| CLASSIFIEDS |
| »
The Sacramento Regional Transit District seeks a chief of staff. [More]
|
| »
VIA Metropolitan Transit is looking for a director of innovative services. [More]
|
»
Culver City, CA, requests proposals for wheelchair restraint systems. [More]
|
| View more Classified Ads » |
| TO PLACE AN AD: E-mail the requested date(s) of publication to: ptads@apta.com. Mailing address is: Passenger Transport, 1300 I Street NW, Suite 1200 East,
Washington, DC 20005. Ad copy is not accepted by phone. DEADLINE: 3 p.m. EST, Friday, one week prior to publication date. INFORMATION: Phone (202) 496-4877. |
Effective Cybersecurity Resilience Planning Starts with Employees
|
 October is National Cybersecurity Awareness Month (NCSAM). Sponsored by the National Cyber Security Division within the Department of Homeland Security (DHS) and the non-profit National Cyber Security Alliance, NCSAM encourages vigilance and protection by all computer users. Mike Echols, former director, Cyber Joint Program Management Office, National Protection and Program Directorate, DHS, outlines the important role employees play in enhancing cybersecurity risk management in public transportation.
Public transit agencies are demanding increased levels of cybersecurity awareness and functional training in the face of ever-growing endpoint sensors, smart technologies and customer experience enhancements. |
Employees, stakeholders and passengers play a vital role in identifying disabled functions and in the effective response to cyber incidents that could potentially affect services or operations. The ability to adapt to and overcome emerging cyber challenges will be paramount as transit agencies continuously digitize systems and operations into more dynamic and complex business environments.
The Ponemon 2017 Cost of a Data Breach Study shows that the longer it takes to detect a cyber breach, the more expensive it will be. Organizations are typically notified of breaches by an external source after a period of time; public transit agencies that can detect breaches quickly will save money and minimize negative consequences following a breach.
The Planning Imperative
Adequate planning to address the worst cyber challenges will mark the difference between organizations that survive major cyberattacks and those that are permanently debilitated. However, public transit agencies have yet to fully account for the new paradigm that cybersecurity presents or embrace the importance of the human factor. When they do, we will see the emergence of sector-wide functional cyber-awareness certification programs, while employees, not just leadership, will participate in cyber-based tabletop exercises.
|
| Hackers have the ability to turn critical systems like security cameras or sensors to their advantage, and cyber incidents can be life threatening should an operator lose control of a conveyance or a switch monitoring system provide a false indication. |
Cyber planning requires an acceptance that the hacking environment is expanding. Public transit leaders must acknowledge that technology deployment may create new challenges when those technologies are undermined.
Employees across the transportation network may observe issues before they are identified by technical teams. Thus, they should be empowered to report unusual issues. In 2017, 70 percent of storage devices recording data from Washington, DC, police surveillance cameras were found to contain ransomware. The issue was identified eight days before President Trump’s inauguration—during preparations for the event.
While the malfunctioning of the cameras had been reported by officers prior to inauguration planning, no employee, however, reported the full extent of the inoperable system to senior officials. Related to those same cameras, a murder took place directly beneath one and was not recorded. The cyberattack not only disabled 123 of 187 network video recorders, it also highlighted the challenges of protecting all critical assets—all of the time.
Hackers have the ability to turn critical systems like security cameras or sensors to their advantage. Web cameras have been discovered spying on closed office meetings, with hackers demanding ransom to not share the content with the public. Such scenarios can be prevented by ensuring webcams are deactivated. However, untrained staff lack the knowledge and cyber protocols to properly identify threats and minimize risk.
There are no un-hackable computer systems in the public transit environment or other critical infrastructure sectors. Even the Pentagon lost data related to drone maintenance through a cyber exploit. Hackers took advantage of a military officer’s negligent use of public Wi-Fi. Although the data theft did not occur on a military base, the consequences were the same.
Government and the private sector alike question if they are reasonably doing enough to protect their organization from debilitating cyberattacks and cybercrime in general. A focused and enabled team environment can defuse even complicated cyber events. Building an effective cybersecurity culture can negate hacking efforts before they have a chance to infect the transit environment. And if attacks are successful, the compromised systems will not bring down the organization.
IT-OT
The convergence of Internet Technology (IT) and Operational Technology (OT) makes a holistic approach to cybersecurity risk management paramount. Computer controlled system management and remote connectivity expand the attack surface of formerly un-networked assets. The complexities of the IT-OT environment require better coordination across all public transit agencies to assure cyber resilience.
Cyber incidents can be life threatening should an operator lose control of a conveyance, or a switch monitoring system provide a false indication. Public transit agencies must train employees on when and how to use their own initiative and to leverage on-the-spot capabilities.
|
The ability to adapt to and overcome cyber challenges is paramount as public transit agencies digitize systems and operations. The key to success is to identify vulnerabilities and match response actions. Employees are the flexible mechanism to bring this strategy to life.
|
Newsworthy attacks such as the one against Saudi Aramco in 2010 where more than 30,000 computers were rendered inoperable can also happen to public transportation agencies. Attacks like the one on Sony in 2014 will test an organization’s continuity of operations. Sony was forced to purchase laptop computers from a local store just to keep some communications going. Public transportation agencies can ill afford to lose communications that support safety, security or operations. Better planning and coordination will assure an ability to maintain mission-critical functions should an incident occur.
To mitigate events such as these, public transit experts are working closely with cybersecurity professionals. APTA, for example, has initiated member-led working groups to identify best practices for cyber secure environments. One regional transit agency has implemented a formal information security program, with agency-wide scope, based on the ISO 27001 international standard [specification for an information security management system]. This program will encompass the entire enterprise, including OT, with policies, training and tools.
Cybersecurity can easily be undermined if employees and stakeholders are overlooked as ‘risk mitigators’ in planning efforts. The key to success is to identify system vulnerabilities and match response actions until the vulnerability is resolved. Employees are the flexible mechanism to bring this strategy to life.
Public transit agencies must provide advanced training for the entire team to build field agents, not just sentries. Transit workers who might not be computer savvy should know the potential operational hazards should a critical electronic component fail. Risk managers will find that by engaging these employees and expanding the number of capable players on their team, the organization will become more resilient.
Related Resources
|
