As a cornerstone of American infrastructure, the transportation industry is a key national asset and a regular target of cyber intruders. According to recent statements by the FBI and NIA, malicious attacks have increased and will continue to increase at an alarming rate, with magnified results. Threats are moving beyond data breaches to damaging physical infrastructure, posing ever greater risk to the public at large.
Absent defined government standards, The American Public Transport Association (APTA) has taken the lead in establishing guidelines and best practices for operators while assembling and integrating various compliance requirements provided by different government agencies and departments. The organization has developed a recommended approach to cyber security using Security Zone Architecture that defines and prioritizes criticality, and provides a “Defense-In-Depth” approach to building a control and communications security program.
Endpoint’s experts have been involved with Transportation Agencies for more than 30 years in installing, commissioning and securing core operating systems including:
- Agency Enterprise Network
- Agency Communications and Control Networks Security
The enterprise network captures all of the business functions and fare collection data, while communications and control involve both primary and secondary operating systems, varying from non-critical to critical.
Rail, Bus and People mover systems all rely heavily on IT and automation for:
- Operational systems: These systems integrate supervisory control and data acquisition (SCADA), original equipment manufacturer (OEM) and other critical component technologies responsible for the control, movement and monitoring of transportation equipment and services (i.e., train, track and signal control). Often such systems are interrelated into multimodal systems such as buses, ferries and metro modes.
- Enterprise information systems: This describes the transit agency’s information system, which consists of integrated layers of the operating system, applications system and business system. Holistically, enterprise information systems encompass the entire range of internal and external information exchange and management.
- Subscribed systems: These consist of “managed” systems outside the transportation agency. Such systems may include Internet service providers (ISPs), hosted networks, the agency website, data storage, cloud services, etc.
Common cyber threats that transportation systems must be mindful of include nation-sponsored, recreational or anti-social hacking; phishing attacks; browser attacks; data breaches; data theft from internal or external sources; cloud security; and mobile devices, including bring-your-own-device solutions.
All organizations are at risk as “black hat” hackers continue to improve invasive software and techniques.
Enterprise systems are at risk for sensitive data discovery, including employee data and passenger credit information.
Operating systems, when compromised, are at risk for malicious control of:
- Train movement;
- Distributed power to the network;
- Control of signaling infrastructure;
- Reporting on the status and condition of the vehicles and associated infrastructure;
- Prescribed operational planning and timetables
Endpoint has a unique understanding of each system’s operational relationship to the whole, between the individual networks and linked operating systems.
Figure 1.0 Model & Communications Control System Categories Note: (Figure 1.0 is a work product of enGenious, consultant to APTA)
- National Institute of Standards and Technology (NIST)
- Federal Information Security Act (FISMA)
- National Security Agency (NSA)
- Department of Homeland Security (DHS)
- Federal Transit Administration (FTA)
- Department of Commerce
- Government Accountability Office Report
- American Public Transportation Association