The increased focus on cybersecurity threats and attacks requires the transit industry to address critical vulnerabilities in interconnected systems throughout the lifecycle of new and existing systems. Traditionally, cyber vulnerabilities are addressed and mitigated in information technology (IT) networks with relative ease; however, this statement does not apply to operational technology (OT), which suffers from many complex challenges. OT describes many critical systems responsible for sustaining availability and ensuring safe, secure, and resilient operations.

With many transit agencies adopting automated fleet management, vehicle monitoring, and health status systems, it is important to understand the cyber implications of these OT systems. The utility of automated vehicle monitoring (AVM) and health monitoring systems (HMS) requires constant availability, real-time communications, remote connections, and dashboard reporting to ensure that the system properly functions. Many transit agencies are not aware that these systems are installed in their vehicles by the manufacturers. These built-in features can present a cyber risk and an avenue of attack for a motivated threat actor. For example, on November 3, 2022, a cyber-attack at Danske Statsbaner (DSB), the largest railway operator in Denmark, caused train operations to halt. A subcontractor of DSB had provided a critical component of the train control system and later reported that a criminal hacker had compromised their network, resulting in the complete shutdown of production servers and, thus, the halt of DSB operations.

Generally, the cyber vulnerability in OT systems is not addressed until well after a vulnerability has been exploited, which can impact the safety and security of riders, operators, and transit agencies as a whole. AVM and HMS rarely undergo cyber testing to identify critical vulnerabilities before they are deployed and used in vehicles. With threat actors aggressively targeting critical infrastructure and the transportation sector, vulnerabilities in on-vehicle systems are unknown, untested, and unmitigated.

Cyber incident response (IR) is a key process in a healthy cybersecurity program and contributes to the overall governance program. IR policies and processes must be aligned in accordance with compliance frameworks, federal security directives, and cyber best practices. Within the transit industry, there is a lack of guidance to frame how an IR process, and associated policies, should be codified for an effective response. A consistent and standard IR process is critical in identifying trends within the transit agency and the greater transit community. Identifying key metrics and reporting supports the transit agency’s compliance with regulatory mandates and captures trends over time to better understand policy, procedure, or technology gaps.

An important aspect of an IR plan involves each transit agency determining how to categorize events, incidents, and the associated reporting timelines and response activities based on severity or impact. Every day, thousands of events occur on a network, any one of which may lead to the identification of an incident. The response actions for an event versus an incident vary greatly, including how and when that information is reported to governing bodies such as the Transportation Security Administration (TSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigations (FBI), or Information Sharing and Analysis Centers (ISAC).

Default event and incident categories are not institutionalized in the transit community, potentially leading to the overreporting of events or the underreporting of incidents. Overreporting events can cause undue stress on the agency’s IR team and skew the metrics collected for future improvements to the IR process. The underreporting of incidents fails to meet the requirements of federal directives and may result in decreased IR support from external parties. Each of these scenarios results in an increased cost associated with investigating an incident, identifying the root cause, and remediating the impacts of a cyber-attack.

This research aims to (1) present best mitigation practices and improvements for cyber vulnerabilities in AVM and HMS, and (2) develop recommended practices for transit incident response utilizing the best practices and requirements in other critical infrastructure sectors.