National Academies Press: OpenBook

Cybersecurity in Transit Systems (2022)

Chapter: Chapter 3 - Synthesis of Emerging Cybersecurity Practice in Transit

Suggested Citation:"Chapter 3 - Synthesis of Emerging Cybersecurity Practice in Transit." National Academies of Sciences, Engineering, and Medicine. 2022. Cybersecurity in Transit Systems. Washington, DC: The National Academies Press. doi: 10.17226/26475.

This chapter provides information about the importance, applicability, and evolving recommended practices concerning five significant emerging cybersecurity issues:

• Cyber resilience, including cyber insurance
• Third-party cyber-risk management, including cyber supply chain risk
• Cybersecurity of location-agnostic access (e.g., remote work/teleworking/"work-from-home")
• Zero-trust computing architectures supporting contactless customer applications, including real-time and on-demand information and services
• Cybersecurity governance and workforce

The chapter also provides brief case examples of organizations where specific illustrations of these topics have been employed. These examples may highlight innovative approaches, successes, challenges, or lessons learned.

Cyber Resilience

As is the case with other emerging terminology, no standard definition of "cyber resilience" has been universally adopted. NIST (2018a) defines cyber resilience as "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources," where such systems can refer to some or all of the following, depending on context:

• An information or operations system
• A mechanism, component, or system element of the above
• A shared service, common infrastructure, or system-of-systems identified with a mission or business function
• A business unit, organization, or agency
• A critical infrastructure sector, mode, or region
• A system-of-systems in a critical infrastructure sector or subsector
• The nation or any of its governmental subdivisions, such as a state, county, municipality, or tribe

Similarly, a recent NCHRP publication, NCHRP Research Report 975: Transportation System Resilience: Research Roadmap and White Papers, defines cyber resilience as "[The] ability of the digital components (i.e., systems, networks, technology, applications and data) of a transportation system to recover and regain functionality after a major disruption or disaster. Cyber resilience also includes the ability to continuously adapt (i.e., change or modify) regular cyber delivery mechanisms as needed in the face of new risks" (Fletcher and Ekern, 2021).

In these and related definitions used by other groups, the emphasis is on preserving or restoring agency operations, system functionality, and customer services. This objective is in contrast to cybersecurity, which is focused on protecting the confidentiality, integrity, and availability of digital assets (e.g., data, software, systems, networks, and equipment) from unauthorized access, exploitation, damage, or loss. Stated another way, cyber resilience is only meaningful in terms of preserving or restoring cyber-dependent business and transportation operations and is not focused on preventing incidents that are intended to breach data confidentiality or to steal data. Of course, some events, such as ransomware attacks, are security breaches that also involve significant loss of service (see, for example, the May 2021 Colonial Pipeline attack).

One of the defining trends in transit (and other infrastructure sectors) emerging from the events of 2020–2021 is an accelerated adoption of digital business practices encompassing almost every aspect of transit operations, including back-room business operations and the end-to-end customer experience, particularly in large transit agencies. Consequently, the industry is evolving from being cyber-augmented to being cyber-dependent. That is, each agency's mission, its workforce, its customers, and its assets are increasingly dependent on increasingly vulnerable and complex technology, and this dependency keeps growing even as the risk factors (the threats, the exposure, and the consequences of failure) grow with it. In summary, many agencies are increasingly unable to operate if they lose their digital infrastructure, and such a loss becomes more likely over time. The implication is that continuity-of-operations and related plans will need amending to incorporate the additional actions, roles, and responsibilities necessary to ameliorate cyber failure.
Examples of cyber resilience plans include

• Continuity of transportation and agency operations plans (COOP) that include cyber failures
• Crisis communication plans
• Risk-driven critical cyber infrastructure protection plan
• Risk-driven critical data protection plan
• Information and control system contingency plans
• Cyber incident response and recovery plans
• General disaster recovery plan

Additionally, all-hazards risk management systems need to elevate cyber failures to the same level of importance as natural disasters, criminal/terror attacks, and so on in their planning, training, and staffing strategies. The fusion of cyber and physical security/resilience approaches implies that lessons learned in one context can be applied to the other with little or no modification. Some of the lessons learned include

1. Cyber resilience is not something that can be made or purchased but is instead a consequence of political, strategic, and operational decisions made by elected officials and senior agency managers that are reflected in agency business policies, plans, processes, and workflows. These decisions integrate multiple, often competing and conflicting interests and influences (Figure 8).
2. Senior leadership needs to establish, promote, and enhance the core values associated with resilience in general and cyber resilience in particular. This needs to occur in formal (e.g., classroom training) and informal (e.g., on-the-job) settings.
3. The starting point for cyber resilience planning is to assume that cyber incidents will occur and could degrade, disable, or destroy not only digital assets but parts of the physical transportation infrastructure as well.
4. Cyber incidents are becoming more frequent, more disruptive, and more costly, and most transit agencies no longer have the ability or the resources to mitigate this situation on their own.
5. While transit agencies have significant roles to play in restoring customer services and internal functions after a cyber incident, in many cases they will not be the lead agency in the response and will need to closely coordinate, collaborate, and communicate with others, including elected officials, federal representatives, law enforcement, other modal agencies, technology providers and consultants, the media, and, increasingly, the public directly through social media platforms (e.g., Twitter, Facebook).

Cyber Resilience Suggested Practices

Techniques (i.e., suggested practices) for improving cyber resilience range from formal engineering approaches, such as those outlined in NIST SP 800-160 Vol. 2, to the much more informal seven-step process outlined by AIG (n.d.). The NIST report identifies 14 cyber resiliency techniques that could be included in an overall cyber resilience strategy, plan, or architecture. Not every technique will be suitable for all transit agencies; no agency is likely to adopt all 14. Consistent with other engineering practice, agencies can expect better results when these techniques are engineered in from the beginning rather than "bolted on" to existing systems or processes.

Challenges to Cyber Resilience

• Systems design, security, and resilience require different, and more expensive, skills than usually exist in a transit agency, and relatively few people with these skills are attracted to government employment. How do agencies recruit and retain these kinds of employees?
• While the risks (hazards, frequency or exposure, and consequences) to transportation infrastructure are well known, cyber risks are poorly understood. How can transit agencies better assess this risk?
• Relatedly, what is the business case for investing in cyber-risk avoidance and mitigation measures?
Figure 8. Cyber resilience elements.

Case History: 2018 Colorado DOT Ransomware Attacks

Background

The Colorado Department of Transportation (CDOT) was infected with SamSam ransomware in February 2018. While the incident was costly (the state spent about $1.5 million recovering from the damage after refusing to pay the ransom), Colorado also created a new model for state and local governments dealing with cyberattacks by managing the event as it would a natural disaster.

From February 21 to 23, 2018, a threat actor, later revealed to be from Iran, executed a ransomware attack that ultimately infected about half of CDOT's digital assets: 1,274 laptops, 427 desktops, 339 servers, 158 databases, 154 software applications, and all voice-over-IP phones used by CDOT at 200 locations across the state. While the state's traffic operations were not affected, all of the department's internal business systems, including finance and payroll operations, were affected and unavailable.

After-incident analysis revealed several vulnerabilities related to a newly created, internet-accessible virtual server that had a direct connection into the CDOT network and administrative privileges, and on which the Governor's Office of Information Technology (OIT) security controls were not in place. Within a day this server was subjected to over 40,000 brute-force login attempts, and by the next day the attackers had compromised it and used its administrative privileges to spread SamSam through the rest of the CDOT network. Despite immediate action by CDOT and the OIT, CDOT suffered a second attack on March 1, 2018, that was found to pose a risk to other state resources.

The scale of the attack prompted then-Governor John Hickenlooper to declare a statewide emergency on March 1, following the second attack; this was the first time any state had used this mechanism for a cyberattack. The declaration permitted officials to bring in resources from the Colorado National Guard and from other states, created a unified command structure, and, perhaps most crucially, relieved the state's IT workers from having to continuously work 20-hour shifts.
The first task after the emergency declaration was to establish "recovery priorities," starting with CDOT's financial operations so the agency could make its next payday. Other priorities included protecting highway traffic operations, isolating and recovering the infected portions of CDOT's network, and, finally, restoring regular operations. Several agencies responding to the incident (CDOT, OIT, and the Colorado Division of Homeland Security and Emergency Management, DHSEM) formed a Unified Command Group (UCG) led by the DHSEM, which subsequently brought in additional support from the National Guard, the FBI, and DHS. The state's emergency declaration also allowed Colorado to call on other states for assistance, a common practice following natural disasters but rarely used in cyber incidents.

Still, the after-action report documented several missteps as the state took this new approach. Organizing communications among the UCG proved more difficult than expected because of the ad hoc addition of vendors, federal agencies, and spokespeople from multiple agencies talking to the media. IT workers struggled to get a complete picture of the affected systems after discovering the state did not maintain an offline version of its network map. Additionally, one provision in CDOT's continuity-of-operations plan almost made the crisis worse: employees were instructed to take their laptops to the Department of Public Health's headquarters, which could have exposed another agency's network to infected devices.

Despite these miscues, the cyberattack-is-a-disaster approach proved effective. About 80 percent of CDOT's systems were recovered within a month of the initial SamSam attack. Other governments hit by ransomware, including Alaska's Matanuska-Susitna Borough, have since issued their own disaster declarations, and many governments are starting to incorporate simulated cyberattacks into their natural disaster drills and into their continuity-of-operations planning.
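The exposed CDOT server described above absorbed more than 40,000 brute-force login attempts within a day before it was compromised, a pattern that is only visible if authentication logs from internet-facing hosts are collected and watched. The block below is an added example, not code from the report or from CDOT: it runs a two-stage detection over a handful of constructed OpenSSH authentication log lines (host name, addresses, users and timestamps are made up, and the year is an assumption because syslog timestamps omit it). It raises an alert when one source exceeds a failure threshold inside a sliding window, and a second, higher-priority alert when a source that tripped the threshold later authenticates successfully, which is the signature of a brute force that worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed OpenSSH authentication log lines for the example; not CDOT data.
# 198.51.100.23 hammers the host with failures and later logs in as "administrator";
# 203.0.113.7 is an operator who mistyped a password once.
SAMPLE_LOG = """\
Feb 20 03:14:01 vsrv01 sshd[2211]: Failed password for root from 198.51.100.23 port 51022 ssh2
Feb 20 03:14:02 vsrv01 sshd[2212]: Failed password for root from 198.51.100.23 port 51023 ssh2
Feb 20 03:14:02 vsrv01 sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 51024 ssh2
Feb 20 03:14:03 vsrv01 sshd[2214]: Failed password for administrator from 198.51.100.23 port 51025 ssh2
Feb 20 03:14:03 vsrv01 sshd[2215]: Failed password for root from 198.51.100.23 port 51026 ssh2
Feb 20 03:14:04 vsrv01 sshd[2216]: Failed password for root from 198.51.100.23 port 51027 ssh2
Feb 20 03:20:11 vsrv01 sshd[2290]: Failed password for ops from 203.0.113.7 port 40100 ssh2
Feb 20 03:20:40 vsrv01 sshd[2291]: Accepted password for ops from 203.0.113.7 port 40101 ssh2
Feb 21 09:02:17 vsrv01 sshd[3107]: Accepted password for administrator from 198.51.100.23 port 52990 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2018):
    """Return (timestamp, result, user, source_ip), or None for lines that are
    not password authentication events. `year` is assumed: syslog omits it."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Two-stage detection over log lines in time order.

    ('bruteforce', ip, count, ts): `threshold` or more failures from one source
        inside `window`; raised once per source.
    ('success_after_bruteforce', ip, user, ts): a source that already tripped
        the threshold later authenticated successfully; treat as probable compromise.
    """
    recent_failures = defaultdict(deque)  # ip -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            q = recent_failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(q), ts))
        elif result == "Accepted" and ip in flagged:
            alerts.append(("success_after_bruteforce", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```

The detection keys on per-source failure rate and on success-after-failure, not on the log format, so the same logic applies to Windows logon events (4625 failed, 4624 succeeded) or RDP gateway logs once the parser is swapped. In production the threshold and window would be tuned to the host's normal traffic, and the lines would come from a central log collector rather than the host itself, so that an attacker who gains administrative rights on the server cannot also erase the evidence.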

Lessons Learned

CDOT's experience offers various lessons regarding hardening networks, creating and rehearsing a cyber incident response plan, and allocating resources to the personnel and technology needed to effectively mitigate, respond to, and recover from future cyberattacks. The lessons include the following:

1. Segment your network to isolate any potential malware.
2. Make the implementation of endpoint detection and response toolsets a top priority.
3. Ensure there are no outdated systems in use that provide easy backdoors to attackers.
4. Initiate protocols for centralized logging.
5. Implement current system backups and segment them from the network.
6. Protect network diagrams and ensure familiarity with the agency network.
7. Employ sufficient firewall personnel.
8. Maintain strong partnerships with cloud service providers to provide higher visibility into the cloud.
9. Ensure that cyber incident response plans are fully integrated and operationalized.

Additional details concerning these points are documented in the After-Action Report (Willis, 2019).

Cyber Insurance

Traditional public sector general liability and property insurance policies typically exclude cyber risks from their terms, leading to the emergence of cybersecurity insurance as a "stand-alone" line of coverage. Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. Cyber insurance is a rapidly growing sector of the insurance industry and was a $3.15 billion U.S. market in 2019; it is estimated to exceed $20 billion in 2025 (Cucuel, 2020). Many transit agencies have cybersecurity insurance (Belcher et al., 2020) with varying levels of coverage, as shown in Table 2.

This coverage provides protection against a wide range of cyber incident losses that public entities may suffer directly or may cause to others, including costs arising from data destruction or theft, extortion demands, hacking, denial-of-service attacks, crisis management activity related to privacy and data breaches, and legal claims for defamation, fraud, and privacy violations. However, few cybersecurity insurance policies cover physical damage and bodily harm that could result from a successful cyberattack against critical infrastructure. Rates and coverages vary widely across issuers because of the lack of robust actuarial data, the lack of standard auditable risk management practices, and the rapidly evolving and expanding cyber-physical boundaries defined by an organization's OT.

Table 2. Insurance coverage in transit agencies.

Cybersecurity insurance                      % of transit agencies
Have insurance                               72%
Coverage limit: <$1 million                  29%
Coverage limit: $1.1 million–$5 million      44%
Coverage limit: $5 million–$25 million       19%
Coverage limit: >$25 million                  8%

Recently, New York's regulator for the insurance industry, the Department of Financial Services (NY DFS), issued its Cyber Insurance Risk Framework (Lacewell, 2021). This guidance is for the insurers the department regulates and addresses moral hazard head-on:

    Insurers that don't effectively measure the risk of their insureds also risk insuring organizations that use cyber insurance as a substitute for improving cybersecurity, and pass the cost of cyber incidents on to the insurer.

NY DFS is saying that, instead of doing the hard work of understanding and mitigating their own cybersecurity risk and the systemic risk it feeds, companies have simply passed the liability on to insurers. NY DFS is now asking insurers to understand these cyber risks better, and that guidance will in turn force the companies they insure to do the same. This approach will significantly change the cyber insurance industry's risk assessment processes, premiums, and coverage terms. The framework also addresses systemic risk directly:

    As part of their cyber insurance risk strategy, insurers that offer cyber insurance should regularly evaluate systemic risk and plan for potential losses.

While cyber premiums continue to rise, concerns about the risks being underwritten are growing, particularly given the sharp increase in the number and severity of cyber breaches, notably ransomware, and the increased risk associated with remote computing (i.e., work-from-home). This increase in vulnerability has had several negative consequences for agencies seeking to acquire or renew cyber insurance:

• Finding and negotiating deals is taking longer.
• Insurers have less capacity and are providing more restrictive coverages with lower caps.
• Deductibles are increasing.
• Premiums are rising steeply, in some cases 100 percent year-over-year.
• Many new policies now exclude ransomware.
• Underwriters are taking a much more aggressive posture in auditing agencies for minimum standards, including adoption of the NIST Cybersecurity Framework, use of multi-factor authentication, segregated backups, and documented incident response plans. Weak adoption of these practices may result in restricted or canceled coverage.

On a more positive note, even a small policy provides access to the underwriter's network of pre- and post-incident third-party resources that may not be available through more direct means, particularly after a large breach affecting many organizations at the same time (e.g., the SolarWinds incident). These resources may include cybersecurity, disaster recovery, and business continuity experts, plus legal and communication specialists and other hard-to-find skill sets and temporary operating assets. This strategy has been successfully adopted by many small and mid-size organizations.

Third-Party Cyber Risk

Unlike a generation ago, when most agencies developed, deployed, and supported internal software systems that were limited to use by the agencies' employees, today's cyber environment is a complex amalgam of in-house, commercial, and open-source software running on a variety of platforms and devices and accessible to a variety of legitimate outsiders, including vendors, contractors and subcontractors, other agencies, and the public. Of course, this accessibility also provides numerous pathways for bad actors.

Consequently, agencies are increasingly vulnerable to cyber failures or data breaches caused by parties other than their own employees. This vulnerability may arise in several ways:

1. Attackers breach a third party's cyber defenses and exploit the digital connection between the third party and the agency. Common examples of this style of attack involve vendors that use remote access to monitor and maintain on-site products. For example, a recent study of Washington Metropolitan Area Transit Authority (WMATA) procurements (Cherrington, 2019) warned that vendors and third-party contractors, such as contractors who maintain the automated control systems in rail cars, could provide additional pathways for cyberattacks.
2. Attackers inject malicious code or components into a supposedly secure or trusted software or hardware component, which the vendor then distributes to its customers. This pathway is commonly known as a "supply chain attack."
3. Software vulnerabilities or unintended security weaknesses are introduced by improper security configurations or programming errors. A "zero-day" vulnerability is a security flaw that is exploited or disclosed before the developer or manufacturer has a patch, update, or replacement that resolves it, often before the vendor is even aware of the flaw. Zero-day vulnerabilities have been found in every layer of the software stack.
4. Another implicit cyber risk involves the failure of one or more infrastructures that the agency relies on for its operations, primarily the energy sector (e.g., power generation and distribution infrastructure and natural gas pipelines), the communications sector, and the information technology sector (i.e., the internet). Attacks on telecommunications providers have halted operations. In October 2017, Distributed Denial-of-Service (DDoS) attacks on internet service providers used by Swedish transportation organizations disrupted train management and ticket-booking systems. Similarly, attacks on electricity suppliers could affect transit service, and attacks that manipulate information broadcast by a transit operator's advertising partners, or by a developer building an app on the operator's scheduling data, could prove disruptive.

As agencies rely more on third parties to supply non-core services while striving to provide a seamless, low-friction customer experience, third-party cyber risk has increased significantly, particularly in the case of multi-tier supply chains. Unfortunately, because no universally accepted standards exist to manage this risk, each agency must perform its own due diligence investigations. Ideally, this means that every cyber component and third-party access relationship must be assessed for its suitability for a given task. The rise in recent supply chain attacks may also, in part, be due to improved defenses against more basic attacks. Attackers are now looking for less obvious and less protected vulnerabilities and are attracted to the "economies of scale" offered by infiltrating the supply chain: hack into one component and potentially infect hundreds or thousands of others at no additional cost.

Due diligence (i.e., cyber-risk management) activities for all third-party relationships need to be ongoing throughout the entire vendor lifecycle, from specifications and contract development, through vendor qualification and selection, to operational monitoring and audit. Although the specifics of every relationship vary, the general principle is to assume that the agency's overall cybersecurity risk is determined by the risks inherent in each of its vendors and contractors.
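Pathway 2 above (a trusted component modified upstream and distributed through the vendor's own channel) and the multi-tier due-diligence principle can be made concrete. The block below is an added example, not code from the report or from any transit agency or vendor: at qualification time the agency records the SHA-256 digest of each vetted component out of band, and before deployment it walks the dependency tree to every tier, reporting components whose delivered bytes no longer match their pin (tampered) and components that were never vetted at all (unpinned). Component names, versions, dependency edges and artifact bytes are all constructed for the example.

```python
import hashlib
from collections import deque

# Constructed inventory in the shape of a simplified SBOM; not a real vendor's product.
# Each list holds direct dependencies, so the full tree is a multi-tier supply chain:
# fare-gateway (tier 0) -> auth-lib, net-core (tier 1) -> crypto-shim, telemetry-sdk (tier 2).
INVENTORY = {
    "fare-gateway@3.2.0":  ["auth-lib@2.0.1", "net-core@5.1.0"],
    "auth-lib@2.0.1":      ["crypto-shim@1.1.0"],
    "net-core@5.1.0":      ["crypto-shim@1.1.0", "telemetry-sdk@0.9.0"],
    "crypto-shim@1.1.0":   [],
    "telemetry-sdk@0.9.0": [],
}

# Artifact bytes as received and reviewed during vendor qualification (constructed stand-ins).
VETTED_ARTIFACTS = {
    "fare-gateway@3.2.0":  b"fare-gateway 3.2.0 release build",
    "auth-lib@2.0.1":      b"auth-lib 2.0.1",
    "net-core@5.1.0":      b"net-core 5.1.0",
    "crypto-shim@1.1.0":   b"crypto-shim 1.1.0",
    "telemetry-sdk@0.9.0": b"telemetry-sdk 0.9.0",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Digests pinned at qualification time and kept out of band (for instance in the agency's
# own configuration repository), never taken from the vendor's download page.
# telemetry-sdk was pulled in by a second-tier vendor and was never vetted, so it has no pin.
PINS = {name: sha256_hex(data) for name, data in VETTED_ARTIFACTS.items()
        if name != "telemetry-sdk@0.9.0"}

# What the vendor's update channel delivered later: identical except that crypto-shim,
# a third-tier component, was modified upstream (the supply chain attack pathway).
DELIVERED_ARTIFACTS = dict(VETTED_ARTIFACTS)
DELIVERED_ARTIFACTS["crypto-shim@1.1.0"] = VETTED_ARTIFACTS["crypto-shim@1.1.0"] + b"\n# injected loader"


def verify_tree(root, inventory, pins, delivered):
    """Breadth-first walk of the dependency tree from `root` to every tier.

    Returns {component: (depth, status)} where status is 'ok' (digest matches its pin),
    'tampered' (delivered bytes differ from the pinned digest), 'missing' (pinned but not
    delivered) or 'unpinned' (never vetted). Each component is reported once, at the
    shallowest tier where it appears, so shared dependencies and cycles are handled.
    """
    report = {}
    queue = deque([(root, 0)])
    while queue:
        name, depth = queue.popleft()
        if name in report:
            continue
        if name not in pins:
            status = "unpinned"
        elif name not in delivered:
            status = "missing"
        elif sha256_hex(delivered[name]) == pins[name]:
            status = "ok"
        else:
            status = "tampered"
        report[name] = (depth, status)
        for dep in inventory.get(name, []):
            queue.append((dep, depth + 1))
    return report


def deployable(report):
    """Deploy only when every tier verified cleanly; one bad tier anywhere blocks the root."""
    return all(status == "ok" for _, status in report.values())


if __name__ == "__main__":
    report = verify_tree("fare-gateway@3.2.0", INVENTORY, PINS, DELIVERED_ARTIFACTS)
    for name, (depth, status) in sorted(report.items(), key=lambda kv: kv[1]):
        print(f"tier {depth}: {name:<22} {status}")
    print("deployable:", deployable(report))
```

Two points the walk makes visible: the modified component sits two tiers below the product the agency actually bought, so vetting only the prime vendor would never have caught it, and a component with no pin is treated as a failure rather than silently accepted, which is how "how far back must we vet" gets answered in practice (as far as the tree goes, or the tree does not deploy). Hash pinning checks the artifact, not the channel, so it holds even when the vendor's update server or signing process is the thing that was compromised; in a real deployment the pins would be reviewed and refreshed as part of each vendor re-qualification.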
Because of the potentially high costs associated with due diligence activities on the one hand and the costs associated with cyber failure on the other, many agencies are consciously reducing the number of third-party relationships that they maintain and are limiting even this smaller group of "trusted insiders" to those parties with demonstrable security approaches at least as robust as the agency's own.

Risks posed by software vendors have been recognized by transit and rail agencies for some time. An APTA safety and security senior program manager noted in 2015 that due diligence when vetting third-party vendors was important, especially as agencies were introducing mobile ticketing apps that were often built by third parties (Neipow, 2015).

Open-source software forms the basis for most software written and deployed today across the entire software stack (Figure 9). One survey (Zorz, 2018) found that 96 percent of applications contain open-source components. When vulnerabilities are found in open-source code, many of the projects that rely on that code have neither the mechanisms for fixing those vulnerabilities nor the mechanisms for notifying users of the code about the patch or update. These vulnerabilities may occur in any tier of the stack.

Software, hardware, and information technology service supply chains are major means through which bad actors seek to introduce vulnerability and risk into the U.S. cyber ecosystem in ways that can neither be accounted for nor mitigated through standard cybersecurity practices. Increasing reliance on foreign-owned or -controlled companies introduces new vulnerabilities into the nation's supply chains. These threats are among the most difficult to detect or prevent because they rely on trust relationships between vendors and their customers, using equally trusted communication channels for software patches and updates. The National Telecommunications and Information Administration is leveraging the ongoing work and findings of the DHS-led ICT Supply Chain Risk Management Task Force to work with the private sector to identify both its needs and the mechanisms to improve information sharing on supply chain risk (Friedman, 2019). The involvement of a Chinese state-owned company in providing railcars for major U.S. cities, such as Boston, Chicago, Los Angeles, Philadelphia, and Washington, DC, prompted security concerns in the U.S. Congress.
Members of Congress from Virginia and Maryland sent a letter in January 2019 to WMATA that raised concerns "in regards to the procurement process that WMATA is currently undertaking to acquire new rail cars" (Norwood, 2019). In response, WMATA conducted an internal audit of the procurement process and made changes based on the audit's recommendations. To address concerns about the Chinese rail cars, "white hat" penetration tests of the 7000-series rail cars were conducted, and new cybersecurity requirements, including independent cybersecurity testing, were developed for the future 8000-series rail cars. Changes were made in the agency to address cybersecurity, including ensuring that contracts contain cybersecurity requirements; hiring additional staff to review cybersecurity compliance related to contracts; adding contractor cybersecurity requirements, including requirements to report hacks and data breaches; and establishing processes to investigate and mitigate any incidents (Smith, 2019).

Figure 9. Simple software stack.

42 Cybersecurity in Transit Systems A 2020 cybersecurity study (Subramanian and Ward, 2020) found that cybersecurity func- tions in state governments are increasingly being outsourced and that confidence in third-party vendors is decreasing. Respondents from 81 percent of states say they are only somewhat or not very confident in third-parties’ cybersecurity practices. Given that major cyber incidents in 2020–2021 have called into question the security of commonly used software, as a 2021 report (Garcia et al., 2021) noted, a further decline in confidence is anticipated. To address this issue, technology acquisitions require the expertise, knowledge, and active engagement of cross-functional teams throughout the process, with cybersecurity considered from the start. Determining appropriate security requirements for cybersecurity is difficult. According to a recent report, Integrating Cybersecurity into the Acquisition Process (Garcia et al., 2021), 80 percent of states have implemented some subset of the controls set forth by NIST in its special publication (SP) 800-53 (NIST, 2014), which includes a catalog of security and privacy controls to protect against a variety of threats. Another option is using Center for Internet Security (CIS) Controls and CIS Benchmarks which were developed through a baseline risk assessment conducted across a wide variety of industries for a wide range of organizational types and sizes. Draft policy language for vulnerability disclosure policies was developed for Florida trans- portation agencies (Barbeau et al., 2019) that may be applicable to other states. Procurement language guidance is available that provides security principles to consider when designing and procuring control system products and services (software, systems, maintenance, and networks) and examples of procurement language to incorporate into procurement speci- fications (CISA, 2020). 
Although developed for small and medium-sized organizations in the healthcare sector, the Health Industry Cybersecurity Supply Chain Risk Management Guide v2.0 (Healthcare and Public Health Sector Coordinating Councils, 2020) is a basic primer applicable to all infrastructure sectors concerned with supply chain risk. The guide provides information and templates for supplier risk governance, assessment, cybersecurity requirements and language for contracts, supplier inventory attributes, and supplier risk management policy. A process flow diagram is provided for an end-to-end view that links all these pieces together.

Challenges with Supply Chain Attacks

• How can transit agencies vet their software and hardware suppliers, particularly those providing operational technology?
• What standards should they be held to?
• With many vendors supplying components that were supplied by their own vendors, who were in turn supplied by their vendors, how far back in the supply chain is it necessary to vet?

Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, issued in May 2021 (The White House, 2021), recognized the need for bold changes and significant investments to address these challenges and determined that the federal government will lead by example. The order focuses on better information sharing, including removing contractual barriers and requiring notification of breaches/threats, and modernizing cyber systems by transitioning to cloud technology where possible with stronger cybersecurity standards such as zero-trust architectures. EO 14028 also mandates MFA and encryption both at rest and in transit for federal agencies.

In response to the EO, NIST defined critical software in June 2021 as “any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

• Is designed to run with elevated privilege or manage privileges;
• Has direct or privileged access to networking or computing resources;
• Is designed to control access to data or operational technology;
• Performs a function critical to trust; or
• Operates outside of normal trust boundaries with privileged access.”

In addition, NIST recommended that the initial EO implementation phase focus on stand-alone, on-premises software that has security-critical functions or poses similar significant potential for harm if compromised. Subsequent phases may address other categories of software such as

• Software that controls access to data;
• Cloud-based and hybrid software;
• Software development tools such as code repository systems, development tools, testing software, integration software, packaging software, and deployment software;
• Software components in boot-level firmware; or
• Software components in OT.

In July 2021, NIST published white papers with guidance outlining security measures for critical software and published guidelines recommending minimum standards for vendors’ testing of their software source code. By November 2021, NIST is to publish preliminary guidelines based on stakeholder input and existing documents for enhancing software supply chain security. By February 2022, NIST will issue guidance that identifies practices that enhance software supply chain security, with references to standards, procedures, and criteria. By May 2022, NIST will publish additional guidelines, including procedures for periodically reviewing and updating guidelines.
The EO directs the Department of Commerce, in coordination with the National Telecommunications and Information Administration, to publish the minimum elements for a Software Bill of Materials (SBOM), which the EO defines as “a formal record containing the details and supply chain relationships of various components used in building software.” This refers to what the software assurance organization SAFECode calls “third-party components.”

Case History: 2020 SolarWinds Supply Chain Attack

Background

The SolarWinds hack was a masterfully orchestrated supply chain exploit that compromised approximately 18,000 systems used by governments and companies worldwide. This attack was first discovered by the cybersecurity firm FireEye in December 2020. Analysts at FireEye found unusual data being sent to a server of unknown origin. However, FireEye has concluded that affected systems may have been infected as far back as early 2020. Upon further investigation, it was uncovered that one of the servers that provides access to updates and patches for the SolarWinds Orion tools was compromised, thus allowing the attackers to inject code into the software updates and infect multiple clients at once. This code allowed data modification and exfiltration as well as remote access to devices that had the software installed. This malware has since been dubbed “SUNBURST.” Because of the complexity and overall scope of this attack, it has since been attributed to an advanced persistent threat (APT) actor.
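The SBOM definition above is abstract, and the SolarWinds case shows why a receiving agency wants to act on one. As an added example (not code from the report, from NIST, or from any vendor), the Python below walks a small SBOM constructed inline in a CycloneDX-style JSON layout: it lists a component’s full chain of dependencies (the “how far back to vet” question), answers the reverse question of which products are exposed when one component is suspect, and checks delivered artifact bytes against the SHA-256 digests the SBOM records, the integrity check that a tampered update package fails. Component names, versions, artifact bytes, and digests are all constructed for the example.

```python
"""Walk an SBOM's dependency graph and check delivered artifacts against it.

Added example, not code from the report or from any vendor. The SBOM is
constructed inline in a CycloneDX-style layout (components with a bom-ref and
SHA-256 hashes, plus a dependencies list). Names, versions and bytes are
hypothetical stand-ins for what a vendor would deliver.
"""
import hashlib
import hmac
import json
from collections import deque

# Constructed: bytes standing in for files a vendor delivered to the agency.
GOOD_ARTIFACTS = {
    "pkg:generic/transit-dispatch@2.3.0": b"dispatch application v2.3.0",
    "pkg:generic/fleet-agent@1.2.0": b"fleet agent v1.2.0",
    "pkg:generic/liblog@4.1.0": b"logging library v4.1.0",
    "pkg:generic/netlib@0.9.0": b"network library v0.9.0",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sample_sbom() -> str:
    """Return a constructed SBOM as JSON text. Hashes are computed here from
    GOOD_ARTIFACTS to stand in for digests a vendor publishes out of band."""
    components = []
    for ref, data in GOOD_ARTIFACTS.items():
        name, version = ref.split("/", 1)[1].split("@", 1)
        components.append({
            "type": "application" if name == "transit-dispatch" else "library",
            "bom-ref": ref, "name": name, "version": version,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        })
    dependencies = [
        {"ref": "pkg:generic/transit-dispatch@2.3.0",
         "dependsOn": ["pkg:generic/fleet-agent@1.2.0", "pkg:generic/liblog@4.1.0"]},
        {"ref": "pkg:generic/fleet-agent@1.2.0", "dependsOn": ["pkg:generic/netlib@0.9.0"]},
        {"ref": "pkg:generic/liblog@4.1.0", "dependsOn": ["pkg:generic/netlib@0.9.0"]},
        {"ref": "pkg:generic/netlib@0.9.0", "dependsOn": []},
    ]
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                       "components": components, "dependencies": dependencies})

def load_sbom(text: str) -> dict:
    return json.loads(text)

def _edges(sbom: dict) -> dict:
    """bom-ref -> list of bom-refs it depends on directly."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}

def _reachable(graph: dict, start: str) -> set:
    """Breadth-first closure over `graph` starting at `start`; tolerates cycles."""
    seen, queue = set(), deque(graph.get(start, []))
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(graph.get(cur, []))
    return seen

def transitive_dependencies(sbom: dict, ref: str) -> set:
    """Everything `ref` pulls in, directly or through its suppliers' suppliers."""
    return _reachable(_edges(sbom), ref)

def dependents_of(sbom: dict, ref: str) -> set:
    """Reverse lookup: which components are exposed if `ref` turns out to be
    vulnerable or tampered with. This is the first question an agency asks."""
    reverse = {}
    for parent, children in _edges(sbom).items():
        for child in children:
            reverse.setdefault(child, []).append(parent)
    return _reachable(reverse, ref)

def verify_artifacts(sbom: dict, delivered: dict) -> dict:
    """Compare each delivered artifact with the SHA-256 recorded in the SBOM.
    Returns one status per bom-ref: "ok", "mismatch", "missing" or "no-hash"."""
    results = {}
    for comp in sbom["components"]:
        ref = comp["bom-ref"]
        expected = next((h["content"] for h in comp.get("hashes", [])
                         if h.get("alg") == "SHA-256"), None)
        if expected is None:
            results[ref] = "no-hash"     # the SBOM gives nothing to verify against
        elif ref not in delivered:
            results[ref] = "missing"     # listed in the SBOM but not delivered
        elif hmac.compare_digest(sha256_hex(delivered[ref]), expected):
            results[ref] = "ok"
        else:
            results[ref] = "mismatch"    # do not install; raise with the vendor
    return results

def demo() -> dict:
    """Simulate one delivered component whose bytes differ from the SBOM record."""
    sbom = load_sbom(build_sample_sbom())
    delivered = dict(GOOD_ARTIFACTS)
    delivered["pkg:generic/fleet-agent@1.2.0"] = b"fleet agent v1.2.0 plus unexpected bytes"  # constructed
    return verify_artifacts(sbom, delivered)
```

Running `demo()` reports `mismatch` for the altered component and `ok` for the others; `dependents_of()` on the lowest-level library shows that every product in the SBOM depends on it, which is the practical answer to how far back vetting has to reach. Real SBOMs are larger and the digests arrive from the vendor separately from the package, but the checks are the same.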

Companies and high-level entities such as Microsoft and the DOD were affected by this hack, although investigations as to the scope of the attack are still ongoing.

Lessons Learned

Although the lessons resulting from SUNBURST are still being developed and internalized, it is clear that companies, agencies, and vendors are rethinking the way they view their software supply chains. The overall lesson emerging out of this incident is trust nothing, assume that everything accessing your network (e.g., software updates, users, devices, other applications) could be compromised, and act accordingly. According to Imperva, a cybersecurity firm, there have been over 150,000 reported common vulnerabilities or exposures (CVEs) in software applications and libraries since the year 2000 and approximately 18,000 CVEs reported in 2020 alone (Hathaway, 2021).

Location-Agnostic Access

In spring 2020, the advice from public health officials concerning the COVID-19 pandemic was clear and stark: “Stay home, save lives,” and millions of workers around the globe did just that. Within weeks, countless numbers of them reconnected with their workplaces via virtual private networks (VPNs) or the public internet, and to their coworkers via popular video and audio conferencing platforms, online chat, and other collaborative platforms from an increasingly random number of eclectic places (e.g., home offices, coffee shops, vacation rentals, coworking spaces) using a myriad of devices supplied by their employer or, more commonly, personally owned devices (also known as bring-your-own-device). Although teleworking had been deployed in a small number of industries before 2020, the sheer numbers of workers involved gave rise to the phenomenon variously referred to as remote working or work-from-home computing.
As of the publication of this synthesis, agencies, companies, and their workers appear to want to sustain some degree of this new style of working, in which enterprise data, information services, and cyber resources are accessed, delivered, and enabled regardless of where employees, suppliers, customers, or stakeholders are physically located. The ability of the economy to support this workplace transformation, in turn, rested on several convergent megatrends that have been underway since the early 2000s:

• Increased urbanization, providing greater access to delivered goods and services (e.g., meals, online shopping)
• Widespread distribution of high-speed internet
• Access to high-powered mobile devices
• Greater desire for better employee work–life balance

While these trends were reshaping societies around the globe, similar disruptions were occurring in global supply chains and in e-commerce fulfillment workflows. The emerging global demand of online customers and consumers of all stripes for “anything, anywhere, anytime” is also driving the expectations of workers ever higher. The aggregate effect of all of this is to abandon location-centric network architectures in which the enterprise controlled the type, configuration, location, access, and security of all of its computing devices in favor of an approach in which the employees (and customers) choose where their access to enterprise resources happens and increasingly choose the remote device itself. Of course, this new style of computing requires new approaches to cybersecurity. One such approach—Zero Trust—is discussed in the next section.

Challenges with Location-Agnostic Computing

This new approach quickly highlighted a number of cybersecurity issues, including the following common challenges:

• Patching and updating software on remote devices became more costly and, in some cases, impossible to perform.
• Installing licensed software on personal devices created various licensing issues.
• Access to license servers for enterprise software failed in some cases.
• Security awareness and practice diminished over time for remote users.
• Remote setups and devices are often insecure.
• Logistical challenges hamper IT support.
• Personal devices may lack efficient security controls.
• Blurring of personal and professional devices (e.g., cell phones), apps (e.g., Zoom), and data (e.g., email, calendar events), and so forth.

All of these, along with other risks, can be condensed to say that conventional location-centric security cannot be simply or easily extended to location-agnostic contexts. As it becomes more apparent that location-agnostic access is here to stay, the need to rethink the security model becomes imperative.

Zero-Trust Computing

Not too long ago, it was much easier to make the distinction between network “insiders” and “outsiders,” and various castle-and-moat or perimeter-based cybersecurity approaches were deployed to keep outsiders out and to give insiders maximum access to enterprise resources. However, one of the unanticipated results of the recent proliferation of networks, cloud-based services, remote offices and workers using a variety of bring-your-own devices, “trusted” third parties with privileged access, and so on has been the total erosion of the concept of the enterprise network perimeter. Enterprises can no longer easily identify or protect a single well-defined cyber perimeter.
Moreover, once this perimeter has been breached, attackers have been able to move freely through various internal networks, threatening cyber operations and data integrity and accessibility. And if these changes weren’t destabilizing enough, external threats are evolving faster than countermeasures can be developed and deployed across the entire enterprise.

In response to this new environment, an alternative cybersecurity model called “zero trust” (ZT) has been evolving over the past few years. As the name implies, ZT approaches assume that all environments are inherently risky and that potential attackers can be present in any environment. Further, ZT approaches generally do not make the distinction between enterprise environments and non-enterprise ones; the computing environment is continuously monitored and adaptively protected. The implicit trust conferred to any and all users, systems, and networks inside the previous security perimeters is revoked and limited to only those known requestors identified as needing access. In summary, ZT-based cybersecurity does away with implicit trust relationships based on network location and replaces them with explicit, transaction-based trust (i.e., risk) evaluations and dynamic access to specific and limited resources. “Trust nothing; verify everything” is the new ZT mantra.

As defined by NIST Special Publication 800-207 (NIST, 2020):

Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
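As an added example (not code from the report or from NIST SP 800-207), the Python below sketches the “least privilege per-request access decision” the definition describes: a toy policy decision point that records network location only for audit and never treats it as a trust signal, evaluates the requester’s identity and MFA state, the device’s posture, and the resource’s sensitivity on every request, issues a grant scoped to one resource with a short session lifetime, and logs the state behind each decision. Users, devices, resources, roles, and thresholds are constructed for the example.

```python
"""Per-request, least-privilege access decisions in the spirit of NIST SP 800-207.

Added example, not code from the report or from NIST. Network location is
recorded for audit but never grants trust; identity, MFA state, device posture
and resource sensitivity are checked on every request; a grant is scoped to
one resource and expires quickly. All names and thresholds are constructed.
"""
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa_verified: bool

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool           # enrolled in the enterprise's device management
    days_since_patch: int
    disk_encrypted: bool

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str        # "low", "medium" or "high"
    allowed_roles: frozenset

@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: Resource
    action: str
    network_location: str   # "corp-lan" or "internet"; audit only, never a trust signal

@dataclass
class Decision:
    allowed: bool
    reasons: List[str]
    ttl_seconds: int        # lifetime of the per-session grant; 0 when denied

# Constructed policy thresholds: tighter sessions for more sensitive resources.
SESSION_TTL = {"low": 8 * 3600, "medium": 3600, "high": 900}
MAX_PATCH_AGE_DAYS = 30

def decide(req: Request) -> Decision:
    """Evaluate one request. Every failed check is reported so a deny is explainable."""
    reasons = []
    sens = req.resource.sensitivity
    if not (req.subject.roles & req.resource.allowed_roles):
        reasons.append("subject holds no role permitted on this resource")
    if sens in ("medium", "high") and not req.subject.mfa_verified:
        reasons.append("MFA required for medium and high sensitivity resources")
    if sens == "high":                      # device posture matters most here
        if not req.device.managed:
            reasons.append("high sensitivity requires a managed device")
        if req.device.days_since_patch > MAX_PATCH_AGE_DAYS:
            reasons.append(f"device not patched within {MAX_PATCH_AGE_DAYS} days")
        if not req.device.disk_encrypted:
            reasons.append("device disk is not encrypted")
    if reasons:
        return Decision(False, reasons, 0)
    return Decision(True, ["all policy checks passed"], SESSION_TTL[sens])

class AuditLog:
    """The enterprise collects the state behind every decision, allow or deny."""
    def __init__(self):
        self.entries = []

    def evaluate(self, req: Request) -> Decision:
        decision = decide(req)
        self.entries.append({
            "user": req.subject.user, "device": req.device.device_id,
            "resource": req.resource.name, "action": req.action,
            "location": req.network_location, "allowed": decision.allowed,
            "reasons": decision.reasons,
        })
        return decision

# Constructed subjects, devices and resources for a transit agency scenario.
DISPATCH_DB = Resource("dispatch-db", "high", frozenset({"dispatcher", "ops-admin"}))
PUBLIC_SCHEDULE = Resource("public-schedule", "low", frozenset({"dispatcher", "customer-service"}))
ALICE = Subject("alice", frozenset({"dispatcher"}), mfa_verified=True)
ALICE_NO_MFA = Subject("alice", frozenset({"dispatcher"}), mfa_verified=False)
BOB = Subject("bob", frozenset({"customer-service"}), mfa_verified=True)
MANAGED_LAPTOP = Device("lt-0142", managed=True, days_since_patch=3, disk_encrypted=True)
HOME_PC = Device("byod-77", managed=False, days_since_patch=120, disk_encrypted=False)

def sample_requests() -> dict:
    return {
        # on the corporate LAN but without MFA: location buys nothing
        "lan_no_mfa": Request(ALICE_NO_MFA, MANAGED_LAPTOP, DISPATCH_DB, "read", "corp-lan"),
        # from the internet with full posture: allowed, but with a short session
        "internet_good_posture": Request(ALICE, MANAGED_LAPTOP, DISPATCH_DB, "read", "internet"),
        "byod_high": Request(ALICE, HOME_PC, DISPATCH_DB, "read", "internet"),
        "byod_low": Request(ALICE, HOME_PC, PUBLIC_SCHEDULE, "read", "internet"),
        "wrong_role": Request(BOB, MANAGED_LAPTOP, DISPATCH_DB, "read", "corp-lan"),
    }
```

Feeding `sample_requests()` through `AuditLog().evaluate()` shows the point of the model: the request from the corporate LAN without MFA is denied, the request from the internet on a managed, patched, encrypted device is allowed for a 15-minute session, and the unmanaged home PC can read the low-sensitivity schedule but not the high-sensitivity dispatch database. The same checks run for every request, so a grant expires rather than persisting because the session once passed.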

A zero-trust architecture (ZTA) is an enterprise cybersecurity architecture that is based on zero-trust principles and designed to prevent data breaches and limit internal lateral movement. A ZTA is an enterprise’s cybersecurity plan that utilizes zero-trust concepts and encompasses component relationships, workflow planning, and access policies. A zero-trust enterprise (ZTE) is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero-trust architecture plan.

Importantly, ZTA is not merely the next generation of technology components, although they may play a part. In the sense that NIST uses the term, ZTA refers to an integrated set of interdependent principles, policies, plans, designs, work flows, systems, technology components, and personnel used to improve cybersecurity and better protect data and business functionality in today’s hyper-connected enterprise. The goals of ZT are twofold: (1) prevent unauthorized access to enterprise data, services, and resources and (2) make access decisions and enforcement processes as granular as possible while minimizing transaction costs including authentication (i.e., you are who you say you are) and authorization (i.e., you have permission to use this resource or service) overheads.

As is the case for many emerging innovations, the core concepts associated with the ZT model are still evolving. Additionally, these concepts are more usefully viewed as a continuum of choices instead of binary (i.e., yes/no) capabilities. With that in mind, the following concepts are generally incorporated into ZTA designs. Publication NIST SP 800-207 (NIST, 2020) provides additional detail and explanation of these concepts.

• All data sources and computing services are considered resources.
• All communication is secured regardless of network location.
• Access to individual resources is granted on a per-session basis.
• Access to resources is determined by dynamic policy.
• The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
• All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
• The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.

Note that these concepts are deliberately technology and workflow neutral. That is, there are many approaches and components that could be employed across a wide spectrum of complexity, completeness, and cost using these concepts and definitions.

President Joseph Biden’s May 2021 EO 14028 on Improving the Nation’s Cybersecurity (The White House, 2021) directs federal agencies to adopt zero-trust architecture, as practicable, in their cloud migration initiatives and to “develop a plan to implement Zero-Trust Architecture, which shall incorporate, as appropriate, the migration steps that [NIST] has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them.”

Challenges to Zero-Trust Architectures

A 2020 Public Sector Cybersecurity survey (SolarWinds, 2020) of 400 public sector decision makers identified the following challenges to segmenting users by risk profile and adopting formal identity and access management approaches:

• Growing number of systems that users want access to
• Increased number of devices
• Growing number of users

• Lack of necessary skill sets to implement properly
• Other, higher priority tasks
• Users have multiple identities

While the same survey documented that nearly a third of the respondents are pursuing ZT initiatives, over two-thirds are not using or considering it and 15 percent of respondents were unfamiliar with the concepts. Similarly, cost, complexity, scale, and scope of the effort and lack of internal expertise, among other factors, were identified as either extremely or very challenging barriers to implementation.

Cybersecurity Governance

The ISO/IEC 27001 standard, from the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), defines cybersecurity governance as, “the system by which an organization directs and controls security governance, specifies the accountability framework, and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks.” In other words, cybersecurity governance refers to the organizational and institutional framework that provides for cybersecurity policies, priorities, procedures, resources, and other necessary controls.

Governance is the foundation that guides and supports the pillars of cybersecurity, while steering individual transit agencies through their obligations to protect, secure and control critical information. Governance identifies the desired end state for the transit agency to achieve, while ensuring that such strategies are aligned and implemented. Through a consistent and uniform approach, governance is channeled to support each of the pillars to ensure coherence across all the elements of cybersecurity. Transit agencies should consider adopting and developing an information security governance framework.
An information security governance framework will embed cybersecurity into transit agencies’ corporate governance process.

Source: APTA, 2014.

Since risk management is a core function of the organization, the successful implementation of information security objectives is heavily dependent on senior agency leadership. Effectively managing information security risk requires close attention from senior management. Assigning risk management responsibilities to senior leaders/executives involves

• Recognizing and understanding information security risks to organizational operations and assets, individuals, and other organizations;
• Establishing the organizational tolerance for risk and communicating the risk tolerance throughout the organization, including guidance on how risk tolerance affects ongoing decision-making activities; and
• Taking responsibility and accountability for risk management decisions and for implementing effective, organization-wide risk management programs.

Many transit agencies assign these primary responsibilities to a chief information security officer (CISO) who may report to the chief information officer (CIO), chief financial officer (CFO), or, in some cases, directly to the chief operating officer (COO) or chief executive officer (CEO). Promoting the CISO position to the C-suite supports the assertion that cybersecurity is a significant enterprise-wide risk management and liability topic and not solely a technology issue. Regardless of the organizational structure, having a full-time CISO sets the “tone at the top.” Establishing the right tone is much more than a compliance exercise. It ensures that everyone is working according to plan, as a team, to deliver business activities and safeguard the protection of assets within the context of an overall risk management and security strategy.

This strategy incorporates several essential elements:

• Management as role models. Although cybersecurity is every employee’s responsibility, senior management demonstrates the significance of cybersecurity by being role models and by being actively engaged in cyber initiatives.
• Resources. To implement and maintain cybersecurity awareness and training programs, the required funds are programmed into the agency’s multi-year budget, and cybersecurity programs are programmed into the agency’s strategic plan.
• Cybersecurity processes that identify, report, and track cyber incidents. Agency policies and protocols are developed in accordance with federal and industry guidance and standards to support these tasks. These policies and protocols are then communicated to all agency personnel so that they know how to identify and report a suspicious cyber incident.

Cybersecurity Workforce

As previously discussed, a significant challenge facing all public agencies is the difficulty finding, onboarding, and retaining cybersecurity staff who have the necessary knowledge, skill, and certification(s). This situation has resulted from the rapidly growing and currently unmet demand for cybersecurity expertise generated by various regulatory and risk management regimes. A 2021 study (Cyberseek) indicates that there are over 450,000 total cybersecurity job openings in the U.S., over 36,000 of which are in the public sector. The following represent the top cybersecurity job titles in mid-2021:

• Cybersecurity analyst
• Cybersecurity consultant
• Cybersecurity manager
• Software developer
• Systems engineer
• Network engineer
• Penetration and vulnerability tester
• Cybersecurity specialist
• Incident and intrusion analyst

Many transit agencies have yet to even define the roles and responsibilities and the necessary knowledge, skills, and experience for many of these jobs.
Making the situation worse is the relative inability of public agencies to offer industry-competitive salaries and more desirable working conditions (e.g., work-from-home opportunities). Public agencies often have inflexible and bureaucratic workplaces and frustrating hiring processes. Competition for competent cyber staff is global and encompasses all sectors of the digital economy. At the same time, the school-to-career pipeline is unable to meet the demand. In response, some agencies are outsourcing these responsibilities, sometimes to former agency employees now employed by the agency’s business partners. Transitioning IT employees into vendor/contractor staff could result in significant cost savings to the agency while enhancing the vendor’s understanding of the agency’s needs, processes, and culture. Agencies are also exploring the use of apprenticeships, internships, scholarships, and other initiatives to increase the number of eligible applicants for in-house positions.

The COVID-19 pandemic is having a profound effect on every infrastructure sector in North America, including transit systems, and on the information technology and operational technology systems that are embedded in their ongoing operations.

The TRB Transit Cooperative Research Program's TCRP Synthesis 158: Cybersecurity in Transit Systems identifies and documents emerging cybersecurity trends related to teleworking/remote worker offices, contactless customer services, real-time information services, transit-on-demand services, and cyber resilience affecting transit agencies now and in the near future as a consequence of the digital acceleration stimulated by the global pandemic of 2020–2021.
