Public transit is integral to metropolitan areas. The public transit sector ranges from buses to trains, overground systems, underground systems, light rails, ferries, and more. New York’s Subway, London’s Underground, and Paris’ Métro are hallmarks of the cities’ cultures. But the growing dependence on and integration between public transit and technology opens up new areas of risks to cities with public transit systems. If a public transit system is compromised by a cyber attack, how does the city continue to function? Is the city prepared to defend its systems? Does the city pay a ransom, lose data, or hire incident response help?
The Need for Effective Cybersecurity Strategies
The complexity and interconnectivity of transit systems’ infrastructures, matched with evolving technology, increases public transit’s, and the cities they operate in, exposure to cyber risks. APTA’s Cybersecurity Considerations for Public Transit says, “Cyberattacks can destroy a transit agency’s physical systems, render them inoperable, hand over control of those systems to an outside entity or jeopardize the privacy of employee or customer data. Cyberattacks threaten every aspect of modern life that is touched – indirectly or directly – by information technology.” It’s crucial that the public transit sector and its personnel realize these threats are real.
When ransomware hit San Francisco’s light rail system in November 2016, the San Francisco Municipal Transportation Agency (SFMTA) had two choices: shut down the light rail or let consumers ride for free. On one of the busiest shopping weeks of the year, the SFMTA let consumes ride for free. Fortunately, this cybersecurity attack did not impact the functionality of San Francisco’s buses, light rail, street cars, or cable cars. The attacker demanded a $73,000 ransom, but the agency informed the public, “The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.”
In February 2018, SamSam’s ransomware attacked the Colorado Department of Transportation (CDOT), eventually costing the state an estimated $1.5 million. The attacked impacted about half of CDOT’s computers. They never gave into the hacker’s ransom demands, but it took several weeks and many unexpected resources to investigate, contain, and recover. The incident response team went from 25 IT employees to 150, in addition to CDOT, the FBI, state emergency officials, and private companies getting involved. The state’s Office of Information Technology attributed their recovery to their backup plan and segmentation strategies, which proved to be successful. Governor Hickenlooper did declare a disaster emergency due to this cybersecurity incident, which authorized state agencies to coordinate response efforts, including the deployment of the National Guard.
Key Cybersecurity Challenges for Public Transit
In order to implement an effective cybersecurity strategy, organizations within or serving the public transit sector must understand the challenges they face. The goal is always the same: to achieve information security and cybersecurity by upholding confidentiality, preserving integrity, and providing availability. Several of the key challenges in reaching this goal include:
- There are typically three layers to a public transit system’s infrastructure: operational systems (like SCADA), enterprise information systems, and subscribed systems. All three systems are dependent on one another in order to function properly, which means the attack surface triples in size.
- Software, hardware, and personnel could all be exploited in order to compromise a public transit system. Software infected by malware is often the type of cyber attack we think of, but the attack would also come through intentional manipulation of personnel or physical tampering of hardware that’s connected to software. Once again, the attack surface
- The transition to mobile and wireless communication, from both operators and consumers, expands every day. On-board technology, command and control systems, fare payment technology, traffic signals – with each innovation that makes public transit more accessible, the attack surface
- A public transit system may just be collateral damage in an attack that’s targeting any and every system it can.
- In every industry, the lack of cybersecurity professionals is causing real challenges. In the public transit sector, operators who don’t understand cybersecurity and no cybersecurity professionals to educate them can keep the entire industry from progressing.
As a city with a public transit system, your city must accept the responsibility of implementing effective cybersecurity strategies. By doing so, you will protect your city, technology, consumers, and business partners. Is your city looking to improve your public transit’s cybersecurity posture? Are you meeting the security, privacy, and cybersecurity obligations expected of you? Contact us today to ensure you can deliver secure and reliable public transit.