As railroaders work to secure their growing network of digital assets, they’ll need to keep a close eye on several key threats, including risks posed by their own employees and software vendors, information technology (IT) execs say. With access to a range of confidential information, employees can compromise the security of railroads’ numerous systems and databases — whether they intend to or not.
Last year, insider abuse of data led to nearly 10,500 “security incidents” — that is, any event that compromised the integrity, confidentiality or availability of an information asset, according to Verizon Enterprise Solutions’ 2016 Data Breach Investigations Report. The report, which examined more than 100,000 security incidents across several industries, also found that about 11,300 cases stemmed from “unintentional actions,” such as employees sending emails or documents to wrong recipients.
“The disgruntled insider is a principal source of computer crime,” APTA’s report states. “Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal system data.”
To mount a better defense against insider threats, rail leaders are exploring a number of cybersecurity strategies, which range from establishing better password protocols to conducting more rigorous background checks of new employees. They’re also striving to keep their employees abreast of any new cybersecurity threats through continued training and awareness programs.
For CN, bolstering cybersecurity ultimately is a “people process,” says Vice President and Chief Information Officer Serge Leduc.
“You could have invested in the best technology, but if you have not raised the awareness level at the right place within your organization, you can be a victim,” he says. “Technology is not the answer to everything.”
CN’s Corporate Information Security Unit (CISU) is one way the railroad promotes cybersecurity awareness among all its employees. The group’s “information security awareness campaign” aims to keep CN workers up to date on various cyber attacks, as well as ways to avoid them. In addition, the CISU is responsible for developing policies and standards, conducting risk assessments, and carrying out incident responses and investigations.
Amtrak IT execs also provide continuous training for staff on the latest attacks and techniques, said Chief Information Security Officer Ron Baklarz in an email.
“We monitor many open source intelligence sources on a daily basis to keep abreast of new and emergent issues,” he said.
Meanwhile, CN carefully monitors its dealings with third-party software distributors. Many vulnerabilities in the cybersecurity realm stem from companies working with third parties, Leduc says.
“We’re making sure we have some checks and controls with the external suppliers,” he adds.
Public transportation agencies also need to do their due diligence when vetting third-party vendors, says David Hahn, APTA’s senior program manager of safety and security. That vetting is especially important as agencies begin introducing mobile ticketing apps, which often are built by outside companies.
As part of their investigations into any new vendors, transit agencies should take the time to find out if the companies have ever been hacked, and if so, how they responded, Hahn says.
Cybersecurity firm LGS Innovations LLC also advises its clients to keep close tabs on software provided by third parties. If the developers who built those programs have ulterior motives, they could provide a “backdoor” into a railroad’s computer systems, says LGS Innovations Chief Executive Officer Kevin Kelly.
Read more of Daniel Niepow’s piece on Progressive Railroading.