UITP 2017: Cybersecurity for Public Transport - How to Protect Our Systems
At the UITP Global Public Transport Summit, which took place in Montréal May 15-17, 2017 a workshop session spotlighted cybersecurity and how to prevent breaches or hacking.
"We now live in the world of IT and cyber and it's anonymous. When you click send do you know where it goes or what country it is in?" asked Chairperson Paul Gwynn, managing director, INIT Asia Pacific Pte Ltd. Gwynn stressed how important it is how transit companies and agencies keep data private. "If you work in a very large organization, and you've got a maintenance man coming around do you give them a key? I'm guessing many of you do."
Gwynn said that in instances of cybersecurity it is important to keep these keys only within the organization.
Roni Zehavi, CEO, Cyberspark related cybersecurity to how much people know about healthcare. "It's about how much we eat, exercise and none of us have studied medicine. Let's relate that to cybersecurity, very few people understand what it is about. When you think about modern society everything's is connected. We need to understand something about it, not everyone understands what it is about. They have to be able to conduct an educational conversation. They need to protect their system to 95 percent."
Zehavi said that in cybersecurity there is no 100 percent. "There is really nothing new about cybersecurity, just how you do it. There is something that is new, if you look at all the cyberattacks you can divide them into three categories. Third is the most dangerous is data manipulation, and that was not there before, it is my ability to manipulate the data in a way that no one understands."
According to Zehavi cybersecurity is about knowledge. "How do you base everything on reference scenarios and make a whole list of everything that could happen and train your entire personal? We need to find a way to check that the systems if systems is really resilient."
The need for cybersecurity
Stephan Liedl, project manager and head of Metro/light rail inspection body, TÜV SÜD RAIL GmbH asked, "Why do you need cybersecurity? There is a growing interest in hacking transit systems. When cybersecurity is compromised it may have negative impact on the riders and staff and it may have a negative impact in service timing."
In determining how severe the level of cybersecurity needed there are a number of different factors that need to be considered.
"There is a standard that defines risk analysis. First you need to identify what type of system it is that you are talking about and it clearly needs to be defined what is out of the system. The second step is to determine what threats there are to the system," explained Liedl. "The threats then need to be identified to determine how serious they are and how the response works."
Steps in risk analysis:
- Structure analysis of target system: is the model complete and accurate?
- Threat identification: have all the relevant threats been considered?
- Risk analysis: estimation of damages and likelihoods
- Risk treatment: derivation of relevant countermeasures
- Verify/validate: have oil countermeasures been tested and verified?
"People who are not allowed to get into the system, but get into the system internally," said Liedl. "You can see where in this architecture is being accessed."
Liedl explained that a risk matrix can be a general approach to calculating what a threat is, how serious the threat is, defining who is accessing it and how easy it is for the hacker to access the information.
"Risk mitigation measures can be defined and finally it needs to be verified," said Liedl. "It is really a mandatory approach to do with risk analysis. You need to define security measures and ensure that the system is safe and operating."
Protecting fare collection
Shashi Verma, chief technology officer and director of customer experience, Transport for London explained that the fare collection system is where TfL earns its money. "Keeping it safe has been an important part of my job for a very long time."
Verma explained that since TfL was founded, the agencies key focus has changed. "Fundamentally we're worried about people stealing our money, we don't want people to have our data," said Verma. "There are clear dividing lines to what we aggressively detail and there are things that we want to keep private. The other thing is our distribution of our operations. Our mission is to keep the city moving."
Even without an agency announcing its fare collection methods, they can still slip into the wrong hands.
"Clearly there are malicious players. They are doing it to try and gain money or controls over you. The way you deal with malicious operators," said Verma, but outside hackers shouldn't necessarily be an agencies focus. "The biggest threat is insiders, the most dangerous person that you can have in your house is the person who is going behind you."
Malicious players create issues such as money theft, disruption of operations and data theft. TfL continues to develop as the IT world does. Verma said that agencies need to be careful with how data is being used and where it is broadcast.
Verma added that it comes down to an agency having a single approach. "We do try to create a single approach to under all of our ideas. It starts with people, you really need people who know where the problem is and how to adjust it."
Fare collection is changing as agencies move towards eliminating money and moving towards contactless and fare collection technology.
François Baylot, head of mobile ticketing, Thales Communications & Security SAS, said, "There has been a change moving from traditional contactless cards, where most of the security was focused in the cards. Now we have a series of cities that are moving more to online and the internet with a diversification of fare systems. That's why there are a number of measures that need to be considered."
Baylot said that when looking at regular security, you take it from a national standard. "Network and IT is where cybersecurities are the most focused. Then you have identification and privacy rules and then you have open payment methods. It depends on the country that you are in and the banking standards."
Newer forms of technology and methods are making cybersecurity a continually developing area.
"The threats that you see are becoming more and more sophisticated. We’ve been trying to push more methods for cyber security," explained Baylot. "In the end it is really about trust. Whenever that the company ends up being attacked that needs to be addressed so trust continues with the shareholders."
Baylot said there is a lot of data communication between the technology and the station, and proper management can start within the agency itself.
"The first tip to managing cybersecurity is having s standardized security process, it is very important to train your staff. The second is security by design. For communication always communication to cloud end-point security," said Baylot.