Safe and secure Operational Technology (OT) systems have become an area of increasing concern for the rail and transit market sector as state and federal regulations continue to roll out. To help guide agencies towards cybersecurity resilience, Matthew Dimmick, CPP, PSP, CPD, STV’s manager of Physical and Cyber Security Consulting services offers his take on evolving industry standards, increasing digital integration and how legacy systems that were not designed with cybersecurity in mind can strength their OT.

1. What are some of the key industry standards that are driving cybersecurity initiatives in the rail and transit market sector? How are we working with clients to help them create a cybersecurity framework for their systems?

We are still in a state of flux as an industry. There are Security Directives (SDs) from the Transportation Security Administration (TSA) that are front of mind for many in rail and transit. That said, there are also standards and frameworks such as those from the National Institute for Standards and Testing (NIST), the American Public Transportation Association (APTA), and the International Electrotechnical Commission (IEC) that individually provide unique views, practices, and direction and each being extremely valid in their own right. Having so many options can lead to decision fatigue resulting in a fog developing over the path ahead. Our Governance, Risk, and Compliance (GRC) specialists have the know-how and the experience to guide clients, helping them navigate the web of standards and frameworks and develop programs that work for them now and evolve as they do into the future.

2. As more rail and transit agencies adopt emerging technologies to enhance passenger experience, increase automation, monitor conditions in near-real time, and optimize scheduling and maintenance operations with big data, deep learning, and AI, how does this impact the threat level as it relates to cybersecurity?

There is no doubt that we are experiencing exponential growth in emerging technologies. Public transit is not much different than any other business in that transit agencies are driven to deliver more and better services for level or lower costs. It is this business focus that is forcing critical infrastructure to look at technologies like deep learning. As stated by Mustafa Suleyman in The Coming Wave, “deep learning can detect cracks in water pipes, manage traffic flow, model fusion reactions for a new source of clean energy, optimize shipping routes, and aid in the design of more sustainable and versatile building materials. It’s being used to drive cars, trucks, and tractors, potentially creating a safer and more efficient transportation infrastructure. It’s used in electrical grids and water systems to efficiently manage scarce resources at a time of growing stress.”

With these potential impacts, it is difficult for the engineering and operations personnel responsible for the security and safe operations of OT systems to hold back the tide of new technology and attempt to keep it from inundating previously isolated systems. With emerging technologies dependent on increased connectivity to the OT environment, it is a challenge to not introduce new vulnerabilities when adding new sensors, data analytics, and information sharing to passengers. STV’s cybersecurity consultants and engineering teams in communications and control systems provide clients with means of implementing new systems while still maintaining reasonable and prudent security controls for the OT systems we are charged with designing and/or protecting.

3. What are some of the main challenges faced by legacy transit systems that were not designed with cybersecurity in mind?

Many of the legacy systems that are in operation in transit systems were not designed with security in mind because they were intended to operate mostly in closed loops and not connect to the outside world where ne’er-do-wells would have pathways to potentially exploit them. If we think about the exponential advancements in technology that we discussed above and the amount of that development that has occurred over the last 20-30 years, we can see why systems designed in the 1980s and built in the 90s, as an example, are not equipped to deal with what adversaries can throw their way in the 2020s. That said, many of these systems still can do what they were designed to do which is to safely and efficiently move people from point A to point B. This means when business leaders and information systems personnel are considering using new technologies to interface with these legacy systems, great care must be taken to maintain boundaries and implement layered security controls to reduce the likelihood of an adversary getting from the information technology (IT) systems into the OT systems. Of course, as systems are redesigned, retrofit, or rebuilt, the control systems and architecture should be designed more securely, allowing for greater precision in who can access the systems, when they can access them, and what they can do once they are there. Manufacturers adding this level of granularity to their components and system designers supporting greater visibility throughout the OT environment will become increasingly important factors as we undergo the modernization of our rail infrastructure. There are no means of putting the legacy modernization genie back into its bottle, but our first wish is that any modernization is done with security and system safety at the front of everyone’s minds.

4. How has your work/involvement with APTA informed our technical approach to cybersecurity services within this market?

I have the benefit of working with the Communications and Control Systems Working Group (CCSWG) and the Enterprise Cybersecurity Working Group (ECSWG) for APTA, as well as being a member of the U.S. National Committee of the IEC as a specialist expert in Railway Cybersecurity for Technical Committee 9 (TC9) which is responsible for the development of IEC 63452 Railway Cybersecurity. I can’t begin to express the amount of information sharing, knowledge density, and expertise the individuals on these teams have. Working with these groups and contributing to standards development has given me the ability to guide STV’s cybersecurity services in a forward-thinking manner and position us to support our clients as they begin to navigate the escalating technological changes that are coming to a railway near you. Perhaps more importantly, participating in these groups has contributed greatly to my industry knowledge, to understanding the challenges agencies face in terms of technology implementation, and to giving a little bit of my knowledge back to the community. I highly recommend getting involved, particularly in the CCSWG and ECSWG from APTA to anyone who is involved from a systems aspect in transportation.