Cyber threats to all transportation agencies are increasing at an exponential rate because of the reliance on new technology to support operational needs, process massive amounts of data, and handle complex network connections to more diverse organizations. The technology systems are stressed to just support daily operations and are severely challenged during incidents that disrupt operations or even shut down the business. This stress creates an added cyber risk that transportation leaders must consider and strive to create a cyber-aware transportation organization.
A good example is the multimodal transportation strategies to maximize efficiency, safety, and existing/planned transportation infrastructure through transportation systems management and operations (TSMO). The guidance for these systems recommends a cybersecurity engineer be added to the TSMO team to address cyber policies, communications networks security, and staff training.
A similar need is emerging with the deployment of technology to support construction management systems. It’s driven by the adoption of new tools being adopted for remote bidding, building information management (BIM) systems, electronic ticketing, asset management, survey systems, and field data collection (drones, cameras, rovers, etc.). While these systems are considered core business systems, the cybersecurity skills to protect them reside in the Chief Information Officer (CIO) community.
Whether you are building or operating these interconnected systems, they can become a high cost to operations if lost by the agency through a cyber incident. The loss of data or the access to it impedes operations, services, or privacy. Plus, the cost to restore operations can be exorbitant and divert resources from other transportation needs. Recent cyber incidents have had a major impact on transportation systems, challenging transportation executives to consider how to identify risks, establish programs to reduce the risk, create ways to quickly recover from an attack, and learn from other’s experiences. The question becomes, “What should a transportation leader do to create a cyber-aware organization and reduce the many risks from a cyber-attack?”
1. Be A Leader. Talk with your team about cyber threats and raise awareness. Consider cyber threats and include risk assessments as part of your annual planning activities. Acknowledge there is a serious cyber risk to public entities, including yours, and allocate resources to reducing the risk. Hire a chief information security officer (CISO) or a cybersecurity engineer. Ask questions about new technology security. Add cybersecurity reviews to the purchasing processes. Foster open communication with private sector partners and develop a response plan to use when there is a cyber incidence. Consider lessons learned from other attacks.
2. Invest in Cyber Resilience. Allocate resources to address the highest priority cyber risks identified by annual assessments. The actual need will vary depending on the kind of risks and essential priorities. Consider using a hosting service (cloud) to leverage technical expertise with daily operations and best cybersecurity practices. A hosting service with backup resources offers the quickest way to restore service, creating a more resilient operation.
3. Make Employees Aware of the Risks. Employees are your best defense and also your greatest risk because they are the ones who receive phishing emails or subvert system controls to get the job done. They may also be subject to social engineering attacks that cause them to give up critical business data or make system changes. For example, a recent incident caused an employee to divert contractor payments to a bogus account. Require regular training and test your people. Reduce the risk through regular testing of all employees. Most ransomware attacks start with an email. Train your team to recognize them, resist the temptation to open them, and send them to the cybersecurity team.
4. Conduct Assessments and Exercises. The National Institute of Standards and Technology (NIST) provides excellent guides for creating a cyber aware and more secure organization. Because technology that ages may become vulnerable, use an annual third-party assessment to identify risks and suggest ways to mitigate them. New technology also adds new devices to be exploited. New collaborative partners add a whole new system of risks as these systems are connected. Separate the management of administrative systems from critical operational systems such as the traffic management system. Adopt a systems engineering approach and use the industrial control system standards to protect the operation and safety of these systems.
5. Collaborate with Other Agencies. Take advantage of other organization’s cybersecurity expertise. Since transportation is critical to our daily life and is a major impact to the Nation’s economic wellbeing, there are several ways to get help with your cybersecurity program. The Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) has field offices to support each state. They can help with cyber awareness training, assessments, and identifying risks. The FBI InfraGard program focuses on protecting critical infrastructure and offers a way for local organizations to share information about threats and solutions, training employees, and better understanding their own risks. Members receive threat warnings to better prepare for a potential cyber-attack. The Center for Internet Security (CIS) Multi State Information Sharing and Analysis Center (MS-ISAC) supports state and local governments with analysis, risk assessments, recovery, and lessons learned. They understand that you start by recovering the technology, then recover the entire business to restore operations.
Maintaining a consistent, effective approach to your cybersecurity efforts takes vigilance, but the value of protecting your data and systems is priceless.