders, as well.
“At the end of the day, it’s going to come down to an employee, whether somebody brings in a thumb drive from home or clicks a link,” Hanson says. “It’s about seeing cybersecurity not as the operations person’s problem, or IT’s problem or the CEO’s problem, but everybody’s problem.”
Transit rail is no different than other industries in that cybersecurity often can default to being an afterthought, says Metropolitan Atlanta Rapid Transit Authority (MARTA) Chief Information Security Officer Dean Mallis. So, protection needs to be fluid.
“Hackers change tactics daily and an organization has to be agile enough to adapt to those changes,” says Mallis. “By staying on the forefront of attacks — watching all attacks and paying specific attention to the ones that affect our industry — and remaining proactive in our posture, we can better prepare for the future.”
MARTA is trying to be fluid and proactive, in part by following a National Institute of Standards and Technology framework and adhering to Payment Card Industry (PCI) data security standards. Agencies that accept credit cards are required to meet PCI requirements annually.
The agency also is relying on best practices to advance its cybersecurity program and continues to “work diligently” to safeguard its information systems, says Mallis. In addition, MARTA keeps evaluating risks from an enterprise-wide perspective and prioritizes based on criticality.
“As the threat landscape evolves and cyberattacks become publicly more prevalent, governments are becoming more focused on securing critical infrastructure,” Mallis says. “As major systems are breached, more attention will be given to cybersecurity as a whole.”
Minding cyberspace is key because about 90 percent of all large industrial operational technologies lack monitoring or backup by security personnel, says Uptake’s Percoco. Conversely, only about 10 percent of all personal IT devices — such as cell phones, computers and laptops — aren’t backed by security professionals or researchers.
“So, you don’t have that same security research community to help build stronger, better defended systems,” Percoco says. “There are members of the security research community that would, as part of what they love to do, want to work with industries like railroads. They would accept the invitation to learn about these systems and help close those gaps.”
It’s all about working together to boost cybersecurity in the transit-rail realm, Percoco says. “This kind of collaboration with the security research community would be a real big benefit to both the manufacturers of trains, and also the railroads themselves,” he says.
Lorie West is a West Allis, Wisconsin-based freelance writer. Email questions or comments to prograil@tradepress.com.
Related Topics: