Cubic

Putting the brakes on transit agency cyberattacks

28 November 2022

By Konrad Fellmann, CISO and VP of IT infrastructure, Cubic Corporation

We are living in a time when every person and business is vulnerable to cyberthreats. Mass transit agencies are no exception; in fact, they are appealing targets simply because, as part of the critical infrastructure, they help commerce and cities to run. If a transit agency is shut down and we can’t move people or goods, the criminals claim victory.

In recent years, we’ve seen cyberattacks target the Martha’s Vineyard Ferry; multiple mass transit systems in cities like Philadelphia, Dallas and Ann Arbor; a top bus operator in the UK; and countless others — likely with a partial goal of causing chaos and incapacitating entire cities. However, many attacks have hefty monetary motivations as well.

Another top goal for malicious hacks on transit agencies is getting a ransom paid. This is why we consider ransomware to be a significant threat to not only transit agencies but all enterprises and government agencies. It’s also why we’ve seen cyber liability premiums rise nearly 300 to 400 percent over the past couple of years.

The good news is, while most transit agencies already have some cybersecurity measures in place, the new regulations put forth by the TSA are helping to further establish a standard for security in the transit sector — encouraging increased hiring for the cybersecurity side of the agencies, faster speed of incident reporting, proactive incident response plans and performance of ongoing vulnerability assessments.

Plus, a report by the Mineta Transportation Institute doubled down on the need for C-level security and technical expertise, for instance, hiring a chief security officer (CSO) or chief information security officer (CISO). This not only gets cybersecurity a seat at the table to secure the budget it needs to keep up with evolving cyberattacks but also immediately matures the entire security organisation.

To gain and keep rider trust, as we have at Cubic, we recommend that organisations handling transit rider data refine their agility and focus on adversarial threat analysis across every part of their business in order to detect and mitigate security events at a rapid pace. Often, transit agencies work with several technology partners to keep their fare payment systems and rider apps moving. Thus, supply chain security should be a key area of focus at all times.

In addition, we certify to industry standards such as the Payment Card Industry Data Security Standard (PCI-DSS) and ISO 27001 in order to ensure and verify the effective implementation of strong security controls. We also maintain close working relationships with multiple cyber industry associations and government agencies to stay aware of ongoing trends and gather threat intelligence to continually improve our security posture.

No single step will prevent advancing cyberattacks, but combining all of these elements at all levels of the transit supply chain will give these organisations a major advantage against digital adversaries. We hope these recommendations will help both agencies and technology providers in the transportation space strengthen their cybersecurity and data protection stances.

 

Brought to you by:

cubic

 

 

 
