It is recommended that agencies combine defense-in-depth with detection-in-depth, plus a compliance program and an audit program to ensure all parts of the layered defense are in place, configured properly and working. Transit agencies must also put certain security controls found in the recommended practice in place. Security controls are the management, operational and technical safeguards or countermeasures prescribed for an industrial control system to protect the confidentiality, integrity and availability of the system and its information.
Processes include the human element. Consider enlisting the help of certified information systems security professionals (CISSP). CISSPs are trained and certified by the independent, Department of Defense-approved International Information Systems Security Certification Consortium (ISC2). The CISSP certification is also ANSI-accredited, and a CISSP who is knowledgeable in controls is specially trained to help you set up an effective system. Perhaps it is time to consider either hiring one of these trained professionals for your staff or, at a minimum, supporting in-depth training for someone on your staff to better understand security.
Technology is an ever-changing part of the security picture. Proper tools are industrial grade and not your average devices from the local office supply store. Today’s industrial devices can provide effective defenses around critical areas and incorporate features that separate the more robust devices from lesser appliances.
Look for a stateful firewall that keeps track of the state of network connections, such as transmission control protocol (TCP) streams and user datagram protocol (UDP) communication traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. The stateful firewall will only allow packets matching a known active connection; others will be rejected. Compare this to a stateless firewall, which can’t distinguish known and legitimate traffic from the “spoof” or imposter attacks.
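As an added example that is not part of the original article, here is a small Python model of the distinction just described: a stateless port filter beside a stateful connection tracker, both run over a constructed packet trace in which a forged inbound packet masquerades as a reply from port 443. The 10.1.0.0/16 control network and every address in the trace are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

# Assumed address range of the agency's control network (constructed for this example).
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: "S", "SA", "A", "FA", "R"

class StatelessFilter:
    """Port-based ACL with no memory: passes anything to or from an allowed service port."""
    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
    def decide(self, pkt):
        ok = pkt.dport in self.allowed_ports or pkt.sport in self.allowed_ports
        return "ALLOW" if ok else "DROP"

class StatefulFilter:
    """Connection tracker: only an internal host may open a connection to an allowed
    port; afterwards only packets matching a tracked connection are passed."""
    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.table = {}  # (src, sport, dst, dport) of the opening SYN -> state

    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd not in self.table and rev not in self.table:
            # New flow: only an outbound SYN from inside to an allowed port is accepted.
            opens = (pkt.flags == "S" and pkt.dport in self.allowed_ports
                     and ipaddress.ip_address(pkt.src) in INTERNAL_NET)
            if opens:
                self.table[fwd] = "SYN_SENT"
            return "ALLOW" if opens else "DROP"
        key, reply = (fwd, False) if fwd in self.table else (rev, True)
        if self.table[key] == "SYN_SENT" and reply and pkt.flags == "SA":
            self.table[key] = "ESTABLISHED"  # the server's SYN-ACK completes the handshake
        elif self.table[key] == "SYN_SENT":
            return "DROP"  # nothing else belongs to a half-open connection
        elif "F" in pkt.flags or "R" in pkt.flags:
            del self.table[key]  # simplified: the first FIN or RST closes the entry
        return "ALLOW"

def run_scenario(fw):
    """Replays a constructed trace: an HTTPS session opened from inside, then a forged inbound packet."""
    trace = [
        Packet("10.1.5.20", 50000, "203.0.113.10", 443, "S"),
        Packet("203.0.113.10", 443, "10.1.5.20", 50000, "SA"),
        Packet("10.1.5.20", 50000, "203.0.113.10", 443, "A"),
        Packet("198.51.100.7", 443, "10.1.5.20", 50001, "A"),  # no request was ever sent
    ]
    return [fw.decide(p) for p in trace]
```

The stateless filter passes the forged packet because its source port matches the allow list; the stateful filter drops it because no tracked connection exists for it.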
A virtual private network (VPN) allows a secure connection to and from the outside world by authenticating users and encrypting data. This is especially valuable for accessing remote support from outside vendors. We all know the consequences of not being able to get support for technical issues.
Virtual local area networks (VLANs) are traffic management tools that are often over-relied on for security; they are easily faked out or overridden.
System log (Syslog) is an important security auditing standard for logging computer messages. It permits separation of the software generating the messages from the system storing them and from the software that reports on and analyzes them. It takes a cyber-security culture willing to look at logs and analyze the findings. An emerging area of managed security services is growing, and these new companies, called managed security service providers, attempt to apply analytics techniques to detect patterns and to alert customers of problems.
Routers are network devices that handle message transfers between other devices. Many robust industrial routers are available and recommended for trackside or other industrial deployment. An agency shouldn’t feel pressured to use only the typical enterprise IT or corporate router when other, more appropriate devices exist.
Other important industrial-grade features include wide temperature ratings, DC power, resistance to electrical noise, RF and EMI, and shock and vibration resistance. All of these attributes help ensure the device will last a long time and can be deployed in areas outside the computer room. Redundant power should be considered for important security appliances. Copper and fiber variants should be available for devices.
Thorough cyber security will not happen at transit agencies unless top management understands requirements and then creates the right culture to ensure proper deployment. Recommended practices with guidelines exist to walk agencies through the learning curve. Trained professionals, tools and know-how are available to those who seek it. Transit agencies would do well to protect themselves from cyber-attacks and the industry has what it takes to make that happen.