Cyber security of trains, trolleys, and subways is an important national priority.
An organization’s information technology (IT) group is usually charged with maintaining digital assets and defending against the loss of confidential information.

However, IT may ignore the cyber security ecosystem of the operational technology (OT) (the mechanical and electrical systems that control the rolling stock) side of the agency. The threat to these systems is growing.

Trains and subways rely on industrial control systems (ICSs) to keep them moving. However, ICS devices sometimes have features with inherent vulnerabilities. These devices may have Wi-Fi capability vulnerable to malware intrusion, and while transit agencies may not be using these features, they are still lurking in the background, ready to be exploited by bad actors.

Often, IT and OT teams work together, but differences between IT and OT priorities and culture become apparent. Availability — making the transit system run on time — is the prime directive of operation. IT often lacks understanding that a very small gap in availability is unacceptable in the OT environment.

Vulnerability Awareness
The lack of awareness of the vulnerabilities that have snuck into the OT world blinds decision makers to the need to upgrade, patch, and secure many of the devices that keep a transit system moving. Weak authentication, abuse of access authority, and the prevalence of removable media — often ignored by control engineers in the transit system — are threat vectors that allow intrusion into the transit authority’s OT equipment. In addition, transit systems often rely on legacy devices that have long lifecycles compared to IT appliances and PCs. Unfortunately, legacy systems don’t have cyber security features. This lack of integrated product security must be compensated for by a holistic program within the transit system.

So far, most transit systems have been lucky. But there are real-world examples of breaches. In 2008, a Polish train was remotely diverted to another track by a 14-year-old boy with a radio transmitter and a knowledge of the train system he gained by hanging out around the tracks.

We have found in our role as cyber security assessors that OT managers have often emphatically announced that their area is “air-gapped” and thus invisible to bad actors. These managers may be overlooking several issues, including:

  • Their OT area may include an overlooked historian that moves data from the OT equipment to another business unit.
  • USB ports are present that allow anyone with a memory stick to close this air-gap.
  • Employees may harbor malware in their cell phones, USB devices, or laptops, all of which can come in freely through their gate.

Transit agencies should realize there are real vulnerabilities in their OT domain and take steps to improve security defenses.

Improvement Hurdles
Why are transit agencies slow to make improvements? In addition to different OT and IT cultures, a major hurdle to improving transit cyber security is that transit agencies are often divided into silos of responsibility. For example, the electrical power group may have different ICS equipment than the communication and signals group, which has different systems than the dispatch area. This situation prevents a holistic approach to protecting the system.

Here are some of the steps successful agencies take for a more holistic approach to cyber security:

1. Provide leadership.
The board of directors or CEO of the transit agency must lead the charge for change to a culture in which cyber security is important and rewarded on the OT side.

2. Be aware of OT.
IT management should realize the importance (and uniqueness) of the OT space.

3. Start a task force.
A group made up of IT and OT departments solves the issues of misunderstanding and inertia, and communication between groups fosters success in any cyber security initiative.

4. Pick a standard.
There are a few good base standards for cyber security. The IT world uses ISO 27000 series standards, but some other standards have more of an OT perspective. The NIST (National Institute of Standards and Technology) Framework for Improving Critical Infrastructure Cybersecurity provides a roadmap and is free from the Department of Commerce.

5. People. Process. Technology.
The hard work of cyber defense involves multiple layers. It includes physical devices and software, as well as domains that the OT group alone cannot always change. Things like people and processes must be addressed.

6. Provide governance.
The task of continuous improvement is one of the most important but overlooked topics when discussing cyber security defenses. An institutional effort is necessary to ensure the cyber security of the OT side of transit agencies, remembering that cyber security is ever-changing and evolving. Intelligent adversaries are attacking your system and finding new vulnerabilities all the time. This fact requires constant countermeasures in IT and OT to keep up with the changes in the environment. IT is familiar with this drill, but the personnel in dispatch, positive train control, or other OT areas are often unaware of how to do this.

7. Think outside the box.
OT engineers must think like a hacker to realize the vulnerabilities they have around them. Who better to defend a signaling system than signal engineers?

These steps will help any transit agency get ahead of the cyber threats to its operations. Cyber security is not a goal but a well-planned, well-executed, and never-ending journey that must include operations professionals and information professionals working together for the good of the entire transit system.