#LTCtalks 2022 Dialogue 6: Cyber Security: How Technology Affects the Way We Move

#LTCtalks 2022 Dialogue 6: Cyber Security: How Technology Affects the Way We Move

Show Video

So   welcome,   thank you very much for being  here to our final dialogue of   the year. It's great to have you before we  get started. We'd like to play a short video   For more than a century, HNTB has connected  the people and places of Los Angeles. By   creating infrastructure as innovative  and diverse as those who call LA home,   we are bringing Angelinos together and expanding  opportunity. We are here to create the Los Angeles  

that's important to you to all of us. We have  been here in the past. We are here now and we   will continue to be here. With you as we work  together to build our community. Our home.   Thanks so much for that, Raffi. It's great  to have you again here and to see you all  

today and we'd like to thank Matt Bushman and the  whole team from HNTB for being such great sponsors   and really helping out. Well really creating  and really supporting this. This dialogue to   move forward which. I think it's become a really  important part of the Inland Empire conversation.   I'm as you see on the slide. I'm Kimberly  Collins. I'm the executive director of the Leonard   Transportation Center and to get us started,  I'd like to welcome the Dean of the Jack H Brown   College of Business and Public Administration  to say a few words. Dean Gomez Arias please.   good morning everyone. Thank you. Thank you for  being here. It's really a pleasure to see a group   of people and community leaders participating  in this dialogue that are really important.  

The future of the greater Los Angeles area  and the Inland Empire. as we think about   how we can create. Both successful and inclusive  communities and economies in in our region.   I want to thank everyone that there's has made  this possible, not only the speakers who have   taken time to be here with us and prepared for  it, and will share their expertise and their and   their vision. Thank you to the committee members  who planned everything and made sure we were all   here together. But also there are supporters.  Those of you and organizations that have made the   activities of the Learner Transportation Center  possible. Professor Collins mentioned HNTB, but  

also the San Bernardino and Ontario international  airports who have been our platinum sponsors   woodruffs, Spradlin and Smart. The Southern  California Association of Governments. And circle,   Gas and Metrolink have been our gold sponsors,  and there are also a number of silver sponsors.   I'm not going to go through the through the  whole list. You know who you are? Thank you   for your support. And I'm really looking forward  to the conversation. You don't want to listen to  

me. You want to listen to the experts. So  with that. Thank you all for being here and   looking forward to a great conversation. Thank you. Dean goes our eyes for those for   those welcoming words. Now I'd like to invite  Matt Bushman from HNTB to give us a few words.   Sure, thank you. Yeah, Matt bushman HITB. We're  a transportation engineering company nationwide,   but we have offices here in Ontario. We're  proud to support the Land Transportation   Center really from the inception, and also  just quite excited to hear what we have to   say today around cybersecurity. Thank you. All right, thank you so much Matt. Today we  

have a great program for you. We have 4 speakers  so a lot of speakers to go through and a lot of   experts to hear from. And we'll share in just a  moment the spark link to see the full program,   and Raffi if you could share that for  us on the chat, that would be great.   And so we'd like to start as well with a see now  the program there for today in the Adobe Express,   which we. Used to send. I'm just going to give  since we're talking about cybersecurity. We used   to send out with the emails and the confirmations  and such. You can't get a spark file through   anymore on emails and it's blocked from people's  emails so they don't get the registration. So  

now we can only really surprise provided here.  It's part of that cyber security and making sure   that malicious links don't go through. So it's a  piece we'd like to get started with the Zoom poll.   And our first zoom question for today is looking  specifically at the role of the federal government   in in the in the realm of cybersecurity and  transportation and so. And not surprising, you   know, many think about the role of setting rules,  regulations and guidelines that come from the   federal government. Also some well one spoke about  hands on assistance and support and then control   and monitoring of the system itself and then. And  other role. I don't know if you're interested in   sharing what the other role might be, but you can  share that in the chat. And we hope that this will  

be an engaging piece where folks can share  information and think about it and you know,   again, talk about it in an all around form. So our next question is what was the percent   increase in ransomware tax in the. Transportation  industry between 2020 and 2021. Not sure how many   of you are going to are going to know this  except for those who are. Just give it a   couple more. So we have an answer  that's fairly. Divided we have 20   percent, 24 percent, 24% and 32%. Well, those  who are in the 32% category. The 180 to 200%.  

Increase in ransomware attacks would be correct,  so the again, the threat that is out there is   becoming much more intense and serious and I  know any of you who really work in this field   know. And all of us who are on the other end sort  of the user side and how our institutions. We're   dealing with cybersecurity and ransomware now  know as we all have. These two steps you know,   log in and all kinds of different ways to protect  us. So with that I would like to invite our next   speaker up, Donald Louie, who is from Foothill  Transit, will be sharing today some of the things   that are happening. On the ground with our local  public transportation systems. So Donald please.   Good morning everyone. Thank you for  having me come in and speak today.   My talk is going to be from the perspective  of a transit agency regarding cybersecurity.  

If I could have my slide. OK, so. From the  perspective of cybersecurity professionals,   the Transit Research Board and the National  Academies. The risk of transit agencies to   cyberattacks is based on these facts, so this  is a report from the TRB having surveyed transit   agencies across the nation. Here they inventoried  most used technologies and transit operations   from buses, trains, access services. And search  for known vulnerabilities. Using what we call   red teams and cybersecurity for penetration  testing and then verifying attack methods.   And then test vulnerabilities where blue teams  are used to defend against the very attacks to   test the patches to make sure they are securing  the vulnerabilities that have been discovered.  

So from these activities throughout transit  agencies they've come up with these. For all   transit agencies on how to protect their inventory  of systems so as a result of this exercise they   provided industry sectors next generation  cybersecurity solutions. Next slide please.   I think you're ahead of me.  If can you go back, please.   OK, so. Public transit agencies are reporting  that there is a definite lack of funding.   Identifying a large variance in complexities  of their existing environments and the lack of   expertise about what is next generation. So  these approaches are substantial inhibitors  

to implementing. The solutions for  the cybersecurity issues. Next slide.   Thank you So what makes transit so complex? So  when you identify with transit, what do you have   in mind? For some of you maybe rail or train for  some bus buses and others maybe access services or   last mile modes such as Uber and Lyft. Some of  our transit agencies operate all of the above.   For the outsider. They see public transit as  a simple sector, basically running transit,   but we are much more and this is what  makes transit so difficult to secure.  

So we are also in the financial business where  we sell passes like traditional retail sales.   So we're like retail stores. We have mobile  ticketing so we're also e-commerce. We are   business on wheels that require us to secure our  transactions, so our fare collections on buses   are basically mobile ATM's. We're an auto repair  shop. We fix our own buses. And we have car washes   or bus washes and we clean our own vehicles. We  are in the marketing business and we also produce   materials for our riders and keep them informed.  So we run all of these additional businesses in   addition to transit for operating hundreds of  buses and trains and. The services we need to  

dispatch to all the customers we use what we call  intelligent transit systems, also known as ITS.   So for some agencies, we are  capable of tracking in real time,   and we can tell how many passengers  have boarded and alighted. We are   able to announce the next stop and track in  real time bus locations to our customers.  

And we're also able to manipulate the system  on the ITS to modify routes if there happens   to be a collision or there is construction, and  so all of this is done on the fly to run a daily   operations and the. Complexity is what makes cyber  security so difficult for transit agencies because   there's there needs to be experts in so many  different fields in addition to just transit.   Excuse me So these technologies are just to name  a few and to have a person with knowledge of all   these systems is highly unlikely to know every  single system and. How it operates? To ask the   subject matter expert on each of these and then  how to secure it or to change the policies to   make it more secure is very unlikely. So either  you have a person of knowledge on operations you   know how to operate, the software or equipment,  but to also know. Cyber security practices is very   difficult and to bring an outsider to  understand how to operate this equipment.  

How could you secure something you don't know  how it works? Is the challenge that we're all   facing. So outsiders, unless you tell them,  can't secure what you they don't know. And   if you don't know that that's a risk, then it's  hard to translate. So this is a. Huge challenge   for many transit agencies right now with. Get all  these recommendations. There's these solutions,   but what exactly? Are we trying? To resolve,  so this requires a cyber security specialist   who needs to learn these intricate systems  and even an A highly educated person in   cyber security or a third party brought in.  To secure System has a knowledge gap that he   or she needs to sit and learn before they  can begin to secure the next slide please.   So knowledge gaps identify is identified as  a result of lack of expertise concerning the   next generation approaches. Transit agencies  increasingly relying on 3rd party vendors.  

Resulting in guidance for procuring  services across transit agencies.   For these very complex environments,  for cyber security goods and services.   So in addition to the knowledge of  equipment, there is also a gap in   knowledge of how to procure cyber security  solutions. And how to vet these vendors?  

So the catch 22 moment here is procurement  needs to know the guidelines to hire third   party vendors. Because the guidance identified is  how to VET 3rd and 4th party suppliers, so many of   us do not look who their outsource suppliers are  and that. They also need to be vetted and that   probably right now is not being done which that  needs to be made aware to all transit agencies.  

That this lack of understanding need actionable  items as mentioned earlier. Do we need to have   cyber security for these projects in case things  don't go as planned and then the question is,   well, the insurance pay if the error is  on the agency side. Is a big question,   is that worth the investment? So a big knowledge  gap for transit agencies is the gap in employee   knowledge and skill set. Smaller agencies  do not have employees with knowledge in   cybersecurity skills and are unable to recruit,  hire, and retain them for a variety of reasons.  

So the question is which strategy should  they use? Should they outsource the task   or train the workforce or outsourcing again  leads to a procurement knowledge? And then   training introduces a new set of gaps. So should  transit agencies address cybersecurity skill gaps   by developing a transit specific guidance or a  new paradigm solution in what's happening today   is known as zero trust architectures moving  forward. They're managing the new workplace,   and the next generation of employees. Do we just  start from scratch? What exactly is a zero trust   model? I think we'll go to the next slide, please.  So a zero trust model is a security framework  

that requires all the users whether they are in  the inside or the outside of the organization's   network to be continuously authenticated  authorized. And validated for being granted   access to the network, applications and data. So  that basically means they're being authenticated.   Every five seconds rather than once, and then  they're in the network. And they do what they   like, so this is known as a zero trust. So one  of the most common tactics of a hacker used   uses is taking a user's credential that they  have compromised. Perhaps a weak password.   Once they are in the network, they're. First thing  they would try to do is change the credentials  

that they have to a admin user or a super  user within an application or in the network.   This will then allow them to manipulate and  change anything they like. So with a zero trust.   The minute a user tries to change their  credentials that would trigger a denied   and they would be locked out of the system, so  there's no need for all the monitoring there,   so that's a totally different design. You don't  need the experts, everything just gets turned   off in this particular type of model. That is a  new architecture that has been out for a while.  

It has not been the primary model yet, but. That  is, that is one of those suggestions from the TRB.   Improve visibility, So what else does  zero trust? Do it? The main objective   of zero trust is to allow the organization to  approve every user and every device every time   it accesses the network and the. Network is  requested. With a clear understanding of who,   why, and how this capability. Coupled with least  privilege allows the organization to maintain   strict oversight of a network users and devices  as well as their activities. Next slide, please.   So with the colonial pipeline and many  other organizations who have already   suffered through ransomware attacks, the  lessons learned is what we should take away.   With any first step on strategies is to identify  the risks. Many IT and security professionals  

are working hard to integrate cybersecurity  solutions that are mostly information technology.   And operational technology. So what we are termed  IT and OT. Many organizations started to implement   cybersecurity strategies. His primary focus was  on informational technology. IT is defined as a  

computer hardware and software used for creating,  managing, sharing and storing digital data.   This can be on premise or in the cloud  such as e-mail. As an example of it.   Most, if not all networks started as  an IT infrastructure as transit started   implementing IT into its operational functions,  it started to bring in old systems, which is.   Old analog systems such as train PLCS or  programmable logic controllers and then   introduce new vulnerabilities that were initially  unaware of. So as you bring in old technologies   that's bringing in. New vulnerabilities, so  this is what we call OT and since pipeline  

OT has been. Highlighted as something  that maybe has been overlooked as.   We know it's harder to control Analog  Devices, but if you want to communicate to it,   you're integrating it in. So OT is a technology,  hardware and software that is used for managing,   controlling and monitoring physical industrial  devices and machines. So very different than IT.   It is mostly used in physical industries like  electricity, water, oil, gas manufacturing and   more. So This is why IT has a hard time when  it comes to OT equipment because there isn't   much. The systems are very different, and  so bringing in more engineering than you   do it when it comes to securing OT is it's a.  Very different challenge. Next slide please.  

Oh, you're already on it, so  stay there. You can go back.   So at the end of this, what has been reported  as cyber threats in transit research by the TRB?   Potential transit systems. Cyber vulnerabilities  have been documented in operational systems,   control centers, signaling and telecommunication  networks, and back end systems of operators and   infrastructure providers. Shared systems  used by consultants and suppliers.   There are literatures for these vulnerabilities  found and known vulnerabilities for connected   vehicles, autonomous vehicles, electronic  ticketing systems, traffic signal controllers.  

Traffic signal priorities. Dynamic message signs  so. However, TRB has discovered that there is no   literature for Cat AVL's, which is a computer  aided dispatch. Automated vehicle locators,   online tripper planners, mobile  fare payments, onboard Wi-Fi, CCTV.   ABC, which is known as automated people counters.  There are no literatures. There is no knowledge of   them even being tested. And so it is reasonable to  believe and expect that security vulnerabilities  

do exist in these technologies and have  yet not been discovered. So the take away?   Is that people need to understand what secure  processes are, how their own work processes work,   where security gaps need to be addressed.  Agencies need to ensure they use an authentication   process for vendors payments, including  validations of vendors and backing accounts.  

Increase employee education and assistance  to departments as needed so staff can review   their own internal process to ensure that process  includes multi factor authentication and vetting   requests and use verified communication  methods beyond e-mail. Next slide please.   So to conclude, with every new technology.  That is introduced to the system.   In the cyber world, a zero Day is an  attack of an unknown vulnerability. It  

has never been discovered yet. So with that said,   it has been there from the very first day  you bought it, but not exploit it. So every   day has the potential to be a zero day.  Attack, thank you, that's all I have.  

Thanks so much for that, Donald. So it's great  to hear. Sort of this macro perspective from the   federal government and what's really happening at  on the ground with some of our transit agencies   and some of the. Is out there and I  think a lot of what you spoke just to you   know put my own two cents in as a as  a professor in public administration,   I think the risk that you're talking about are  the risks that a lot of local governments face   and that balance of the workforce with the  realities and the changing nature. And the  

resources. And the capacity to be able to deal  with a lot of these issues. So it's an interesting   piece that I hope our last speaker will work a  bit on. I think the author of that report that   you mentioned earlier Pat by. So We'll delve  into that. I hope further so our next. Before  

we launch onto our next speaker and hear a bit  from the private sector and what they're doing.   We'll have our next full question, so our  data security and privacy the same thing.   One of. Sort of softball questions out there so  they are not the same. They are interconnected.  

Privacy is users security and then all of  our above. So just take a minute here. To   think about these different pieces. For again,   we jump in. To our next speaker. We,  Joe. Alright, just a couple more seconds  

and we'll. And our poll. Share our results.  Just hold on. Share our results, sorry.   So they are not the same. They are interconnected  and then all of the above. So Ryan, maybe you can   share with us a little bit in your presentation  today. Ryan McNamara from Wejo, a data company   and I'll have you speak more. But really, thinking  about those pieces of privacy. Versus security.  

Thanks Kimberly and good morning everyone and I  do have a slide that will touch on it briefly.   But yeah, I'll cover that once I get to. It  so yeah, thanks for the opportunity to speak   today and to give everyone an insight into  what it is that that we do actually does.  

And then also the. The important role that my  team play and that so as you can see my name   is Ryan McNamara. I'm the head of security  operations at Wejo. And I'm based in the UK.   However, my team do provide a 24/7 service to Wejo  so if you could jump onto my first slide Raffi.  

You can skip that one as well, sorry.   OK, so we do. What is it that we do? So we are  a global leader in connected vehicle data and   we provide accurate and reliable insights from  vehicles that can ultimately help improve the   way that we travel. We organize billions of  data points from millions of connected cars.   And we do this using our partnership with global  automotive manufacturers to stream data at scale   and at speed. We then transform that data  and enhance it by turning it into meaningful   products that can help power innovations and  drive efficiencies and also innovate mobility.   And it's worth probably giving you some  quick examples of what that looks like. So  

in the first response data, so access details  on crash severities, vehicle resting positions   such as is it inverted, or is the vehicle in  a ditch. The vehicle type status, occupancy   and that information can all be fed then to  emergency services and 1st responders and the next   one is probably intelligent improvements. So using  Wejo road and traffic modelling to inform road and   intersection and. Movements and infrastructure  and construction and then probably the one   that infuriates everyone the most is Rd works and  closure planning, and doing them at optimal times.  

Whether it's going to have. The less impact. And  just in that in that diagram that you can see   in the screen, so privacy and security is at the  center of Wejo. We have a regulatory and security   wrapper that ensures that. Everything that is  private stays private. We hold several recognized   security certifications and these are these  are audited by our independent third parties   on a regular basis. I wouldn't go into that  that much detail just now because I do have a  

slide that that covers the certification, so I'll  get into it. In that and then just at the bottom,   I've got there that we stand for data for  good. The what does data for good mean? So   we create value so we create new revenue  streams, driving business efficiencies and   we can unlock opportunities for everybody.  We can improve safety, identifying incident  

and congestion hotspots to make the roads safer  for drivers riders. Passengers and communities.   And then enhancing sustainability. So to make  our cities more livable and improve efficiency   by predicting and also preventing buildup of  traffic and ultimately lowering emissions.   And then the last one is increasing  convenience so. Taking that that better  

personal transportation experience by helping. For  example, drivers find a parking spot more easily,   making EV charging more simpler  and reducing commute times overall.   Next, slide Raffi if you can't. So I thought  it probably just we were sharing some numbers   and again just this is the volume of data  that that we chose currently handling.   And as you can see, the illustration of  the car on the left hand side of the side,   and there's multiple sensors in the car  that that we're collecting information from   and. From our multi OEM data supply platform, we  invest 18.6 billion data points. Per day as of  

the 1st of September, we had actually ingested  more than 18.4 trillion data points covering 4   continents with roughly 13.7 million vehicles on  platform. Next, slide and this is just an example   of one of our products that I'd mentioned so.  It's a data visualization tool known as Widow   Studio and this can provide immediate insights.  Leveraging the Weija adept platform which is  

collecting all of that data. New analytics are  delivered on a regular basis to Visual Studio and   there's a few other products that are that are in  the pipeline for that as well. Next, slide Raffi   OK, so just probably firstly before I go into  to security operations, which is mainly my bag,   it's probably worth just giving a bit of  background as into the department because   we are part of a bigger team. Within information  security our vision is that we do remain safe,   secure and resilient and we do this in a  combination of people, processes and technologies.  

We work on our strong security culture that we. Do  and we support all of our colleagues and customers   for parties vendors to make sure that we're all  security aware. We always take an intelligence   LED and risk based approach to security. We  go against all internal and external threats.   So as I said, information security is probably  split up into two security operations, which is,   which is my area. We've got kind of three  main focuses, 1 being security engineering,  

instant response, and our security operations,  and then a project consultancy and. And that's   really just to ensure that. All the operational  elements of our security strategy are delivered,   but again, I'll come on to that in  a bit more detail on the next. Slide   security governance. So this is  information security governance  

team are responsible for a number of risk  policy and ISS framework related activities.   So that is that includes our kind of. Or  managing of our third party risk framework   so any new or existing supplier base they'll  have due diligence conducted on them to ensure   that they have appropriate security controls.  If they are managing any of the legal data.   Managing our ISMS and ISO accreditation so that  really entails ensuring that all the security   processes and practices are governed in line with  our ISO standard and it makes life a bit easier   when it comes down to auditing time as well. That  we've got all of these artifacts. Available to the   orders. The Manager policy framework so not just  ensuring the fact that we have the right policies   and processes in place and they make sure that  they're reviewed and updated on a regular basis,   and probably the most important part of all of  that is making sure that it's communicated to   all staff that we do and everyone's got an  understanding of. What these processes and  

policies look like? And finally, risk management  and reporting. So this is just looking at managing   our risk profile by identifying any key risks  and controls that are in place that we. So   ensuring that any actions that are outstanding  to remediate any weak areas of control   are completed as well as reported  to our Board Risk Committee.   Just, uh, you've already got that up, so I've  kind of split this bottom section into two   and hopefully this answers your question.  Kimberly, about the different or information   security versus privacy, or it always hopefully  touch on it so. We Joe as two separate teams.  

Let's say we are. We do have this regulatory and  security wrapper that is around all things we do   and it is really important that information  security have a close working relationship   with our privacy colleagues and I think  probably for me within security. Our goal   is to. Provide protection for all types of data  and information we look at protecting the full.   What privacy if we got focus on the protection  of sensitive information related to individuals   and organizations? So I think that they both have  their place and they both focus in in in different   areas, but they do need to work together. As I  say, we, we have regular contact with our privacy,   privacy colleagues and. I've always been of  the view and I don't know how controversial   it actually is, but the security can always be  achieved without privacy, but privacy can't be   achieved without security. The two of them do  need to work hand in hand, but they are separate.  

So hopefully that answers your question, or at  least my opinion of that question because I know   it's quite a. It's quite an interesting one in  terms of certification, so I'm not going to read   out all the certifications, but we have obtained  these certifications listed in that box as part   of our commitment to ensure that all of the data  that we have. That we hold is done so securely.   Probably the big one in there is our ISO 27,000  and one, and that's a free year certification that   we're pretty much in the middle of just now, so we  are going through regular surveillance audit. That   is all progressing well. And that is me for that  slide Raffi. If you could jump to the next one.   OK, so security operations as I say is my main  focus and this slide is. Just really just to cover  

the three main areas that my team's responsible  for. So operations and incident response. So as I   said at the beginning, our security operations  team, they're 24 by 7 and they're proactively   monitoring the Wejo environment. We consume  information from all of our endpoints, our network   environment, and our cloud environments. We're  a big a big consumer of threat intelligence, so   we consume that threat. Intelligence from  government agencies, security researchers and  

security vendors. We have artificial intelligence  products in place that that look across our   environment and the sock is really essential to  ensuring that we maintain compliance. Against   all these standards and best practices that are  laid out in things like our ISO 27,000 and one, so   a very important part of what we do. Security  engineering, so the responsibilities there are   looking at how we can introduce new security  solutions so cyber security is ever changing   and there is a big focus on. I mean, we,  we're not always a fan of you, just flinging   technology at it, but there is a time where new  technology needs to be implemented, and that's   where the security engineering team sit and they  would look at introducing these new solutions,   making sure that these solutions have Road maps,  and so they're continually being. Developed and  

the team also assist with instant response  activity, so anything that happens in that   incident response world, the security engineering  team tend to be involved because a lot of the   containment or eradication activities can all sit  within that kind of security engineering space.   And another part that that that that team also  focuses on is vulnerability management and also   the education of staff so. Again, as threats  continue to change and the more that Wejo see   to themselves, we what we want to make sure that  our staff are properly equipped with all the right   training and education. So that's a big focus for  us as well. And the last one in the team. And I   think this is probably one of the most important  factors, and especially in a company that is   continually innovating, continually changing  working on new products and projects on a regular   basis. our project consultancy team makes sure  that security is in there from the very beginning,   so they're involved in risk assessments. They'll  have a look at the designs they'll define the   security. Requirements and make sure that they  comply with all of our standards and policies.  

And that's me for that slide and probably  just onto my last one, Raffi. If you could.   Case that I think there's some similar themes  to the previous speakers as well, so again,   this isn't just a my view from Wejo, this is just  my view in general about what the challenges are.   Then what we do we do to try and counteract  them? As I say, these top five cyber threats   in my opinion are not just limited to. Automotive  or tech or transport these across all industries   and malware and ransomware. It's top of the  list and it's top of the list for good reason.   I think this is the one that. Always seems to  be one that hits the headlines the majority   of the time. And the statistics for this year  are probably the ones that strike me the most,  

and I think it was predicted that we would  see one ransomware attack every 11 seconds,   and ransomware creators are now raking in up  to a billion dollars. Per year, it's not a bad   business. UM? Fishing, so again, I think the FBI  had released a statistic that they expected that   this would increase by as much as 400% year on  year. And for me, I think that's purely down   to the high success rates of such attacks. The  the numbers ridiculously high for it. I think   it's 90 odd percent of data breaches occurred  now are off the back of a phishing attack,   which just shows how successful that actually  is. And for me there is no, there's no silver  

bullet. With fishing, there's no one tool that  will be able to stop it. A lot of it. Comes down   to. To end user and end user education. So we  put a lot of focus and educating our users on   what they can do and if they're not. If they're  not sure they at least reach out to us first.   And I'll probably just skim over some of  the other ones so denial of service that   that was also mentioned earlier on, UM, Internet  of Things. Attacks for me is is one that is going  

to start rearing its head more and more often, and  I think specifically in the connected car world.   There car network architectures are becoming  more sophisticated, with enhancements being   made to vehicle to vehicle communications and  vehicle to everything communications that this   is definitely going to be an area where I  think we'll. Start to see a lot of noise.   And the last one on there.  Is third party breaches.   Personally, this is the one that concerns me the  most. It's the one that you have least. Roll over   and our governance team do a really good job  of carrying out due diligence on our supply   chain and ensuring that appropriate  security controls are all in place.   But for me the monitoring of our customers,  suppliers and for parties is still critical   because that at times can also be one of your  weakest links. And just finish off of you know how  

we draw or how we as a team we try to respond to  these threats so. We've aligned ourselves to the   NIST four step process for instant response and  purely because this that process really emphasizes   that instant response activity doesn't just start  when an incident is detected and end once you've   recovered, it's that full process of and without  going into them all individually. It's that having   that preparation so all of these activities like  these assessments and pen tests and vulnerability   management, your red teams, your both teams.  All these exercises are all done in advance of   anything taking place. You don't do it after. Fact  detection analysis, containment and eradication,  

and recovery, and then that post instant activity  and really making sure that you're learning your   lessons. And I think from some of the big  breaches that are that are hitting the news   more often. I think it's becoming more and more  apparent that that people aren't learning their   lessons. And they're being stung twice, so it's  really important for us that any post incidents   that we. Have that activity needs to take  place and we make sure that we remediate them.  

And probably my last message before I don't  know how I'm doing for time, but if I've kind   of whizzed through that, but probably my last one  was just obviously the cyber attack landscape is   ever changing scams or are becoming more  and more sophisticated than ever before?   And I think that would probably be. People in in  my position across all industries would also see   that it's becoming very repeatable. There's  lots happening, there's lots of noise, and   unfortunately it's not go the other way. It's only  going to get busier and louder. So and that's me.  

Thank you so much Ryan for  joining us. And for those,   those insights in how the system  is working from another perspective   and again. It's these complexities and the  difficulties in working across sectors. It's a   very interesting process that I think we're living  through today. And I'd like again to delve more   into that as well. So how do we really? How do  we? How do? We really make sure that. How we shift   in this transitional space that we're in and all  of these changes that are occurring and thinking   about all of how organizations and the silos?  It's an interesting piece, just. Again, some   initial thoughts, so I'd. Like to before. We go  to our last speaker, have our last poll question  

to get us thinking about. Moving forward in the  next 5 years as Brian just shared and I think   we heard from Donald as well how the system's  changing how it's coming so quickly? So what   do you think? Are the two top issues facing  the transportation cybersecurity industry in   the next five years one? Being accessed to the  workforce employees new technologies threats,   data breaches. Just government regulations and  then lack of public awareness. And then finally   all of the above. So again our softball question  out there for you. Not a scientific measure but.  

Something for us to think about. Keep  the poll open just for another few   seconds and then we will close it out.  And go to our last speaker of the day.   OK, in the pool now. So of course all of the  above. There is a lack of public awareness for  

sure. Government regulations and some of the  issues that come with that the new technology,   threats and data breaches and then access  to the workforce employees and as some of   my colleagues in the Jack H Brown College  and our cybersecurity center are really   working to help with that as well. So let  me just invite our. Last speaker to come up.   Patricia bye or Pat Bye is an independent  consultant and has worked with TRB on a number   of issues and has written that report that Donald  discussed earlier regarding. Cybersecurity in the   transit and I think Pat's going to provide a bit  more insight into that study. So pat, please.   Thank you, my name is Pat Bye. I was  just said and I want to briefly go  

over the current and future state of  cybersecurity in transportation that   was based on that recent research that  was published in late January of 2022   Raffi. If I could have. My slides please.  Thank you and you can go on to. The next one.   My objective today is to provide an  overview of the state of cybersecurity   and transportation today, and also  a summary of the future trends   that we found which include those cyber  workforce challenges. Next slide, please.   Is this image show of the transportation  system? Shows cyber vulnerabilities   are everywhere? A highway system is very  similar with vulnerabilities everywhere too.   This image does not include the physical  opportunities for manipulation or destruction   that may include manipulating. Infrared or laser  signaling devices jamming Wi-Fi signals, or even   physically damaging critical communications.  Cabling nodes in power systems. Next slide please.   And there are more because of their complexity and  known vulnerabilities and related technologies.  

It's reasonable to expect that cyber  vulnerabilities exist in other systems as   well. The vulnerabilities in autonomous vehicles  have been widely demonstrated. Next slide, please.   The pie chart on the left shows the distribution  of various perpetrators of cyber incidents,   which range as the previous speaker mentioned  from agency insiders to hackers and hacktivists   on the cyber criminals and nation state actors,  the. Motive for cyber attacks in recent years   has primarily become financial as opposed  to espionage and other motives as shown on   the chart and right on the right from the Verizon  data Breach Investigations report. Transportation   systems has been a problem for some time. In 2014,  the American Public Transportation Association   or APTA said it was one of the most. Common cyber  security incidences threatening transit agencies.   As mentioned earlier, that has increased from  180 to 200% from 2020 to 2021. Over time,  

ransomware attacks have evolved from random  speculative attacks on a large number of potential   victims to highly targeted attacks that demand  larger payouts from a single victim. In addition,   ransomware has added a new level of extortion,  stealing sensitive information from the victims   and threatening to publicize or sell that data.  If the ransoms are not paid recently, attackers   have been increasingly using certain tactics  such as deleting system backups. That make the.   That make restoration and recovery more difficult.   Ransomware targets are now carefully selected  on the basis of their ability to pay,   and their reliance on the data encrypted  and the wider impact an attack would have.   Critical infrastructure providers are  targeted because their services are   essential. Making them likely to pay ransoms  or fear public exposure. Next slide, please.  

Ransomware tax cost an average of $4.62 million,  which is more expensive than the average data   breach. These costs do not include the cost of the  ransom. Full cost include the cost of detection   and escalation. Those are the costs to identify  the incident and then to begin to respond.   It also doesn't include lost business, which  could be the disruptive disruption of service   or any of the loss of Fair payment systems or  even reputational loss. It doesn't include the   cost of notification notifying employees,  customers, regulars, regulators. And third   parties of the data breach, and it doesn't include  all of those costs after the response. These are  

the activities associated. Is it with any of the  legal ramifications or compensation such as credit   monitoring services for victims or legal expenses,  and should there be regulatory fines any of those?   The average ransom in state and local government  entities was $214,000, but I should note that   34% of those who paid the ransom still could  not recover their data. Next slide, please.   There are expert resources and guidance for both  IT and operational control systems from a variety   of sources from federal government international  organizations and transportation specific   entities. NIST from the federal government has  been providing cybersecurity information for 50   years. In addition to a cyber security framework  that was established relatively recently, and this   provides standards, recommended practices, alerts  and mitigations for specific vulnerability.  

Other national and other international entities  providing guidance include the Organization   for Standardization or ISO, the Information  systems, audit and Control Association or ISA,   CA, and control objectives. For information and  related technology or COVID. Next slide, please.   As the state transportation agency put. It one  of the most difficult parts of the process was   understanding how recommended cybersecurity  and countermeasures guidance documents,   such as those from Nest applied  to a transportation agency.  

There is a limited amount of up-to-date.  Specific cybersecurity guidance available   for transportation agencies, particularly  as it relates to operational technology   has produced recommended practices. These  recommended practices, established considerations   for transit agencies in developing cybersecurity  strategies, and it provides practices and   standards that address vulnerability assessment  and mitigation system resiliency. And redundancy   and disaster recovery. Most recently the after  control and communications security work. Working   group has issued an operational technology  cybersecurity framework. Along with that  

working group, APTA also has an IT enterprise  Technology Working group. Next slide, please.   Additional transportation guidance is  available from the Transportation Research   Board Transit Cooperative Research program,  which recently published the Synthesis Report.   The information the information from which  I'm share. Today, together with the National   Cooperative Highway Research Program, Joint  Cybersecurity reports were published on the   protection from cyber attacks and an update to a  Security 101 guide that includes cybersecurity.  

That these guides include sections on  cybersecurity risk management, risk assessment,   and asset evaluation, cybersecurity plans  and strategies, countermeasures, training,   and building a culture of cybersecurity. Next  slide please. DHS has issued a transportation   system sector cybersecurity framework  implementation guidance in 2015 with the goal of   assisting transportation agencies in implementing  the NIST framework. More recently, the agency   has issued a service surface transportation  cybersecurity resource. Tool care for small   and mid sized organizations and they maintain  a stop ransomware website. Next slide, please.   Now I'd like to discuss the cybersecurity  trends we found and the emerging cybersecurity   practices that have not yet been widely  disseminated by transportation organizations,   but are of growing importance now and over  the near term first. Existing cybersecurity   approaches and practices are no longer adequate.  New vulnerabilities are identified continuously  

and cyber actors are constantly learning,  adapting and developing new approaches.   Secondly, next generation cybersecurity  approaches are being introduced.   In it, along with industry, the federal government  has become even more active, active in supporting   and establishing these practices. And there  are still substantial challenges due to   lack of funding. The complexity of existing  environments, including legacy systems and   the lack of cybersecurity workforce. Expertise  for transportation agencies. Next slide please.   The first emerging trend I'd like to talk about is  cyber resilience. There is no standard definition  

of cyber resilience that has been universally  adopted. This defines cyber resilience with   an emphasis on preserving or restoring agency  operations system functionality. In customer   services, this is in contrast to cybersecurity,  which is focused on protecting digital assets   from unauthorized access, exploitation, damage,  or loss. Cyber resilience is not something that   can be made or purchased. Instead it's a  consequence of political, strategic, and  

operational decisions that are reflected in agency  business policies, plans, processes and workflows.   Senior leadership. Needs to establish and  promote the core values associated with   cyber resilience in formal, such as training  and informal, such as on the job settings.  

The starting point for cyber resilience planning  is to assume that cyber incidents will occur   and they could degrade, disable, or destroy not  only the digital assets of the transportation   system, but parts of the physical infrastructure  as well techniques. The suggested practices for   improving cyber resilience range from formal  engineering approaches as outlined in NIST   gut documents to more informal multi step  processes. Next slide please. A previous   speaker talked about cyber insurance. Cyber  insurance is a rapidly growing sector of the   insurance industry. A 2020 study found that 72%  of transit agencies had cyber insurance already.  

Concerns about the risks being underwritten are  growing, however, particularly given the sharp   increase in the number and severity of cyber  breaches. Notice noticeably, the increase in   ransomware and also the increased risk associated  with remote computing. Such as increases in work   from home situations. As a result, finding  and negotiating deals is taking longer.   Insurers have less capacity and are providing  more restrictive coverages with lower caps.  

Deductibles are increasing, premiums are rising  steeply in some cases 100% year over year,   and many new policies are now excluding  ransomware. Next slide, please.   As the previous speaker mentioned,  cyber insurance underwriters are   taking a much more aggressive posture in  auditing agencies for minimal standards,   including the adoption of the NIST Cyber security  framework. The use of multi factor authentication   segregated backups and documented.  Incident response plans. Weak adoption   of these practices may result in restricted  or even canceled coverage. Next slide please.   Not too long ago it was much easier to make the  distinct distinction between network insiders and   outsiders in their various perimeter based  cybersecurity approaches were deployed to   keep outsiders out and to give insiders  maximum access to enterprise resources.   However, one of the unexpected unanticipated  results of the recent proliferation of networks,   cloud based services, remote offices and workers  using a variety of bring your own devices.  

Has has been the total erosion of the concept of  the enterprise network perimeter. In response to   this new environment, an alternative cybersecurity  model called zero trust has been evolving over the   past three years. A previous speaker has discussed  this earlier, so I'll be brief here. As the name   implies, zero trust approaches assume that  all environments. Are inherently risky,   and that potential attackers can be present  anywhere. Further, zero trust approaches generally   do not make the distinction between enterprise  and non enterprise environments. The computing   environment as a whole is continuously monitored  and adaptively protected. 0 based cybersecurity  

does away with implicit. Trust relationships  based on network location and replaces them   with explicit transaction based evaluations and  dynamic access to specific and limited resources.   Trust nothing, verify everything is the  zero trust mantra. Next slide please.   Let me talk briefly about the  findings of the 2021 San Jose   State Mineta Transportation Institute  Survey on Transit Agency security.   Just over 80% of agencies that responded to  the survey believe that they're prepared to   manage and defend against cybersecurity. And yet  only 60% have a cybersecurity program in place.  

Most transit agencies do not have many of the  basic policies and procedures in place to respond   in the event of an incident. 42% don't have an  incident response plan. And of those that have   one over half have not had a drill in it over a  year. 36% do not have a disaster recovery plan.   53% do not have a continuity in operations plan.  73% feel they have access to information that   helps them implement their cybersecurity  preparedness program. Yet only 43% do   not believe that they have the resources  necessary for cybersecurity preparedness.  

Overall, the study found that cybersecurity  is not a priority in many transit agencies,   as evidenced by the lack of investment or  additional staffing. Next slide, please.   The survey found that cyber security staffing  levels are low relative to other industries   and that the headcount dedicated to cyber security  does not correlate with either agency size or with   whether the agency reported having suffered  an incident. Many transit agencies have yet   to define the roles and responsibilities and the  necessary knowledge, skills and experience for   many of the cybersecurity jobs. Of those that do  have cyber security staff. Transit agencies do not   have employees with the requisite cybersecurity  skills. Only 38 of the 90 survey respondents have  

certified cybersecurity specialists on staff.  And there is no consensus within the industry   on which certifications to require among  potential new hires. Next slide, please.   In terms of cybersecurity skills,  disparate, institutional, cultural,   and organizational domains collide. Cybersecurity  is generally the responsibility of IT personnel.  

Control systems are usually the responsibility of  engineering and operations personnel. Implementing   cyber security for transportation requires having  a good understanding of security and the control   systems and the operational environments  as Donald from Foothill Transit mentioned.   Add to that the fact that transportation agencies  are increasingly unable to recruit on board and   retain cybersecurity. Staff competition  for competent cyber staff is global and it   encompasses all sectors. A2021 cyber seek study  indicates that there are over 450,000 total  

cybersecurity job openings in the United States.  Over 36,000 of which are in the public sector.   Making the situation worse  is the relative inability   of public agencies to offer industry  competitive salaries and more desirable   working conditions such as more work from  home opportunities. Next slide, please.   Given that, what can be done? Well, there  are existing resources that can help.   From SISA has mentioned that SISA  has resources and staff available.   Even a small cyber insurance policy provides  access to pre and post incident resource networks.  

These resources may include cybersecurity  disaster recovery, business and business   continuity experts, plus legal and communication  specialists and other hard to find skill sets.   This strategy has been successfully adopted  by many small and mid sized organization.   Some agencies are outsourcing these  responsibilities, sometimes to former agency   employees now employed by the agency's business  partner. Transitioning employees into vendor   contractor staff could result in significant  cost savings to the agency while enhancing the   vendors understanding. Of the agencies needs,  processes and culture. Transportation agencies  

are also exploring the use of apprenticeships,  internships, scholarships and other initiatives   to increase the number of eligible applicants  for in-house positions. Next slide, please.   So given all that I've just presented, I'd  like to leave you with some questions to   concern. Center first how do we transition  all of the legacy systems that are in place?   Those without the security we need now and with  limited ability to be modified to be more secure.  

Next, since today's cyber environment is a complex  amalgam of in-house, commercial and open source   software running on a variety of platforms and  devices and accessible to employees on site and   off site, along with a variety of legitimate  outsiders, including. Vendors, contractors and   subcontractors. How do we address? These remote  workers and their consultants. Third party cyber   risk has increased significantly, particularly  in the case of multi tier supply chains.   So how do we vet third party systems and software?  And finally, how do we find cybersecurity staff   with the transportation agencies increasingly  limited budgets and resources? Next slide, please.   Thank you for giving me this  time to provide a summary of   the work I've done recently. You'll  find my contact information and the   link for where you can obtain that  transit cyber security synthesis.  

Thank you so much, Pat. That was great, Ralphie,  I'd actually like if you could go back to Pats   questions. So those are some of the many of the  questions that I actually have for our speakers,   and maybe we can. We can move into those  questions, but first before we do that,  

I'd like to open it up to anyone in the room.  If you have any, any questions for our speakers.   And you can either put it. In the chat,  or you're welcome to. To ask directly.   OK, well then I'm going to start us off and  I think this goes into a bit of what Pat was   putting there. Considering the complexity  of the systems that we live in today and I   speak about this, so a lot in my in my classes  that I teach as well. So really thinking about.   How do we transition? How do we? Move  forward and. That's part of what the   hope and the goals of these dialogues are  is to bring experts. To the room so that  

we can think about the multitude of issues  that we're facing as a as a global society.   And then, how do we address these Issues, so I'd  like to open up to all of our speakers. Ryan,   Pat and Donald. How do we? How do we? How do we  really transition and? And I think you've touched  

partly upon it, but how do we make sure that we're  not working in silos? Because that's another issue   that happens. In many organizations, and  just, you know, a couple conversations.   Thinking about the transition to EV's. And  how do we get regional planning? How do we   have the people crossing the silos? Also, you  know, and I think Ryan brought this forward or   thinking about the autonomous vehicles or PAT, you  know, on the autonomous vehicles and entering. And   there was a very interesting article in Slate  magazine last week about autonomous vehicles   around San Francisco, and just not so much. Where  there weren't so much cybersecurity attacks,   but just disrupting the transportation network.  So it's an interesting piece from December 8th.  

If you haven't seen this article. Translate, but  you know how do we deal with these transitional   environments that we're living in and really make  sure that you know we're providing the security   and the safety because going back to the initial  and this will be sort of my last piece and then   I'll open it up to our speakers, but going back  to our, you know the initial kind of idea of   the social contract. Between government  and society is that security and safety   to make sure that our communities are safe and  now the threats. Seems so much larger and wider  

and ever changing it's a Yeah it's a complex  environment, just let me just repeat myself so   any thoughts on this idea of silos? Working  across and the complexity of the environm

2023-02-06 21:37

Show Video

Other news