Putting the Brakes on Targeted Attacks Against Transit Agencies

By Konrad Fellmann

By Konrad Fellmann, CISO and VP of IT infrastructure, Cubic Corporation

We are living in a time where every person and business is vulnerable to cyberthreats. Mass transit agencies are no exception—in fact, they are appealing targets simply because, as part of the critical infrastructure, they help U.S. (and global) commerce and cities to run. If a transit agency is shut down and we can’t move people or goods, the criminals claim victory.

In recent years, we’ve seen cyberattacks target the Martha’s Vineyard Ferry; multiple mass transit systems in cities like Philadelphia, Dallas and Ann Arbor; a top bus operator in the UK; and countless others—likely with a partial goal of causing chaos and incapacitating entire cities. However, many attacks have hefty monetary motivations as well.

Another top goal for malicious hacks on transit agencies is getting a ransom paid. This is why we consider ransomware to be a significant threat to not only transit agencies but all enterprises and government agencies. It’s also why we’ve seen cyber liability premiums rise nearly 300 to 400% over the past couple years.

The good news is, while most transit agencies already had some cybersecurity measures in place, the new regulations put forth by the TSA are helping to further establish a standard for security in the transit sector—encouraging increased hiring for the cybersecurity side of the agencies, faster speed of incident reporting, proactive incident response plans and performance of ongoing vulnerability assessments.

Plus, a recent report by the Mineta Transportation Institute doubled down on the need for C-level security and technical expertise—for instance, hiring a chief security officer (CSO) or chief information security officer (CISO). This not only gets cybersecurity a seat at the table to gather the budget they need to keep up with evolving cyberattacks but immediately matures the entire security organization.

Programs like National Cybersecurity Awareness Month, which we are celebrating now, are also effective at helping to educate everyone, from agencies to consumers, on proactive measures for preventing breaches.

While internal cybersecurity is critical for agencies to stay on top of, their technology providers are just as responsible for maintaining their own. Our number one priority is maintaining the trust, security and privacy of our customers, their patrons and data. We are very focused on ensuring data protection and supporting the use of security best practices across everything we do.

To gain and keep rider trust, as we have at Cubic, we recommend that organizations handling transit rider data refine their agility and focus on adversarial threat analysis across every part of their business in order to detect and mitigate security events at a rapid pace. Often, transit agencies work with several technology partners to keep their fare payment systems and rider apps moving. Thus, supply chain security should be a key area of focus at all times.

In addition, we certify to industry standards such as the Payment Card Industry Data Security Standard (PCI-DSS) and ISO 27001 in order to ensure and verify the effective implementation of strong security controls. We also maintain close working relationships with multiple cyber industry associations and government agencies to stay aware of ongoing trends and gather threat intelligence to continually improve our security posture.

No singular step will prevent advancing cyberattacks, but combining all of these elements at all levels of the transit supply chain will give these organizations a major advantage against digital adversaries. We hope these recommendations will help both agencies and technology providers in the transportation space strengthen their cybersecurity and data protection stances during NCSAM and well beyond.


No posts to display