Amid digitization of public infrastructure, cybersecurity is increasingly a challenge
The digitization of public infrastructure is a double-edged sword: While technology can streamline workflows and make systems run more efficiently, it’s also vulnerable to digital threats.
“The integration of new technologies into the public transit industry has resulted in improved service offerings to customers. But while these new services provide important information and conveniences to transit customers, they may also provide access points for nefarious actors who want to disrupt or cripple operations,” reads a new report from the Mineta Transportation Institute at San José State University titled “Aligning the Transit Industry and their Vendors in the Face of Increasing Cyber Risk: Recommendations for Identifying and Addressing Cybersecurity Challenges.” While the federal government has moved to strengthen the nation’s cyber defenses, the document highlights “a growing urgency for expanded regulatory guidance and directives regarding cybersecurity for U.S. critical infrastructure, including public transit.”
More focus is needed because of the evolving threat. When everyone suddenly started working from home at the start of the pandemic, cybercriminals adapted. Instead of focusing their efforts on large corporations, they began slipping into systems via unsuspecting end users who unwittingly followed a dangerous link or didn’t secure their own systems well enough, according to Chris Hills, chief security strategist at BeyondTrust, a Georgia-based cybersecurity business.
“The pandemic really caused what we referred to as the big bang,” Hills said, noting cybercriminals are “not dumb, but they are lazy: they’re going to take the pass of least resistance.”
As an increasing number of communities move toward digitization by linking legacy operating systems to the cloud, educating employees on the importance of maintaining digital hygiene is more important than ever.
“It boils down to zero trust,” Hills said, highlighting the vulnerabilities that exist on some legacy systems. “All of us know that there’s a server, a Windows 2000 server sitting in a back room somewhere that everyone is deathly afraid to pull the plug on.”
To protect these existing systems, Hills said IT professionals should encapsulate vulnerabilities through a zero trust framework—one that continuously requires all users to be authenticated.
Creating a comprehensive digitization plan to address emerging threats is another important element because it informs decisions across the organization.
“The adoption of a risk strategy inclusive of cyber threats enables an agency to articulate its expectations for vendors—what a potential vendor needs to have in place in terms of security, how the organizations’ respective risk programs can complement one another, and what gaps may exist that need to be addressed before contracts are signed,” the transportation report says.
But as administrators move to address the vulnerabilities in their communities, they’re facing another big challenge: there isn’t enough talent to fill positions.
Technology is outpacing talent, according to Hills. And it’s not a problem that’s going to see a resolution anytime soon.
“I think we’re going to see this problem continue for some time,” Hills said, predicting that automation and artificial intelligence will fill gaps. “I absolutely believe we are on a path that the AI aspect of doing human tasks,” such as searching for anomalies or reviewing data.
Among the recommendations put forward in the transit report, analysts recommended that agencies integrate their cyber risk management program with their existing physical security program. Organizations should also identify and evaluate software and hardware, the report says. Notably, while it’s directed at transit agencies, the same principals can be applied to all public organizations.
“In the last few years, cyber-attacks on transportation have increased, and transit agencies, along with every other sector of the economy have become a target for nefarious actors seeking to disrupt operations, be it for personal or political gain,” the report says. “The avenues to exploit this vital infrastructure will continue to evolve along with the technology that enables the industry to meet its core operations and customer demands.”