Managing cyber risk as a transit CISO

Posted: 12 August 2020

Kyle Malo, Chief Information Security Officer (CISO) at the Washington Metropolitan Area Transit Authority (WMATA), highlights some of the key initiatives around WMATA’s new cyber fusion centre and gives his insight about adopting a cyber risk management framework.


As much as any Chief Information Officer (CIO), today’s Chief Operating Officers (COO) manage technology for transit organisations. Modern commuter rail cars have hundreds or thousands of processors managing every aspect of a train and feeding vital information back to command and control centres. The boundary of operational technology has expanded over the last few years and blurred the lines with traditional IT.

In every aspect of what we do, from passenger information, to train operations, to advertising – we are now technology companies focused on moving people.


In other, more traditional technology companies, and even in our personal lives, cyber-security has become a part of the daily narrative. Chief Information Security Officers (CISO) are on the front lines of defending transit organisations from criminal and state actors that would take advantage of any gap in our defences. Unfortunately, CISOs are still a rare breed in this sector, and resource commitment for these programs often lags behind other sectors. But cyber-security is not something you can buy or solve overnight – you are likely looking at many years just to get to a moderately safe posture.

Point one: If you manage a transit agency, commit to the cyber long game

Consider that, as transit organisations, we’ve been making investments in technologies, both information and operational, for decades. That’s decades and likely hundreds of millions of dollars, perhaps billions, spent on making transit more reliable and safer while improving the customer experience. For most major companies, a cyber-security budget of about 10 per cent of the total IT annual budget is fairly common.

However, if you’re playing catch up, your cyber program may need a healthy infusion of resources just to establish a proper baseline. Assuming you’ve spent one billion dollars over the last decade, you may need a $100 million infusion to establish your cyber posture (10 per cent of what you’ve already spent). Right about now, that probably sounds like a fantasy number. And for most of us, it probably is. But if nothing else, you have a sense of the magnitude of the problem. 


To understand why this is an expensive proposition, you must first understand that cyber-security is not just firewalls and antivirus software. Reviewing the Transportation Systems Sector Cybersecurity Framework (a Department of Homeland Security product) might give you a better sense of what you should be considering. One fundamental example of such a challenge is how “segmented” your networks are – those that manage your traditional IT versus those that provide train control. Segmentation is a technical design process that insulates your most sensitive and safety-critical systems from the public-facing parts of your network. In this one example, you may need to hire cyber-security architects and engineers to design and implement a safer model. The goal of this one initiative would be to prevent an adversary from moving across the network, perhaps from a website that allows your customers to add fare value to a card to the train command system. Ransomware in fare collection is bad, but ransomware on the control system is probably worse.

The good thing is, you can triage and slowly improve the posture with a more reasonable annual budget. Don’t be discouraged by the long road, but do appreciate the complexity of what your cyber team is trying to accomplish and why they are asking for your financial support. Through the application of a risk-based model, you can decide what needs to be funded immediately.

Point two: Have realistic budget expectations

So, what exactly has changed? How did we come to a place of potential cyber peril? Partly this is because transportation technology, like everything else in the world, is smarter and designed to be more connected. Paying close attention to the language in your procurements is essential. Every procurement that involves technology should have cyber-security minimum standards. We need to expect our suppliers to build cyber-secure technology as much as we’ve expected them to build safe technology. If we do not, then the risk and costs are borne by the transit organisation – and building security in after the fact is always more expensive.

The other major change that transit is experiencing is our desire to take advantage of data available on old technology. Perhaps you want to be more efficient about train maintenance cycles or perform analytics on schedule improvement. Data on previously inaccessible technologies can now be made available by “layering” new technology on the old. It is a simple enough solution, but it means you have just built a bridge between your business network and your operational network. This new bridge can be exploited by criminals, and your 20- to 30-year-old OT was probably never designed to play the cyber-defence game.
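The two points above (segmentation between IT and train control, and the “bridge” that layering new technology on old OT creates) are easier to reason about when the zone policy is written down and checked mechanically. The following is an added example, not code from WMATA or from this article: it models a small set of network zones, an allow-list of permitted zone-to-zone flows, a host-to-zone mapping and a handful of constructed firewall flow records, then flags individual flows that break the policy and, separately, finds whether a path from the public-facing zone to train control exists at all. All zone names, hosts, ports and log lines are constructed for illustration; in practice the zone mapping would come from an asset inventory and the flows from firewall logs. It goes one step beyond the text by checking reachability transitively, which shows that a path can survive even when every individual rule looks legitimate.

```python
"""Segmentation check across IT/OT zones.

Added example for illustration only, not code from WMATA or from the article.
Zone names, the allow-list, host-to-zone mapping and the flow-log lines are all
constructed; a real check would read zones from a CMDB and flows from a firewall.
"""
from collections import deque

# Constructed zone model (assumption): ordered from least to most sensitive.
ZONES = ["public", "corporate_it", "ot_dmz", "train_control"]

# Constructed allow-list of zone-to-zone flows. Any other cross-zone flow is a
# violation of the segmentation design.
ALLOWED = {
    ("public", "corporate_it"),      # fare portal talks to back-office systems
    ("corporate_it", "ot_dmz"),      # analytics reads a historian replica in the DMZ
    ("ot_dmz", "train_control"),     # only the DMZ jump host may reach control
}

# Constructed host-to-zone mapping (in practice: asset inventory / CMDB).
HOST_ZONE = {
    "fare-web-01": "public",
    "erp-db-01": "corporate_it",
    "analytics-01": "corporate_it",
    "historian-replica": "ot_dmz",
    "ot-jump-01": "ot_dmz",
    "train-ctl-01": "train_control",
}

# Constructed firewall flow records: src,dst,dst_port,action
FLOW_LOG = """\
fare-web-01,erp-db-01,5432,allow
analytics-01,historian-replica,443,allow
analytics-01,train-ctl-01,502,allow
ot-jump-01,train-ctl-01,22,allow
fare-web-01,train-ctl-01,502,deny
"""


def parse_flows(text):
    """Parse CSV flow records into dicts (src, dst, port, action)."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, action = line.split(",")
        flows.append({"src": src, "dst": dst, "port": int(port), "action": action})
    return flows


def zone_violations(flows):
    """Allowed flows whose (src zone, dst zone) pair is not on the allow-list."""
    bad = []
    for f in flows:
        if f["action"] != "allow":
            continue
        pair = (HOST_ZONE[f["src"]], HOST_ZONE[f["dst"]])
        if pair[0] != pair[1] and pair not in ALLOWED:
            bad.append(f)
    return bad


def zone_graph(flows):
    """Directed zone graph built from the observed allowed flows."""
    graph = {z: set() for z in ZONES}
    for f in flows:
        if f["action"] == "allow":
            graph[HOST_ZONE[f["src"]]].add(HOST_ZONE[f["dst"]])
    return graph


def lateral_path(flows, start, target):
    """Shortest zone-hop path from start to target over allowed flows, or None.

    A path can exist even when every individual flow is policy-compliant, which
    is why segmentation has to be reviewed transitively, not rule by rule.
    """
    graph = zone_graph(flows)
    parent = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in sorted(graph[zone]):  # sorted for deterministic output
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None


def remediated(flows):
    """The same flows with the policy violations removed (the 'after' picture)."""
    bad = zone_violations(flows)
    return [f for f in flows if f not in bad]


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for f in zone_violations(flows):
        print("VIOLATION:", f["src"], "->", f["dst"], "port", f["port"])
    print("path before:", lateral_path(flows, "public", "train_control"))
    print("path after :", lateral_path(remediated(flows), "public", "train_control"))
```

Run as a script, the check reports the analytics host talking straight to the train controller (the layered “bridge” from the business network into OT) as the one violation, and shows a public-to-train-control path both before remediation (two hops, through the violating flow) and after it (three hops, entirely through sanctioned flows). The second result is the point the article’s segmentation paragraph is making: if the design allows public to corporate IT, corporate IT to an OT DMZ, and the DMZ to control, then the adversary’s route from the fare website to the train command system is still there, and closing it is an architecture decision, not a firewall-rule cleanup.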

Point three: The world is changing, and transit is changing with it, exposing us to the same cyber risks as every other industry. We are living through our sector’s technology evolution!

Where should you start? A cyber-security maturity assessment is a great way to see your program’s gaps. For a modest fee, an outside consultant can spend a few weeks in your organisation and provide a comprehensive list of security gaps. Most maturity assessments produce results on a one-to-five scale, where “one” is very basic or non-existent practices and “five” is fully optimised.


Do not be shocked to discover you are at a “one” – it is common in this sector but should be eye-opening. A reasonable three- or four-year goal should be to get to “three”, a defined and realistic program. Once you set your goal, you can start having a frank budget discussion. Again, an independent consultant might help you appreciate the path ahead.

Point four: Get a cyber-security maturity assessment done

Is there a guidebook on establishing a cyber-security program? Yes! One example is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The CSF can help your CISO navigate the many elements of cyber-security and establish a program that makes sense for your entity based on its risk tolerances. He or she will be thinking about:

  • Identifying and keeping track of everything on your network. You cannot protect what you do not know about.
  • Protecting those technologies through a defence-in-depth approach. You may want to consider partnering with an external security operations provider to help monitor your network with the latest threat intelligence.
  • Detecting attacks and responding quickly to contain the adversary and recover from the attack. You do not want to be out of business for days or weeks because of a weak cyber posture.
  • Reviewing every application/system in order to apply tailored, risk-based security controls. Your HR system requires very different security than your train control system.
  • Developing corporate policies and training programs to keep pace with daily-evolving threats.

Point five: Use a cyber-security framework to guide your program

The conversation between the CISO, CIO and COO is an extremely important one. Technology is in everything we do. As a sector, we know how to have conversations about safety – and we fund safety programs to meet legal and ethical requirements. Cyber-security should be seen as an extension of your safety programs. If you couldn’t manage your safety program with three or four people, don’t expect to manage cyber with that headcount. As you trek through the cyber maturity journey, expect to hear from your CISO at least quarterly and be ready to have tough conversations about the cyber budget in the same way you’d have tough conversations about delivering safe services.


Kyle Malo is the CISO for the Washington Metropolitan Area Transit Authority (WMATA) in Washington, DC, and former CISO for the Federal Bureau of Investigation (FBI). He has spent most of his career in national security roles.