Cybersecurity in Transit Systems (2022) / Chapter Skim

Pages 7-33

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 7...
... 7   Literature Review This chapter summarizes key findings concerning cybersecurity trends, threats, incidents, mitigation strategies, and countermeasures from previously published research, from official sources, and from contemporary news accounts. The chapter also includes multiple case examples illustrating these findings.
From page 8...
... 8 Cybersecurity in Transit Systems Officers and state Homeland Security guidance and reports, DHS security guidance and reports, and others. To collect information on recent transit cyber incidents, the research team searched local, national, and international news sites along with transit and transportation industry magazines such as METRO, Mass Transit, International Light Rail, and Rail Technology, Progressive Railroading, and industry websites.
From page 9...
... whenever a passenger purchases or uses a ticket, or logs onto onboard Wi-Fi (Countermeasures Assessment & Security Experts, LLC, and Western Management and Consulting, LLC, 2020)
From page 10...
... The Forbes study also found that reputation damage is one of the top four factors -- along with preventing productivity losses, system downtime, and compliance failures -- that contribute most to securing budget commitments for cybersecurity. When a cyber incident occurs, the response matters.
From page 11...
... Management and Consulting, LLC, 2020)
From page 12...
... Topping the list of FBI cybercrimes in 2020 were computer "phishing" scams, non-payment or non-delivery scams, and internet-based extortion (FBI, 2021)
From page 13...
... messages to a large volume of people in the hopes that at least some of them will disclose personal information or click on a malicious link. Spear-phishing is highly personalized and carefully crafted to get a single individual to respond, an approach which makes it more likely to succeed (Shavell, 2021)
From page 14...
... In March 2017, a Chinese APT injected a malicious backdoor into a software update for the widely popular Windows registry cleaning tool, CCleaner. Approximately 2.27 million users downloaded the infected version of CCleaner.
From page 15...
... employees from accessing their email and to stop providing real-time travel information to riders (Madej, 2021)
From page 16...
... that hackers mistakenly entered the MTA's system and discovered it was of little interest, which cybersecurity experts say is not unusual. The MTA coordinated and managed the response with state and federal agencies.
From page 17...
... Some attackers possess a deep knowledge of rail industrial control systems, demonstrated by their deliberate actions and focus on specific systems, such as vehicle control and passenger information systems. Case History: San Francisco Municipal Transportation Agency, Muni Light Rail Cyber Attack Background In November 2016, the San Francisco Municipal Transportation Authority (SFMTA)
From page 18...
... The county government was never able to understand how the hacker got the information to carry out the attack. Some states and counties have open checkbook requirements, which may have been a means, but it was not clear how the hacker obtained the information that was used.
From page 19...
... • Lost business -- activities that can include disruption caused by system downtime, the costs associated with customer churn, and reputational loss. • Notification -- activities to notify employees, customers, regulators, and third parties of the data breach.
From page 20...
... that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." According to FTA (Chandler, Sutherland, and Eldredge, 2009, p.
From page 21...
... A pilot version of the initiative was launched in April 2021 in the electricity subsector with over 150 electricity utilities deploying or agreeing to deploy technologies for control system cybersecurity. The natural gas pipeline subsector was the next subsector to implement the initiative, and other sectors are anticipated to follow.
From page 22...
... Agencies can use the implementation guidance to characterize their current cybersecurity state; identify opportunities for enhancing existing cyber-risk management programs; and find tools, standards, and guides to support implementation and to communicate their risk management issues to internal and external stakeholders. The framework can provide an objective manner to show the status of the cybersecurity program and where improvements are needed.
From page 23...
... value for Social Security and driver's license numbers added an incentive to the challenge of improving the cybersecurity of the agency. ITD looked at alternative frameworks and approaches to support their efforts.
From page 24...
... costs. Because the targets can be reset over time, the agency recommends focusing on agency-specific cybersecurity risks.
From page 25...
... cybersecurity at single points in the process. A shift in operating model may require a shift in talent as well, as work moves away from a framework of development, implementation, and deployment followed by security to a process in which security perspectives are involved from the beginning (Figure 4)
From page 26...
... APTA guidance recognizes the importance of establishing a cybersecurity culture in the agency. Having technology in place to provide cybersecurity is only one part of effective cybersecurity management.
From page 27...
... across all industries. These groups provide current threat alerts and share information about effective practices.
From page 28...
... As an example, in December 2012, DHS conducted a two-day on-site consultation and assisted MARTA in using its CSET tool. MARTA's IT, police, and the Office of Engineering and Development were involved in the assessment.
From page 29...
... After MARTA received the detailed report, the agency performed a detailed gap analysis and subsequently began identifying capital projects. MARTA initially targeted items with the lowest SAL ratings compared with the target ratings.
From page 30...
... The CRR is derived from the CERT Resilience Management Model (CERT-RMM), a capability-focused maturity model for process improvement, and it reflects suggested practices from industry and government for managing operational resilience across the disciplines of security management, business continuity management, and information technology operations management.
From page 31...
... investing $3.7 million annually toward cybersecurity or "cyber-safety" in order to defend against eight million cyberattacks per month. The goal of the agency was to create a more resilient cybersecurity network to protect citizens, businesses, and the state.
From page 32...
... A much larger gap exists in transit-specific guidance. There is a limited amount of transit-specific guidance and very little current cybersecurity guidance available for transit agencies.
From page 33...
... Incidents detected, compliance goals met, compliance audit results, and threats averted are the metrics used by most public sector organizations to measure the success of their organizations' IT security teams. Federal, state, and local respondents use compliance audit results to measure success.

This material may be derived from roughly machine-read images, and so is provided only to facilitate research.