Cyber security is vital to public transport resilience.
As public transport companies update their operations to make them more efficient, they must also make them more secure. Indeed, every automated system or piece of digital infrastructure, from ticketing to track signalling, is susceptible to a cyber attack. Given this, effective cyber security measures are the foundation of secure mass transit operations.
“Quite often, public transport networks are attacked not because they’re targeted, but because they’re vulnerable.”
UITP’s Cyber Security Committee brings together experts and professionals from across the sector. The committee is working to raise awareness, provide guidance on best practices in cyber security governance and design for security, and build much-needed cyber capacity for the public transport sector.
The newest publication is Cyber Security for Small to Medium PTOs, which was released to UITP members only in February 2024. The publication introduces the topic to operators with limited experience and resources. It outlines the four key objectives essential to a successful cyber security strategy, as well as the different approaches needed for Information Technologies (IT) and Operational Technologies (OT), providing use case examples from the point of view of an IT Security Manager and an OT Security Manager.
To discuss the importance of cyber security in public transport and UITP’s impact, we spoke with UITP Cyber Security Committee Chair Paul Gwynn.
Q: How did the Cyber Security Committee start?
Paul Gwynn: In 2016, the Policy Board asked the ITSI Committee for advice on dealing with cyber security. We worked on a first report that became the Action Points: Cyber Security in Public Transport, which focused on how to get started, what to do, where to go, and the sector’s key standards. But the world has moved on in six years and so we are looking to update it this year.
As an outcome of the Action Points, cyber security was identified as an important topic and we were asked to set up a working group as a part of the Security Committee. Very quickly, cyber security became a hot topic and we received many requests with complex problems, from physical and technical security, to vulnerabilities in CCTV and radio communications. And we found that people were really uninformed when it came to cyber security.
“Almost no one had any formal structures to deal with cyber security. Worse still, lots of technology was very old, and in many cases the original equipment manufacturers were no longer in business. So people had old systems that weren’t supported and didn’t know what to do. That’s why we wrote guidance on the vulnerability of obsolescence in OT systems, CCTV, and radiotelecommunications.”
Q: How is the committee making an impact?
Paul Gwynn: Well, by publishing papers with guidelines and examples of best practice we have a big effect. For example, our report on cyber security requirements in tendering has already been used in public tenders around the world. A coming paper that I think will be very popular with operators explores risk management tools for both small and large operators. In the paper, we aim to answer practically how operators can run risk assessments on their systems.
In addition, we are deeply involved in advocacy and outreach work, such as our liaison relationship with APTA in North America and a developing relationship with ENISA, the European Cyber Security Agency. We exchange information and invite them to our Committee meetings to have a wider view on the world of cyber security.
It’s also about raising awareness and answering questions in other UITP committees. Because if you’re new to cyber security, there are lots of existing standards that can be used, but it is often difficult to understand how they apply to different modes within public transport. Many of our reports explain how the guiding principles can be used.
“In the end, our outreach work is about giving the whole public transport sector a voice and making sure our sectors are properly represented in the cyber security regulatory environment.”
Q: What are the risks of poor cyber security in public transport?
Paul Gwynn: Put simply, you could suffer loss of service. For example, the data that runs your ticketing system could be blocked by a Distributed Denial-of-Service (DDoS) attack. And then nobody can top up their cards and you have no revenue. Or if your crew rostering system becomes inoperative, then drivers don’t know their duties, and so trains don’t run and buses don’t leave the depot. These are simple problems with massive consequences.
On occasion, it might be just annoying and embarrassing, for example hackers changing the messaging on signs. But more importantly there can be a real threat to life. For instance, attacks on OT systems can affect safety-critical systems, such as signalling for railways. This is not out of the realm of possibility.
Q: Why would someone attack a public transport organisation?
Paul Gwynn: There’s a range of motivations. We hear about criminal hackers and those who use ransomware to extort money, or political groups who might usurp our information systems. But you also have disgruntled employees. Increasingly, we are seeing cyber attacks from state actors.
Quite often, public transport networks are attacked not because they’re targeted, but because they’re vulnerable. There are hundreds of cyber attacks on systems every day, people looking for ways in. So far, we have been very fortunate that public transport hasn’t been a high-profile sector for deliberate attacks.
But cyber security protects against more than just external attacks. The human factor is the biggest element of data breaches. The thing is, people make mistakes. 85% of all breaches have a human factor in them. They’re accidental. So really, a big part of what we’re dealing with is training, awareness, and testing.
Q: What is your advice for operators and authorities who want to digitise their operations, while keeping them secure?
Paul Gwynn: Ultimately, organisations have to understand and manage the risks that they have. That comes firstly from doing an audit on your whole system and then conducting risk analyses. You have to prioritise the highest risk to your system, and introduce mitigations to control and manage the risk. For instance, by introducing internal procedures, training your staff, segmenting your networks, and updating your technology. Really, what we’re talking about here is cyber security by design.
To be secure, your system has to be continuously monitored. Through the lifespan of the system, there will be many changes. And every time that there’s a change, there has to be an impact assessment of what that change means. Cyber security isn’t something you do once. It’s a whole-life process.
“Cyber security can’t be an afterthought. Not only does the design of systems have to be safe, it also has to be operated in a safe way. Ensuring this requires defence in depth.”
Q: What is the future of the Cyber Security Committee?
Paul Gwynn: With the Training Academy, we have already done five or six different training courses. Cyber security is relatively new to most operators and authorities, and that means it’s hard to recruit the right people. To help this, we want to create a UITP diploma to train staff on cyber security.
We know that many operators recruit internally. Often, they are not people with a cyber security background, just those with an interest or an ability to investigate things. We think that a UITP diploma on cyber security can help our members as well as give people a good job opportunity.
Q: Lastly, what can you tell us about the new publication from your committee, Cyber Security for Small to Medium Public Transport Operators?
Paul Gwynn: This new paper is about developing operational technology systems against new and emerging threats. There are many things going on in terms of digital transformation right now, so we want to make sure that people understand their vulnerability. In short, it’s great having this new digital setting and wanting to exchange data freely, but you have to be aware of the potential cyber threats that you’re getting into by doing this.
The report explains these threats to operators with limited experience or resources and the steps that they may take to start addressing them. It points to relevant standards and best practices with a clear and hands-on approach.