#LTCtalks 2022 Dialogue 6: Cyber Security: How Technology Affects the Way We Move
So welcome, thank you very much for being here to our final dialogue of the year. It's great to have you. Before we get started, we'd like to play a short video. For more than a century, HNTB has connected the people and places of Los Angeles. By creating infrastructure as innovative and diverse as those who call LA home, we are bringing Angelenos together and expanding opportunity. We are here to create the Los Angeles
that's important to you, to all of us. We have been here in the past. We are here now and we will continue to be here with you as we work together to build our community, our home. Thanks so much for that, Raffi. It's great to have you again here and to see you all
today and we'd like to thank Matt Bushman and the whole team from HNTB for being such great sponsors and really helping out. Well, really creating and really supporting this dialogue to move forward, which I think has become a really important part of the Inland Empire conversation. As you see on the slide, I'm Kimberly Collins. I'm the executive director of the Leonard Transportation Center and to get us started, I'd like to welcome the Dean of the Jack H. Brown College of Business and Public Administration to say a few words. Dean Gomez Arias, please. Good morning everyone. Thank you. Thank you for being here. It's really a pleasure to see a group of people and community leaders participating in this dialogue that are really important
to the future of the greater Los Angeles area and the Inland Empire, as we think about how we can create both successful and inclusive communities and economies in our region. I want to thank everyone that has made this possible, not only the speakers who have taken time to be here with us and prepared for it, and will share their expertise and their vision. Thank you to the committee members who planned everything and made sure we were all here together. But also there are supporters, those of you and organizations that have made the activities of the Leonard Transportation Center possible. Professor Collins mentioned HNTB, but
also the San Bernardino and Ontario international airports, who have been our platinum sponsors. Woodruff, Spradlin & Smart, the Southern California Association of Governments, and SoCalGas and Metrolink have been our gold sponsors, and there are also a number of silver sponsors. I'm not going to go through the whole list. You know who you are. Thank you for your support. And I'm really looking forward to the conversation. You don't want to listen to
me. You want to listen to the experts. So with that, thank you all for being here and looking forward to a great conversation. Thank you, Dean Gomez Arias, for those welcoming words. Now I'd like to invite Matt Bushman from HNTB to give us a few words. Sure, thank you. Yeah, Matt Bushman, HNTB. We're a transportation engineering company nationwide, but we have offices here in Ontario. We're proud to support the Leonard Transportation Center really from the inception, and also just quite excited to hear what we have to say today around cybersecurity. Thank you. All right, thank you so much, Matt. Today we
have a great program for you. We have 4 speakers so a lot of speakers to go through and a lot of experts to hear from. And we'll share in just a moment the spark link to see the full program, and Raffi if you could share that for us on the chat, that would be great. And so we'd like to start as well with a see now the program there for today in the Adobe Express, which we. Used to send. I'm just going to give since we're talking about cybersecurity. We used to send out with the emails and the confirmations and such. You can't get a spark file through anymore on emails and it's blocked from people's emails so they don't get the registration. So
now we can only really surprise provided here. It's part of that cyber security and making sure that malicious links don't go through. So it's a piece we'd like to get started with the Zoom poll. And our first zoom question for today is looking specifically at the role of the federal government in in the in the realm of cybersecurity and transportation and so. And not surprising, you know, many think about the role of setting rules, regulations and guidelines that come from the federal government. Also some well one spoke about hands on assistance and support and then control and monitoring of the system itself and then. And other role. I don't know if you're interested in sharing what the other role might be, but you can share that in the chat. And we hope that this will
be an engaging piece where folks can share information and think about it and, you know, again, talk about it in an all-around form. So our next question is: what was the percent increase in ransomware attacks in the transportation industry between 2020 and 2021? Not sure how many of you are going to know this except for those who are. Just give it a couple more. So we have an answer that's fairly divided. We have 20 percent, 24 percent, 24% and 32%. Well, those who are in the 32% category, the 180 to 200%
increase in ransomware attacks would be correct, so again, the threat that is out there is becoming much more intense and serious and I know any of you who really work in this field know. And all of us who are on the other end, sort of the user side, and how our institutions are dealing with cybersecurity and ransomware now know, as we all have these two steps, you know, log in and all kinds of different ways to protect us. So with that I would like to invite our next speaker up, Donald Louie, who is from Foothill Transit, will be sharing today some of the things that are happening on the ground with our local public transportation systems. So Donald, please. Good morning everyone. Thank you for having me come in and speak today. My talk is going to be from the perspective of a transit agency regarding cybersecurity.
If I could have my slide. OK, so. From the perspective of cybersecurity professionals, the Transit Research Board and the National Academies. The risk of transit agencies to cyberattacks is based on these facts, so this is a report from the TRB having surveyed transit agencies across the nation. Here they inventoried most used technologies and transit operations from buses, trains, access services. And search for known vulnerabilities. Using what we call red teams and cybersecurity for penetration testing and then verifying attack methods. And then test vulnerabilities where blue teams are used to defend against the very attacks to test the patches to make sure they are securing the vulnerabilities that have been discovered.
So from these activities throughout transit agencies they've come up with these. For all transit agencies on how to protect their inventory of systems so as a result of this exercise they provided industry sectors next generation cybersecurity solutions. Next slide please. I think you're ahead of me. If can you go back, please. OK, so. Public transit agencies are reporting that there is a definite lack of funding. Identifying a large variance in complexities of their existing environments and the lack of expertise about what is next generation. So these approaches are substantial inhibitors
to implementing. The solutions for the cybersecurity issues. Next slide. Thank you So what makes transit so complex? So when you identify with transit, what do you have in mind? For some of you maybe rail or train for some bus buses and others maybe access services or last mile modes such as Uber and Lyft. Some of our transit agencies operate all of the above. For the outsider. They see public transit as a simple sector, basically running transit, but we are much more and this is what makes transit so difficult to secure.
So we are also in the financial business where we sell passes like traditional retail sales. So we're like retail stores. We have mobile ticketing so we're also e-commerce. We are a business on wheels that requires us to secure our transactions, so our fare collections on buses are basically mobile ATMs. We're an auto repair shop. We fix our own buses. And we have car washes or bus washes and we clean our own vehicles. We are in the marketing business and we also produce materials for our riders and keep them informed. So we run all of these additional businesses in addition to transit for operating hundreds of buses and trains and the services we need to
dispatch to all the customers. We use what we call intelligent transit systems, also known as ITS. So for some agencies, we are capable of tracking in real time, and we can tell how many passengers have boarded and alighted. We are able to announce the next stop and track in real time bus locations to our customers.
And we're also able to manipulate the system on the ITS to modify routes if there happens to be a collision or there is construction, and so all of this is done on the fly to run daily operations, and the complexity is what makes cyber security so difficult for transit agencies because there needs to be experts in so many different fields in addition to just transit. Excuse me. So these technologies are just to name a few and to have a person with knowledge of all these systems is highly unlikely, to know every single system and how it operates. To ask the subject matter expert on each of these and then how to secure it or to change the policies to make it more secure is very unlikely. So either you have a person of knowledge on operations, you know how to operate the software or equipment, but to also know cyber security practices is very difficult, and to bring an outsider to understand how to operate this equipment.
How could you secure something you don't know how it works? Is the challenge that we're all facing. So outsiders, unless you tell them, can't secure what they don't know. And if you don't know that that's a risk, then it's hard to translate. So this is a huge challenge for many transit agencies right now with. Get all these recommendations. There's these solutions, but what exactly are we trying to resolve? So this requires a cyber security specialist who needs to learn these intricate systems, and even a highly educated person in cyber security or a third party brought in to secure the system has a knowledge gap that he or she needs to sit and learn before they can begin to secure. The next slide please. So knowledge gaps are identified as a result of lack of expertise concerning the next generation approaches. Transit agencies increasingly relying on third-party vendors.
Resulting in guidance for procuring services across transit agencies. For these very complex environments, for cyber security goods and services. So in addition to the knowledge of equipment, there is also a gap in knowledge of how to procure cyber security solutions. And how to vet these vendors?
So the catch-22 moment here is procurement needs to know the guidelines to hire third-party vendors. Because the guidance identified is how to vet third- and fourth-party suppliers, so many of us do not look who their outsource suppliers are and that they also need to be vetted and that probably right now is not being done, which that needs to be made aware to all transit agencies.
That this lack of understanding need actionable items as mentioned earlier. Do we need to have cyber security for these projects in case things don't go as planned and then the question is, will the insurance pay if the error is on the agency side. Is a big question, is that worth the investment? So a big knowledge gap for transit agencies is the gap in employee knowledge and skill set. Smaller agencies do not have employees with knowledge in cybersecurity skills and are unable to recruit, hire, and retain them for a variety of reasons.
So the question is which strategy should they use? Should they outsource the task or train the workforce or outsourcing again leads to a procurement knowledge? And then training introduces a new set of gaps. So should transit agencies address cybersecurity skill gaps by developing a transit specific guidance or a new paradigm solution in what's happening today is known as zero trust architectures moving forward. They're managing the new workplace, and the next generation of employees. Do we just start from scratch? What exactly is a zero trust model? I think we'll go to the next slide, please. So a zero trust model is a security framework
that requires all the users, whether they are in the inside or the outside of the organization's network, to be continuously authenticated, authorized, and validated for being granted access to the network, applications and data. So that basically means they're being authenticated every five seconds rather than once, and then they're in the network and they do what they like, so this is known as a zero trust. So one of the most common tactics a hacker uses is taking a user's credential that they have compromised. Perhaps a weak password. Once they are in the network, their first thing they would try to do is change the credentials
that they have to an admin user or a super user within an application or in the network. This will then allow them to manipulate and change anything they like. So with a zero trust, the minute a user tries to change their credentials that would trigger a denied and they would be locked out of the system, so there's no need for all the monitoring there, so that's a totally different design. You don't need the experts, everything just gets turned off in this particular type of model. That is a new architecture that has been out for a while.
It has not been the primary model yet, but that is one of those suggestions from the TRB. Improve visibility. So what else does zero trust do? The main objective of zero trust is to allow the organization to approve every user and every device every time it accesses the network and the network is requested. With a clear understanding of who, why, and how, this capability, coupled with least privilege, allows the organization to maintain strict oversight of network users and devices as well as their activities. Next slide, please. So with the Colonial Pipeline and many other organizations who have already suffered through ransomware attacks, the lessons learned is what we should take away. With any first step on strategies is to identify the risks. Many IT and security professionals
are working hard to integrate cybersecurity solutions that are mostly information technology and operational technology. So what we term IT and OT. Many organizations started to implement cybersecurity strategies. Their primary focus was on informational technology. IT is defined as
computer hardware and software used for creating, managing, sharing and storing digital data. This can be on premise or in the cloud, such as e-mail as an example of IT. Most, if not all, networks started as an IT infrastructure. As transit started implementing IT into its operational functions, it started to bring in old systems, which is old analog systems such as train PLCs or programmable logic controllers, and then introduced new vulnerabilities that were initially unaware of. So as you bring in old technologies, that's bringing in new vulnerabilities, so this is what we call OT, and since pipeline
OT has been highlighted as something that maybe has been overlooked, as we know it's harder to control analog devices, but if you want to communicate to it, you're integrating it in. So OT is a technology, hardware and software that is used for managing, controlling and monitoring physical industrial devices and machines. So very different than IT. It is mostly used in physical industries like electricity, water, oil, gas, manufacturing and more. So this is why IT has a hard time when it comes to OT equipment because there isn't much. The systems are very different, and so bringing in more engineering than you do IT when it comes to securing OT, it's a very different challenge. Next slide please.
Oh, you're already on it, so stay there. You can go back. So at the end of this, what has been reported as cyber threats in transit research by the TRB? Potential transit systems. Cyber vulnerabilities have been documented in operational systems, control centers, signaling and telecommunication networks, and back end systems of operators and infrastructure providers. Shared systems used by consultants and suppliers. There are literatures for these vulnerabilities found and known vulnerabilities for connected vehicles, autonomous vehicles, electronic ticketing systems, traffic signal controllers.
Traffic signal priorities. Dynamic message signs. However, TRB has discovered that there is no literature for CAD/AVLs, which is computer-aided dispatch/automated vehicle locators, online trip planners, mobile fare payments, onboard Wi-Fi, CCTV, APC, which is known as automated people counters. There are no literatures. There is no knowledge of them even being tested. And so it is reasonable to believe and expect that security vulnerabilities
do exist in these technologies and have yet not been discovered. So the takeaway is that people need to understand what secure processes are, how their own work processes work, where security gaps need to be addressed. Agencies need to ensure they use an authentication process for vendor payments, including validations of vendors and banking accounts.
Increase employee education and assistance to departments as needed so staff can review their own internal process to ensure that process includes multi-factor authentication and vetting requests and use verified communication methods beyond e-mail. Next slide please. So to conclude, with every new technology that is introduced to the system. In the cyber world, a zero day is an attack of an unknown vulnerability. It
has never been discovered yet. So with that said, it has been there from the very first day you bought it, but not exploited. So every day has the potential to be a zero-day attack. Thank you, that's all I have.
Thanks so much for that, Donald. So it's great to hear. Sort of this macro perspective from the federal government and what's really happening at on the ground with some of our transit agencies and some of the. Is out there and I think a lot of what you spoke just to you know put my own two cents in as a as a professor in public administration, I think the risk that you're talking about are the risks that a lot of local governments face and that balance of the workforce with the realities and the changing nature. And the
resources. And the capacity to be able to deal with a lot of these issues. So it's an interesting piece that I hope our last speaker will work a bit on. I think the author of that report that you mentioned earlier Pat by. So We'll delve into that. I hope further so our next. Before
we launch onto our next speaker and hear a bit from the private sector and what they're doing, we'll have our next poll question. So, are data security and privacy the same thing? One of sort of softball questions out there. So they are not the same. They are interconnected.
Privacy is users security and then all of the above. So just take a minute here to think about these different pieces. For again, we jump in to our next speaker, Wejo. Alright, just a couple more seconds
and we'll end our poll. Share our results. Just hold on. Share our results, sorry. So they are not the same. They are interconnected and then all of the above. So Ryan, maybe you can share with us a little bit in your presentation today. Ryan McNamara from Wejo, a data company, and I'll have you speak more. But really, thinking about those pieces of privacy versus security.
Thanks Kimberly and good morning everyone and I do have a slide that will touch on it briefly. But yeah, I'll cover that once I get to it. So yeah, thanks for the opportunity to speak today and to give everyone an insight into what it is that Wejo actually does.
And then also the important role that my team play in that. So as you can see my name is Ryan McNamara. I'm the head of security operations at Wejo. And I'm based in the UK. However, my team do provide a 24/7 service to Wejo, so if you could jump onto my first slide Raffi.
You can skip that one as well, sorry. OK, so Wejo. What is it that we do? So we are a global leader in connected vehicle data and we provide accurate and reliable insights from vehicles that can ultimately help improve the way that we travel. We organize billions of data points from millions of connected cars. And we do this using our partnership with global automotive manufacturers to stream data at scale and at speed. We then transform that data and enhance it by turning it into meaningful products that can help power innovations and drive efficiencies and also innovate mobility. And it's worth probably giving you some quick examples of what that looks like. So
in the first response data, so access details on crash severities, vehicle resting positions such as is it inverted, or is the vehicle in a ditch. The vehicle type status, occupancy and that information can all be fed then to emergency services and first responders and the next one is probably intelligent improvements. So using Wejo road and traffic modelling to inform road and intersection and movements and infrastructure and construction and then probably the one that infuriates everyone the most is roadworks and closure planning, and doing them at optimal times.
Whether it's going to have the less impact. And just in that diagram that you can see in the screen, so privacy and security is at the center of Wejo. We have a regulatory and security wrapper that ensures that everything that is private stays private. We hold several recognized security certifications and these are audited by our independent third parties on a regular basis. I wouldn't go into that much detail just now because I do have a
slide that covers the certification, so I'll get into it in that. And then just at the bottom, I've got there that we stand for data for good. What does data for good mean? So we create value, so we create new revenue streams, driving business efficiencies and we can unlock opportunities for everybody. We can improve safety, identifying incident
and congestion hotspots to make the roads safer for drivers, riders, passengers and communities. And then enhancing sustainability. So to make our cities more livable and improve efficiency by predicting and also preventing buildup of traffic and ultimately lowering emissions. And then the last one is increasing convenience, so taking that better
personal transportation experience by helping, for example, drivers find a parking spot more easily, making EV charging simpler and reducing commute times overall. Next slide, Raffi, if you can. So I thought it probably just we were sharing some numbers and again just this is the volume of data that Wejo's currently handling. And as you can see, the illustration of the car on the left hand side of the slide, and there's multiple sensors in the car that we're collecting information from and from our multi-OEM data supply platform, we ingest 18.6 billion data points per day. As of
the 1st of September, we had actually ingested more than 18.4 trillion data points covering 4 continents with roughly 13.7 million vehicles on platform. Next slide, and this is just an example of one of our products that I'd mentioned. So it's a data visualization tool known as Wejo Studio and this can provide immediate insights, leveraging the Wejo ADEPT platform which is
collecting all of that data. New analytics are delivered on a regular basis to Wejo Studio and there's a few other products that are in the pipeline for that as well. Next slide, Raffi. OK, so just probably firstly before I go into security operations, which is mainly my bag, it's probably worth just giving a bit of background as into the department because we are part of a bigger team. Within information security our vision is that Wejo remains safe, secure and resilient and we do this in a combination of people, processes and technologies.
We work on our strong security culture at Wejo and we support all of our colleagues and customers, fourth parties, vendors to make sure that we're all security aware. We always take an intelligence-led and risk-based approach to security. We go against all internal and external threats. So as I said, information security is probably split up into two: security operations, which is my area. We've got kind of three main focuses, one being security engineering,
incident response, and our security operations, and then a project consultancy. And that's really just to ensure that all the operational elements of our security strategy are delivered, but again, I'll come on to that in a bit more detail on the next slide. Security governance. So this is information security governance
team are responsible for a number of risk policy and ISS framework related activities. So that includes our kind of managing of our third party risk framework, so any new or existing supplier base, they'll have due diligence conducted on them to ensure that they have appropriate security controls if they are managing any of the legal data. Managing our ISMS and ISO accreditation, so that really entails ensuring that all the security processes and practices are governed in line with our ISO standard, and it makes life a bit easier when it comes down to auditing time as well, that we've got all of these artifacts available to the auditors. Managing our policy framework, so not just ensuring the fact that we have the right policies and processes in place and they make sure that they're reviewed and updated on a regular basis, and probably the most important part of all of that is making sure that it's communicated to all staff at Wejo and everyone's got an understanding of what these processes and
policies look like. And finally, risk management and reporting. So this is just looking at managing our risk profile by identifying any key risks and controls that are in place that we. So ensuring that any actions that are outstanding to remediate any weak areas of control are completed as well as reported to our Board Risk Committee. Just, uh, you've already got that up, so I've kind of split this bottom section into two and hopefully this answers your question, Kimberly, about the difference of information security versus privacy, or at least hopefully touch on it. So Wejo has two separate teams.
Let's say we are. We do have this regulatory and security wrapper that is around all things we do and it is really important that information security have a close working relationship with our privacy colleagues and I think probably for me within security. Our goal is to. Provide protection for all types of data and information we look at protecting the full. What privacy if we got focus on the protection of sensitive information related to individuals and organizations? So I think that they both have their place and they both focus in in in different areas, but they do need to work together. As I say, we, we have regular contact with our privacy, privacy colleagues and. I've always been of the view and I don't know how controversial it actually is, but the security can always be achieved without privacy, but privacy can't be achieved without security. The two of them do need to work hand in hand, but they are separate.
So hopefully that answers your question, or at least my opinion of that question because I know it's quite an interesting one. In terms of certification, so I'm not going to read out all the certifications, but we have obtained these certifications listed in that box as part of our commitment to ensure that all of the data that we hold is done so securely. Probably the big one in there is our ISO 27001, and that's a three-year certification that we're pretty much in the middle of just now, so we are going through regular surveillance audit. That is all progressing well. And that is me for that slide, Raffi. If you could jump to the next one. OK, so security operations as I say is my main focus and this slide is just really just to cover
the three main areas that my team's responsible for. So operations and incident response. So as I said at the beginning, our security operations team, they're 24 by 7 and they're proactively monitoring the Wejo environment. We consume information from all of our endpoints, our network environment, and our cloud environments. We're a big consumer of threat intelligence, so we consume that threat intelligence from government agencies, security researchers and
security vendors. We have artificial intelligence products in place that look across our environment and the SOC is really essential to ensuring that we maintain compliance against all these standards and best practices that are laid out in things like our ISO 27001, so a very important part of what we do. Security engineering, so the responsibilities there are looking at how we can introduce new security solutions, so cyber security is ever changing and there is a big focus on. I mean, we're not always a fan of just flinging technology at it, but there is a time where new technology needs to be implemented, and that's where the security engineering team sit and they would look at introducing these new solutions, making sure that these solutions have roadmaps, and so they're continually being developed, and
the team also assist with incident response activity, so anything that happens in that incident response world, the security engineering team tend to be involved because a lot of the containment or eradication activities can all sit within that kind of security engineering space. And another part that that team also focuses on is vulnerability management and also the education of staff. So again, as threats continue to change and the more that Wejo see to themselves, what we want to make sure is that our staff are properly equipped with all the right training and education. So that's a big focus for us as well. And the last one in the team. And I think this is probably one of the most important factors, and especially in a company that is continually innovating, continually changing, working on new products and projects on a regular basis. Our project consultancy team makes sure that security is in there from the very beginning, so they're involved in risk assessments. They'll have a look at the designs, they'll define the security requirements and make sure that they comply with all of our standards and policies.
And that's me for that slide and probably just onto my last one, Raffi. If you could. Case that I think there's some similar themes to the previous speakers as well, so again, this isn't just a my view from Wejo, this is just my view in general about what the challenges are. Then what we do we do to try and counteract them? As I say, these top five cyber threats in my opinion are not just limited to. Automotive or tech or transport these across all industries and malware and ransomware. It's top of the list and it's top of the list for good reason. I think this is the one that. Always seems to be one that hits the headlines the majority of the time. And the statistics for this year are probably the ones that strike me the most,
and I think it was predicted that we would see one ransomware attack every 11 seconds, and ransomware creators are now raking in up to a billion dollars. Per year, it's not a bad business. UM? Fishing, so again, I think the FBI had released a statistic that they expected that this would increase by as much as 400% year on year. And for me, I think that's purely down to the high success rates of such attacks. The the numbers ridiculously high for it. I think it's 90 odd percent of data breaches occurred now are off the back of a phishing attack, which just shows how successful that actually is. And for me there is no, there's no silver
bullet with phishing; there's no one tool that will be able to stop it. A lot of it comes down to end user and end user education. So we put a lot of focus on educating our users on what they can do, and if they're not sure, they at least reach out to us first. And I'll probably just skim over some of the other ones, so denial of service, that was also mentioned earlier on. Internet of Things attacks, for me, is one that is going
to start rearing its head more and more often, and I think specifically in the connected car world. There, car network architectures are becoming more sophisticated, with enhancements being made to vehicle to vehicle communications and vehicle to everything communications, that this is definitely going to be an area where I think we'll start to see a lot of noise. And the last one on there is third party breaches. Personally, this is the one that concerns me the most. It's the one that you have least control over, and our governance team do a really good job of carrying out due diligence on our supply chain and ensuring that appropriate security controls are all in place. But for me the monitoring of our customers, suppliers and fourth parties is still critical because that at times can also be one of your weakest links. And just to finish off, you know, how
we draw or how we as a team try to respond to these threats. So we've aligned ourselves to the NIST four step process for incident response, purely because that process really emphasizes that incident response activity doesn't just start when an incident is detected and end once you've recovered. It's that full process of, and without going into them all individually, it's having that preparation, so all of these activities like these assessments and pen tests and vulnerability management, your red teams, your blue teams. All these exercises are all done in advance of anything taking place. You don't do it after the fact. Detection and analysis, containment and eradication,
and recovery, and then that post-incident activity and really making sure that you're learning your lessons. And I think from some of the big breaches that are hitting the news more often, I think it's becoming more and more apparent that people aren't learning their lessons, and they're being stung twice. So it's really important for us that any post incidents that we have, that activity needs to take place and we make sure that we remediate them.
And probably my last message before, I don't know how I'm doing for time, if I've kind of whizzed through that, but probably my last one was just, obviously the cyber attack landscape is ever changing; scams are becoming more and more sophisticated than ever before. And I think that people in my position across all industries would also see that it's becoming very repeatable. There's lots happening, there's lots of noise, and unfortunately it's not going the other way. It's only going to get busier and louder. So that's me.
Thank you so much, Ryan, for joining us, and for those insights in how the system is working from another perspective. And again, it's these complexities and the difficulties in working across sectors. It's a very interesting process that I think we're living through today, and I'd like again to delve more into that as well. So how do we really make sure that, how we shift in this transitional space that we're in and all of these changes that are occurring, and thinking about all of how organizations and the silos? It's an interesting piece. Just, again, some initial thoughts, so I'd like to, before we go to our last speaker, have our last poll question
to get us thinking about moving forward in the next 5 years, as Ryan just shared and I think we heard from Donald as well, how the system's changing, how it's coming so quickly. So what do you think are the two top issues facing the transportation cybersecurity industry in the next five years? One being access to the workforce employees; new technology threats, data breaches; just government regulations; and then lack of public awareness. And then finally, all of the above. So again, our softball question out there for you. Not a scientific measure but
something for us to think about. Keep the poll open just for another few seconds and then we will close it out and go to our last speaker of the day. OK, in the poll now. So of course all of the above. There is a lack of public awareness for
sure. Government regulations and some of the issues that come with that, the new technology threats and data breaches, and then access to the workforce employees, and some of my colleagues in the Jack H Brown College and our cybersecurity center are really working to help with that as well. So let me just invite our last speaker to come up. Patricia Bye, or Pat Bye, is an independent consultant and has worked with TRB on a number of issues and has written that report that Donald discussed earlier regarding cybersecurity in the transit, and I think Pat's going to provide a bit more insight into that study. So Pat, please.

Thank you, my name is Pat Bye, as was just said, and I want to briefly go
over the current and future state of cybersecurity in transportation that was based on that recent research that was published in late January of 2022. Raffi, if I could have my slides, please. Thank you, and you can go on to the next one. My objective today is to provide an overview of the state of cybersecurity in transportation today, and also a summary of the future trends that we found, which include those cyber workforce challenges. Next slide, please. As this image of the transportation system shows, cyber vulnerabilities are everywhere. A highway system is very similar, with vulnerabilities everywhere too. This image does not include the physical opportunities for manipulation or destruction that may include manipulating infrared or laser signaling devices, jamming Wi-Fi signals, or even physically damaging critical communications cabling nodes in power systems. Next slide please. And there are more because of their complexity and known vulnerabilities and related technologies.
It's reasonable to expect that cyber vulnerabilities exist in other systems as well. The vulnerabilities in autonomous vehicles have been widely demonstrated. Next slide, please. The pie chart on the left shows the distribution of various perpetrators of cyber incidents, which range, as the previous speaker mentioned, from agency insiders to hackers and hacktivists, on to cyber criminals and nation state actors. The motive for cyber attacks in recent years has primarily become financial as opposed to espionage and other motives, as shown on the chart on the right from the Verizon Data Breach Investigations Report. Transportation systems has been a problem for some time. In 2014, the American Public Transportation Association, or APTA, said it was one of the most common cyber security incidences threatening transit agencies. As mentioned earlier, that has increased from 180 to 200% from 2020 to 2021. Over time,
ransomware attacks have evolved from random speculative attacks on a large number of potential victims to highly targeted attacks that demand larger payouts from a single victim. In addition, ransomware has added a new level of extortion, stealing sensitive information from the victims and threatening to publicize or sell that data if the ransoms are not paid. Recently, attackers have been increasingly using certain tactics, such as deleting system backups, that make restoration and recovery more difficult. Ransomware targets are now carefully selected on the basis of their ability to pay, their reliance on the data encrypted and the wider impact an attack would have. Critical infrastructure providers are targeted because their services are essential, making them likely to pay ransoms or fear public exposure. Next slide, please.
Ransomware attacks cost an average of $4.62 million, which is more expensive than the average data breach. These costs do not include the cost of the ransom. Full cost include the cost of detection and escalation. Those are the costs to identify the incident and then to begin to respond. It also doesn't include lost business, which could be the disruption of service or any of the loss of fare payment systems or even reputational loss. It doesn't include the cost of notification, notifying employees, customers, regulators and third parties of the data breach, and it doesn't include all of those costs after the response. These are
the activities associated with any of the legal ramifications or compensation, such as credit monitoring services for victims or legal expenses, and should there be regulatory fines, any of those. The average ransom in state and local government entities was $214,000, but I should note that 34% of those who paid the ransom still could not recover their data. Next slide, please. There are expert resources and guidance for both IT and operational control systems from a variety of sources, from federal government, international organizations and transportation specific entities. NIST from the federal government has been providing cybersecurity information for 50 years. In addition to a cyber security framework that was established relatively recently, and this provides standards, recommended practices, alerts and mitigations for specific vulnerabilities.
Other national and other international entities providing guidance include the Organization for Standardization, or ISO, the Information Systems Audit and Control Association, or ISACA, and Control Objectives for Information and Related Technology, or COBIT. Next slide, please. As the state transportation agency put it, one of the most difficult parts of the process was understanding how recommended cybersecurity and countermeasures guidance documents, such as those from NIST, applied to a transportation agency.
There is a limited amount of up-to-date, specific cybersecurity guidance available for transportation agencies, particularly as it relates to operational technology has produced recommended practices. These recommended practices established considerations for transit agencies in developing cybersecurity strategies, and it provides practices and standards that address vulnerability assessment and mitigation, system resiliency and redundancy, and disaster recovery. Most recently the APTA Control and Communications Security Working Group has issued an operational technology cybersecurity framework. Along with that
working group, APTA also has an IT Enterprise Technology Working Group. Next slide, please. Additional transportation guidance is available from the Transportation Research Board Transit Cooperative Research Program, which recently published the Synthesis Report, the information from which I'm sharing today. Together with the National Cooperative Highway Research Program, joint cybersecurity reports were published on the protection from cyber attacks and an update to a Security 101 guide that includes cybersecurity.
These guides include sections on cybersecurity risk management, risk assessment and asset evaluation, cybersecurity plans and strategies, countermeasures, training, and building a culture of cybersecurity. Next slide please. DHS has issued a transportation system sector cybersecurity framework implementation guidance in 2015 with the goal of assisting transportation agencies in implementing the NIST framework. More recently, the agency has issued a surface transportation cybersecurity resource toolkit for small and mid sized organizations, and they maintain a stop ransomware website. Next slide, please. Now I'd like to discuss the cybersecurity trends we found and the emerging cybersecurity practices that have not yet been widely disseminated by transportation organizations, but are of growing importance now and over the near term. First, existing cybersecurity approaches and practices are no longer adequate. New vulnerabilities are identified continuously
and cyber actors are constantly learning, adapting and developing new approaches. Secondly, next generation cybersecurity approaches are being introduced in IT. Along with industry, the federal government has become even more active in supporting and establishing these practices. And there are still substantial challenges due to lack of funding, the complexity of existing environments, including legacy systems, and the lack of cybersecurity workforce expertise for transportation agencies. Next slide please. The first emerging trend I'd like to talk about is cyber resilience. There is no standard definition
of cyber resilience that has been universally adopted. This defines cyber resilience with an emphasis on preserving or restoring agency operations, system functionality and customer services. This is in contrast to cybersecurity, which is focused on protecting digital assets from unauthorized access, exploitation, damage, or loss. Cyber resilience is not something that can be made or purchased. Instead it's a consequence of political, strategic, and
operational decisions that are reflected in agency business policies, plans, processes and workflows. Senior leadership needs to establish and promote the core values associated with cyber resilience in formal, such as training, and informal, such as on the job, settings.
The starting point for cyber resilience planning is to assume that cyber incidents will occur and they could degrade, disable, or destroy not only the digital assets of the transportation system, but parts of the physical infrastructure as well. Techniques, the suggested practices for improving cyber resilience, range from formal engineering approaches as outlined in NIST guidance documents to more informal multi step processes. Next slide please. A previous speaker talked about cyber insurance. Cyber insurance is a rapidly growing sector of the insurance industry. A 2020 study found that 72% of transit agencies had cyber insurance already.
Concerns about the risks being underwritten are growing, however, particularly given the sharp increase in the number and severity of cyber breaches, noticeably the increase in ransomware, and also the increased risk associated with remote computing, such as increases in work from home situations. As a result, finding and negotiating deals is taking longer. Insurers have less capacity and are providing more restrictive coverages with lower caps.
Deductibles are increasing, premiums are rising steeply, in some cases 100% year over year, and many new policies are now excluding ransomware. Next slide, please. As the previous speaker mentioned, cyber insurance underwriters are taking a much more aggressive posture in auditing agencies for minimal standards, including the adoption of the NIST Cybersecurity Framework, the use of multi factor authentication, segregated backups and documented incident response plans. Weak adoption of these practices may result in restricted or even canceled coverage. Next slide please. Not too long ago it was much easier to make the distinction between network insiders and outsiders, and various perimeter based cybersecurity approaches were deployed to keep outsiders out and to give insiders maximum access to enterprise resources. However, one of the unexpected, unanticipated results of the recent proliferation of networks, cloud based services, remote offices and workers using a variety of bring your own devices
has been the total erosion of the concept of the enterprise network perimeter. In response to this new environment, an alternative cybersecurity model called zero trust has been evolving over the past three years. A previous speaker has discussed this earlier, so I'll be brief here. As the name implies, zero trust approaches assume that all environments are inherently risky, and that potential attackers can be present anywhere. Further, zero trust approaches generally do not make the distinction between enterprise and non enterprise environments. The computing environment as a whole is continuously monitored and adaptively protected. Zero based cybersecurity
does away with implicit trust relationships based on network location and replaces them with explicit transaction based evaluations and dynamic access to specific and limited resources. "Trust nothing, verify everything" is the zero trust mantra. Next slide please. Let me talk briefly about the findings of the 2021 San Jose State Mineta Transportation Institute Survey on Transit Agency security. Just over 80% of agencies that responded to the survey believe that they're prepared to manage and defend against cybersecurity. And yet only 60% have a cybersecurity program in place.
Most transit agencies do not have many of the basic policies and procedures in place to respond in the event of an incident. 42% don't have an incident response plan, and of those that have one, over half have not had a drill in over a year. 36% do not have a disaster recovery plan. 53% do not have a continuity in operations plan. 73% feel they have access to information that helps them implement their cybersecurity preparedness program. Yet only 43% do not believe that they have the resources necessary for cybersecurity preparedness.
Overall, the study found that cybersecurity is not a priority in many transit agencies, as evidenced by the lack of investment or additional staffing. Next slide, please. The survey found that cyber security staffing levels are low relative to other industries and that the headcount dedicated to cyber security does not correlate with either agency size or with whether the agency reported having suffered an incident. Many transit agencies have yet to define the roles and responsibilities and the necessary knowledge, skills and experience for many of the cybersecurity jobs. Of those that do have cyber security staff, transit agencies do not have employees with the requisite cybersecurity skills. Only 38 of the 90 survey respondents have
certified cybersecurity specialists on staff. And there is no consensus within the industry on which certifications to require among potential new hires. Next slide, please. In terms of cybersecurity skills, disparate, institutional, cultural, and organizational domains collide. Cybersecurity is generally the responsibility of IT personnel.
Control systems are usually the responsibility of engineering and operations personnel. Implementing cyber security for transportation requires having a good understanding of security and the control systems and the operational environments, as Donald from Foothill Transit mentioned. Add to that the fact that transportation agencies are increasingly unable to recruit, onboard and retain cybersecurity staff. Competition for competent cyber staff is global and it encompasses all sectors. A 2021 CyberSeek study indicates that there are over 450,000 total
cybersecurity job openings in the United States, over 36,000 of which are in the public sector. Making the situation worse is the relative inability of public agencies to offer industry competitive salaries and more desirable working conditions, such as more work from home opportunities. Next slide, please. Given that, what can be done? Well, there are existing resources that can help. From CISA has mentioned that CISA has resources and staff available. Even a small cyber insurance policy provides access to pre and post incident resource networks.
These resources may include cybersecurity, disaster recovery and business continuity experts, plus legal and communication specialists and other hard to find skill sets. This strategy has been successfully adopted by many small and mid sized organizations. Some agencies are outsourcing these responsibilities, sometimes to former agency employees now employed by the agency's business partner. Transitioning employees into vendor contractor staff could result in significant cost savings to the agency while enhancing the vendor's understanding of the agency's needs, processes and culture. Transportation agencies
are also exploring the use of apprenticeships, internships, scholarships and other initiatives to increase the number of eligible applicants for in-house positions. Next slide, please. So given all that I've just presented, I'd like to leave you with some questions to consider. First, how do we transition all of the legacy systems that are in place, those without the security we need now and with limited ability to be modified to be more secure?
Next, since today's cyber environment is a complex amalgam of in-house, commercial and open source software running on a variety of platforms and devices and accessible to employees on site and off site, along with a variety of legitimate outsiders, including vendors, contractors and subcontractors, how do we address these remote workers and their consultants? Third party cyber risk has increased significantly, particularly in the case of multi tier supply chains. So how do we vet third party systems and software? And finally, how do we find cybersecurity staff with the transportation agencies' increasingly limited budgets and resources? Next slide, please. Thank you for giving me this time to provide a summary of the work I've done recently. You'll find my contact information and the link for where you can obtain that transit cyber security synthesis.
Thank you so much, Pat. That was great. Raffi, I'd actually like if you could go back to Pat's questions. So those are some of the many of the questions that I actually have for our speakers, and maybe we can move into those questions, but first, before we do that,
I'd like to open it up to anyone in the room, if you have any questions for our speakers. And you can either put it in the chat, or you're welcome to ask directly. OK, well then I'm going to start us off, and I think this goes into a bit of what Pat was putting there. Considering the complexity of the systems that we live in today, and I speak about this a lot in my classes that I teach as well, so really thinking about, how do we transition? How do we move forward? And that's part of what the hope and the goals of these dialogues are, is to bring experts to the room so that
we can think about the multitude of issues that we're facing as a global society. And then, how do we address these issues? So I'd like to open up to all of our speakers, Ryan, Pat and Donald. How do we really transition? And I think you've touched
partly upon it, but how do we make sure that we're not working in silos? Because that's another issue that happens in many organizations, and just, you know, a couple conversations thinking about the transition to EVs. And how do we get regional planning? How do we have the people crossing the silos? Also, you know, and I think Ryan brought this forward, or thinking about the autonomous vehicles, or Pat, you know, on the autonomous vehicles and entering. And there was a very interesting article in Slate magazine last week about autonomous vehicles around San Francisco, and just not so much, where there weren't so much cybersecurity attacks, but just disrupting the transportation network. So it's an interesting piece from December 8th,
if you haven't seen this article in Slate. But you know, how do we deal with these transitional environments that we're living in and really make sure that, you know, we're providing the security and the safety? Because going back to the initial, and this will be sort of my last piece and then I'll open it up to our speakers, but going back to, you know, the initial kind of idea of the social contract between government and society, it is that security and safety, to make sure that our communities are safe, and now the threats seem so much larger and wider
and ever changing. Yeah, it's a complex environment, just let me just repeat myself. So any thoughts on this idea of silos? Working across and the complexity of the environm