Cyber Security 101 for Transit Agencies

With all the news of aggressive attacks on business and critical infrastructure networks in the U.S., it’s clear we’re involved in an active cyber war against enemies that attack from anywhere at any time. These attacks occur for many reasons – theft of intellectual property, to gain competitive advantage, for political motives and hacktivism – just to name a few.

Until recently, there was no standard recommended practice or guideline available for the transit agency ready for “Cyber Security 101” and addressed their particular needs. A guideline is available now along with security professionals and security tools from suppliers who understand the needs of the transit industry.

The APTA Controls and Communication Cyber Security Working Group developed recommended practices to help you walk up the learning curve. An APTA standard titled “Securing Control and Communications Systems in Transit Environments Part 1 and Part 2” offers simple, effective guidance to those who need it. These guidelines explain the processes, practices and methods, and suggest appliances recommended for cyber security at an easy-to-comprehend level. Drawing on many existing industry standards for cyber security, the APTA Recommended Practice for Cyber Security gives current, pertinent and thorough guidance with references to other documents.

 

IT Enterprise versus Control and Communications

Ask a transit agency executive what security measures their system has in place and a typical response might be, “Oh yes, our IT department handles that and we all use passwords.” The need for education starts here because this is not an effective answer, nor is it a wise way to protect an agency.

There are many differences between IT and operations control and communications. According to the guideline, the business system is most concerned about keeping information confidential while knowing when it obtains the data and that it’s correct and complete. Confidentiality and integrity are both of high importance from the business IT priority, while availability is of lower importance. The control system needs information available, so integrity and availability are important, but confidentiality may be least important.

Without going into extreme detail describing control and communication systems, including the supervisory control and data acquisition (SCADA) systems, there are major differences between IT enterprise systems and control and communications systems. It’s necessary to approach cyber security with these differences in mind. In addition, bear in mind that transit systems differ from a manufacturing site because they’re spread out over distance, numerous communications are required and high voltage power is needed while many people have access to the property.

 

So What Is Cyber Security?

The APTA Recommended Practice states “Cyber security…is defined as the means to reduce the likelihood of success and severity of impact of a cyber-attack against transportation sector control systems through risk-mitigation activities.” Transit agencies must foster a cyber-security culture similar to the developed safety culture, which changed the ways things are done. Geopolitical events are a major concern, but many times accidental breaches occur when the wrong person is given access to a system; people are careless about what they are doing; or outsiders gain access via a virus, malware or a phishing-type attack. The bottom line is that agencies must take the necessary proactive steps to protect their systems.

An agency must protect all its assets, particularly whatever it defines as the most valuable and important assets. The National Security Agency (NSA) applied the strategy of layering defenses – known as defense-in-depth – to information security and assurance. The strategy has become an adopted recommended practice of the Department of Homeland Security’s Control System Security Program (DHS-CSSP). Defense-in-depth increases the time and number of exploits it would take for would-be attackers or errant employees to successfully compromise a transit system. Defense-in-depth also increases the likelihood of detecting and blocking attacks; allows security policies and procedures to better align with agency organizational structure; and directly supports the identification and implementation of cyber-security risk zones.

Its recommended agencies combine defense-in-depth with detection-in-depth, a compliance program and audit program to ensure all parts of the layered defense are in place, configured properly and working. Transit agencies must also put certain security controls found in the recommended practice in place. Security controls are the management, operational and technical safeguards or countermeasures prescribed for an industrial control system to protect the confidentiality, integrity and availability of the system and its information.

Processes include the human element. Consider enlisting the help of certified information systems security professionals (CISSP). CISSPs are trained and certified by the independent, Department of Defense-approved International Information Systems Security Certification Consortium or (ISC2). CISSPs are also ANSI-accredited, and one who is knowledgeable in controls can they are specially trained to help you set up an effective system. Perhaps it is time to consider either hiring one of these trained professionals for your staff or, at a minimum, to support in-depth training for someone on your staff to better understand security.

 

Technology

Technology is an ever-changing part of the security picture. Proper tools are industrial grade and not your average devices from the local office supply store. Today’s industrial devices can provide effective defenses around critical areas and incorporate features that separate the more robust devices from lesser appliances.

Look for a stateful firewall that keeps track of the state of network connections, such as transmission control protocol (TCP) streams and user datagram protocol (UDP) communication traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. The stateful firewall will only allow packets matching a known active connection; others will be rejected. Compare this to a stateless firewall, which can’t distinguish known and legitimate traffic from the “spoof” or imposter attacks.

Virtual private network (VPN) will allow a secure connection to and from the outside world by authenticating users and encrypting data. This is especially valuable for accessing remote support from outside vendors. We all know the consequences of not being able to get support for technical issues.

Virtual local area networks (VLANS) are traffic management tools which are over-relied on for security, but easily faked out or overridden.

System log (Syslog) is an important security auditing standard that logs computer messages. It permits separation of the software generating messages from the system storing them and the software reporting and analyzing. It takes a cyber-security culture willing to look at logs and analyze the findings. An emerging area of managed security services is growing, and these new companies — called managed security service providers — attempt to apply analytics techniques to detect patterns and to alert customers of problems.

Routers are a network handling message transfers between devices. Many robust industrial routers are available and recommended for trackside or other industrial deployment. An agency shouldn’t feel pressured to only use the typical enterprise IT or corporate router when other, more appropriate devices exist.

Other important industrial-grade features include wide temperature specs, DC power, resistance to electrical noise, RF, EMI, shock and vibration resistance, etc. All of these attributes will ensure the device will last a long time and can be deployed in areas outside the computer room. Redundant power should be considered for important security appliances. Copper and fiber variants should be available for devices.

Thorough cyber security will not happen at transit agencies unless top management understands requirements and then creates the right culture to ensure proper deployment. Recommended practices with guidelines exist to walk agencies through the learning curve. Trained professionals, tools and know-how are available to those who seek it. Transit agencies would do well to protect themselves from cyber-attacks and the industry has what it takes to make that happen.

Loading