August 30, 2010
APTA Takes Steps Toward Creating Standards for Cyber Security
BY MARTIN P. SCHROEDER, P.E., APTA Chief Engineer
Statistics show that every six seconds a computer is hacked, and that such attacks can lead to devastating consequences—ranging from loss of important information to loss of control of the nation’s infrastructure. The problem is so serious that the Department of Homeland Security (DHS) has established working groups to define cyber security protection procedures for such areas as transportation, public water systems, and the electrical power grid. APTA is working with DHS on further standards and has developed its own recommended practice specific to public transit train control systems.
The APTA Control and Communications Security Work Group of the Research and Technology Committee—chaired by David Teumim, president of Teumim Technical LLC in Allentown, PA—recently published Part I of an anticipated series of recommended practices on cyber security. Titled Securing Control and Communications Systems in Transit Environments, this report provides a starting point to begin thinking more seriously about cyber threats, especially regarding train control features of transit system operations. Its goals are to share transit agency best practices, set a minimum requirement for control security, and raise awareness of control security concerns.
The areas covered in the Recommended Practice include supervisory control and data acquisition systems, traction power control, train signaling, fire detection systems, public information systems, automatic vehicle location wireless communications, and fare collection, among others. The potential threats to these systems could include Trojan horses, logic bombs, worms, malware, spyware, and other variants of destructive code.
Transit is not immune. Cyber attacks have already occurred in transportation, and there are widening vulnerabilities given how connected many control and communication systems are within modern transit systems. In 2003, the “Sobig” virus struck CSX’s Jacksonville, FL, headquarters, bringing down signaling, train dispatch, and other related systems. The virus also affected Amtrak, delaying trains for six hours. Another attack in Lodz, Poland, in 2007 affected switching operations at a train yard and led to train derailments, resulting in the injury of 12 people. In that case, a 14-year-old had reprogrammed a TV remote control to override the switch control signals.
APTA’s Committee is now initiating development of Part II of the recommended practice, which will set guidelines for applying security controls and countermeasures to mitigate, prevent, and recover from cyber attacks on train control systems. This will further address the tools the industry needs to understand and use to strengthen the infrastructure’s ability to withstand cyber attacks. A meeting of the Control and Communications Security Work Group, hosted by the Southeastern Pennsylvania Transportation Authority, is scheduled for Oct. 20, 2010, in Philadelphia.