News Jun 25, 2020

Cybersecurity in Light Rail and Transit Control Systems

Jacobs’ Director Federal ICS Cybersecurity Susan Howard discusses the top reasons to develop a Vulnerabilities, Mitigations and Technology Roadmap with APTA’s Passenger Transport magazine.

Abstract cybersecurity image

Jacobs’ Director Federal ICS Cybersecurity Susan Howard discusses the top reasons to develop a Vulnerabilities, Mitigations and Technology Roadmap with APTA’s Passenger Transport magazine.

The evolution into the Internet Protocol (IP) connected world has introduced significant cyber-security concerns. Consider this: light rail and other transit control system environments have evolved as part of the industrial control system industry over the past 20 years and now include the IP stack in all new components, including substation PLCs, fare payment systems and on-board vehicular sensors.

The House Homeland Security Committee held a hearing Feb. 26, 2019, on “Securing U.S. Surface Transportation from Cyber Attacks.” The hearing focused on how both the Transportation Security Administration and the Department of Homeland Security’s Cyber-security and Infrastructure Security Agency (CISA) office can better protect surface transportation like commuter rail and light rail, among others. Transit cybersecurity has traditionally focused on aviation, but there is concern that the U.S. is not doing enough to protect surface transportation. Some of the challenges discussed include a shortage of cyber personnel, a transportation workforce with little cyber training and awareness and resource constraints at transit agencies. Supply chain cyber-security was another main issue of discussion.

In the past year, many transit agencies across the country have developed comprehensive cybersecurity policies and procedures based on the National Institute of Standards and Technology (NIST) 800 series framework or the International Organization of Standardization (ISO) 27000 series standards.

Through these governance, risk and compliance efforts, agencies are finally addressing cybersecurity concerns for the Operational Technology (OT) environment in transit control systems.

Fast forwarding into the next decade, the IoT will play a huge role in predictive maintenance and real-time communications for rolling stock. IoT devices will use technologies like 5G, cloud platform services, Application Program Interfaces (APIs), and a reference architecture based on the evolving Message Queue Telemetry Transport (MQTT) connectivity protocol. These IoT implementations are game changers for the transit control system landscape.

In most cases, the data being collected for rolling stock is transmitted back to the vehicle manufacturers. More sophisticated monitoring tools will be needed for transit agencies to maintain visibility into this new information flow. Funding for these tools will prove challenging in this COVID-19 era of historically low ridership. There are several IoT implementations for light rail control systems across the U.S. already.

Cybersecurity is not yet a prominent part of these implementations for many reasons. Until the new IoT ecosystem is secured, attackers can and will exploit vulnerabilities in these new IoT-enabled infrastructures. In light rail and other transit control systems, these attacks could prove catastrophic. The use of Information Sharing and Analysis Centers (ISACs) such as the Passenger Transportation (PT) ISAC, the Surface Transportation (ST) ISAC, and the Automotive (Auto) ISAC are more critical now than ever to keep transit agency stakeholders informed of transit control system cybersecurity tactics, techniques and procedures.

Jacobs is working with major transit agencies across the United States to help increase industrial control system cybersecurity awareness and create secure design architectures for multiple system platforms, including fare payment systems, train to wayside communications, IoT integration and other transit system modalities. “It is not a matter of IF our nation’s transit agencies will experience cyber attacks, but WHEN. Our goal is to help agencies maintain a high state of readiness to minimize operations impacts and revenue loss,” says Susan.

 

Susan Howard, Jacobs Director Federal ICS Cybersecurity, is a cybersecurity technical manager with over 20 years of experience in cybersecurity and networks for multiple business sectors. Her team currently focuses on industrial control system cybersecurity for all federal agencies.