Managing Cybersecurity in Transit Agencies
Transit agencies manage a large number of control and communication systems that need to interoperate to allow them to seamlessly provide service. A transit agency is a very complex organization that has assets and equipment controlled by supervisory systems with communications mechanisms in the station and along railroad tracks. These systems used to both control …
Transit agencies manage a large number of control and communication systems that need to interoperate to allow them to seamlessly provide service. A transit agency is a very complex organization that has assets and equipment controlled by supervisory systems with communications mechanisms in the station and along railroad tracks. These systems used to both control and communicate, are located along the routes in wayside bungalows, stations, road crossings, signal towers, tunnels, maintenance yards, power stations, refueling depots, equipment storage yards/parking lots, storage depots, local control rooms, and operations control rooms. Key parts of the control systems are also buried under or alongside the rail lines. Signals are transmitted in the rails or via specialized aerial paths as well. Transit organizations interconnect systems to incorporate new technologies and create efficiencies that save money. Many of these interconnected systems were never designed or envisioned as being interconnected. Additionally, they were never meant to be or accessible, either directly or indirectly, via a central powerful network. These systems and equipment, which are now used daily, have a host of vulnerabilities. Neither the components, nor the systems used to control trains, signals, controls, and communications, were not designed with an organized set of cybersecurity criteria. And, most can’t be upgraded to fully thwart cyber- threats. These systems are always on. Leaders struggle to develop strategies show to address the long design life of highly reliable systems. Antivirus software, whitelisting, firewalls and other current cyber-defense technologies that may inject delays in communications or block execution of programs carry the risk of unintentionally disrupting system functions and therefore must be carefully evaluated. Control systems by nature, have real-time and time-sensitive requirements that are not common in traditional IT systems. Control systems are also expected in many cases to have little - to no downtime. Whereas, businesses that do not use industrial control systems (ICS) may replace 100 percent of their systems within a five- to the seven-year window. Transit, which uses ICS, rarely replaces all its systems, and those that are replaced are intended to last much longer than 30 years. This creates cybersecurity management issues.

What to Consider

The first step in getting a handle of the security of the enterprise at transit agencies is to consider the following questions:
  • Can a computer or mobile device be used to collect intelligence about the operational network(s)?
  • Can an outsider use the network to take control of the system(s)?
  • What can an unhappy insider do to the network?
  • How can policies, lines of responsibility, training and compliance audits help secure the agency’s assets?
  • How can software change management lessen the chances of software configuration problems?
  • What could a computer virus do to computer systems?
  • How do I assess the risk to IT and ICS systems and manage it?

Transit Enterprises are Getting More Complex

The truth is transit systems are complex and consist of equipment, people, policies, and processes that work together to transport people safely and in a predictable manner. There are many protections in place today, mostly focused on the physical security of the passengers and the transit system’s assets. In general, any device that uses a digital processor communicates with digital devices, connects to a communication network via a wired and wireless connection, or can be programmed, should be considered for protection. Companies like Max Cybersecurity (DBA Max Services), are skilled at helping transit agencies build their approach for managing cyber issues. We perform risk assessments, vulnerability analysis, and build a culture of cybersecurity to enhance resilience. Max Cybersecurity features former FBI and Secret Service, professionals.  The CEO of Max, Mike Echols, is a former Critical Infrastructure Protection and Cyber Director at the Department of Homeland Security.  We can assist any transit agency to build a better security apparatus and response return on investment. Follow our blog and read more about cybersecurity risk assessment.  

Leave a Reply

Your email address will not be published. Required fields are marked *