National Academies Press: OpenBook

Cybersecurity in Transit Systems (2022)

Chapter: Chapter 1 - Introduction

Suggested Citation:"Chapter 1 - Introduction." National Academies of Sciences, Engineering, and Medicine. 2022. Cybersecurity in Transit Systems. Washington, DC: The National Academies Press. doi: 10.17226/26475.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Introduction

This chapter provides information about the purpose of the synthesis, issues to be addressed by the synthesis, the scope of the research (i.e., the topics that are included in the synthesis), and the research method used. The chapter concludes with an outline of the report’s organization.

Objectives and Scope

The COVID-19 pandemic of 2020–2021 is having a profound effect on every infrastructure sector in North America, including transit systems and on the information technology (IT) and operational technology (OT) systems that are embedded in their ongoing operations. Many of these effects have resulted from public health orders requiring various social distancing and sanitation measures that have disrupted work place and service delivery norms. In response, many enterprises—including transit agencies—have accelerated their adoption of innovative business concepts such as remote working, contactless customer services, transit on demand (i.e., microtransit), and so on, supported by a bewildering array of ad hoc communication platforms, applications, and devices. Not unexpectedly, many of these innovations have produced unforeseen challenges to existing cybersecurity and cyber resilience approaches.

As transit system vulnerabilities increase, so also do the number and sophistication of attacks from a variety of bad actors—not to mention the unanticipated consequences of employees trying to navigate unfamiliar work flows, work spaces, and work behaviors. This increasing risk is happening while many transit organizations are adjusting to severely reduced budgets and personnel for cybersecurity infrastructure and operations. In other words, not only are cybersecurity staff being asked to do more with less, they also are being asked to do things they have never done before.
A cursory assessment of this dynamic environment suggests that the transit industry could benefit from the emerging experiences not only from its own members but also from other industries that rely on operational technology or supervisory control and data acquisition (SCADA) systems to conduct their principal business. Unlike more conventional TCRP syntheses, which document existing practices employed by transit agencies, this study identifies emerging cybersecurity practices that have not yet been widely disseminated in the transit community but are of growing importance now and over the near term.

Cybersecurity trends affecting transit agencies in 2021 encompass perennial topics such as hacking, ransomware, phishing, and employee errors as well as relatively new issues such as supply chain risks, the acceleration of transformative digital environments, geopolitical cyberattacks, and many others. An informal survey of 2021 cybersecurity trends identified dozens of potential topics—some of which are global, others of which are tied to specific industries or technology environments such as the cloud. The study team identified five emerging trends that met the following criteria:

• The trend was already affecting or likely to significantly affect transit agencies and operations over the near term (1–3 years).
• The trend was not already addressed by existing TRB cybersecurity research products or APTA recommendations.
• The trend was identified by multiple cybersecurity prognosticators.
• The trend was associated with actionable guidance.

The five cybersecurity trends included in this synthesis are

• Cyber resilience, including cyber insurance
• Third-party cyber-risk management, including cyber supply chain risk
• Cybersecurity of location-agnostic access (e.g., remote work/teleworking/“work-from-home”)
• Zero-trust computing architectures supporting contactless customer applications, including real-time and on-demand information and services
• Cybersecurity governance and workforce

This synthesis study includes explanations of these trends, best practices, and examples derived not only from the transit community but also from similar transportation modes such as aviation and rail, and from infrastructure sectors with similar cybersecurity challenges such as energy, manufacturing, chemical, and water. The intent of the synthesis is to identify emerging cybersecurity issues and effective practices from other infrastructure sectors that may be applicable to U.S. and Canadian transit operators even though they might not yet be recognized by many transit organizations.

The report is written for transit organization executives and for senior technology managers who may be unfamiliar with the latest trends in cybersecurity and cyber resilience. The report may also provide insights for elected and appointed officials charged with transit policy-making, oversight, and funding. Consequently, the treatment of these topics will, of necessity, be both broad and brief.
Additional details and technical guidance can be found in the references.

Definition of Key Terms

In the context of this synthesis study, transit agency refers to any U.S. or Canadian operator or provider of transit services, including passenger rail operators.

Cybersecurity—as defined by ISA/IEC-62443 as a baseline industrial control systems security standard—connotes “electronic security” whose compromise could result in any or all of the following situations:

• Endangerment of public or employee safety
• Loss of public confidence
• Violation of regulatory requirements
• Loss of proprietary or confidential information
• Economic loss
• Impact on national security

In this context, cybersecurity encompasses the combination of policies, business processes and practices, and technologies designed to protect digital assets (e.g., data, software, systems, networks, and equipment) from unauthorized access, exploitation, damage, or loss.

In contrast, cyber resilience refers to a transit agency’s ability to preserve or restore uninterrupted digital services, as expected. These services include both operational systems and information systems.

Operational or control systems include technologies such as SCADA, train controls, signal controls, automatic vehicle location and so forth, that monitor and control the physical world with an emphasis on safety, protection of physical assets, and reliability. Information or data systems include business applications, ride apps, fare collection, and so on, that collect, process, store, and report on data with an emphasis on data confidentiality, integrity, and accessibility. Information systems also include web applications such as email, messaging, smart phone apps, and so forth.

A lesson learned, in the context of this report, is a finding that changed personal, operational, or organizational behavior as a result of some experience (e.g., major cyber incident). Findings—the precursors to lessons learned—refer to those actions or activities that went well and those that need to be improved and are usually developed in post-incident briefings (i.e., hotwash exercises) and are documented in incident or event after-action reports. Lessons learned are always specific to a person, a team/workgroup, or an organization. The terms lessons learned and findings are sometimes used interchangeably. Findings may also refer to the study team’s discoveries or conclusions.

In contrast, a suggested practice is an industry-adopted or professional protocol, procedure, or operation that has proved to be effective by multiple persons, workgroups, or organizations. Suggested practices may be derived and promulgated by regulatory agencies, by industry associations such as APTA, and from commercial sources such as vendors and consultants.

A challenge represents a specific difficulty or barrier to responding to a finding or to implementing a suggested practice.

A list of abbreviations and acronyms used in the synthesis is provided at the end of the report.
Technical Approach

The team conducted the synthesis study by

• Reviewing contemporary news sources to identify emerging and significant trends and incidents potentially affecting transit cybersecurity now and in the short term (1–3 years)
• Reviewing previous TRB research to identify research applicable to transit cybersecurity
• Reviewing government and industry resources to identify guidance for transit cybersecurity
• Reviewing recent surveys that included transportation cybersecurity findings
• Attending government and industry-oriented cybersecurity briefings and presentations
• Interviewing subject matter experts, as appropriate
• Identifying and organizing information about significant trends, including definitions, applicability to transit operations, and guidance on effective practices
• Documenting multiple brief case examples that are representative of or applicable to emerging transit system cybersecurity programs and practices (These examples may highlight innovative approaches, successes, challenges, or lessons learned.)
• Identifying and organizing future research needs for transit cybersecurity
• Developing the synthesis report

Organization of the Report

This synthesis report contains four chapters and supporting material, as described.

Chapter 1: Introduction. This chapter introduces the synthesis, provides background information for the study, and summarizes the research approach and the organization of the report.

Chapter 2: Literature Review. This chapter summarizes key findings concerning cybersecurity trends, threats, incidents, mitigation strategies, and countermeasures from previously published research, from official sources, and from contemporary news accounts.

Chapter 3: Synthesis of Emerging Cybersecurity Practice in Transit. This chapter provides information about the importance, applicability, and emerging best practices concerning five significant emerging cybersecurity issues:

• Cyber resilience, including cyber insurance
• Third-party cyber-risk management, including cyber supply chain risk
• Cybersecurity of location-agnostic access (e.g., remote work/teleworking/“work-from-home”)
• Zero-trust computing architectures supporting contactless customer applications, including real-time and on-demand information and services
• Cyber governance and workforce

The chapter also provides brief case examples of organizations where specific illustrations of these topics have been employed. These examples may highlight innovative approaches, successes, challenges, or lessons learned.

Chapter 4: Summary of Findings. This chapter concludes the report with summaries of the key findings from the report and suggests additional research in transit cybersecurity and related areas.


The COVID-19 pandemic is having a profound effect on every infrastructure sector in North America, including transit systems, and on the information technology and operational technology systems that are embedded in their ongoing operations.

The TRB Transit Cooperative Research Program's TCRP Synthesis 158: Cybersecurity in Transit Systems identifies and documents emerging cybersecurity trends related to teleworking/remote worker offices, contactless customer services, real-time information services, transit-on-demand services, and cyber resilience affecting transit agencies now and in the near future as a consequence of the digital acceleration stimulated by the global pandemic of 2020–2021.
