The Intersection Of Data Security And Smart Public Transit Systems

Forbes Technology Council

Miroslav Katsarov is the CEO of Modeshift, a technology company bringing intelligent transportation to small- and mid-size transit agencies.

In recent years, automatic fare collection has been all the buzz in the public transportation industry—and rightfully so. The smart technologies that fuel automatic fare collection help to modernize agency operations and improve accessibility and convenience for riders. However, for an industry that has historically lagged behind when adopting smart technology, the influx of valuable data being managed by transit agencies paints a huge target for bad actors hoping to exploit weaknesses in security.

The potential risk is apparent—the Mineta Transportation Institute reported that in 2022, weekly ransomware attacks on transit systems were up 186% since June 2020. If the public transit industry hopes to fully integrate itself with the digital world and to leverage the potential of innovative public transit technologies, decision makers must make the development and implementation of effective security strategies a top priority.

Connecting Public Transit Systems To The Cloud

Slowly but surely, gone are the days of maintaining on-premises servers to keep transit systems up and running. Cloud infrastructures are more cost-effective and help reduce the network attack surface by limiting access to physical hardware. As transit agencies equip themselves with smart technologies from various vendors, they’ll quickly find that they cannot rely on a single solution to keep their systems protected. It is up to transit agencies to do their due diligence in assessing their security vulnerabilities with third-party vendors to protect the integrity of their systems.

As a best practice, public transit agencies should separate their information technology (IT) and operational technology (OT) networks to limit the attack surface and the potential number of affected entities in the event of a breach.

For example, if an agency’s IT and OT networks are separate but someone gains access to the IT network, they can’t manipulate anything on the OT network like infotainment panels on buses or bus routes and schedules. While someone could deploy ransomware in the IT network and encrypt the targeted PC, they wouldn’t have access to the entire public transit system.

Cloud architectures make this kind of network split much more achievable for agencies. While the cloud and the separation of IT and OT networks help reduce the overall attack surface, they don’t protect agencies outright.

Keeping Payment Information Protected

If riders want to benefit from the modern conveniences of automated fare collection (AFC) systems, they will need to input highly sensitive data, including banking and credit card details, into mobile and browser-based applications.

Given this, it’s imperative that transit agencies handle sensitive rider data with the utmost care. To ensure rider data is secure and protected, transit agencies must partner with vendors that comply with the necessary regulatory cybersecurity standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and Systems and Organization Controls (SOC 2). Vendors should also be equipped with security information and event management (SIEM) solutions so they can detect, analyze and respond to a security threat before it has the chance to harm operations.

Improving Cyber Literacy And Resilience Of Agencies

While some industries have been quicker to integrate smart technologies powered by the cloud, public transit in particular struggles with a lack of cybersecurity education throughout the industry. Without a strong grasp of the cybersecurity risks and best practices at play, agencies leave themselves more vulnerable to threats and attacks. It’s critical for transit agencies to understand that cybersecurity isn’t just a concern for IT and tech departments; it should be top of mind for the business as a whole.

Looking at cybersecurity holistically and evaluating the impact potential attacks could have on administrative functions and leadership, as well as on technology, emphasizes the need for a designated cybersecurity officer or advocate. Smaller organizations without the resources to dedicate a role solely to cybersecurity need to do their due diligence when hiring a third-party vendor by assessing its cybersecurity compliance standards and expertise. Agencies can refer to APTA’s Cybersecurity Considerations for Public Transit to educate themselves and ask the right questions, such as, "How does my platform detect potential intrusion in a system, and how is my data encrypted?"

Once an organization prioritizes cybersecurity, educates itself on the potential threats and establishes cybersecurity leaders or advocates within the organization, it will be ready to develop a cybersecurity strategy.

Establishing Disaster Recovery Plans

The most important part of a transit agency's cybersecurity strategy is establishing a disaster recovery plan by following a three-part framework: prevention, anticipation and mitigation.

First, agencies should be aware that a number of preventative measures are already in place to protect their systems. This includes implementing multifactor authentication systems to sign into applications, data encryption, compliance with PCI DSS and SOC 2 regulations and 24/7 security monitoring, potentially leveraging automation, among other measures mentioned earlier.

Next, agencies need to anticipate unavoidable disasters. In the event of a data breach, even while following best practices, how will the agency react? Who will be in charge of mitigating the effects and reporting the incident to the Cybersecurity and Infrastructure Security Agency? How will the agency document such incidents so that lessons learned and best practices can be applied in the future?

Once this framework is set, the final step is testing. While it might seem time-consuming and labor-intensive to test out the plan, this is the most important step because agencies will likely identify certain gaps and additional ways to mitigate potential risks.

Looking Forward

With the accelerated digital transformation of the past couple of years, city infrastructure must adapt to an environment in which fare management and collection no longer rely fully on physical coins. To make that transition succeed for both transit agencies and riders, public transport should adopt multifaceted security strategies that allow its digital systems to operate reliably. Keeping the above considerations in mind is the first step in the digital security journey public transport has already begun.
