In 2017 travelers waiting for their train in Germany noticed a ransom note scrolling across the information board, demanding $300 in bitcoin to restore service. The “WannaCry” virus – which American intelligence officials have traced back to North Korea – had infected 450 German Rail computers, bringing down the entire network.
It was, and remains, a familiar event to U.S. transit providers. The San Francisco Municipal Transit Authority, the Colorado Department of Transportation, and the Sacramento Regional Transit system have all been hacked in recent years.
The cyber security challenge for transit can only grow from here. Transit systems provide high-visibility targets and entry points for cyber intruders are abundant. For hackers looking to extract ransom, transit provides especially attractive target, given that transit providers must stop service if they cannot assure the safety of passengers.
Now, with transit agencies increasingly reliant on Wi-Fi and cellular data, tension is growing between the need to digitize processes and enable data analytics, and the need to ensure security.
Asset management and labor functions of transportation remain at the early stages of digitization, according to a recent McKinsey report. More and more sensitive information and data will inevitably move into cellular networks and onto the cloud.
For transit agencies operating with software systems that date back to the 1990s, finding cyber solutions is an urgent mandate.
Worse than fiction
According to author Fred Kaplan, America’s cyber security systems were largely built after a 1983 film “WarGames,” a low-budget sci-fi flick which a young man (portrayed by Matthew Broderick) hacks into NORAD’s computer systems and nearly turns the Cold War into a nuclear one. Watching the movie at Camp David, President Ronald Reagan was so alarmed of the possibilities of fiction becoming reality that he ordered his Chairman of the Joint Chiefs of Staff to review the Pentagon’s cyber defenses.
In his book “Dark Territory: The Secret History of Cyber War,” Kaplan recalls General John Vessey a week later returning to the White House to inform the president that not only was the “WarGames” scenario possible, but that “the problem is much worse than you think.” America’s cyber systems, is appeared, were so exposed that a crippling attack could come from the Soviets or just a curious teenager.
Remarkably for some transit agencies, control centers are using software systems that were installed in an era nearer to the world of War Games than that present day. It is not uncommon for transit systems to use payroll, scheduling, dispatching, and vehicle location programs that were installed more than 20 years ago.
This could hardly be a less convenient time to be operating outdated cyber systems. Attacks on supervisory control and data acquisition (SCADA) centers are on the rise, and the vulnerabilities of transit cyber systems are multiplying.
Light rail systems have long relied on fiber-optic lines that are buried beneath the rail line, closed loop and unhackable without physically unearthing the cables. Now rail lines are connecting central communications to train operators through cellular networks, enabling data collection on everything from vehicle maintenance to arrival times, but also leaving lots of entry points for intruders.
Each device presents a potential entry point: radios, tap-card readers, security cameras.
No door can be left unlocked. Hackers responsible for a November 2013 breach of Target’s credit and debit card records were later found by investigators to have entered through a wireless thermostat.
Where are transit agencies exposed?
Answer: From the networking facilities all the way to each bus and train car, with numerous entry points along the way.
Part of the problem is a mismatch of functionality.
For a standard transit agency, the computer-aided dispatching program is interfaced with scheduling application, which is interfaced with finance software, and so forth. They are interconnected and are often provided by different vendors for each program.
Transit agencies have long taken piecemeal approach to acquisitions, making seamless integration difficult.
If, for example, a security camera system installed in the 1990s came from one vendor and another system installed last year came from another, a transit agency would have two separate entry points to defend with two different requirements.
Theoretically, capturing each function under the umbrella of one software program would be valuable. Yet such a program would likely lack variability, exposing clients to another set of cybersecurity challenges.
When hackers can map out “off-the-shelf” software, they have potentially found the way into thousands, even millions, of target systems.
That would increase the value of low-volume, customized products that are not replicated at another transit agencies. The fewer people who have knowledge of how your system works, the harder it is to penetrate.
Transit agencies should be working with software packages that integrate functions of the business into one platform, and with unique application program interfaces (APIs), embedded security functions, and built-in firewalls.
Right now, few are.
The best defense
If transit officials are not yet feeling a sense of urgency, it will soon be thrust upon them.
In Europe, cyber defenses are being built under the force of government mandates. The German government recently enacted a law requiring railway operators to exceed a minimum set of cyber security standards. The European Union issued a similar directive in 2016.
In the United States it has fallen to the Transportation and Security Administration to sure up transit cyber systems.
In 2019 TSA issued its cybersecurity roadmap, pledging to elevate cybersecurity in its policy-development and planning activities, and improve cybersecurity staffing.
To act before mandates for their hands, transit agencies should be rushing to set clear IT standards and build cybersecurity activities directly into processes and services, not hold IT response teams separate from central communications.
When it comes to transforming processes, size matters. Larger transit agencies have more points of exposure and are often slower to evolve. Building integrated software systems and then swapping out old systems to install new ones is a time-consuming process, sometimes as long as 12 to 18 months.