What do you worry about in this day and age? We all want a convenient and dependable world where everything just works. But as the Internet of Things grows, our exposure to hackers has joined economics, crime and natural disasters in the national litany of concerns.
It would be hard to characterize the early days of hacking as innocent. One inventive hacker used plastic whistle toys found in boxes of Cap’n Crunch cereal to trick phone systems into allowing him to make free long-distance calls. In more recent incidents, pranksters affecting transit have hacked electronic road signs, warning rush-hour motorists of the zombie apocalypse ahead. While these hacking feats may seem humorous to outsiders, insiders are held accountable for security breaches.
These days an intrusion is more likely to come from a coordinated campaign from a nation, state or a highly organized group of cybercriminals. To achieve this, saboteurs want to disable critical infrastructure—power grids, transportation systems and communications. And in today’s world, a breach of this significance could be part of a larger attack on the masses that rely on public transportation.
Agencies must ask themselves what defenses are in place to safeguard their systems. In the aftermath of a hack, the targets will often complain that they lack visibility and knowledge of their own systems. Here, information is your greatest defense. Your opponents are after it, so why not use it to your advantage? Know what is on your network and why it is there. What applications do you use? What purpose do your systems serve? Who has access to all of these components and at what levels?
Security patches are needed regularly. Make this part of the preventive maintenance routine of technical crews. Keep tight control over access to the network, both internally and externally. Open remote access only for select individuals and note the time periods when it is being used. Separate control and office networks. Closely guard Internet access on control networks.
At Valley Metro, the agency emphasizes security to its user population. Only agency-approved devices with antivirus software installed are allowed in the workplace. The mobile management platform pushes security updates to phones, tablets and laptops. Internal Wi-Fi networks use encryption and device verification to prevent eavesdropping or unauthorized access.
In addition, each new employee and contractor is expected to follow the “Acceptable Use Policy” upon hire. This policy forbids the use of non-approved devices, software or websites. Minor security breaches in office computers could lead to major issues down the line in other parts of operational systems.
But where do you start? How do you gauge what condition your organization is in? The Cyber Security Evaluation Tool program (cset.inl.gov) from the U.S. Department of Homeland Security offers a framework for understanding systems and what the vulnerabilities are. This software tool will guide cybersecurity professionals through the process of evaluating any organization’s environment and practices. The outcome of the program’s questioning will be an insight into what the valuable data assets are and where your agency’s security weaknesses lie.
Once you have a picture of your security situation, how do you improve your status? Running penetration tests using a third-party security vendor will expose shortcomings your own examinations did not uncover. Have these tests run from your vendor’s external location and from scanning devices on your internal network. These scans run a series of hacking tools against your network to discover your vulnerabilities, which can include out-of-date patches, obsolete versions of programs and insecure configurations of software, computers or networks. Repeat these scans at regular intervals, as new vulnerabilities are discovered daily.
Attacks on the private sector have been in the spotlight in recent years due to their high profile and financial impact. Corporations have now made security evaluations part of their technology focus. It’s time for our industry to heed this call.