Transit agencies manage a large number of control and communication systems that need to interoperate to allow them to seamlessly provide service. A transit agency is a very complex organization that has assets and equipment controlled by supervisory systems with communications mechanisms in the station and along railroad tracks. These systems used to both control and communicate, are located along the routes in wayside bungalows, stations, road crossings, signal towers, tunnels, maintenance yards, power stations, refueling depots, equipment storage yards/parking lots, storage depots, local control rooms, and operations control rooms. Key parts of the control systems are also buried under or alongside the rail lines. Signals are transmitted in the rails or via specialized aerial paths as well. Transit organizations interconnect systems to incorporate new technologies and create efficiencies that save money. Many of these interconnected systems were never designed or envisioned as being interconnected. Additionally, they were never meant to be or accessible, either directly or indirectly, via a central powerful network. These systems and equipment, which are now used daily, have a host of vulnerabilities. Neither the components, nor the systems used to control trains, signals, controls, and communications, were not designed with an organized set of cybersecurity criteria. And, most can’t be upgraded to fully thwart cyber- threats. These systems are always on. Leaders struggle to develop strategies show to address the long design life of highly reliable systems. Antivirus software, whitelisting, firewalls and other current cyber-defense technologies that may inject delays in communications or block execution of programs carry the risk of unintentionally disrupting system functions and therefore must be carefully evaluated. Control systems by nature, have real-time and time-sensitive requirements that are not common in traditional IT systems. Control systems are also expected in many cases to have little - to no downtime. Whereas, businesses that do not use industrial control systems (ICS) may replace 100 percent of their systems within a five- to the seven-year window. Transit, which uses ICS, rarely replaces all its systems, and those that are replaced are intended to last much longer than 30 years. This creates cybersecurity management issues.
What to ConsiderThe first step in getting a handle of the security of the enterprise at transit agencies is to consider the following questions:
- Can a computer or mobile device be used to collect intelligence about the operational network(s)?
- Can an outsider use the network to take control of the system(s)?
- What can an unhappy insider do to the network?
- How can policies, lines of responsibility, training and compliance audits help secure the agency’s assets?
- How can software change management lessen the chances of software configuration problems?
- What could a computer virus do to computer systems?
- How do I assess the risk to IT and ICS systems and manage it?