When it comes to data security and breaches, plenty of industries and individuals have had it lousier than transit in recent years. It might not stay that way.
In late 2016, the San Francisco Municipal Transportation Agency was hit with a ransomware attack, which compromised thousands of computers, doled out free rides and even led to the suspected hacker getting hacked. The resulting damage was minimal, but it dragged the transportation industry into the somewhat unfamiliar territory as a headline-grabbing cyber victim.
A handful of industries like financial services or healthcare have carried far greater attention to their data operations – with all of the accompanying risk and regulation — than those in transportation. When sectors like government or retail are compromised, they often strike to the core of aspects of American life.
However, transit hubs across the U.S. are evolving from their disparate, first-generation and sometimes homemade digital systems toward more mobility, signal-driven operations and big data analytics. With this massive shift, experts expect a spike in attention and threats in the months and year ahead.
“Bad guys are generally opportunistic and look for the lowest hanging fruit with the biggest ‘bang for the buck,’” said Garrett Bekker, principal analyst in information security for 451 Research. “Transportation could be a prime target of these types, since it can create big problems and install massive fear.”
The Identity Theft Resource Center, a watchdog group, has tabulated 312 reported data breaches of more than 1.3 million personal records since the beginning of this year. Yet, the Alabama State Port Authority and its 780 records were the only transportation/transit-related enterprise that registered in the group’s most recent weekly round-up of national breaches, which included much bigger names like the Air Force, Equifax, Arby’s and the Coachella music festival.
Randy Clarke, VP of operations and member services for American Public Transportation Association, credited transportation providers for their low instance of threats, especially when juggling “multilayered” systems tethered to finance, infrastructure, power and safety.
“This an evolving field in an industry that isn’t like a tech-firm, per se,” Clarke said. “The fact that we’ve had few instances of public agencies with an exposure suggests to me that people are doing a pretty good job of protecting their systems.”
Clarke acknowledged that the transit industry may have been insulated from cybersecurity threats in the past because of small technology budgets and often “antiquated infrastructure and equipment.” Now, more “smart” systems are being implemented, though Clarke said he does not think we’re in the phase where tech “takeover” type attacks like the movie “Speed” come into practice. Rather, Clarke said routine security challenges related to websites and online portals like ransomware, malware and hacks lead security challenges for many within his 1,500-member association. For instance, the San Francisco Municipal Transit Agency, which did not respond to an email for comment, was compromised through its online portal.
Security analysts and transportation security vendors cited different mounting threats ahead for the industry.
Dominic Keller, V.P. at Willis Towers Watson, co-authored an October report on cyber risks that placed seven of its top-10 threats in the areas of network security and information. With the non-stop flow of information for communications, ticketing, signaling and maintenance, Keller said fluid access to critical and non-critical networks is “fundamental” to smooth operation. That level of interconnectivity exposes transit operators to new and swift challenges from errors or malfeasance.
“Transit agencies are vulnerable to attacks from external actors and, increasingly, ‘rogue’ employees who may be able to access critical systems and affect operations,” he said. “Responding effectively to these threats will be the biggest cybersecurity issue for transit agencies in the next year and beyond,” Keller said.
Bekker noted the drastic increase in information handled by transit providers. He anticipated substantial risks for transit agencies as they bring in more options for apps, mobile payment and data streaming from systems in the emerging “Internet of Things.”
“If they collect customer data, that is always valuable, so they will be targeted,” he said.
Matt Powell manages transportation markets for Convergint, a systems integrator for physical and information security. While the transportation industry is beholden to a few data security standards, like PCI, for payment cards, even those regulations often don’t “match the threat,” Powell said. Laggard standards may effectively lower the bar on protection for everyone, particularly with how fast threats can change.
“In many ways, the threat is evolving exponentially faster than regulations from government or recommendations from professional organizations. This is the same for manufacturers, who's due to product development time may be introducing products that are also behind the threat curve,” he said.
Defense in depth: suggestions for stronger data security from the experts
- Information sharing: “If someone has thwarted an attack in Boston, that’s good for someone in San Francisco or Dallas to know,” Clarke said. “The more we share information and work together, the better for your own agency and the industry.”
- Know what you’ve got: Bekker said data discovery and classifying can help agencies determine information that’s most important. On the protection side, he suggested adding or beefing up protection of the important information with encryption, tokenization and DLP systems.
- On board: Keller said “board-level oversight” on agency cybersecurity will boost both its internal importance and, hopefully, support to develop defenses.
- Data security hiring: Powell said the time is passing when security companies alone could maintain totally seamless infrastructure for its clients. He recommended hiring and training to match internal security expectations.
- Funding from above: Clarke said a fast path toward securing transit data systems would be from a federal funding plan to support the multi-billion-dollar technology and service backlog hindering transit agencies nationwide.
