Fighting cyber threats

In the realm of public transport security we are accustomed to identifying crime, public disorder and vandalism as security incidents that can be recognised and reported, with measures implemented.

We have even learned to deal with terrorist threats and, unfortunately, executed attacks. Cyber threats, however, are often still ‘intangible’ and perceived as difficult to fight.

Cyber security could be seen as a technical challenge only, approached with a technical solution like that of new software or hardware, etc. A lot of suppliers develop new technology specifically to fight cyber threats and this is an important support for the sector, best developed in collaboration between industry and operators.

However, a lot of aspects have to be tackled by the operators themselves – i.e. the users. The IT landscape has changed dramatically in recent years, but also the speed of the change has dramatically improved. As an example, information data today is stored on various servers around the world and no longer owned by the user.

The typical IT landscape consists of three parts: the classical operations control systems, like SCADA systems; the Enterprise information and business systems; and customer facing and external, often subscribed systems, with different protection levels. It is no longer the case that all devices are owned by the system operator – instead devices and servers can be external. Subscribed systems open our interfaces for external systems and users – and people and customers are connected to our systems via their own device. This significant development brings new challenges when fighting cyber attacks.

The variety of attacks is huge, such as via information interfaces like Email, but also USB sticks that could also bypass possible ’air gaps‘ on systems in all three parts, which seemed to be safe and secure. This shows that general awareness on the topic needs to be raised for all users of its systems. The messenger of the attack can be sitting close by in the next office! Cyber attacks appear in various manifestations, be it malware, ransom ware, time delayed attacks, system attacks, etc., and very often there is no specific target, but a general attack on specific IT system characteristics. We can appreciate, therefore, that the goals of protecting a system cannot be achieved by the IT departments alone. Cyber security needs to become a common goal as part of the company’s governance policy, as is the case for other risks.

Public transport must also face this new danger; there are no ’per se’ safe and secure systems. It is important to conduct risk assessment procedures on information security topics; raise the awareness of all users about the threat of an attack; make it a governance topic and install adequate measures for prevention, resilience and response and join various security experts to best react to this new challenge.

Biography
Thomas Kritzer is currently Head of the Operations Control and Customer Service Business Unit at Wiener Linien. Prior to this (until June 2016) he was Head of the Security and Service Department, which remains part of Thomas’ current Business Unit. The Security and Service Department is responsible for security issues concerning customers, staff, operations and infrastructure, as well as for strategic security developments, crisis management and security risk management. The department is also in charge of ticket inspection, CCTV analysis, analysis of security incidents and prevention. Since 2008 Thomas has been a member of Wiener Linien’s staff for Crisis Management and has participated in the organisation’s risk analysis process. Thomas has also been a member of the UITP Security Commission since 2008 (he was its Vice-Chairman between 2009 and 2011 and its Chairman between 2011 and 2015).