Cybersecurity in Transit Systems (2022)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

7   Literature Review This chapter summarizes key findings concerning cybersecurity trends, threats, incidents, mitigation strategies, and countermeasures from previously published research, from official sources, and from contemporary news accounts. The chapter also includes multiple case examples illustrating these findings. Sources of Information The study team conducted a focused search and review of recent domestic and international research on transit cybersecurity with areas of particular focus on the cybersecurity of emerging operational technology such as teleworking/remote worker offices, contactless customer services, real-time service information, and transit-on-demand services, as well as cyber resilience practices of transit and other relevant transportation modes (aviation, rail). In addition, the team looked at infrastructure sectors with similar dependence on operational technology or SCADA systems, such as energy, manufacturing, chemical, and water, that are applicable to U.S. and Canadian transit systems. The analysis of the material reviewed considered the applicability, conclusiveness, and useful- ness of the information. As part of this literature review, the current practices of transit agencies in addressing cybersecurity and recent cyber incidents were collected and reviewed using available information. Sources for the literature review include Google, Google Scholar, and the Transportation Research Integrated Database (TRID)—composed of the Transportation Research Information Services (TRIS) Database and the Organization for Economic Cooperation and Development’s Joint Transport Research Centre’s International Transport Research Documentation (ITRD) Database—as the initial search engines for the online search of relevant research and resources. The team also searched specific databases and sources such as the FTA National Transit Data- base. The team looked at both U.S. and non-U.S. results in the information-gathering phase of research. Transportation-specific sources included the published research reports from the NCHRP and TCRP programs; FHWA, FTA, Volpe National Transportation Systems Center, and other federal agencies; and ITS America, AASHTO, APTA, and other transportation-related organizations. The team also searched specific databases and sources such as the National Laboratory research (e.g., Sandia National Laboratories, Idaho National Laboratory, Argonne National Laboratory), IEEE publications, National Institute of Standards and Technology (NIST) cyber security publications, United States Computer Emergency Readiness Team (US-CERT), North American Electric Reliability Corporation, SANS InfoSec, and other data- bases, MITRE reports, RAND publications, National Association of State Chief Information C H A P T E R   2

8 Cybersecurity in Transit Systems Officers and state Homeland Security guidance and reports, DHS security guidance and reports, and others. To collect information on recent transit cyber incidents, the research team searched local, national, and international news sites along with transit and transportation industry magazines such as METRO, Mass Transit, International Light Rail, and Rail Technology, Progressive Rail- roading, and industry websites. Summary of Findings This section provides a summary of the literature review conducted as part of this synthesis project. The Internet Crime Complaint Center (FBI, 2021) logged 791,790 complaints of suspected internet crimes in 2020—an increase of more than 300,000 complaints from 2019. The reported losses due to cyber incidents exceeded $4.2 billion. On average, the cost to organizations affected by a data breach is $4.24 million, according to a 2021 study (IBM and Ponemon, 2021). This cost includes activities to detect and manage the breach and to notify those affected by the breach and others as required by statute, regulation, or policy to minimize business disruption/ revenue loss and to address any post-event response such as credit monitoring, identity protec- tion services, and legal expenditures. Ransomware attacks cost an average of $4.62 million, more than the cost of an average data breach, not including the costs of the ransom. Cybersecurity threats significantly increased during the COVID-19 pandemic (IBM, 2020). There was an “alarming rate of cyberattacks aimed at major corporations, governments, and critical infrastructure” (Interpol, 2020). Complaints about cyberattacks to the FBI Cyber Divi- sion were up to as many as 4,000 a day, a 400 percent increase from pre-pandemic numbers. Ransomware attacks were up 800 percent during the pandemic (Miller, 2020). According to a Pandemic Impact Survey (Bragdon, 2020) 61 percent of security and IT leader respondents are concerned about an increase in cyberattacks targeting their employees who are working from home. Twenty-six percent had seen an increase in the volume, severity, or scope of cyber-attacks since mid-March 2020. There has also been a significant increase in COVID-19–related phishing and malspam campaigns. Cyber Threats to Transit Cyber incidents pose a variety of threats to transit systems and agencies. Potential transit system cyber vulnerabilities have been documented in operational systems, control centers, signaling and telecommunications networks, and in the corporate systems of operators and infrastructure providers and shared systems used by designers, consultants, and suppliers. A search for system vulnerabilities (Barbeau et al., 2019) found “known vulnerabilities in literature for connected vehicles, autonomous vehicles, electronic ticketing systems, traffic signal controllers, traffic signal priority, and dynamic message signs. No known vulnerabilities were found in the literature for automatic vehicle location and computer-aided dispatch systems, online trip planners, mobile fare payment, onboard Wi-Fi, closed-circuit television [CCTV], and automated passenger counters, but given their complexity, their wide attack surfaces, and the known vulnerabilities in related technologies, the research believes that it is reasonable to expect that security vulnerabilities do exist in these technologies as well.” Transit systems, especially light and urban rail systems, generate significant quantities of data via multiple interfaces (such as mobile devices, sensors, ticket machines, and networked CCTV cameras). Sensitive customer data is also being transmitted and received, often wirelessly,

Literature Review 9   whenever a passenger purchases or uses a ticket, or logs onto onboard Wi-Fi (Countermeasures Assessment & Security Experts, LLC, and Western Management and Consulting, LLC, 2020). NIST (2015) lists the following cyber threats and incidents as the major concerns for train and infrastructure operators: • Blocked or delayed flow of information through industrial control system (ICS) networks, which could disrupt ICS operation • Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment; create environmental impacts, endanger human life, or both • Inaccurate information sent to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions, which could have various negative effects • Modification of ICS software or configuration settings, or infection of malware into ICS software, which could have various negative effects • Interference with the operation of equipment-protection systems, which could endanger costly and difficult-to-replace equipment • Interference with the operation of safety systems, which could endanger human life Accenture (Accenture, 2020) summarized the range of threats to the transit value chain— planning and scheduling, pricing and ticket sales, station operations, transit operations, and assets and logistics. All value chain processes were potential cyber targets, with the threats rang- ing from defacement of announcement boards to reputational damage and embarrassment, through to theft of intellectual property or personal/financial information to extortion and social disruption. Potential losses are detailed in the following. Damage to Reputation Cyber data breaches are at the top with poor customer service and environmental disasters for harming brand reputation (Ponemon, 2014). A survey (Forbes, 2014) found that 46 percent of organizations had suffered damage to their reputations and brand value as a result of a cyber breach. Another 19 percent of organizations suffered reputational and brand damage as a result of a third-party security breach or IT system failure. PricewaterhouseCoopers (PwC, 2021) found that 69 percent of consumers surveyed believe that the companies they use are vulnerable to being hacked and attacked by cybercriminals. The same survey found that 87 percent of consumers are willing to walk away and take their business elsewhere if, or when, a data breach occurs. Cyber breaches result in damaged trust, damaged brand reputation, and impacts to the bottom line. For example, after its credit card data was hacked, Target pledged an additional $100 million for security improvements on top of its direct costs for reimbursing card issues. In total, Target lost $236 million in breach-related costs (Drinkwater, 2016). Forbes (Forbes, 2013) found that a security breach has the potential to do the most damage to reputations. The report estimated reputation-related costs as a percentage of total losses resulting from disruption to business or IT operations over the next 24 months (see Table 1). Minor Disruption Moderate Disruption Substantial Disruption 2% 11% 37% Source: Forbes, 2013. Table 1. Estimated reputation losses.

10 Cybersecurity in Transit Systems The Forbes study also found that reputation damage is one of the top four factors—along with preventing productivity losses, system downtime, and compliance failures—that contribute most to securing budget commitments for cybersecurity. When a cyber incident occurs, the response matters. Organizations with the most reputation damage—those that stay in the headlines—are those where the response was questioned and its communication criticized (Forbes, 2014). For example, there were at least 6 months of headlines after the city of Atlanta experienced a cyber incident (Neveux, 2020). Theft of Valuable Intellectual Property or Personal Data Profits can be made from intellectual property and certain types of data. Smart parking meters were first hacked in 2009. Transit fare cards have been an ongoing target since then (Counter- measures Assessment & Security Experts, LLC, and Western Management and Consulting, LLC, 2020). A survey of underground criminal forums and marketplaces between October 2017 and March 2020 (Accenture, 2020) has shown malicious actors selling access to compromised databases and offering services for loading funds into transit system accounts and for booking travel within Canada and the United States at discounted rates. The SolarWinds hack is a recent and notorious example of hacks that resulted in data losses over extended periods of time (Shavell, 2021). Extortion In Texas, Trinity Metro transportation agency (Fort Worth, Texas) lost access to some of its data and systems, including customer support, in 2019 after being hacked by a ransom- ware group that threatened to expose public data if the ransom was not paid (Goldbaum and Rashbaum, 2021). This “double-extortion”—both encrypting files and naming and shaming victims with the threat of releasing stolen data to increase pressure to pay the ransom (Fearn, 2020)—is becoming more common. A ransomware attack on the San Francisco Municipal Transportation Agency in 2016 dis- rupted ticketing systems, forcing the agency to provide free service for three days (Finkle, 2016). Social Disruption In 2011, a joint or hybrid action was conducted by different politically active groups against Bay Area Rapid Transit (BART) to protest the agency’s policies. This physical demonstration and cyberattack was intended to disrupt rail transit in the San Francisco Bay area (Countermeasures Assessment & Security Experts LLC, and Western Management and Consulting, LLC, 2020). Cyber Incident Actors The perpetrators of cyber incidents can range from agency insiders to hackers and hacktivists and to cybercriminal and state actors. Cybercriminals (22 percent) and hackers (19 percent) are the most common threat actors, with malicious insiders (11 percent) and nonmalicious insiders (11 percent) close behind (ISACA, 2020). Careless or untrained insiders are the largest source of security threats at public sector organizations (SolarWinds, 2020). Nation-state attackers (9 percent) and hacktivists (8 percent) complete the list (ISACA, 2020). Cybercriminals Modern cybercrime operations are sophisticated, well-funded, and capable of causing major disruption to organizations (Countermeasures Assessment & Security Experts, LLC, and Western

Literature Review 11   Management and Consulting, LLC, 2020). Cybercriminals usually have clear business objectives, targeting data or information that they can monetize. There are a variety of tools and tactics used, such as commodity information stealers, bank Trojans, and email compromises, to get personally identifiable information (PII), credit card data, or other information they can use to steal profits (Accenture, 2020). Cybercriminals have been increasingly using ransomware and since 2018 have been targeting it at local governments, services, and infrastructure. Hackers In November 2016, hackers attacked San Francisco’s Muni light rail system. The hack opened all station gates across the network, allowing passengers to travel for free, while paralyzing ticket machines and rendering them out of order. Ticketing systems in station agents’ booths also crashed. The attack lasted for two days (Countermeasures Assessment & Security Experts, LLC, and Western Management and Consulting, LLC, 2020). Insiders In 2006, an employee hacked into the traffic control computer in Los Angeles as part of a labor dispute and caused major traffic congestion that took four days to completely resolve (Countermeasures Assessment & Security Experts, LLC, and Western Management and Consulting, LLC, 2020). Nation-State Actors A hacking group believed to have links to the Chinese government penetrated New York City Metropolitan Transportation Authority’s computer systems in April 2020. The breach was the third cyberattack on the transit network by hackers thought to be connected to foreign governments (Goldbaum and Rashbaum, 2021). The February 2018 SamSam ransomware attack on the Colorado Department of Transportation was from Iran-based actors (Sylte and Zelinger, 2018). In January 2018, Metrolinx, a suburban Toronto transit authority, had a malware attack attributed to North Korea. The agency’s firewall was breached and malware was left on a system (Countermeasures Assessment & Security Experts, LLC, and Western Management and Consulting, LLC, 2020). Hacktivists In 2011, Anonymous, a cyber hacktivist group defaced the BART public information website to make its presence known and collected customers’ PII from the agency’s data systems to use as a weapon to obtain concessions from BART. Anonymous threatened to release the customer information (Countermeasures Assessment & Security Experts, LLC, and Western Manage- ment and Consulting, LLC, 2020). Sources and Types of Cyber Incidents The sources and types of cyber incidents have continued to evolve. According to the 2020 State of Cybersecurity Report (ISACA, 2020), social engineering is the most popular method of attack, with 15 percent of compromised respondents saying it was the method used as a vehicle of entry. Advanced persistent threat was the second most common attack method at 10 percent. Ransomware and unpatched systems tied for the third most common method, at 9 percent each.

12 Cybersecurity in Transit Systems Topping the list of FBI cybercrimes in 2020 were computer “phishing” scams, non-payment or non-delivery scams, and internet-based extortion (FBI, 2021). According to APTA, the most common cybersecurity incidents threatening transit agencies involve phishing, email compro- mise, data breaches, ransomware, counterfeit hardware, and supply chain risks (APTA, 2014). Case Examples The results of the literature review and additional outreach were used to identify candidate organizations for case examples. The team sought out illustrations of effective practices as well as identifiable shortcomings that have emerged. The study team used selection criteria that included effectiveness and overall impact in terms of reduction in risk to the agency and its systems, transferability of the technology or approach to other transit agencies, mix of agency size and location, and the overall relevance toward meeting project objectives. Case History: Mass Transit Agency Compromise Assessment Background Mass Transit—a metropolitan transit agency with a fleet of more than 500 buses and street- cars and daily ridership of over 150,000 people—hired a security firm to evaluate the agency security posture and to assess the need for more advanced security measures and investments. A cybersecurity assessment or breach discovery was done using a proprietary forensic and analytical tool to determine whether any existing threats made it past current security controls. Cybersecurity assessments can be done in many ways. For example, the Cybersecurity and Infrastructure Security Agency (CISA) offers a range of assessment services such as vulner- ability scanning of accessible network services, web application scanning for bad or weak configurations, and remote penetration testing that simulates the tactics and techniques of cyberattackers. The assessment found undetected security threats that would have continued to go undetected, and tangible evidence to warrant increasing investments to improve the agency’s security posture. The results of the assessment helped the agency to pursue an increased budget and supplemental funding from U.S. DOT and DHS. Lessons Learned • Agencies may not be as cyber secure as assumed. – Multiple infections of malware, some in place for 2 years, were found in spite of the agency’s enterprise-grade antivirus and network-based threat detection capabilities. – Back doors and nuisance-ware were found across all systems, and there was suspicious code in active memory of one system that did not trigger any alerts. • Understand who is accessing your systems remotely and why – Multiple instances of legitimate but unauthorized remote access tools were found that could be used by attackers. Social Engineering Social engineering involves “targeting people, either by collecting personal information from online sources to establish fake credentials or fooling people into simply handing over needed intelligence through phishing emails or conversations with strangers” (Shavell, 2021). There are many forms of social engineering attacks such as phishing, which is one of the oldest and appears in many different types. Standard phishing attacks rely on sending generic

Literature Review 13   messages to a large volume of people in the hopes that at least some of them will disclose personal information or click on a malicious link. Spear-phishing is highly personalized and carefully crafted to get a single individual to respond, an approach which makes it more likely to succeed (Shavell, 2021). Spear-phishing emails have fooled both experts and laypersons. In 2017, the first family and White House staff were successfully spear-phished by a UK-based prankster (Tapper, 2017). Spear-phishers have taken advantage of the personal information available online and the ability to purchase details on 99 percent of all adult Americans from data brokers. Coupled with easy access to social media accounts, finding email addresses, phone numbers, and even hobbies and interests of targeted individuals is not difficult for bad actors (Shavell, 2021). Social engineering attacks have used contractors or vendors by spoofing or pretending to be a contractor. In some cases, agencies/companies are asked to change account details or to redirect future payments and then do so without realizing that the request may not come from a reputable source. A variant is “CEO fraud” or business email compromise (BEC), in which fraudsters impersonate or spoof a senior manager’s email account to send messages to customers to procure urgent payments to a specified account of the attacker’s choosing. Data exchanges with vendors or contractors are often subject to reduced security protocols. Of the public sector hacks that took place within the past year, about half of them happened via third parties (Shavell, 2021). Payment invoice scams accounted for nearly half of fraudulent transactions in 2018 and caused more than $1.5 billion in business losses (U.S. Treasury, 2019). Advanced Persistent Threat An advanced persistent threat (APT) is an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deceptive) over an extended period. The intention of an APT may be to steal data, or to cause damage to the network or organiza- tion, or to plant attack capabilities for future activation (NIST, 2014). An advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapting to a defender’s efforts to resist it, and with determination to maintain the level of interaction needed to execute its objectives (NIST, 2011). Because of the level of effort needed to carry out such an attack, APTs are often associated with nation-states and are leveled at high-value targets, such as other nation-states and large corporations, with the ultimate goal of stealing information over a long period of time (Kaspersky, 2020). APTs have been evolving in recent years. More and more APT actors are developing tools to target mobile devices, a trend that has been predicted to continue (Kaspersky, 2019). It is anticipated that the initial network access will be through a partnership with cybercriminals, in essence buying available malware from cybercriminals to get into targeted networks, similar to ransomware access methods (Kaspersky, 2020). In 2009, Coca-Cola, in the midst of an acquisition bid for China Huiyuan Juice Group Limited, experienced a spear-phishing attempt, which led one of Coca-Cola’s executives to click on a malicious link. This entry point into Coca-Cola’s network group allowed a Chinese military unit, through an APT, to collect and send confidential files back to China each week, all without being noticed. “As Coca-Cola executives were negotiating what would have been the largest foreign purchase of a Chinese company, Comment Crew (the Chinese group) was busy rummaging through their computers in an apparent effort to learn more about Coca-Cola’s negotiation strategy,” the New York Times reported (Sanger et al., 2013).

14 Cybersecurity in Transit Systems In March 2017, a Chinese APT injected a malicious backdoor into a software update for the widely popular Windows registry cleaning tool, CCleaner. Approximately 2.27 million users downloaded the infected version of CCleaner. Of these, 40 infected machines were subject to a subsequent attack by the APT that compromised 11 different companies. In June 2018, an APT injected malicious software into an ASUS software utility used to update its mother- boards. Fifty thousand machines downloaded the infected software, though the APT only attacked 600 systems (all belonging to various Wi-Fi technology vendors) (Loffredo, 2020). In 2020, at least two groups of China-linked hackers spent months using a previously undisclosed vulnerability in American virtual private networking devices to spy on the U.S. defense industry, researchers, and others. According to the devices’ Utah-based manufacturer, the hackers took advantage of the flaw in software to break into the systems of “a very limited number of customers,” one of which was a U.S. transit agency (Bing and Menn, 2021). In May 2021, Microsoft warned the aerospace and travel sectors of a new dynamic targeted- attack campaign aimed at stealing sensitive information from affected companies via a series of spear-phishing emails, which Microsoft had been tracking for several months (Arghire, 2020). Over time, many organizations have become much better at discovering APTs. However, some still trail behind significantly. In 2020 the average dwell time—the time between initial system penetration and its discovery—was 12 days, down from 30 in 2019, for internal detection, with organizations independently detecting their own incidents. This contrasts with the average dwell time of 73 days in 2020 and 141 the year before for external detection, when an outside entity informs the affected organization of a compromise (FireEye and Mandiant, 2021). Some intrusions are discovered through a news report, law enforcement notification, or external fraud monitoring. Even though the lag between a breach and its discovery has been decreasing over time, lag time is still a long, almost 2-week period, which highlights the continuing difficulty of determining a system breach. Ransomware Ransomware dominated headlines in 2020–2021. Of the 128 publicly disclosed incidents that were discovered in May, more than 40 percent of them were ransomware attacks. Attacks have evolved from random, speculative attacks on a large number of potential victims to highly targeted attacks that demand larger payouts from a single victim. The targets are carefully selected, on the basis of their ability to pay, their reliance on the data encrypted, and the wider impact an attack would have. Ransomware has added a new level of extortion, stealing sensitive information from victims and threatening to publicize or sell the data if ransoms are not paid. This trend is likely to develop further as ransomware gangs seek to maximize their return on investment (Kaspersky, 2020). Critical infrastructure providers are targeted because their services are essential, making them likely to pay ransoms or fear public exposure. Recently, attackers have been increasingly using certain tactics, such as deleting system backups, that make restoration and recovery more difficult or infeasible for affected organizations (CISA, 2020). Ransomware as a service gives cybercriminals with low technical capabilities the opportunity to carry out ransomware attacks by using ransomware malware they purchase from developers (Palmer, 2021). The monetary value of ransom demands has also increased, with some demands exceeding US $1 million (CISA, 2020). The cost of recovery can be significant too. Affected organizations spend an average of $3.86 million recovering from cybersecurity incidents, according to a 2020 study (IBM and Ponemon, 2020). In August 2021, a ransomware attack disrupted Southeastern Pennsylvania Transportation Authority (SEPTA) operations for months, an incident that required the agency to block

Literature Review 15   employees from accessing their email and to stop providing real-time travel information to riders (Madej, 2021). RailWorks, a North American rail infrastructure provider, reported in January 2020 that ransomware actors may have gained access to personal employee information (Arghire, 2020). Recent Cyber Incidents and Trends In 2008, a Polish teenager modified a TV remote to control the track switches of the Tram system near his home. A resulting derailment injured 12 passengers, and no loss of life (Countermeasures Assessment & Security Experts, LLC, and Western Management and Consulting, LLC, 2020). This may have been the first cyber incident to disrupt transit services. Since then, cyber incidents to transportation systems have become frequent and more disrup- tive. Appendix A provides a brief listing of recent cyber incidents in transit agencies. Incidents at other surface transportation agencies and in other industries are included in separate sections of the appendix. Some future trends have been identified through the literature review. Human engineering is a significant technique to gain entry for cyber incidents, in particular through “phishing” or “spear-phishing” attacks. Ransomware attacks are increasing, with the use of “double-extortion”— both encrypting files and threatening to release or releasing stolen data to increase pressure on a victim to pay the ransom—becoming more prevalent. The sophistication of new malware that attacks control systems make it more difficult to prevent or deter attacks on SCADA/ICS systems. Connecting other technologies to networks, such as GPS, radio-frequency identification, Wi-Fi, and internet of things (IoT) devices, compounds cybersecurity issues. The rest of this chapter provides a more detailed overview of a select sample of cyber incidents. Case History: 2021 Metropolitan Transportation Authority, New York Cyber Attack Background In April 2021 hackers were found in the Metropolitan Transportation Authority (MTA) system. The MTA systems appear to have been attacked on 2 days in the second week of April, and attacks continued at least until April 20. According to a statement by the MTA, the agency was notified by the FBI and other federal agencies that 3 of its 18 computer systems were at risk. Hackers gained access specifically to systems used by New York City Transit—which over- sees the subway and buses—and by both the Long Island Rail Road and Metro-North Railroad, according to the MTA document outlining the breach. To gain access to the MTA systems, the hackers took advantage of a previously unknown coding flaw in software for which a patch does not exist, a “zero-day” vulnerability, in a widely used connectivity tool that offers workers remote access to their employers’ networks. The MTA hackers did not make any ransom demands, and it is not clear what the goal of the attack was. It appears to be part of a recent series of widespread intrusions by sophisticated hackers believed to be backed by the Chinese government (Perez et al., 2021). A number of theories have been proposed to explain possible motives behind the attack. One focuses on China’s push to dominate the market for rail cars—an effort that could benefit from knowing more about the inner workings of a transit system that awards contracts. In recent years, China has used cyberattacks as a way to advance its economy and to become the dominant global superpower, according to the U.S. Justice Department. Another more benign view is

16 Cybersecurity in Transit Systems that hackers mistakenly entered the MTA’s system and discovered it was of little interest, which cybersecurity experts say is not unusual. The MTA coordinated and managed the response with state and federal agencies. The agency conducted a detailed forensic audit and analysis of the agency systems, which found malware in the authority’s virtual private network (VPN) application. The malware included malicious software that typically provides hackers a backdoor to remotely access—and in some cases control—certain servers over a long period of time. Based on the audit analysis, the MTA stated that there was “no employee or customer infor- mation breached, no data loss and no changes to our vital systems.” The agency noted that its “cybersecurity defense systems stopped it from spreading through MTA systems.” The forensic review also found signs that the hackers took steps to erase evidence of the intrusion, raising questions about whether there were other, undiscovered breaches. As part of the response, the MTA required a subset of employees and contractors—3,700 persons, or 5 percent of its total work force, including contractors—to change passwords as a precautionary measure and to reset other digital certificates that enabled access to the authority’s network. The agency migrated its infected VPN systems to a different virtual private network. Lessons Learned Be aware of vulnerabilities in systems, especially zero-day vulnerabilities. The zero-day flaw was first disclosed on April 20 and had the highest possible severity score, 10 out of 10. CISA issued an alert for the vulnerability on April 20, 2021. The MTA coordinated closely with state and federal agencies. Response can be costly. The response to the intrusion cost the agency an estimated $370,000. Case History: Project Honey Train Background To determine how cyberattacks on critical infrastructure such as rail networks could be carried out and to assess how widespread the knowledge of such systems is in the hacking community, in 2015 two security firms, Sophos and KORAMIS, created a realistic online rail- way as bait. Removed from any physical railway, Project Honey Train not only simulated com- puter systems and communication protocols, but also reproduced the software components of automation and control systems and included CCTV of real stations and train operator cabins. A customized website with timetables, ticketing, and real-time service information was also integrated. During a 6-week period, 2,745,267 attacks were detected. Geolocation indicated hacking locations around the world, although these may have differed from the hackers’ actual loca- tions. From that total, 41 percent of the attacks originated from China, 9 percent from the United States, and 7 percent from France, with other countries in low single-digit percentages— although at least one attack came from almost every country in the world. Four valid logins to the human-machine interface (HMI) were detected and detailed analysis showed that those successful attackers possessed a deep knowledge of industrial control systems— these actions were deliberate, and not performed randomly. Vehicle control and passenger information systems were accessed, but safety-critical systems were not. Lessons Learned Rail networks systems are attractive cyber targets, as evidenced by the over 2 million cyber- attacks in a 6-week period.

Literature Review 17   Some attackers possess a deep knowledge of rail industrial control systems, demonstrated by their deliberate actions and focus on specific systems, such as vehicle control and passenger information systems. Case History: San Francisco Municipal Transportation Agency, Muni Light Rail Cyber Attack Background In November 2016, the San Francisco Municipal Transportation Authority (SFMTA) expe- rienced a ransomware attack that encrypted the agency’s information systems. The attacker demanded 100 bitcoins, which at the time was estimated at $73,000, to free the system. Although the hack did not compromise the SFMTA’s fare system, the agency took its subway ticketing machines and fare gates offline as a precautionary measure to protect passengers after a hacker attacked its office computers. The attack disrupted transit service for 2 days. The agency did not pay the ransom, but it is estimated that the recovery cost $50,000. Lessons Learned The agency engaged DHS and the FBI immediately, and as a result, it was able to identify the nature of the attack and isolate the threat very quickly. Rapid response and recovery was possible without paying the ransom because there were frequent backups of systems—both off-site and in cloud storage. The impact on physical control systems was minimized because SFMTA used a segmentation approach to separate operational control and communications systems from other IT systems. Advance preparation and support helped. The agency had a contract with its IT vendor that gave priority treatment and support. Internally, there was support from senior management and processes in place so that the policy and public relations issues could be taken care of in a manner that freed up the technical staff to handle the response. Public affairs was involved immediately and provided timely messages to the public. Case History: Cabarrus Local Government Vendor Spoofing Background The local government of Cabarrus County, North Carolina, received an email requesting new bank routing information for payments, an attack that resulted in a $700,000 payment to a fraudulent account. The hacker sent email mimicking a trusted source that requested that new bank routing information be used for payment. This attack exhibited well-thought-out timing that tied the submission of the fake invoice to the regular and expected vendor submission schedule and that included the appropriate paper form and fax-back number. In addition, the attack occurred during a holiday period when local county employees were short-handed or rushed. A review of the incident found that all employees thought they were doing the right thing. The request looked legitimate and all established procedures were followed. Once the attack was discovered, county officials contacted the bank, local law enforcement, the FBI, and the county’s insurance company. The FBI was aware of similar attacks, but was limited in the assistance that it could provide.

18 Cybersecurity in Transit Systems The county government was never able to understand how the hacker got the information to carry out the attack. Some states and counties have open checkbook requirements, which may have been a means, but it was not clear how the hacker obtained the information that was used. The county was able to recover some of the $700,000 because of a mistake by the hacker, who had left money in the designated bank account long enough for the county to recover it. The county government took a number of steps in response: • Placed legal hold on emails • Changed all login credentials • Reviewed email for unauthorized accesses or rule creation • Switched accounts payable to paper checks and audited all vendor charges It took the county a year and a half to get processes improved to address similar situations. Since the initial incident, the county has had two additional attempted attacks that were caught by the new processes. Lessons Learned Employees need to understand what standard processes are, how their own processes work, and where security gaps need to be addressed. Agencies need to ensure they use an authentication process for vendor payments, including validation of vendors and banking accounts. Increased employee education and assistance to departments is needed so that staff can review their internal processes to ensure that procedures include multi-factor authentication for vetting requests and using verified communication methods beyond email. It is critical for agencies to know what their existing cyber insurance policy covers. Email- initiated fraudulent impersonation losses did not fall within the scope of coverage under the standard risk agreements because they were not losses “resulting directly from” any covered peril. The county had to look for additional offerings and stand-alone social engineering insurance products to address future similar incidents. Cost of Cyber Incidents Although the true total cost of cyber incidents is unknown and is probably unknowable, one estimate is that organizations spend an average of $3.86 million apiece recovering from security incidents in 2020 (IBM and Ponemon, 2020). Ransomware attacks cost an average of $4.62 million, more than the cost of the average data breach of $4.24 million. These expenses do not include the cost of the ransom. Malicious attacks that destroyed data cost an average of $4.69 million (IBM and Ponemon, 2021). The use of automated tools such as artificial intelligence and analytics to help detect breaches and suspicious behavior can reduce costs significantly. Organizations that use those types of tools spend, on average, $2.45 million on their recovery. Organizations that do not employ them spend more than twice that, with an average cost of $6.03 million. This report outlines the types of activities that make up the cost to respond: • Detection and escalation—activities to identify an incident and begin to respond, such as forensic and investigative activities, assessment and audit services, crisis management, and communications to executives and boards.

Literature Review 19   • Lost business—activities that can include disruption caused by system downtime, the costs associated with customer churn, and reputational loss. • Notification—activities to notify employees, customers, regulators, and third parties of the data breach. • Ex post response—activities associated with compensation and legal ramifications such as credit monitoring services for victims, legal expenses, product discounts, and regulatory fines. Transit Cybersecurity Legal and Regulatory Requirements At the federal level, there are regulations for the transportation sector that provide require- ments for handling of sensitive security information (SSI) and protected critical infrastructure information (PCII). The governing regulations (49 CFR Parts 15 and 1520) define SSI as “information obtained or developed in the conduct of security activities, including research and development, the disclosure of which the Secretary of [Transportation] has determined would (1) constitute an unwarranted invasion of privacy (including, but not limited to, information contained in any personnel, medical, or similar file); (2) reveal trade secrets or privileged or confidential information obtained from any person; or (3) be detrimental to transportation safety.” Transit agencies are “covered persons” under 49 CFR Sections 15.7 and 1520.7 because they are either • A grantee of DOT or DHS; • A rail transit system subject to the requirements of 49 CFR Part 1580; • A transit agency for which a vulnerability assessment has been directed, created, held, funded, provided to, or approved by DOT. By regulation, SSI currently includes 16 types of records with only three that apply to transit agencies: 1. Security programs and contingency plans issued, established, required, received, or approved by DOT or DHS 2. Vulnerability assessments that are directed, created, held, funded, or approved by DOT or DHS, or that will be provided to either agency in support of a federal security program 3. Threat information held by the federal government concerning transportation, transportation systems, and cyber infrastructure, including sources and methods used to gather or develop the information Note that the TSA Administrator and the Secretary of Transportation have the discretion to designate other information as SSI in addition to what is listed. Transit agencies are instructed to evaluate security program plans and procedures, security contingency plans and records, records that reveal system or facility vulnerabilities, and infor- mation about threats against the transit agency. TSA created a Sensitive Security Information Stakeholder Best Practices Quick Reference Guide (TSA, n.d.) that provides suggested practices for handling SSI and has established an Office of SSI to assist transit agencies and other industries in managing SSI requirements. FTA produced Sensitive Security Information (SSI): Designation, Markings, and Control: Resource Document for Transit Agencies (Chandler et al., 2009) to provide guidance. PCII is defined by 6 U.S.C. Section 131 as “information not customarily in the public domain and related to the security of critical infrastructure or protected systems.” Under 42 U.S.C. Section 5195c(e) of the Homeland Security Act and Section 1016(e) of the U.S. Patriot Act, PCII includes “systems and assets, whether physical or virtual, so vital to the United States

20 Cybersecurity in Transit Systems that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” According to FTA (Chandler, Sutherland, and Eldredge, 2009, p. 3), PCII “includes information about actual, potential, or threatened interference, attack, compro- mise, or incapacitation of critical infrastructures or protected systems, and the ability of critical infrastructures or protected systems to resist such interference, compromise, or incapacita- tion. Transit agencies may come in contact with PCII through interaction with the federal government.” Business identifiable information (BII) is defined as “trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential” (5 U.S.C. Section 552(b)(4) of the Freedom of Information Act). Commercial or financial information is considered confidential if disclosure is likely to cause substantial harm to the competitive position of the person from whom the information was obtained. BII is treated similarly to PII in terms of protection. SSI in electronic form, according to FTA, must be password protected and accessed through a secure connection. Electronic transmission should be encrypted or password protected, and the key or password should be provided separately. According to the U.S. Office of Privacy and Open Government, sensitive PII must be protected by secure methodologies, such as using encryption, public key infrastructure, or a secure sockets layer to electronically transmit. When in doubt, the office recommends treating PII as sensitive. Although recently enacted industry-specific statutes outline mandatory cybersecurity require- ments for specific industries—such as finance, chemical, water, and electrical generation—as of mid-2021, there are no federal mandates or requirements for transit agencies to implement cybersecurity standards or technologies nor to create a cybersecurity preparedness program. Recent federal legislation, 49 U.S.C. Section 5323(v), instituted by the National Defense Autho- rization Act for fiscal year 2020, Pub. L. 116-92, Section 7613 signed into law in December 20, 2019, requires operators of rail fixed guideway public transportation systems, as a condition of receiving financial assistance, to certify that they have “established a process to develop, main- tain, and execute a written plan for identifying and reducing cybersecurity risks” that includes “third-party testing and analysis to mitigate cybersecurity risks, such as hardware or software for rail rolling stock under proposed procurements” and use of approaches, standards, and best practices developed by NIST and DHS. Transit agencies may also have to adhere to state regulations involving cybersecurity. For example, when handling customer data (including payment information), transit agencies must comply with relevant state privacy rules and various breach notification requirements after a breach or loss of data. Moreover, relationships with related industries such as the financial industry create cyber- security requirements for transit agencies. For instance, the payment process is governed by financial sector cybersecurity rules and regulations that are typically included in the transit agency’s partnering contracts with banks or credit card companies. Because of the limitations on its authority, the federal government may only recommend voluntary guidance for cybersecurity. Most recently, the White House issued a National Security Memorandum on “Improving Cybersecurity for Critical Infrastructure Control Systems” (The White House, July 28, 2021) that directs CISA and NIST to develop cybersecurity perfor- mance goals for all critical infrastructure and creates a voluntary, collaborative, public-private sector Industrial Control System Cybersecurity Initiative to support the deployment of technology and systems to improve cybersecurity threat detection and warnings.

Literature Review 21   A pilot version of the initiative was launched in April 2021 in the electricity subsector with over 150 electricity utilities deploying or agreeing to deploy technologies for control system cybersecurity. The natural gas pipeline subsector was the next subsector to implement the initiative, and other sectors are anticipated to follow. There is a recognition at the federal level that depending on voluntary deployment to improve cybersecurity may not be enough, as senior White House officials noted during press question- ing about the July 2021 National Security Memorandum. The pipeline sector provides a valuable example. TSA provided voluntary cybersecurity reviews for pipelines, but not all pipelines, including Colonial Pipeline, asked TSA to do reviews. As a consequence of the Colonial ransomware attack, which created a major disruption to the nation’s gas supplies, TSA established mandatory cybersecurity requirements. The specific requirements are not publicly available, but according to TSA, they include “specific mitigation measures to protect against ransomware attacks and other known threats” to both the opera- tional technology systems that manage transporting hazardous liquids and natural gas and the conventional computer systems that interact with them, within specific timeframes. Pipeline owners must also develop and implement contingency and recovery plans and conduct annual cybersecurity architecture design reviews. In October 2021, TSA announced plans for new security directives for railroad and transit agencies. One for higher-risk railroad and rail transit agencies will require them to report cyber incidents to the Cybersecurity and Infrastructure Security Agency, identify a cybersecurity coordinator, and issue contingency recovery plans for cyberattacks. Another, for lower-risk surface transit agencies, would encourage but not require they take the same measures to reduce cybersecurity risk. It will take new legislation to provide authority for mandatory requirements, especially for transportation agencies. As part of the July 2021 National Security Memorandum, a White House spokesperson noted that the administration is starting with voluntary guidance, but is committed to addressing the limited and piecemeal regulation and is “pursuing all options, in order to make the rapid progress we need.” The spokesperson mentioned the incentives and barriers for cybersecurity implementation and noted that the administration is looking at what can be done with grants, potential tax credits, and performance incentives, as well as working with Congress. Cybersecurity Guidance and Recommended Practices There is a rich body of cybersecurity guidance and resources from an IT perspective and a growing body of cybersecurity guidance and resources developing today for control system cybersecurity (Countermeasures Assessment & Security Experts, LLC, and Western Manage- ment and Consulting, LLC, 2020). Payment transactions are governed by the Payment Card Industry Data Security Standard, a set of compliance requirements established by the PCI Security Standards Council. Appendix B provides a listing of the types of guidance available. This section contains an overview of the guidance with case examples of transportation agencies’ use of the guidance. A cyber-risk management framework that incorporates technology, process, and cyber culture has been developed at the national level by NIST (2018b) with transportation-specific implementation guidance available from CISA (2015). The framework, as illustrated in Figure 1, can help agencies better understand, manage, and reduce cybersecurity risks by determining which activities are most important to assure critical operations and service delivery and by prioritizing investments and maximizing the impact of each dollar spent on cybersecurity.

22 Cybersecurity in Transit Systems Agencies can use the implementation guidance to characterize their current cybersecurity state; identify opportunities for enhancing existing cyber-risk management programs; and find tools, standards, and guides to support implementation and to communicate their risk management issues to internal and external stakeholders. The framework can provide an objective manner to show the status of the cybersecurity program and where improvements are needed. Case History: Utah Transit Authority NIST Framework Implementation Background The Utah Transportation Authority (UTA) is a medium-sized transit agency with about 2,500 employees, serving six counties that cover about 1,600 square miles and comprise about 80 percent of the state’s population. To protect data connections between traffic control, SCADA, and data systems, IT staff worked with rail operations units to implement cybersecurity systems. They constantly scan the systems for viruses and unusual activity. UTA has implemented a formal decision-making process for cybersecurity improvement projects as follows. First, there is a risk assessment process which identifies possible security enhancement measures. For each decision cycle, several of UTA’s many systems undergo the risk assessment process. Second, a committee ranks these measures based on certain high-level factors. While the chief technology officer is responsible for overall cybersecurity for UTA, the UTA Security Administrator makes the final decisions on whether or not to proceed with the selected projects. This decision process occurs several times a year and has resulted in the implementation of 10–30 cybersecurity measures per year. Case History: Idaho Transportation Department NIST Framework Implementation Background The Idaho Transportation Department (ITD) has jurisdictional responsibility for almost 5,000 miles of highway (or 12,000 lane-miles), more than 1,700 bridges, and 30 recreational and emergency airstrips. ITD also has responsibility for the Department of Motor Vehicles (DMV) as one of its DOT functions, with the resultant need to protect state residents’ PII found in driving permits, driver’s licenses, and other related information. A significant black market Source: CISA, 2015. Figure 1. NIST framework implementation cycle.

Literature Review 23   value for Social Security and driver’s license numbers added an incentive to the challenge of improving the cybersecurity of the agency. ITD looked at alternative frameworks and approaches to support their efforts. ISO standards were being used at the agency, and the ITD team reviewed SANS Center for Internet Security (CIS) Controls before deciding to use the NIST framework. The NIST framework provided a common set of terms and values so that the agency could create metrics on movement toward goals—what investment looked like in terms of agency-specific goals and the work accomplished to address identified gaps. The framework gave the agency a structure for demonstrating return on investment for the investment of resources, employees, and tools that reduced the cyber risk of the agency. To implement the framework at ITD, the agency needed to identify its cyber-related goals (the primary focus was security of DMV-related information) and then do an internal analysis on where the current systems were in terms of recommended guidance. The agency went through each NIST framework function (identify, protect, detect, respond, recover) by category and subcategory (Figure 2) to assess by tier—a scale that ranges from partial to risk-informed, repeatable, and adaptive—the current level of the agency’s cybersecurity efforts. ITD added a zero to the scale, recognizing that, in some categories and subcategories, the agency either had not been aware or may not have been addressing certain aspects of security. Believing that visual management is the key to success, ITD developed a matrix (Excel spread- sheet) to evaluate the framework by subcategory by tier and created a method of scoring by numeric value of the tier (0 through 4) by subcategory (Figure 3). The agency created a baseline by taking an informed guess at where they were on the framework and set aggressive goals on where they should be in three to five years. The agency evaluates progress routinely and communicates progress and risks to senior management. Lessons Learned As a result of their experience, ITD recommends setting targets first before conducting the assessments. They caution about setting targets too high, which could result in high cybersecurity Source: Barnes and Schumacher, 2015. Figure 2. ITD cybersecurity model.

24 Cybersecurity in Transit Systems costs. Because the targets can be reset over time, the agency recommends focusing on agency- specific cybersecurity risks. For example, for securing customer information, ITD considered goals for each function category based on the value of the data. ITD found that one of the most difficult parts of the process was understanding how recom- mended cybersecurity and countermeasures guidance documents such as NIST SP 800 series documents applied to a transportation agency, since some were initially geared to federal agencies to address Federal Information Processing Standards (FIPS) compliance. It was a challenge to the ITD team doing the work, but the agency reported that the results were worth it. ITD was forced to take a hard look at their systems and current approaches and to ask difficult questions, especially in deciding how to score the agency. The team had to decide on agency goals, which forced them to take a holistic view of the whole program. The NIST framework does not include metric charts and graphical representation in the guidance, so ITD developed its own in-house materials. The team wanted to create metrics to represent in graphical format what investment looked like—that is, how the agency was moving toward the goals. The agency created a chart that summarized the tier assessments by function, and that information is presented to leadership on a regular basis. Figure 3 provides an illus- tration used by ITD with quarterly results. Goals have been set for each function based on the priorities set by the agency. ITD found that over time, as the agency became more cybersecurity- adept, the scoring became “harsher” than the initial assessment over time, so in some instances the tier was lower in a subsequent quarter. Other organizations also have created metrics adapted from the NIST Framework to com- municate their risk treatment plan and results. For example, the University of Michigan uses a high/medium/low rating instead of the scoring system used in Idaho. Security by design is the concept that security should be built into a product by design, instead of being added on later by third-party products and services. Integrating cybersecurity require- ments into the entire system design process is considerably more effective than addressing Source: ITD. Figure 3. ITD security scorecard.

Literature Review 25   cybersecurity at single points in the process. A shift in operating model may require a shift in talent as well, as work moves away from a framework of development, implementation, and deployment followed by security to a process in which security perspectives are involved from the beginning (Figure 4). There are existing suggested practices for building security into the development lifecycle (NIST, 2018a). Threat-specific guidance is available from a number of different sources. For example, on September 30, 2020, the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center released a joint Ransomware Guide, a customer- centered, one-stop resource with suggested practices and ways to prevent, protect, and respond to a ransomware attack (CISA, 2020). CISA recently also published guidance on approaches to address the SolarWinds compromise (CISA, 2021a). Cloud services have been available for some time, and usage has been increasing. NIST defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal manage- ment effort or service provider interaction” (Mell and Grance, 2011). Three different types of cloud service models are offered by cloud service providers (CSPs): • Software as a Service (SaaS), in which the CSP provides software applications, such as email or office productivity tools • Platform as a Service (PaaS), in which the CSP provides an environment to build and operate one’s own software • Infrastructure as a Service (IaaS), in which the CSP provides network access to virtualized computing resources such as processing power and storage Security issues and risks are a shared responsibility between the CSP and the purchaser of the cloud service, as illustrated for each service model in Figure 5. It is essential that the respective roles and responsibilities for cloud cybersecurity are understood. In every model, the purchaser of the service is always responsible for protecting its data from security threats and controlling access to it. Protecting data in transit and at rest or in storage is critical in cloud services. NIST has developed a series of documents that provides recom- mendations for protecting sensitive, unclassified digitized information using cryptography and NIST’s cryptographic standards. Recent cloud cybersecurity guidance issued by NIST (2020b) provides general access control guidance for all three cloud service models, recognizing that each service model has its own focus with regard to access control requirements. NIST (2017) provides security and privacy controls for digital identity management for designated levels of assurance, including identity proofing, authentication and use of authen- ticators, and identity federation. Volume 3 of the four-volume set establishes risk-based pro- cesses for the assessment of risks for identity management activities and selection of appropriate assurance levels and controls. The document recommends multi-factor authentication (MFA), sometimes referred to as two-factor authentication, for all assurance levels. MFA is a security approach that requires two separate credentials when logging into an account. Transit-specific guidance is available from APTA in Recommended Practice publications available on the APTA website. The recommended practices establish considerations for transit agencies in developing cybersecurity strategies and detail practices and standards that address vulnerability assessment and mitigation, system resiliency and redundancy, and disaster recovery. Figure 4. Security by design cycle.

26 Cybersecurity in Transit Systems APTA guidance recognizes the importance of establishing a cybersecurity culture in the agency. Having technology in place to provide cybersecurity is only one part of effective cyber- security management. People and processes are just as important as technology in improving cybersecurity. Agency personnel need to be aware of users of the systems in place and aware of the risks to both the systems and themselves. Staff also need to be aware of security policies and procedures that have been put in place. Management must actively support cybersecurity in a visible manner. A cybersecurity strategy with policies and procedures that support the strategy is a critical component of an agency-wide culture of security. Just as transit agencies have created a safety-centric culture—saving lives and reducing accidents and accident severity—they need to foster and create a cybersecurity culture. This requires an awareness program; a training program; an assessment of cybersecurity threats; a reduction of the attack surface (the number of places and ways someone can attack transit systems); a cybersecurity program that addresses: threats, mitigations, the software/firmware update process, monitoring and detection methodologies; and the ability to be audited to check for compliance via logs and change-management systems. Source: APTA, 2013, p. 11. Security working groups at the national level, such as the Computer Security Incident Response Team (CSIRT), US-CERT, and ICS CERT—which responds to breaches of cyber security—and at the industry level, such as the Public Transportation Information Sharing and Analysis Center (PT-ISAC), have compiled resources of recommended practices that can be applied Source: Adapted from NIST SP 800-210. Figure 5. Security/Risk sharing of cloud services.

Literature Review 27   across all industries. These groups provide current threat alerts and share information about effective practices. CISA offers guidance, tools, and training to assist organizations in improving their cybersecurity. Help is provided on CISA’s website at cisa.gov/publication/cyber-essentials- toolkits. CISA also provides recommendations to strengthen cloud security practices based on reported incidents through analysis reports. For example, CISA produced a January 2021 report (AS21-013A) based on cyberattacks that used a variety of tactics and techniques— including phishing, brute-force login attempts, and possibly a “pass-the-cookie” attack—to exploit weaknesses in the cloud security practices of employees working at home during the COVID-19 pandemic. The Cybersecurity Evaluation Tool (CSET) is available to improve the cybersecurity perfor- mance of agencies’ enterprise and industrial control cyber systems (ICS). To this end, CISA has developed at fact sheet with the following set of recommended practices for industrial control systems: • Check, prioritize, test, and implement ICS patches. • Back up system data and configurations. • Identify, minimize, and secure all network connections to ICS. • Continually monitor and assess the security of ICS, networks, and interconnections. • Disable unnecessary services, ports, and protocols. • Enable available security features and implement robust configuration management practices. • Leverage both application whitelisting and antivirus software. • Provide ICS cybersecurity training for all operators and system administrators. • Maintain and test an incident plan. • Implement a risk-based defense-in-depth approach to securing ICS hosts and networks. CISA is also standing up a Cybersecurity Advisor (CSA) program that will place CISA technical resources in every state. The local advisor will both participate in various prepared- ness activities and act as a liaison to the headquarters-based CISA vulnerability management resources, who are able to provide on-site and remote assistance, training, assessments, incident response, and coordination, as well as other services. Case History: Metropolitan Atlanta Rapid Transit Authority, CSET Background The Metropolitan Atlanta Rapid Transit Authority (MARTA) operates heavy rail, bus transit, and paratransit services. MARTA’s heavy rail system comprises four lines, including two lines serving the Hartsfield-Jackson Airport; its bus operations encompass 91 routes covering 1,000 route-miles. MARTA recognizes that, as part of its cybersecurity approach, the agency needs to be aware of all cyberattacks and pay specific attention to the ones that affect the transit industry. It further needs to be agile enough to adapt to hacking trends and be proactive and prepared for what may come in the future. The agency follows the NIST framework and adheres to Payment Card Industry (PCI) data security standards. Agencies that accept credit cards are required to meet PCI requirements annually. The agency relies on recommended practices in its cybersecurity program and continues to “work diligently” to safeguard its systems. MARTA evaluates risks from an enterprise-wide perspective and prioritizes on the basis of criticality.

28 Cybersecurity in Transit Systems As an example, in December 2012, DHS conducted a two-day on-site consultation and assisted MARTA in using its CSET tool. MARTA’s IT, police, and the Oce of Engineering and Development were involved in the assessment. e IT and enterprise network evaluation— the focus of the rst day—used the NIST SP800-53 (Security Controls for Federal IS and Organizations) standard. ICS (train control systems/SCADA)—the focus of the second day— employed the NIST SP800-82 (Guide to Industrial Control Systems Security) standard. Both standards had been selected by MARTA. MARTA’s initial approach to the Safety Critical Systems assessment was closely aligned with APTA Recommended Practice Part 2 on Security Zones. To undertake the evaluation, the agency formed a Control and Communications Security Team, inventoried its assets, and identied goals and objectives for the assessment. Before the on-site visit by DHS, MARTA sta set the scope of the assessment and the choice of specic focal points. MARTA selected legacy and existing systems and systems under modication or rehabilitation for the CSET and systems under modication or rehabilitation and new projects for APTA standards. For each evaluation, MARTA answered numerous questions on the consequences of a successful cyberattack. MARTA’s answers to these questions assisted the assessment team in producing a list of security gaps by comparing the answers to the standard. More speci- cally, as shown in Figure 6, each component is given a gap and priority rating, and a resulting Security Assurance Level (SAL) rating. e rating is based on on-site and o-site impact to the economy, to people (injury, death, hospitalization), and to capital assets loss. Next, the team created a network diagram to visualize the criticality of network components. For its gap analysis and risk assessment, MARTA combined information provided by the tool from APTA’s Securing Control and Communications Systems Recommended Practice Part  2 (APTA, 2013). Administrative elements, components, and train control/SCADA elements were considered in the analysis. e identied gaps were matched with APTA controls and analyzed according to availability, probability, and severity. Source: MARTA, 2013. Figure 6. CSET four-step process.

Literature Review 29   After MARTA received the detailed report, the agency performed a detailed gap analysis and subsequently began identifying capital projects. MARTA initially targeted items with the lowest SAL ratings compared with the target ratings. Once recommendations for implementa- tion had been selected, the recommendations were screened for criticality, feasibility, and cost. When a specific recommendation was not feasible, MARTA identified alternative improvements that can be made to move toward the recommended state. Lessons Learned The benefits of the evaluation process included the following: • Highlighted vulnerabilities • Provided recommendations • Identified areas of strength • Provided a method to compare/monitor cyber systems • Informed risk management and the decision-making process • Raised awareness and facilitated discussion on cybersecurity A major issue confronting MARTA has been the difficulty in replacing or retrofitting legacy systems. For instance, the replacement project for its private control system network, which became unstable, is expected to take several years. Installing security systems can also be difficult because changes to existing configurations may be needed. Another issue was the time, cost, and complexity of addressing the detailed recommenda- tions. While the tool was useful in identifying IT and ICS gaps, the process was extensive and lengthy. The recommended changes had to be prioritized and adapted to MARTA’s specific systems and needs. Since the evaluation, MARTA has been prioritizing the recommendations, continuing to inventory its equipment and systems, and assigning them the SAL ratings that resulted from the evaluation. Cybersecurity Capability Maturity Models A capability maturity model (CMM) is a framework used to establish targets for comparison when looking at an organization’s processes. It evaluates capability and implements strategies based on level of acceptable risk. An assessment of an organization’s maturity level helps to determine its security posture and to form an accurate snapshot of its current cybersecurity practices, which is essential for constructing a baseline for framework implementation. Maturity models provide an internal benchmark that an organization can use to measure capabilities of structural practices, assess processes and methods currently implemented, establish allocation of resources, and establish goals and priorities for enhancements (U.S. Department of Health and Human Services, 2020). Although the transportation sector does not have a uniform sector-wide cybersecurity maturity model, there are other models to assist organizations as they work their way through the cybersecurity lifecycle. The DHS Transportation Security Sector NIST Framework Imple- mentation Guidance recognizes the following CMMs: The DHS Cyber Resilience Review (CRR) is a no-cost, voluntary, nontechnical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR captures an understanding and qualitative measurement of an organization’s operational resilience and its ability to manage operational risks to critical services and their associated assets. The CRR assesses enterprise programs and practices across a range of 10 domains, including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized recommended practices (CISA, n.d.).

30 Cybersecurity in Transit Systems The CRR is derived from the CERT Resilience Management Model (CERT-RMM), a capability- focused maturity model for process improvement, and it reflects suggested practices from industry and government for managing operational resilience across the disciplines of secu- rity management, business continuity management, and information technology operations management. In this approach, the organization’s maturity is based on how completely the cybersecurity practices in each of the domains are institutionalized within the organization. Institutionalization means that cybersecurity practices become a deeper, more lasting part of the organization because they are managed and supported in meaningful ways. The Maturity Level (MIL) scale uses six maturity levels, each with rigorous, defined components: (1) incomplete, (2) performed, (3) planned, (4) managed, (5) measured, and (6) defined. Cybersecurity Capability Maturity Model (C2M2) is a U.S. Department of Energy program that enables organizations to voluntarily measure the maturity of their cybersecurity capabilities in a consistent manner. C2M2 is a common set of industry-vetted cybersecurity practices, grouped into 10 domains and arranged according to maturity level. During 2020, the C2M2 Program worked with the energy sector to update and validate the C2M2 model, ensuring that it reflects an evolving threat landscape and the emerging security needs of companies. The update addressed advancements in technologies, practices, and frameworks to protect critical infrastructure against cyber intrusions. As part of this effort, the C2M2 program has formed a C2M2 working group of industry partners comprising representatives of electric utilities, oil and natural gas companies, trade associations, and other cybersecurity experts. The working group is conducting technical reviews of the model, and volunteers will pilot a draft of Version 2.0 before it is published (U.S. Department of Energy, 2019). Other Transportation Capability Maturity Models A Transportation Resilience CMM published by the Transportation Research Board (Dor- ney et al., 2021) includes cybersecurity. The CMM Self-Assessment has three levels related to cybersecurity: • Level 1: We have cybersecurity controls in place and are familiar with cybersecurity prin- ciples; however, we have not used a specific industry standard-backed self-assessment tool. • Level 2: We have completed the self-assessment for all agency ICS and IT systems. We are in the intermediate stages of coordinating our ICS and IT system security with other relevant agencies in our jurisdiction. • Level 3: We have fully assessed the cybersecurity of our ICS and IT systems. In 2021, the U.S. Department of Defense (DOD) began to deploy its Cyber Maturity Model Certification (CMMC) program for all DOD contractors and subcontractors. This three-level certification program is intended to be the unifying standard for cybersecurity implementation across the nation’s Defense Industrial Base (DIB). Although this program is not applicable for organizations outside the DIB, the standard contains valuable guidance for any organization needing to protect sensitive information in a multi-tier supply chain environment. The CMMC program is expected to become fully operational by 2026. Additional information, including the CMMC model and assessment guides, can be obtained from the Office of the Under Secretary of Defense for Acquisition and Sustainment. Case History: Maryland DOT/Maryland Transit Agency, CMM Background In 2018 the Secretary of the Maryland Department of Transportation (MDOT) presented an overview of the agency’s cyber maturity model (Rahn, 2018). At that time the agency was

Literature Review 31   investing $3.7 million annually toward cybersecurity or “cyber-safety” in order to defend against eight million cyberattacks per month. The goal of the agency was to create a more resilient cybersecurity network to protect citizens, businesses, and the state. The agency CMM model had four levels, as shown in Figure 7: • Tools based—which included traditional cybersecurity practices such as network access con- trol, network segmentation, penetration testing, and security and event management. This was where the agency saw itself in 2017–2018. • Integrated framework—a holistic framework that incorporates technology, process, and cul- ture to address cybersecurity. • Dynamic defense—includes integrated dynamic cyber defense, security automation, and technologies for identifying and containing cyber system breaches. This is where the agency saw itself in 2–3 years. • Resilience—ability to preserve or restore uninterrupted digital services during cyber inci- dents. This is the ultimate agency goal. Lessons Learned Agencies may need to modify existing maturity models to account for their unique missions, goals and objectives. Understanding where an agency currently is in terms of cyber maturity, establishing a goal, and developing a plan to achieve that goal is an effective use of a CMM. Gaps in Guidance There are a number of gaps in the cybersecurity guidance available to transit agencies; for example, remote access for support and maintenance personnel or maintenance laptops connected directly to agency systems is common. Often, the agency has no knowledge of the systems being used for maintenance, or the personnel using the systems in these ways. There is limited information on how to address this problem. Another area with limited guidance involves systems that are integrated and shared or joint-use enterprise systems with linkages to transportation network systems for management and financial reporting (and sometimes e-commerce). Source: Rahn, 2018. Figure 7. MDOT cyber capability model.

32 Cybersecurity in Transit Systems A much larger gap exists in transit-specific guidance. There is a limited amount of transit- specific guidance and very little current cybersecurity guidance available for transit agencies. The most recent APTA Recommended Practices related to cybersecurity were published in 2019. The previous recommended practices were published in 2016 or earlier. There is no transportation-specific, let alone transit-specific, guidance to assist in developing a cybersecure procurement process and working with third-party software or vendors. State of Cybersecurity Practice in Transit A recent survey conducted by the Mineta Transportation Institute (MTI) concerning transit agency cyber practices found that cybersecurity was not a priority in many agencies and that transit agencies were not investing in a cybersecurity culture (Belcher et al., 2020). Many agencies were prepared for a cyber threat, but only 60 percent of agencies had a cybersecurity program in place, and only 64 percent had a disaster recovery plan. The MTI survey found that experiencing a cyber incident made no difference in agency budgets or staffing. There were no significant differences in cybersecurity budgets or staffing between agencies with or without a previous cyber incident. The survey also found that 41 percent of transit agencies surveyed did not have cybersecurity clauses in their vendor contracts and another 21 percent did not know if such clauses were included in the contracts. Another survey conducted by the University of South Florida Center for Urban Transportation Research of Florida transit agencies (Barbeau et al., 2019) explored technologies in use by the agencies, data management techniques, cyber incidents, and security challenges. The challenges to implementing good security practices were found to be employee training and funding. The COVID-19 pandemic had an impact on transit agencies’ operations that increased the cyber-risk profile of agencies. Agency employees worked from home when possible. Cyber maintenance processes, such as updating or applying software patches, were delayed as some agencies discovered that their cybersecurity protocols did not allow remote implementation (Gill, 2020). Transit agencies became innovative and flexible in response to the pandemic. Some agen- cies expedited new technologies, and others pivoted to new services (ENO Center for Trans- portation, 2020). In a 2021 survey of companies across all industries (PwC, 2021), 96 percent say they will adjust their cybersecurity strategy because of COVID-19. Half are more likely now to consider cybersecurity in every business decision—up from 25 percent in the 2020 survey results. A 2020 online survey of 400 public sector IT decision makers and influencers that included transportation agencies (SolarWinds, 2020) found that compliance mandates or regulations and a greater awareness of the sources of security risks have had the greatest impact on the evolution of cybersecurity policies and practices. The majority of the respondents, and significantly more so for state and local representatives, indicated their organization’s IT security operations are sourced through in-house staff. More federal than other public sector respondents use an on-site contractor. Local respondents are more likely than state respondents to outsource to a managed service provider. When describing their organizations’ IT operations/infrastructure teams and IT security teams, public sector respondents overall are split, with about half having separate departments and half being within the same department.

Literature Review 33   Incidents detected, compliance goals met, compliance audit results, and threats averted are the metrics used by most public sector organizations to measure the success of their organiza- tions’ IT security teams. Federal, state, and local respondents use compliance audit results to measure success. A significantly larger proportion of state and local respondents use threats averted. For incidents detected (the top metric mentioned overall), there are no significant differences between organization types. In terms of organizational maturity in cybersecurity capabilities, identity and access man- agement and endpoint protection were rated highest. Supply chain and external dependencies management were rated the lowest. A 2020 survey (IBM, 2020) explored the deployment of security automation—technologies that depend on artificial intelligence, machine learning, analytics, and automated orchestration for identifying and containing cyber system breaches—in various industries, including trans- portation. Communication, technology, and retail industries had the highest percentages of organizations with either fully or partially deployed automation. The transportation industry had the highest percentage of organizations (50 percent) that had not deployed automation. Transportation organizations had 18 percent fully deployed and 32 percent partially deployed. Conclusions Because of the increasing dependence in transit on connected systems and networks with inherent vulnerabilities, cyber risks are significant and growing in transportation (Counter- measures Assessment & Security Experts, LLC, and Western Management and Consulting, LLC, 2020). Emerging and disruptive technologies such as autonomous vehicles, artificial intelligence, IoT, and augmented/virtual reality are affecting public transportation (Murray, 2019). Threats evolve quickly, and cybersecurity is always playing catch-up. For example, cybercriminals are aware of ransomware countermeasures and are already developing ransomware encrypted at the code level, which will slow down the development of countermeasures. They are also rewriting ransomware code to infect the firmware of computing devices and to ensure perpetual presence in the victim’s environment. Once the device is infected, the hardware must be either replaced or sent back to the factory to reinstall the firmware (Ching, 2021). Today, cybersecurity is not about getting marginally better. Sophisticated hackers and easily available shared techniques are creating new methods for embedding malware in networks, remaining undetected for long periods, and stealing data or disrupting critical systems (Counter- measures Assessment & Security Experts, LLC, and Western Management and Consulting, LLC, 2020). Only four in 10 public sector respondents are very confident in their team’s ability to keep up with today’s evolving threats (SolarWinds, 2020). Systems users need access to an increasing number of devices, and everything—remote PCs, smartphones, tablets, IoT sensors, containers, virtual systems, and cloud resources—is susceptible to attack. As 2020 demonstrated, new situations are constantly being encountered. Approximately 40  percent of the global workforce shifted to working from home or other remote locations practically overnight. This is expected by many to continue at some level as a long-term trend. Cybersecurity strategies developed for staff working in the office within the same corporate network do not work for home environments with home routers and networks accessed by family members’ devices. A new way of operating is needed to maintain secure networks. It will require changes in behavior and new ways to verify access to data and assets (Ching, 2021).