In a world peppered with terms such as the ‘Internet of Things’ and ‘open source’, we’re encouraged to share and adopt interoperable systems and protocols that make data easy to transfer. But as demand for interconnectivity grows in public transport control, traffic and information systems, we also expose ourselves to a greater risk of cyber-attack. Recent figures suggest that over four billion data records were compromised in 2016, an increase of 400% year-on-year.1
The benefits of interconnected systems are obvious: more harmonised co-ordination of road and rail networks for operation and maintenance and greater access for passengers to real-time information about not only the service they are travelling on, but also the next leg of their trip. This is great for the ‘door to door’ journey, yet it’s one thing to look after your own IT – but what about the systems of multiple suppliers and partners? And what protections and liabilities do we have if we’re opening our networks to others?
In other industries, attacks on essential infrastructure have emerged as serious and disruptive threats as more and more tailor-made trojans and malware are found each week that are designed to sabotage, collect information or hold organisations to ransom.
Digital security should therefore be approached in terms of worst-case ‘when’, not ‘if’, scenarios for all stakeholders in the transport industry. One only has to look at the petabytes of data generated by some of the bigger light and urban rail systems, and at their multiple interfaces, to see that every endpoint (each mobile device, each sensor, each ticket machine, each networked CCTV camera) is a potential point of entry. This includes operational systems, control centres and depots, signalling and telecommunications networks as well as the corporate systems of operators and infrastructure providers and shared systems used by designers, consultants and suppliers. Add in the fact that data is now routinely shared across geographical borders and the scale of the challenge soon becomes apparent.
Every hour, huge amounts of sensitive customer data is also being transmitted and received, often wirelessly, including names, addresses, email and phone contacts and bank account details. This happens whenever a passenger purchases or uses a ticket, or logs onto onboard Wi-Fi.
This article is designed to provide a general overview of cyber threats and, importantly, the new compliance landscape surrounding it that will come into force in May 2018.
Major attacks on infrastructure
In January 2010, International Atomic Energy Agency inspectors visiting a uranium enrichment plant in Iran found that the centrifuges used to enrich uranium gas were mysteriously failing – and at an unprecedented rate. Five months later, in a seemingly unrelated case, a Belarusian digital security firm was called in to investigate a series of computers in the country that were repeatedly crashing and rebooting themselves. Detailed analysis uncovered a handful of malicious files that led to the discovery of the world’s first purpose-built cyber weapon – Stuxnet.
Unlike most malware, the Stuxnet worm does little harm to apparatus that doesn’t meet specific configuration requirements; instead it has a clearly defined purpose in targeting specific systems to make them fail. Over the following months, amid rumours of nation state involvement, Stuxnet sent shockwaves throughout the world of industrial automation.
Since then we have seen a large-scale attack on a German steel mill in 2015 that resulted in a blast furnace malfunction causing “massive”, although unspecified, damage. Then there was the hack on Sony Pictures in 2014 that wiped out half of the company’s global network. This targeted attack copied and then erased data on thousands of personal machines and servers, overwriting it in seven different ways to make recovery near impossible. To make matters worse, it then rendered the operating systems of those machines useless – effectively killing them. The fallout for the studio was immense, reducing communication to fax and posted messages and resulting in its 7000 employees having to be paid with paper cheques.
Over the following weeks nine batches of confidential files were released via public file-sharing sites, including unfinished scripts, executives’ emails and salary details. Five unreleased films were leaked to piracy websites. Sony estimated it cost USD35m to repair its IT and financial infrastructure2 – the reputational damage arguably went far beyond.
UK telecoms provider TalkTalk fell victim to two major breaches in 2015 and 2016, where data was stolen from central servers in one attack and malware infected the routers of hundreds of thousands of its customers in another. The company was eventually fined GBP400 000 for failing to take basic steps to protect customer data.3
In probably the biggest single incident, Yahoo announced last year that one billion customer accounts were compromised by hackers in 2013 using forged cookies (small pieces of data that a website stores in the user’s browser so it doesn’t require a new login with every subsequent visit).
Even governmental bodies are subject to attack. More than 200GB of data was downloaded from the US Department of Justice’s internal network in early 2016, including details of job titles and contact details for around 30 000 federal employees, and exposing 1 797 special agents and a task force deputy director.4
For public transport, every endpoint creates a connection that could permit a two-way flow of data, so it is vital that these gateways are unidirectional. Passengers have access to certain information from the control area – estimated times of arrival and service speeds, for example – but they should not be able to send anything back the other way that could interfere with critical systems.
High-profile attacks on urban rail networks over the last 18 months include targeted attacks in Ukraine in June 2016 and October 2017 that disabled government, postal, utilities and banking systems, also leaving passengers on the Kyiv metro unable to pay for tickets using bankcards. Later that year, hackers caused significant disruption to San Francisco’s MUNI light rail service by bringing down its ticket machines; customers were greeted by “Out of Service” and “Metro Free!” notices, leaving the operator with little choice but to offer free rides for two days.
It is likely that many more attacks go unreported and, fortunately, none of those that did make the news affected safety-critical systems. Probably the closest was the 2008 case in which a 14-year-old boy took control of the infrared signals used to set points on the tramway in Łódź, Poland’s third-largest city. Using a home-made device adapted from a universal remote control, he found that the signal sent to one set of points could be recorded and played back at another location.
Although crude, this attack was effective as the teenager was able to ‘control’ the points outside his home as trams passed, derailing four, causing several others to make emergency stops and injuring 12 passengers in the process.
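The Łódź case worked because the point-setting signal carried nothing that tied it to a moment or a place, so any recording could be played back at will. The Python example below is added here and is not taken from the article or from any tramway product; it shows the two receiver-side checks that defeat this kind of replay: every command carries a monotonically increasing counter and a keyed HMAC that also binds the identity of the target points. The frame layout, the shared key and the point numbers are constructed assumptions for the example.

```python
import hashlib
import hmac
import struct

# Constructed key for the example only; a real deployment provisions a
# secret per interlocking/point-machine pair and never hard-codes it.
KEY = b"constructed-example-key-do-not-use"

POSITION_NORMAL = 0
POSITION_REVERSE = 1

# Frame layout (assumed for the example): point id (2 bytes), requested
# position (1 byte), monotonic counter (4 bytes), then a 16-byte HMAC tag
# computed over those 7 bytes. Binding the point id into the tag means a
# frame recorded at one set of points is not valid at another.
BODY_FORMAT = ">HBI"
BODY_LEN = struct.calcsize(BODY_FORMAT)
TAG_LEN = 16


def encode_command(key: bytes, point_id: int, position: int, counter: int) -> bytes:
    """Transmitter side: build an authenticated, counter-stamped frame."""
    body = struct.pack(BODY_FORMAT, point_id, position, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class PointController:
    """Receiver side: acts only on fresh, authentic frames addressed to it."""

    def __init__(self, key: bytes, point_id: int):
        self.key = key
        self.point_id = point_id
        self.last_counter = 0      # highest counter accepted so far
        self.position = None       # current point position, None until set

    def receive(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; verify authenticity before parsing anything.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        point_id, position, counter = struct.unpack(BODY_FORMAT, body)
        if point_id != self.point_id:
            return "rejected: wrong point"
        # A replayed frame carries a counter this receiver has already seen.
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        self.position = position
        return "accepted"


def demo() -> list:
    """Genuine command, same frame replayed, frame replayed elsewhere, tampered frame."""
    point_17 = PointController(KEY, point_id=17)
    point_42 = PointController(KEY, point_id=42)
    frame = encode_command(KEY, 17, POSITION_REVERSE, counter=1)
    tampered = frame[:2] + bytes([frame[2] ^ 0x01]) + frame[3:]  # flip the position byte
    return [
        point_17.receive(frame),     # accepted
        point_17.receive(frame),     # rejected: replay
        point_42.receive(frame),     # rejected: wrong point
        point_17.receive(tampered),  # rejected: bad tag
    ]


if __name__ == "__main__":
    print(demo())
```

The legacy receiver in the Łódź case had neither check, which is why a recording made in one place could be played back in another.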
Ransomware wreaks havoc
The Kyiv and San Francisco attacks demonstrate the increase in incidents that combine damage and disruption with a demand for money – usually digital currency in the form of Bitcoin. Among the most damaging were the widespread WannaCry ransomware attacks that hit the UK’s National Health Service, Spain’s Telefónica, global logistics firm FedEx and Germany’s Deutsche Bahn – amongst many other organisations around the world – in May 2017. WannaCry sought out a weak point in legacy software, in this case the Windows XP operating system. Worryingly, it is estimated that as many as 14% of desktop PCs still use Windows XP 5, an operating system that hasn’t been supported by Microsoft since April 2014 – no support means no security updates and no technical backup.
Because digital technology changes so rapidly, it is crucial to closely manage any point at which new equipment has to interface with legacy software.
Kevin Bell, partner at Womble Bond Dickinson, expands upon the threats: “Ransomware is currently one of the most common threats we see, where a computer is infected with malware which encrypts files and locks down systems unless a ransom is paid. The most common method, however, is social engineering, psychological manipulation of one person by another into performing actions or releasing confidential information.
“Then there are the various forms of telephone scam, where fraudsters call up – often sounding perfectly legitimate – to obtain information in order to extort money or gain access to sensitive systems. In email form, phishing or whaling, genuine looking emails or websites are used to extract passwords or other information useful to the cybercriminal.
“We also see a lot of invoice scams where people are made to change account details or redirect future payments without realising that the request may come from a less than reputable source. A further growing trend is ‘CEO fraud’, where fraudsters impersonate or spoof a senior manager’s email account to send messages to customers to procure urgent payments to a specified account of their choosing.”
Bell continues: “There are five main risks, or areas of damage, for public transport operators. First, there are the regulatory penalties, and key changes in the law over the next 12 months will make these even more punitive in an attempt to make those holding data take the issue more seriously.
“There’s then the potential for a breach of contractual obligations with a concession letting authority or other key stakeholders. More publicly, you have issues of reputational or brand damage as nobody wants to be associated with a cyber security breach.
“From the passenger side, you may get complaints and claims arising from leaks in personal data. Add to that the management time, loss of business or commercial advantage and, in the worst-case scenario, personal injury or even fatalities as a result of malfunctioning systems. These are all critical issues.”
The European Union’s General Data Protection Regulation (GDPR) will apply to organisations in all member states from 25 May 2018 with the key objective of increasing accountability in the handling of personal information.
The GDPR will enforce stricter obligations on data security and we will all be expected to put in place enhanced safeguards. To remain compliant, it is therefore important to enforce tighter policies governing access control, internet and mobile device usage and establish clear responsibilities for data retention and usage.
Organisations should conduct a Privacy Impact Assessment (PIA) to determine whether each endpoint is aligned with the GDPR. The results could be mapped to asset registers to give easy guidance on what is and isn’t aligned with the new regulations.
This applies to both internal networks and feeding those policies down the supply chain. Bell emphasises that cyber security policies will increasingly play a part in procurement policies: “We need to make sure that third-party suppliers adhere to these policies, and that from a legal perspective the contractual matrix that brings that all together passes on and apportions appropriate liability.
“The proposed administrative fines are severe. In the UK, the Information Commissioner’s Office can currently issue fines of up to GBP500 000 depending on the nature of the breach. Under the GDPR there are two new tiers. Tier 1 can be up to 2% of annual worldwide turnover from the preceding year or EUR10m, whichever is higher; this relates mainly to breaches of obligations for security processes, record-keeping and failure to include relevant contractual terms. Tier 2 penalties can be up to 4% of annual worldwide turnover, or EUR20m, whichever is higher.
“If you didn’t think data security and the issue of the transfer of personal data needed to be taken seriously, think again.”
The reporting mechanisms will also change. Reporting is mandatory unless the breach is unlikely to result in risk to the individual. If a breach does occur the impacted organisation must notify anyone potentially affected without undue delay and, where feasible, within 72 hours of becoming aware of the issue. This process applies to actual, and not suspected, breaches.
Working alongside the GDPR is the Directive on Security of Network and Information Systems (NIS Directive) that aims to improve cyber security capabilities at a national level; increase co-operation among EU member states; and introduce security measures and incident reporting obligations for operators of essential services (OES) in critical national infrastructure and digital service providers.
The NIS Directive was adopted by the European Parliament on 6 July 2016, and came into force in August 2016. EU member states have until May 2018 to translate this into national laws, and a further six months to identify the OESs to which it applies.
Under the NIS Directive, OESs – such as utility providers and transport operators – will be required to “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in those operations”.
This new notification-related regime will require OESs to report incidents having a significant impact on the continuity of the services they provide, also without undue delay. There is therefore an overlap with the GDPR, but the notification requirements have significant differences as the latter requires notification of personal data breaches unless the breach is unlikely to result in risk to the individuals, whereas the NIS Directive requires the notification of all incidents that meet the stated thresholds.
How do we respond?
Kevin Bell offers the following useful advice in response to security breaches: “The TIRR (Triage, Investigate, Remedy, Report) model for incident response is one that we have used and advised clients on for a number of years.
“Triage. First, assess the risks and look at damage limitation. How serious is the incident? Is it going to severely impact your transport network? Is public safety at risk? Is it an ongoing issue or single point of failure? For example, the NHS shut off its servers so the WannaCry malware couldn’t spread. For Sony Pictures in 2014 the malware spread throughout its global network in a matter of hours – the damage happened that quickly.
“Investigation. This is where it’s imperative to co-ordinate activities – media and communications, IT, HR, business continuity, customer services – and to get senior management involved from the very start.
“Remedy. How sensitive is the data that’s been stolen or lost? What’s happened to it? Professional advice is key to addressing potential claims by those subject to loss of data, on regulatory penalties and ultimately identifying a fix and advising clients on reasonable actions that need to be taken.
“Finally, report. This is the important obligation of reporting to the appropriate authorities. It’s critical to ensure that the reporting is completed correctly and promptly; good reporting is key in helping to avoid enforcement action and reduce the level of fines that may be levied.”
In September 2017 UK Information Commissioner Elizabeth Denham reiterated the importance of transparency on reporting of breaches that could affect personal rights and freedoms: “Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR. Tell it all, tell it fast, tell the truth.” 7
Project Honey Train
Prevention and protection
In the case of TalkTalk, 150 000 customer records were stolen through a known vulnerability in one of the company’s web pages. A software fix was available, but it wasn’t introduced and despite previous attacks the company failed to take appropriate steps to make its systems secure.
The remarks of Elizabeth Denham are telling: “Hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
Failure to address known vulnerabilities is like leaving the front door open and going on holiday.
Bell continues: “What makes this breach interesting is that the company had inherited the website in question from a bolt-on acquisition, so having a detailed asset register – especially of assets using legacy systems – and understanding what you’re still operating and where it sits in the chain is fundamental”.
Now we’re all suitably scared of what is happening out there in the digital world, what can we do in terms of protection?
The best form of security is being proactive, such as staying on top of anti-virus updates, software patches and regular monitoring of firewalls. Filtering web browser traffic is also an important measure; this can be done through the use of a security appliance or service to proxy your web traffic; paid-for proxies or secure VPN services are generally more secure than free ones.
Next, it is essential that care is taken with the use of removable media such as USB or portable drives, as Bell suggests: “We’ve worked with clients where an attack has been as simple as hackers leaving expensive-looking USB sticks in car parks. These are picked up and plugged into a laptop back in the victim’s office and bingo, they’re away. We’ve also all been to industry events where USB sticks are available with presentations or other materials on them. You can’t access the data until you’ve plugged it into your system, but doing this could release a whole host of malware or viruses that can remain dormant for months or years until activated to shut down your computer. So be vigilant.”
Another common issue is lax monitoring of user rights, the simple advice being that every user of any system should operate using the minimum set of privileges necessary to fulfil their role.
Mobile devices attached to corporate networks are another hot topic. As more organisations allow BYOD (Bring Your Own Device) policies for employees to use personally-owned devices to access corporate data such as email, this poses another range of challenges. So, if a personal device is used with unapproved, third-party apps when an employee is not at work and then to connect to company systems during the working week, it is very difficult to see where that device has been and what it has connected to.6
A similar scenario applies to public Wi-Fi hotspots (for example in hotels, coffee shops or even onboard a vehicle). If there is no way to easily find out who controls the hotspot, or to prove that it belongs to who you think it does, it is probably best avoided. Further, the protocol used to encrypt Wi-Fi traffic, WPA2, has been cracked, leaving traffic that uses it open to being intercepted and decrypted.
Help is at hand from governmental bodies, as Bell explains: “The Centre for the Protection of National Infrastructure has provided guidance on cyber defence, which includes detail on train control and signalling separation. It recommends physically or electronically separate on-vehicle networks from passenger systems, particularly where Wi-Fi is involved.
“The worry is that people use these Wi-Fi systems for one purpose, for a passenger to read his morning paper or catch up on emails on his tablet or phone, but by using the same gateways this can risk exposure to a whole host of the onboard systems as well. Cables that carry data relating to command and control infrastructure – often stretching to many miles across networks – also need particular protection from physical attack.
“It’s important to ensure that there are sufficient capabilities and competence within organisations to maintain cyber security. There are also international issues for those working with partners from overseas that will need to complete sufficient due diligence as cyber security standards can differ.”
The last big change is the growth of cyber risk insurance that can cover business interruption, loss of income and third-party claims. The market is growing, Bell says, but it is still inconsistent as to what is covered and excluded. Nevertheless, it is worth considering as part of overall protection strategies in relation to security breaches.
6 BYOD Security Risks and Mitigations – Melva Ratchford, Ping Wang and Raed Omar Sbeit, New Generations: 14th International Conference on Information Technology
7 GDPR: Setting the record straight on data breach reporting – https://iconewsblog.org.uk/category/Elizabeth-Denham/
8 www.sophos-events.com/honeytrain/index.cfm?src=soc
Grateful thanks are due to Kevin Bell of Womble Bond Dickinson and Julian Evans of AppSecTest for their assistance in the preparation of this article.
Originally featured in December 2017 TAUT (960).