This is an article I saw written by Thomas Kritzer, the Head of the Department for Security and Service at Wiener Linien, on the Intelligent Transport website, which strongly reflects my views.
Cyber security affects public transport, like most other business sectors, but it is a threat that manifests itself in a way that the public transport sector and its security managers are not used to.
The first question when approaching the challenge might be: what is cyber security? And what is the threat? Cyber security can be defined as the protection of computers or IT networks from attack, damage or unauthorised access. A more detailed analysis includes the reduction of threat and vulnerability, possible deterrence measures, (inter)national engagement, incident response procedures and capabilities, resilience, and recovery policies and activities. Seen from a wider perspective, it includes computer network operations, information assurance, law enforcement, diplomacy, and military and intelligence missions, as they all relate to the security and stability of the global information and communications infrastructure.
A good approach to the cyber threat starts with knowing what is to be protected. A few years ago, it was relatively easy to describe the sensitive IT systems used in public transport. For example, the core of a rail system was, and still is, the signalling system: the most isolated system and the backbone of the IT side. Isolated means that there is no (IT) interface to the outside world. Various IT systems were used throughout the company, as in many other business sectors, with IT safeguards in place. Having analysed this architecture, it was relatively easy to describe the landscape and the possible threats to the IT system.
Nowadays it has become more challenging to keep an overview of the IT landscape, as systems and services are no longer solely in the hands of the company. Mobile devices have become part of our lives, and ‘air-gapped’ (physically and logically separated) systems have been replaced by other systems. ICT (Information and Communication Technology) systems are used more and more in rail signalling, as in CBTC or Wi-Fi systems, and rely on wireless communication between system devices. Therefore, adequate protection measures need to be installed to safeguard these systems from attack.
For an overview of the IT landscape, it is useful to categorise the systems, thus enabling adequate approaches and measures.
The most relevant operational systems for public transport operators include signalling systems, SCADA systems, power supply systems, telecom infrastructure, and even communications infrastructure and decision support information infrastructure.
Another group of IT systems might be defined as enterprise business or information systems. Information is exchanged both inside and outside a company, so business systems including resource planning, supply chain systems and ‘normal’ contacts with the external world, such as internet and mail interfaces, can be summarised in this group.
More and more systems are hosted and/or managed outside public transport companies, such as websites, data storage, web applications and smartphone applications. This can also include sensitive data such as financial transactions, customer data, payroll, or the support of systems maintenance.
Another important factor in the current IT landscape is that operators today use far more mobile and wireless communication. On the one hand, this takes the form of transmitting information for critical systems, such as train control and signalling. On the other hand, it can also be the ‘simple’ use of mobile devices such as smartphones carrying company-specific content, and here the ‘air-gap’ safeguard no longer exists.
Security experts in the public transport sector have been used to having a clearly defined threat, such as a group of perpetrators, a procedure, or the results of a political or global development. However, this has changed with the latest terrorist approaches. The origin or motivation of the threat was not easy to describe or localise, and clear, specifically targeted measures were difficult to devise. As a result, a broader and holistic risk-based approach had to be found, and cooperation with other stakeholders therefore became more important. The approach used to analyse the possible circumstances of terrorist threats may be quite similar to the one needed to assess cyber threats.
Cyber threats do not physically attack the public transport system. The attack may not even be aimed specifically at the transport system, as attacks may be collateral attacks on various IT systems without there ever being a specific target. Various motivations for an attack are conceivable, unless a targeted attack on a transport system with a clear focus is revealed. Moreover, if the system is vulnerable it can be attacked by a virus or malware that affects specific types of IT programmes. A terrorist approach via a cyber-attack cannot be excluded either. In the last few years, attacks have tended to be general attacks on IT system architecture that is used across various sectors, for example attacks exploiting the Heartbleed bug. Additionally, an attack is usually anonymous, which is a challenge, as companies may not be able to identify the source or understand the motivation behind it. Equally, each attack is unique, which makes implementing the right long-term safeguards even more difficult.
Because of these complex circumstances, sustainable and preventive measures are difficult to develop and put in place. Exchanging information with other affected businesses via existing networks, such as associations or governmental authorities' information systems, can improve knowledge and provide possible measures against an attack.
Another unusual aspect is the way in which the threat might strike. The scenario of an attack is not necessarily a person hacking into your IT systems and causing a train derailment at that same moment. The attack may enter your system via an email, an attachment, malware or a USB stick, and the messenger may even be a staff member.
What makes identifying cyber-attacks so complicated is that an attack may begin with a technical infiltration but with a delayed start of activity. As a result, the time of the infiltration does not coincide with the time of the attack itself. The attacker compromises a system and, without information about when and how the infiltration happened, it is much more difficult to analyse where it came from.
The danger of social engineering may not be something typical for public transport, but social engineering can be used to discover someone’s identity, even just their IT identity, and use it for criminal purposes. Acting then as a possible ‘man-in-the-middle’ can cause undetected damage over the long term, as others may include the impostor in a procedure, where they act under a borrowed identity as the middleman. It should be taken into account that staff members may have access to a wide range of information and data in the company's systems. Data collection and the misuse of data, whether personal data or company data, are a serious challenge of our times and can be carried out by such a ‘man-in-the-middle’.
It is important to know the risks when approaching the security of public transport. Operators' experience shows that risk assessment is a proven approach in the cyber security field too, helping to analyse threats and gain a clear view of the problem. Methods used in vulnerability analysis can also be applied in the cyber field.
In order to analyse the risks, the relevant experts need to work closely together. IT experts play an important role, but it needs to be taken into account that awareness and the responsibility for avoiding a threat do not stop at the IT department’s doors, as every user of an IT infrastructure may be affected. Operational and security managers should be involved in the risk management process, together with the IT department, to widen the scope of the necessary approach. It is crucial that management supports the process and the implementation of adequate measures.
An important part is working together with stakeholders from the same or other businesses and with governmental authorities. Most governments have so-called CERTs (Computer Emergency Response Teams) or other organisations in place that can be contacted by the various sectors, sometimes even sector-specific CERTs, such as an Energy CERT.
Internal IT policies and the general awareness of all staff members are key links in a functioning security chain. These procedures help explain to users, and direct them in, how to deal with IT in a responsible way. Particular attention should be paid to staff involved in IT procedures and routines and in all other sensitive positions. At the end of the day, a human being is involved in all our procedures, and companies need to be able to trust their staff. Relevant literature and guidelines can provide a lot of information. Various governments have published national cyber security guidelines or strategies, including for private sectors such as public transport. Specific standards, such as the ISO 2700x family or public transport association guidelines, already exist or are currently being developed.
Approaches to cyber threats need to be holistic; no single technical measure wins it all. The threats are as versatile and dynamic as the digital world around us, and public transport operators need to be very much aware that IT technology itself is not the only challenge or point of action. All parts of a public transport operator need to join forces and act responsibly to secure the system.
The world is changing more dynamically than it used to, and developments such as the ‘Internet of Things’ or Industry 4.0 will rely even more on ICT than we do now. This will affect our whole lives, as well as our public transport systems. Risk-based approaches and a high level of awareness among all players can lead to the successful handling of these developments.