Every industry faces its own, unique security challenges. But one thing that CIISec LIVE makes clear is that none stands completely alone.
Our panel exploring cyber threats across the transportation grid highlighted that, however different road, rail, sea and air may seem from one another, they all face the same issues. And crucially, they are facing and solving issues that plague other sectors.
People, language and responsibility
One aspect setting transportation apart from most other Critical National Infrastructure is its accessibility. Unlike utilities or data centres, members of the public are intimately involved with transport systems at almost every step. Like healthcare, and many public-facing businesses, this doesn’t only make it harder to isolate or air gap critical systems. It also means the odds of somebody with no training or experience unknowingly putting themselves and others at risk is much greater.
This means communication is critical, as is encouraging both employees and the public to engage with security. The right language matters. Speaking in the terms we understand as security professionals will only marginalise them. Instead, the transport industry conveys its messages in the language of safety: already well ingrained into how transportation works, and with a vocabulary everyone involved is familiar with. This is an approach that applies across the board, placing security in a context people already understand instead of trying to teach them from scratch.
Another question that spans industries is where ultimate responsibility for security sits. While the panel’s answers varied from HR to governance, the one constant is that security can no longer be led by IT. This increases the risk of falling under general IT budget cuts and causes conflicts of interest: where the people building IT infrastructure also judge how safe and secure it is.
Complexity, response and accountability
Another aspect of transport is the complexity of the systems involved. Not only in the number of moving parts, but in how they interact with each other, and how automated and connected they are. Thorough assessments are essential to understanding where threats might come from and protecting against them.
For instance, a modern container port such as Rotterdam or Los Angeles will be full of connected devices, at different degrees of modernisation. But it will face very different challenges to an airport like Heathrow or Charles De Gaulle, where these connected systems will often operate in tandem with the general public.
Securing these environments means understanding how they operate and where the real threats will come from. We’ve seen numerous stories of white hats hacking into aircrafts’ in-flight entertainment systems. This might seem high-risk, but these systems are completely separate from avionics and other systems that are critical to operating the plane. Knowing this helps allocate resources to what really needs protecting.
The final lesson from the panel came from how to respond to an incident. Again, transportation’s priorities after an incident are the same as all industries’: to keep operations running and reassure people that they are safe. Communication, openness and operational resilience are the top priorities in ensuring this.
Where the lesson really strikes home is the scale of investigations. Given transport’s importance, and the disastrous nature of potential incidents which impact global supply chains and business operations, thorough investigations are baked into its culture. Sectors such as air and rail travel are safe because incidents are investigated openly and in depth, with learnings shared far and wide and reaching the level of Government panels.
It was a theme across LIVE that cyber needs the same approach. As a profession, openness, communication and thorough investigation will help us all improve, and make it much harder for attackers to take advantage of lower hanging fruit.
