APTA is recognized by both the U.S. Federal Government and the American National Standards Institute as a Standards Development Organization and the APTA Standards Program that began in 1996 now has over nine specific areas of standards development. Within this Program, APTA began to develop security standards for the industry in 2006 with the creation of three particular working groups on Infrastructure Security, Security Risk Management, and Emergency Management. These three working groups, comprised of representation from all stakeholders, continue to be very active in their production of standards and recommended practices.
With the support of the APTA Security Standards Policy & Planning Committee, the Security Standards Program approved a fourth Working Group; the Cyber Security Standards Working Group. Of central concern are the industrial control systems that monitor and control physical activities on transit rail systems.
TCRP Project J-6/Task 77 brought together transit rail systems, initially in response to the National Transportation Safety Board (NTSB) urgent recommendations made to the FTA dated July 13, 2009, NTSB Reference R-09-07. Additional NTSB recommendations of September 22, 2009, References R-09-17 and -18 (Urgent) and R-09-19, pointed to the need for research support for development of recommended practices and standards for industrial control systems and cyber security. The APTA Cyber Security Standards Working Group supports facilitation of volunteer participation (including travel support), which is necessary but not sufficient; research in depth is needed as well.
The objective of this research is to develop (1) a primer and (2) a briefing for transportation system owners and operators explaining the nature of cyber events and their operational and safety impacts. These products should contain a list of effective practices that can be used to protect transportation systems from cyber events and to mitigate damage should an attack or breach occur. The types of cyber events to be considered include cyber incidents and attacks on transit and traffic control/command centers, electronic security/surveillance systems, signal systems, control systems [such as Supervisory Control and Data Acquisition (SCADA)], and electronic signage; database breaches; phishing; and intranet and website breaches. This research is being coordinated through panel liaisons with (1) APTA standards working groups on (a) industrial control systems and (b) enterprise cyber security as well as (2) work at the Volpe National Transportation Systems Center and work by DHS/TSA.
This project is jointly funded by, and managed under, NCHRP Project 20-59 (48), Effective Practices for the Protection of Transportation Infrastructure from Cyber Incidents