Cybersecurity is vital to public transport resilience.

As public transport companies update their operations to make them more efficient, they must also make them more secure.

Indeed, every automated system or piece of digital infrastructure, from ticketing to track signalling, is susceptible to a cyberattack.

Given this, effective cybersecurity measures are the foundation of secure mass transit operations.

Quite often, public transport networks are attacked not because they're targeted, but because they're vulnerable.
Paul Gwynn
Chair UITP Cybersecurity Committee

What Does UITP Do?

UITP’s Cybersecurity Committee brings together experts and professionals from across the sector.

The committee works to raise awareness, provide guidance on best practices in cybersecurity governance and design for security, and build much-needed cyber capacity for the public transport sector.

The newest publication is Cybersecurity for Small to Medium PTOs, which was released to UITP members only in February 2024.

The publication introduces the topic to operators with limited experience and resources.

It outlines the four key objectives essential to a successful cybersecurity strategy, as well as the different approaches needed for Information Technologies (IT) and Operational Technologies (OT), providing use case examples from the point of view of an IT Security Manager and an OT Security Manager.

To discuss the importance of cybersecurity in public transport and UITP’s impact, we spoke with UITP Cybersecurity Committee Chair Paul Gwynn.

A Talk With Cybersecurity Committee Chair Paul Gwynn

Q: How did the Cybersecurity Committee start?

Paul Gwynn: In 2016, the Policy Board asked the ITSI Committee for advice on dealing with cybersecurity. We worked on a first report that became the Action Points: Cybersecurity in Public Transport, which focused on how to get started, what to do, where to go, and the sector’s key standards. But the world has moved on in six years and so we are looking to update it this year.

As an outcome of the Action Points, cybersecurity was identified as an important topic and we were asked to set up a working group as a part of the Security Committee. Very quickly, cybersecurity became a hot topic and we received many requests with complex problems, from physical and technical security, to vulnerabilities in CCTV and radio communications. And we found that people were really uninformed when it came to cybersecurity.

Almost no one had any formal structures to deal with cybersecurity. Worse still, lots of technology was very old, and in many cases the original equipment manufacturers were no longer in business. So people had old systems that weren't supported and didn't know what to do. That's why we wrote guidance on the vulnerability of obsolescence in OT systems, CCTV, and radiotelecommunications.
Paul Gwynn
Chair UITP Cybersecurity Committee

Building resilience

Q: How is the committee making an impact?

Paul Gwynn: Well, by publishing papers with guidelines and examples of best practice we have a big effect. For example, our report on cybersecurity requirements in tendering has already been used in public tenders around the world. A coming paper that I think will be very popular with operators explores risk management tools for both small and large operators. In the paper, we aim to answer practically how operators can run risk assessments on their systems.

In addition, we are deeply involved in advocacy and outreach work, such as our liaison relationship with APTA in North America and a developing relationship with ENISA, the European Cybersecurity Agency. We exchange information and invite them to our Committee meetings to have a wider view on the world of cybersecurity.

It’s also about raising awareness and answering questions in other UITP committees. Because if you’re new to cybersecurity, there are lots of existing standards that can be used, but it is often difficult to understand how they apply to different modes within public transport. Many of our reports explain how the guiding principles can be used.

In the end, our outreach work is about giving the whole public transport sector a voice and making sure our sectors are properly represented in the cybersecurity regulatory environment.
Paul Gwynn
Chair UITP Cybersecurity Committee

Threats & risks

Q: What are the risks of poor cybersecurity in public transport?

Paul Gwynn: Put simply, you could suffer loss of service. For example, the data that runs your ticketing system could be blocked by a Distributed Denial-of-Service (DDoS) attack. And then nobody can top up their cards and you have no revenue. Or if your crew rostering system becomes inoperative, then drivers don’t know their duties, and so trains don’t run and buses don’t leave the depot. These are simple problems with massive consequences.

On occasion, it might be just annoying and embarrassing, for example hackers changing the messaging on signs. But more importantly there can be a real threat to life. For instance, attacks on OT systems can affect safety-critical systems, such as signalling for railways. This is not out of the realm of possibility.

A Case Study From the Action Points

Hacker Derails Trams in Lodz, Poland

In 2008 in the city of Lodz, Poland, someone modified a television remote control to hack the tram system, taking control of a tram vehicle and the points systems.

During the incident, four trams were derailed and several others had to make emergency stops, leading to twelve people injured.

To conduct the stunt, the hacker used open source information and trespassed into tram depots to gather the necessary information and equipment.

Attacks, Breaches, and Accidents

Q: Why would someone attack a public transport organisation?

Paul Gwynn: There’s a range of motivations. We hear about criminal hackers and those who use ransomware to extort money, or political groups who might usurp our information systems. But you also have disgruntled employees. Increasingly, we are seeing cyberattacks from state actors.

Quite often, public transport networks are attacked not because they’re targeted, but because they’re vulnerable. There are hundreds of cyberattacks on systems every day, people looking for ways in. So far, we have been very fortunate that public transport hasn’t been a high-profile sector for deliberate attacks.

But cybersecurity protects against more than just external attacks. The human factor is the biggest element of data breaches. The thing is, people make mistakes. 85% of all breaches have a human factor in them. They’re accidental. So really, a big part of what we’re dealing with is training, awareness, and testing.

  • 85% of all breaches have a human factor
  • DDoS accounts for 53% of attacks in PT, say ENISA statistics
  • Ransomware makes up 19% of attacks in PT, according to ENISA

Cybersecurity Recommendations

Q: What is your advice for operators and authorities who want to digitise their operations, while keeping them secure?

Paul Gwynn: Ultimately, organisations have to understand and manage the risks that they have. That comes firstly from doing an audit on your whole system and then conducting risk analyses. You have to prioritise the highest risk to your system, and introduce mitigations to control and manage the risk. For instance, by introducing internal procedures, training your staff, segmenting your networks, and updating your technology. Really, what we’re talking about here is cybersecurity by design.

To be secure, your system has to be continuously monitored. Through the lifespan of the system, there will be many changes. And every time that there’s a change, there has to be an impact assessment of what that change means. Cybersecurity isn’t something you do once. It’s a whole-life process.

Cybersecurity can't be an afterthought. Not only does the design of systems have to be safe, it also has to be operated in a safe way. Ensuring this requires defence in depth.
Paul Gwynn
Chair UITP Cybersecurity Committee

The Committee’s Future

Q: What is the future of the Cybersecurity Committee?

Paul Gwynn: With the Training Academy, we have already done five or six different training courses. Cybersecurity is relatively new to most operators and authorities, and that means it’s hard to recruit the right people. To help this, we want to create a UITP diploma to train staff on cybersecurity.

We know that many operators recruit internally. Often, they are not people with a cybersecurity background, just those with an interest or an ability to investigate things. We think that a UITP diploma on cybersecurity can help our members as well as give people a good job opportunity.

The New Publication

Cybersecurity for Small to Medium Public Transport Operators

Q: Lastly, what can you tell us about the new publication from your committee, Cybersecurity for Small to Medium Public Transport Operators?

Paul Gwynn: This new paper is about developing operational technology systems against new and emerging threats. There are many things going on in terms of digital transformation right now, so we want to make sure that people understand their vulnerability. In short, it’s great having this new digital setting and wanting to exchange data freely, but you have to be aware of the potential cyber threats that you’re getting into by doing this.

The report explains these threats to operators with limited experience or resources and the steps that they may take to start addressing them. It points to relevant standards and best practices with a clear and hands-on approach.