SmartCitiesWorld talks to Barry Einsig, global automotive and transportation executive at Cisco, about the implication of cyber threats and how to address the challenges
The transportation section’s findings of the Cisco 2017 Midyear Cyber security Report are based on 180 responses from chief information security officers and security operations professionals in the industry, who participated in the Cisco 2017 Security Capabilities Benchmark Study.
The threats included:
SmartCitiesWorld (SCW) spoke to Barry Einsig (BE), global automotive and transportation executive at Cisco, about the implication of these threats for smart cities and addressing the challenges they throw up.
SCW: How could these transportation security threats impact smart cities?
BE: Transportation across all modes is a vital service in all smart cities. Traditionally cities’ transportation infrastructure has been built on closed, proprietary systems, today smart cities are increasingly moving toward more digitised, connected transportation infrastructure. They’re doing this because of the many benefits connected transportation provides citizens, such as improved safety, faster response times for emergency responders, timelier infrastructure repairs, improved traffic flow and even reduce CO2 emissions.
However, as cities have adopted increasingly connected and more complex transportation systems, the attack surface has grown and new threats are coming to light. As more of a city’s transportation infrastructure – such as traffic lights, road sensors, mass transit rail or bus, ports, and airports systems – become connected to the network, cybercriminals are increasingly able to attack not only the information technology, but also the operational technology that runs a city’s signaling and control systems. This means cybercriminals could potentially cause significant disruptions by shutting down public transit services, altering traffic signals or otherwise remotely operating pieces of the city’s transportation infrastructure.
When Cisco surveyed 180 security professionals working in the transportation sector around the globe, we found that they are indeed wary of these growing threats. More than one-third of the security professionals we surveyed said that advanced persistent threats (APTs) and the proliferation of BYOD and smart devices were high security risks to their organisations. In addition, 59 percent said that cloud infrastructure and mobile devices are among the most challenging risks to defend against attacks.
Additionally, monitoring and defending against the sheer volume of attacks will increasingly be a challenge for smart cities with connected transportation systems. Thirty-five percent of the transportation security professionals we surveyed said they see thousands of daily alerts, of which only 44 percent are investigated. Of the alerts investigated, 19 percent are deemed legitimate threats—but only 33 percent of legitimate incidents are remediated.
As cyber security threats continue to increase, smart cities will need more experienced security personnel and robust security policies and procedures in place for not only defending against attacks, but also for how to respond and remediate after an attack.
SCW: Who should be devising policies to deal with them and what are the challenges of this?
BE: Rather than creating policies and procedures from scratch, transportation officials should leverage the best practices and reference frameworks that already exist. For example, they should use the reference designs for connected and automated vehicle systems provided by the Department of Transportation and the Framework for Improving Critical Infrastructure Cyber security from the National Institute of Standards and Technology (NIST) when architecting their networks and systems in order to make them as secure as possible. They can also join an information sharing and analysis center (ISAC) such as the surface transportation ISAC, which can help them keep an eye on the latest threats. There are also professional organisations that help create standards for specific sub-segments within the transportation industry, including for roadways, railways, mass transit, etc.
SCW: Regarding the talent shortage, do you think the threats are so complicated and pertinent to each vertical area, that we need to develop security professionals for each vertical sector?
BE: There is a degree of specialisation that will be necessary for security professionals working in the transportation sector, but the fundamental cyber security knowledge and capabilities should be the same, regardless of the vertical sector.
To navigate the evolving threat landscape, transportation organisations will need to be able to recruit, compensate and retain high-calibre security personnel in order to protect critical national and local infrastructure. However, it’s unclear whether they will be able to do so. Twenty-nine percent of respondents said they believe a lack of trained personnel is already a major obstacle to adopting advanced security processes and technologies. As the threats get even more sophisticated and specific, the likelihood they’ll be able to attract the right talent could decline even further.
Industry trade organisations can be helpful for training cyber security professionals on the industry-specific threats and for teaching the best practices that are unique for the transportation industry.
SCW: In Cisco’s experience to date, are organisations outsourcing responsibility for cyber-security rather than taking the trouble to understand it themselves? And have you observed a difference in attitude between the private and public sector?
BE: Generally speaking, transportation organisations are keeping their cyber security responsibilities in-house to the greatest extent possible and only outsourcing it where they don’t have the necessary skill set, or sufficient staff. This seems to be consistent whether an organisation is in the public or the private sector. In my observations, most organisations try to rely on in-house resources to the extent they can, but when they encounter an inability to recruit or retain the right talent, then they turn to outsourcing. Additionally, they sometimes turn to outsourcing because it can be more both cost effective and more successful to partner with security and technology companies that specialise in building robust security programmes and defending against these types of threats.
It should be noted that transportation organisations are taking security seriously. Seventy-five percent of the transportation organisations we surveyed have a security operations centre (SOC), and 14 percent said they plan to create an SOC. In addition, nearly 90 percent of the security professionals said their organisations participate in a security standards body or industry organisation, such as PT-ISAC or ST-ISAC. Nearly 80 percent said their organisations run attack simulations at least once every quarter and almost half said that the results of the attack simulations drove significant improvements in security policies, procedures and technologies.
SCW: If an organisation takes the outsourcing route, what are some of the questions they should be asking a supplier?
BE: They should ask the typical questions around consolidation with other similar customers in the transportation industry, ask for references, 24 x 7 operations, redundancy, certifications of employees, background checks, etc. These are the types of questions that any organisation should ask of the suppliers they work with, especially when it comes to cyber security.
If you enjoyed this, you may wish to view the following:
Autonomous car partnership aims to reduce hacking risk
Municipalities in France, Germany, Italy, Portugal and the Netherlands plan to introduce the vehicles for commercial use in 2017 and 2018
Dubai’s Road and Transport Authority (RTA) opts for Ericsson
The new agreement is expected to have a major impact on the RTA’s end user experience and will further develop Dubai’s smart transportation services