Public transit is at the heart of smart-city development. As such, agencies have a critical responsibility to develop secure digital environments to support deployment of advancements like autonomous and connected vehicles.

The push toward smart technology and delivery of autonomous vehicles (AV) puts public transportation organizations in the role of “pioneer.” Although smart technologies and AV implementation are already underway across the nation, each implementation and smart corridor development is unique.

However, one thing remains consistent in the design for each organization: those incorporating cybersecurity during project design will lower system risks.

New AV rollouts require extensive exploration into the policies, governance and infrastructure needed to set up a functional operating environment. With new technology implementations, existing digital and physical infrastructures must still be maintained. This is because system vulnerabilities grow naturally with the transition of traditional operational technology to remotely accessed Internet technology-based environments.

Now, layer these new environments with hackable elements such as sensors and electronic control units, which can be manipulated to failure or caused to act in a way not intended. The resulting systems can increase attack surfaces for criminal organizations as well as mediocre hackers—and may even threaten human life.

Therefore, as we secure new networks and systems, we must also assess legacy operations. Cybersecurity has to be a central theme in defining the future of transportation conveyances, systems and organizational culture. The cost of not doing so is too great.

There are several key planning considerations in the design and delivery of advanced transportation systems. Each phase of the analysis and system design process must integrate a cyber analysis nexus to yield risk-reducing results.

The Jacksonville (FL) Transportation Authority (JTA) is taking a secure-design approach in its AV development and integration. The agency recognizes that threats, from the electronic platforms to the software execution and interconnection with partners, can affect confidentiality, integrity and accessibility. But how is JTA overlaying security approaches to secure the system?

According to Kevin Salzer, the agency’s transportation innovation officer, “The JTA recognizes that a technology-driven shift in our transportation culture will have implications for employees and customers alike. This is why the JTA holds workshops with IT, operations and a variety of departments to understand and reduce the risk of new vulnerabilities and threats. Everyone at the JTA is a security partner and that sentiment should be shared by all agencies that are incorporating more technology into their transportation services.”

JTA pointed to recent assaults on the public sector, such as ransomware attacks. These attacks remind us that cybersecurity approaches must include all stakeholders.

In 2019 alone, multiple cities and counties had their systems locked with demands from hackers for a ransom to have their data returned. The implementation and development of a “culture of cybersecurity” might have mitigated the impact of these attacks. It would have definitely prompted adequate investment.

Additionally, the rollout of a culture of cybersecurity provides a higher probability that stakeholders live by a code of “good cyber-hygiene.” This all works to lower the risk that an employee will click on an email that allows malware into the network.

JTA also recognized that measuring organizational cyber risks is critical and subsequently invested in the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).

Joe Tenga, JTA’s chief information officer, stated, “When we set out to select a security framework, we wanted to ensure the choice would be both relevant and attainable. The chosen framework would need to be appropriate for securing critical infrastructure. We wanted to adopt a framework that could be implemented in the short term to provide meaningful security measures now, and then add to it incrementally over time to provide an even more robust security program. The CSF fits the bill for us.”

Chief Information Security Officer Tom Limber added, “The NIST CSF provides a methodology to identify, protect, detect, respond and recover from cybersecurity threats no matter where they originate. Furthermore, as part of our comprehensive DSP [Digital Security Program] plan, we have identified a path forward to adopt additional frameworks such as HIPAA [Health Insurance Portability and Accountability Act], PCI-DSS [Payment Card Industry Data Security Standard], ISO 27000 [Information Security Management Systems standard], and the full NIST 800-53. The eventual implementation of all of these frameworks will help ensure that the JTA is doing everything possible to safeguard its customers and all system data.”

Both JTA cybersecurity leaders agree it is important that organizations place demands on vendors that align new assets with the organization’s DSP. Vendors often inflate prices when security mechanisms are requested. These mechanisms include such elements as the ability to remotely identify a model number or asset description. Public transit organizations must change this paradigm by pressing vendors to meet at least the NIST standards as a condition of purchase.

Each advance in process and security approach will inform the evolution of smart technologies for the entire public transit community. However, the real advancements will come from organizations sharing cyber threat information with each other, and collectively insisting on a new cyber secure paradigm.

BY MICHAEL A. ECHOLS

Chief Executive Officer

Max Cybersecurity and International Association of Certified ISAOs

Former Cyber Director, Department of Homeland Security