As public transit agencies continue to move towards leveraging digital solutions to enhance operations, provide visibility for the public, and expand their capability to manage their infrastructure, the need for a more robust cybersecurity plan has become essential.
While cybersecurity threats to operational technologies have been a known risk to public infrastructure for years, the issue garnered more attention following the 2021 ransomware attack on Colonial Pipeline in Houston, TX. In this instance, hackers extorted Colonial for $4.4 million by infecting some of the pipeline’s digital systems with malware. While the attack did not impact the organization’s OT systems, Colonial shut down the flow of oil for several days to mitigate the impacts of the attack, subsequently restricting access to fuels for millions of customers, and causing President Biden to declare a state of emergency.
Due to the nature of these threats, escalating international tensions, and the prevalence of criminal organizations turning to digital means to extract payment from organizations, the Transportation Security Administration issued new cybersecurity directives regulating designated passenger and freight railroad carriers to enhance cybersecurity preparedness and resilience for the nation’s railroad operations in October of 2021. These directives include a diverse list of requirements and controls including, but not limited to:
- Appoint a Cybersecurity Coordinator
- Develop, implement, and test a Cybersecurity Incident Response Plan
- Develop network segmentation policies and controls and restrict access to Operational Technology (OT) systems from IT systems to secure and prevent unauthorized access to critical cyber systems
- Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware.
During a recent American Public Transportation Association (APTA) panel that I participated in, we discussed this growing concern for transit agencies. Common cybersecurity incidents that may threaten transit agencies involve phishing, social engineering, business e-mail compromise, data breaches, ransomware, and supply chain and procurement-related risks. There is a recognition throughout the industry that such an attack on our transit infrastructure can pose a financial threat to the operator. We also need to address concerns about impacts on continuity of operations and safety.
At STV, our team of rail systems and cybersecurity experts are currently working with our public transit clients to support the development of cybersecurity programs to better secure OT systems. We have experience providing project management services on behalf of the transit operators for these programs. We’re able to work with agencies of all sizes to help identify program gaps and implement strategies to bolster their cybersecurity posture. Our ability to support secure architecture design, implementation and planning, in addition to understanding the operational security requirements (plans, policies, procedures, training, and exercises) makes STV an ideal partner for agencies looking to improve their cybersecurity and address requirements and recommendations from the TSA.
We understand that cybersecurity is top of mind for transit operators and that they want to understand how to better safeguard their OT systems and sustain operational resilience by addressing gaps or inherent weaknesses within their controls. The world is changing and how OT is implemented and protected should change with it.
Strengthening the perimeter, implementing micro-segmentation – where security zones are created around individual devices, applications or services with an OT network that, in turn, isolates them from other parts of the network – enhancing asset visibility, managing the collection of information, and being able to effectively respond to incidents, are all key items to consider.
While progress is being made, our industry still collectively suffers from a lack of awareness and education that will help in better safeguarding OT systems. Protecting our infrastructure against risk in all its forms is an ever-evolving process. Fortunately, many leaders from throughout our industry are coming together to develop a common language and approach that will help bring more of a culture of cybersecurity into the mainstream for public transit operators.
Matthew Dimmick is a senior security development manager at STV. Throughout his professional career, Dimmick has experience providing security consulting and embedded project management, and has served as owner’s representative for agencies addressing various physical, information, and cyber security projects.