With all the news of aggressive attacks on business and critical infrastructure networks in the U.S., it’s clear we’re involved in an active cyber war against enemies that attack from anywhere at any time. These attacks occur for many reasons – theft of intellectual property, to gain competitive advantage, for political motives and hacktivism – just to name a few.
Until recently, there was no standard recommended practice or guideline available for the transit agency ready for “Cyber Security 101” and addressed their particular needs. A guideline is available now along with security professionals and security tools from suppliers who understand the needs of the transit industry.
The APTA Controls and Communication Cyber Security Working Group developed recommended practices to help you walk up the learning curve. An APTA standard titled “Securing Control and Communications Systems in Transit Environments Part 1 and Part 2” offers simple, effective guidance to those who need it. These guidelines explain the processes, practices and methods, and suggest appliances recommended for cyber security at an easy-to-comprehend level. Drawing on many existing industry standards for cyber security, the APTA Recommended Practice for Cyber Security gives current, pertinent and thorough guidance with references to other documents.
IT Enterprise versus Control and Communications
Ask a transit agency executive what security measures their system has in place and a typical response might be, “Oh yes, our IT department handles that and we all use passwords.” The need for education starts here because this is not an effective answer, nor is it a wise way to protect an agency.
There are many differences between IT and operations control and communications. According to the guideline, the business system is most concerned about keeping information confidential while knowing when it obtains the data and that it’s correct and complete. Confidentiality and integrity are both of high importance from the business IT priority, while availability is of lower importance. The control system needs information available, so integrity and availability are important, but confidentiality may be least important.
Without going into extreme detail describing control and communication systems, including the supervisory control and data acquisition (SCADA) systems, there are major differences between IT enterprise systems and control and communications systems. It’s necessary to approach cyber security with these differences in mind. In addition, bear in mind that transit systems differ from a manufacturing site because they’re spread out over distance, numerous communications are required and high voltage power is needed while many people have access to the property.
So What Is Cyber Security?
The APTA Recommended Practice states “Cyber security…is defined as the means to reduce the likelihood of success and severity of impact of a cyber-attack against transportation sector control systems through risk-mitigation activities.” Transit agencies must foster a cyber-security culture similar to the developed safety culture, which changed the ways things are done. Geopolitical events are a major concern, but many times accidental breaches occur when the wrong person is given access to a system; people are careless about what they are doing; or outsiders gain access via a virus, malware or a phishing-type attack. The bottom line is that agencies must take the necessary proactive steps to protect their systems.
An agency must protect all its assets, particularly whatever it defines as the most valuable and important assets. The National Security Agency (NSA) applied the strategy of layering defenses – known as defense-in-depth – to information security and assurance. The strategy has become an adopted recommended practice of the Department of Homeland Security’s Control System Security Program (DHS-CSSP). Defense-in-depth increases the time and number of exploits it would take for would-be attackers or errant employees to successfully compromise a transit system. Defense-in-depth also increases the likelihood of detecting and blocking attacks; allows security policies and procedures to better align with agency organizational structure; and directly supports the identification and implementation of cyber-security risk zones.