National Academies Press: OpenBook

Cybersecurity in Transit Systems (2022)

Chapter: Chapter 4 - Summary of Findings

Suggested Citation: "Chapter 4 - Summary of Findings." National Academies of Sciences, Engineering, and Medicine. 2022. Cybersecurity in Transit Systems. Washington, DC: The National Academies Press. doi: 10.17226/26475.

Summary of Findings

This chapter concludes the report with summaries of the key findings and suggests additional research in transit cybersecurity and related areas.

Findings

The purpose of TCRP Synthesis 158 is to identify and document emerging cybersecurity trends affecting transit agencies now and in the near future as a consequence of the acceleration of the digital transformation stimulated by the global pandemic of 2020–2021. The study uncovered many such trends, but agency surveys, industry prognosticators, and federal regulators consistently identified five inter-related trends:

• Cyber resilience, including cyber insurance
• Third-party cyber-risk management, including cyber supply chain risk
• Cybersecurity of location-agnostic access (e.g., remote work/teleworking/“work-from-home”)
• Zero-trust computing architectures supporting contactless customer applications, including real-time and on-demand information and services
• Cybersecurity governance and workforce

The objective of the synthesis is to highlight innovative approaches, successes, lessons learned, and challenges in these areas.

The six-month period from March to September 2020 shattered the status quo in almost every industry and infrastructure sector in the country. Goaded by the twin prods of public health imperatives on one hand and the imperative to keep providing essential services to the economy and the country on the other hand, sector after sector replaced the older, riskier ways of doing business with a digital replacement as rapidly as possible. The transit industry was not spared from this upheaval. Contactless customer services replaced traditional fare box and ticketing transactions; transit-on-demand augmented or replaced fixed-route service; the nomadic remote worker, immersed in a new digital environment replete with social media, group conferencing tools, and VPN access to cloud-based applications and data, replaced the fixed-office IT network with its centralized IT approaches and enterprise-controlled access to resources.

Global Findings have been synthesized from the authors’ holistic exposure to the literature and to the transportation and IT industries.

Global Finding 1. Very few agencies were planning for or prepared for the scale, scope, or timing of this transformation.

Global Finding 2. The ad hoc nature of the transformation exposed or created a number of previously unknown cyber vulnerabilities that in many cases have not yet been mitigated.

Global Finding 3. Adversaries and criminals also quickly adapted to this new computing ecosystem and dramatically increased the frequency and severity of attacks resulting in significant consequences, such as the Colonial Pipeline shutdown in May 2021.

Global Finding 4. In many transit agencies, pre-transformation cybersecurity architectures, policies, training, tools, skill sets, and other resources provide inadequate protection against these attacks.

Global Finding 5. Critical infrastructures, including transit, are not as reliable, resilient, or secure as assumed by elected officials, regulators, operators, or customers.

Global Finding 6. As transit services become even more digital, this lack of resilience and security will become even more apparent and may ultimately threaten health and safety, physical assets, and system availability.

Global Finding 7. Next-generation cybersecurity approaches are being introduced in other industries and in infrastructure sectors and are being promoted by federal regulators and the insurance industry.

Specific Findings have been synthesized from contemporary news reports, existing TRB research reports, recent government and industry standards, recent industry (i.e., cyber, transportation and transit) surveys, and case examples.

Specific Finding 1. There is a limited amount of transit-specific guidance and very little current cybersecurity guidance available for transit agencies. The most recent APTA-Recommended Practices related to cybersecurity were published in 2019. The previous Recommended Practices were published in 2016 or earlier. There is no transportation-specific, let alone transit-specific, guidance to assist agencies in developing cybersecure procurement processes, particularly when procurements involve third- or fourth-party components or vendors.

Specific Finding 2. Cybersecurity is not a priority in many transit agencies, as evidenced by the lack of investment or additional staffing and the unwillingness to change behavioral norms.

Specific Finding 3. Experiencing a cyber incident made no difference in agency budgets or staffing. A recent survey found no significant differences in cybersecurity budgets or staffing between agencies with or without a previous cyber incident.

Specific Finding 4. Currently, compliance audit results, in addition to the number of incidents detected, compliance goals met, and threats averted, are the metrics used by most public sector organizations to measure the success of their organization’s IT security team. These performance measures are insufficient in a mature cybersecurity-conscious organization.

Specific Finding 5. While agency use of cyber insurance is increasing, this tactic may be used to avoid making internal cybersecurity investments. Insurers are aware of this behavior and are raising underwriting requirements and premiums to discourage it.

Specific Finding 6. The true risks associated with third- and fourth-party vendors and digital goods are unknown but assumed to be both large and growing. Almost no transit-specific guidance exists to assess, manage, and mitigate this risk.

Specific Finding 7. Recruiting, onboarding, and retaining qualified cybersecurity employees will continue to be a significant challenge for all organizations. Small and medium-sized transit agencies may not be able to successfully compete in this environment and will need to develop more creative and flexible solutions to address this challenge.

Suggestions for Further Research

The following suggestions for further research have been derived from knowledge gaps identified by the lessons learned and from the challenges documented in Chapters 2 and 3. The research needs documented in this section are not ranked in any significant order, and no order should be inferred.

Given the increasing reliance on third-party relationships by transit agencies, there is an urgent need for procurement guidance across the entire spectrum of cybersecurity goods and services. Guidance needed includes

• How to vet a potential third- or fourth-party contractor, consultant, or vendor;
• Relatedly, how to vet an OT or IT software or hardware component;
• How to develop cybersecurity procurement specifications across a variety of IT and OT components or personnel; and
• How and when to purchase cyber insurance.

Another major knowledge gap identified by public agencies is the gap in employee knowledge and skill sets. Agencies do not have employees with the requisite cybersecurity skills and are increasingly unable to recruit, on-board, and retain them for a variety of reasons. This dilemma can be resolved using either of two strategies: outsource the task(s) or upskill the workforce. Outsourcing leads to the procurement knowledge gaps just discussed, while upskilling identifies a new set of gaps:

• What is zero-trust architecture, and how do you transition legacy systems to it?
• What are recommended policies and practices for the remote worker, including draft policies on bring-your-own-device?
• How can the agency incorporate a cyber resilience perspective into existing emergency management plans, procedures, and personnel training?
• Need for transit-specific cyber incident management workshops, tabletop exercises, drills, functional exercises, and full-scale exercises.

The COVID-19 pandemic is having a profound effect on every infrastructure sector in North America, including transit systems, and on the information technology and operational technology systems that are embedded in their ongoing operations.

The TRB Transit Cooperative Research Program's TCRP Synthesis 158: Cybersecurity in Transit Systems identifies and documents emerging cybersecurity trends related to teleworking/remote worker offices, contactless customer services, real-time information services, transit-on-demand services, and cyber resilience affecting transit agencies now and in the near future as a consequence of the digital acceleration stimulated by the global pandemic of 2020–2021.
