Hero picture
Blog
news

Risk management & resilience: Interview with Cyber Security Committee Chair Paul Gwynn

27/02/2024
  • Global
  • Cyber Security
  • Information management
  • Maintenance
  • Operators
  • Resilience
  • Risk analysis
  • Risk management
Cyber security in public transport

More important than ever

Cyber security is vital to public transport resilience.

As public transport companies update their operations to make them more efficient, they must also make them more secure. Indeed, every automated system or piece of digital infrastructure, from ticketing to track signalling, is susceptible to a cyber attack. Given this, effective cyber security measures are the foundation of secure mass transit operations.

“Quite often, public transport networks are attacked not because they’re targeted, but because they’re vulnerable.”
andrea
Paul Gwynn
Chair UITP Cyber Security Committee
What does UITP do?

Tackling the trends in cyber security

UITP’s Cyber Security Committee brings together experts and professionals from across the sector. The committee is working to raise awareness and provide guidance on best practices in cyber security governance, design for security, and build much-needed cyber capacity for the public transport sector.

The newest publication is Cyber Security for Small to Medium PTOs, which released to UITP members only in February 2024. The publication introduces the topic to operators with limited experience and resources. It outlines the four key objectives essential to a successful cyber security strategy, as well as the different approaches needed for Information Technologies (IT) and Operational Technologies (OT), providing user case examples from the point of view of an IT Security Manager and an OT Security Manager.

 

To discuss the importance of cyber security in public transport and UITP’s impact, we spoke with UITP Cyber Security Committee Chair Paul Gwynn.

Why cyber security is so important

A talk with Cyber Security Committee Chair Paul Gwynn

Q: How did the Cyber Security Committee start?

Paul Gwynn: In 2016, the Policy Board asked the ITSI Committee on advice on dealing with cyber security. We worked on a first report that became the Action Points: Cyber Security in Public Transport, which focused on how to get started, what to do, where to go, and the sector’s key standards. But the world has moved on in six years and so we are looking to update it this year.

As an outcome of the Action Points, cyber security was identified as an important topic and we were asked to set up a working group as a part of the Security Committee. Very quickly, cyber security became a hot topic and we received many requests with complex problems, from physical and technical security, to vulnerabilities in CCTV and radio communications. And we found that people were really uninformed when it came to cyber security.

“Almost no one had any formal structures to deal with cyber security. Worse still, lots of technology was very old, and in many cases the original equipment manufacturers were no longer in business. So people had old systems that weren’t supported and didn’t know what to do. That’s why we wrote guidance on the vulnerability of obsolesence in OT systems, CCTV, and radiotelecommunications.”
andrea
Paul Gwynn
Chair UITP Cyber Security Committee
Building resilience

How the committee helps the sector

Q: How is the committee making an impact?

Paul Gwynn: Well, by publishing papers with guidelines and examples of best practice we have a big effect. For example, our report on cyber security requirements in tendering has been already used in public tenders around the world. A coming paper that I think will be very popular with operators explores risk management tools for both small and large operators. In the paper, we aim to answer practically how operators can run risk assessments on their systems.

Read more
Cybersecurity requirements for operators and authorities in public transport tenders picture
news
Cybersecurity requirements for operators and authorities in public transport tenders

 

In addition, we are deeply involved in advocacy and outreach work, such as our liaison relationship with APTA in North America and a developing relationship with ENISA, the European Cyber Security Agency. We exchange information and invite them to our Committee meetings to have a wider view on the world of cyber security.

It’s also about raising awareness and answering questions in other UITP committees. Because if you’re new to cyber security, there are lots of existing standards that can be used, but it is often difficult to understand how they apply to different modes within public transport. Many of our reports explain how the guiding principles can be used.

“In the end, our outreach work is about giving the whole public transport sector a voice and making sure our sectors are properly represented in the cyber security regulatory environment.”
andrea
Paul Gwynn
Chair UITP Cyber Security Committee
Threats & risks

Why cyber security is vital

Q: What are the risks of poor cyber security in public transport?

Paul Gwynn: Put simply, you could suffer loss of service. For example, the data that runs your ticketing system could be blocked by a Distributed Denial-of-Service (DDoS) attack. And then nobody can top up their cards and you have no revenue. Or if your crew rostering system becomes inoperative, then drivers don’t know their duties, and so trains don’t run and buses don’t leave the depot. These are simple problems with massive consequences.

On occasion, it might be just annoying and embarrassing, for example hackers changing the messaging on signs. But more importantly there can be a real threat to life. For instance, attacks on OT systems can affect safety-critical systems, such as signalling for railways. This is not out of the realm of possibility.

A case study from the Action Points

Hacker derails trams in Lodz, Poland
Attacks, breaches, and accidents

How cyber security incidents happen

Q: Why would someone attack a public transport organisation?

Paul Gwynn: There’s a range of motivations. We hear about criminal hackers and those who use ransomware to extort money, or political groups who might usurp our information systems. But you also have disgruntled employees. Increasingly, we are seeing cyber attacks from state actors.

Quite often, public transport networks are attacked not because they’re targeted, but because they’re vulnerable. There are hundreds of cyber attacks on systems every day, people looking for ways in. So far, we have been very fortunate that public transport hasn’t been a high-profile sector for deliberate attacks.

But cyber security protects against more than just about external attacks. The human factor is the biggest element of data breaches. The thing is, people make mistakes. 85% of all breaches have a human factor in them. They’re accidental. So really, a big part of what we’re dealing with is training, awareness, and testing.

  • 85% of all breaches have a human factor
  • DDoS accounts for 53% of attacks in PT, say ENISA statistics
  • While ransomware makes up 19% of attacks in PT, according to ENISA
Cyber security recommendations

Paul Gwynn’s advice

Q: What is your advice for operators and authorities who want to digitise their operations, while keeping them secure?

Paul Gwynn: Ultimately, organisations have to understand and manage the risks that they have. That comes firstly from doing an audit on your whole system and then conducting risk analyses. You have to prioritise the highest risk to your system, and introduce mitigations to control and manage the risk. For instance, by introducing internal procedures, training your staff, segmenting your networks, and updating your technology. Really, what we’re talking about here is cyber security by design.

To be secure, your system has to be continuously monitored. Through the lifespan of the system, there will be many changes. And every time that there there’s a change, there has to be an impact assessment of what that change means. Cyber security isn’t something you do once. It’s a whole-life process.

“Cyber security can’t be an afterthought. Not only does the design of systems have to be safe, it also has to be operated in a safe way. Ensuring this requires defence in-depth.”
andrea
Paul Gwynn
Chair UITP Cyber Security Committee
The committee's future

Committed to leading the way

Q: What is the future of the Cyber Security Committee?

Paul Gwynn: With the Training Academy, we have already done five or six different training courses. Cyber security is relatively new to most operators and authorities, and that means it’s hard to recruit the right people. To help this, we want to create a UITP diploma to train staff on cyber security.

We know that many operators recruit internally. Often, they are not people with a cyber security background, just those with an interest or an ability to investigate things. We think that a UITP diploma on cyber security can help our members as well as give people a good job opportunity.

Read more
New UITP taskforce on workforce shortage tackles transforming labour market picture
news
New UITP taskforce on workforce shortage tackles transforming labour market
The new publication

Cyber Security for Small to Medium Public Transport Operators

Q: Lastly, what can you tell us about the new publication from your committee, Cyber Security for Small to Medium Public Transport Operators?

Paul Gwynn: This new paper is about developing operational technology systems against new and emerging threats. There’s many things going on in terms of digital transformation right now, so we want to make sure that people understand their vulnerability. In short, it’s great having this new digital setting and wanting to exchange data freely, but you have to be aware of the potential cyber threats that you’re getting into by doing this.

The report explains these threats to operators with limited experience or resources and the steps that they may take to start addressing them. It points to relevant standards and best practices with a clear and hands-on approach.

Discover the insights of the paper! Members only

Want to
become a member
This website uses cookies

This website uses third-party website tracking technologies to give you the best experience, help us understand and continually improve how the site works, and to display advertisements according to users' interests. You consent to the use of our cookies by continuing to browse this website.

Cookies page
  • Essentials Essentials

    Those cookies are essentials to the functioning of the site and cannot be disabled in our systems. They are generally set as a response to actions you take that constitute a request for services, such as setting your privacy preferences, logging in, or filling out forms. You can set your browser to block or be notified of these cookies, but some parts of the website may be affected. These cookies do not store any personally identifying information.

    cloudflare

    Cloudflare uses various cookies to maximize network resources, manage traffic, and protect our customers’ sites from malicious traffic.

    epic-cookie-prefs

    Cookie that remembers the user’s cookie settings preferences. It allows to avoid asking the user about their preferences each time they visit the website.

  • Performance

    This Google Analytics cookie is used to persist session state. Google Analytics is a web analytics service offered by Google that tracks and reports website traffic anonymously.

    _ga

    This Google Analytics cookie is created when you first visit our site. It contains the version of Google Analytics, a randomly generated ID and a datetime group of your first visit. Google Analytics is a web analytics service offered by Google that tracks and reports website traffic anonymously.

    _ga_(STREAM ID)

    This Google Analytics cookie is used to persist session state. Google Analytics is a web analytics service offered by Google that tracks and reports website traffic anonymously.

This website uses cookies

We use cookies and similar techonologies to adjust your preferences, analyze traffic and measure the effectiveness of campaigns. You consent to the use of our cookies by continuing to browse this website.