In 2008 in the Polish city of Lodz, four trams derailed and several others were forced to make emergency stops, leaving 12 people injured. The cause? A teenager had hacked the tram system, using open source information and trespassing into tram depots to take control of a vehicle and the points system. It served as a graphic reminder of the importance of cyber security in today’s increasingly digital age.
Opening of systems and increasing vulnerability
Core IT systems and operational control systems, usually referred to as SCADA (Supervisory Control and Data Acquisition) systems, especially in rail, are critical because they are usually responsible for the control of operations and equipment. With the progressive opening of systems, their vulnerability, including that of SCADA systems, is now a reality that should not be ignored. According to UITP’s latest Action Points, entitled ‘Cyber security in public transport’, it is something that public transport companies must take into account and act to mitigate.
With the unprecedented pace and complexity of cyber-attacks, and the increasing digitalisation of the sector, a public transport organisation must be proactive in order to protect its critical information and systems and to fulfil its obligations to its customers.
An attack on information systems may take many forms: information and/or services may be stolen, blocked, destroyed or compromised, which makes it important to protect the confidentiality, availability and integrity of information and services. Failing to do so exposes public transport companies to the loss of money, operational capacity, image and trust.
Not simply a technical issue
Cyber security is not simply a technical issue to be solved by IT departments alone. Like other corporate risks, cyber risks need to be managed proactively by the Board, led by senior management and assured by corporate governance.
As with security in general, a successful information security management system rests upon three pillars: people (particularly awareness, training and education), policies and procedures, and physical protection.
Find out more
This topic will be addressed in detail in the workshop session "How to protect our systems - Cybersecurity for public transport" on 17 May at the UITP Global Public Transport Summit in Montréal.