Securing new transport systems against cyber risks

As the digital sophistication of public transport infrastructure and services increases, it is vital to ensure that new transport systems are secured against cyber risks.

Advanced technologies underpin modern operation, with enormous volumes of personal data exchanged daily to improve customer experience and build efficiencies.

In this data-rich and digitally interconnected environment there are significant opportunities – despite the complex cyber threat environment – to build trust and resilience.

Cyber disruptions, ransomware attacks and privacy breaches are in the headlines almost daily. And, as we increasingly rely on digital systems across all facets of life, they are likely to intensify in frequency and severity.

To date, Australia’s public transport systems have not been significantly affected by cyber incidents but there are many global examples of transport being a target for cybercrime, sometimes with severe financial and reputational consequences. Interrupted transport services can cripple a city, with significant flow-on impacts. But of greater concern, an attack on signalling or control systems could have serious health and safety impacts and even present a threat to life.

The stakes are high. Communities expect public transport agencies to implement all necessary protections to keep them safe and to safeguard their personal information.

Convergence spreads the ‘attack surface’

In the transport sector, the convergence of information technology (IT) and operational technology (OT) is not a new trend – but it is constantly increasing. In years gone by, these networks tended to be segregated and isolated, which made securing them easier. However, the increasing implementation of industrial IoT (IIoT) and growing hunger for data means systems need to be connected not only to each other, but also to internet, cloud and mobile systems, and among third-party vendors and other agencies.

This level of connectivity brings tremendous business benefits for service delivery, efficiency and user experience, but it broadens the ‘attack surface’ and makes critical transport systems more prone to digital disruption than ever before. In this context, built-in operability that supports smooth transitions between various systems and vendors should be a key security-supporting consideration.

Cyber is a priority for safe, secure infrastructure

Against this backdrop of growing cyber risk, the security obligations for critical infrastructure have increased. Public transport systems in major cities may be captured by the Security of Critical Infrastructure Act 2018 (SOCI Act), potentially as systems of national significance. Such systems have enhanced security obligations, including mandated risk management planning – and face increased penalties for failure to comply.

This increased regulatory and legislative focus has placed the spotlight on the cyber posture of critical infrastructure entities in Australia. In the wake of recent cyber attacks, this is especially pertinent in relation to protecting valuable customer data.

The SOCI Act views security across four intertwined pillars: cyber, physical, supply chain and personnel. This highlights the fact that cyber security is not merely an IT function and should not be siloed – it needs to be tackled as part of a holistic security approach.

Transport organisations have traditionally had a very strong and ingrained safety culture. In the context of cyber security, this safety culture can be leveraged, treating cyber as another safety requirement rather than merely a technology impact. Organisations that align cyber with their core values, such as safety, will be better prepared for enhanced obligations as well as the dynamic threat environment.

Secure data governance enables greater trust and resilience

The positive flipside to risk, consequence and compliance is that taking a strong stance on cyber security enhances resilience and is a catalyst for increased trust. Organisations that can demonstrate how they are keeping their customers safe both physically and digitally will gain a competitive edge, as consumers are increasingly concerned with data protection and privacy. Importantly, this trust will become more crucial as the digital economy advances.

Organisations with strong data management and governance programs in place will have greater visibility of their digital ecosystem, allowing them to share and secure data more confidently with third parties. Where there is strong trust founded on data governance, there can be greater collaboration and better interoperability between systems and organisations. Transport systems that effectively protect their customers’ data will be able to leverage that data to build efficiencies and improve services.

At its most basic, good data governance means an organisation understands where and how data is stored, who can access it, what third-party systems it interacts with, and how long it is retained. In the event of a cyber incident, this can enable the organisation to respond more quickly to restore systems and understand if and what data may have been compromised.

One of the challenges highlighted in recent incidents is knowing which customers are affected and who to communicate with. In the event of a cyber incident or breach, good data governance makes it easier to communicate effectively and quickly with regulators, customers, third parties and other stakeholders, helping restore confidence and trust.

Consolidate the security function

The convergence of IT and OT, physical and cyber risks, and an increased regulatory focus on cyber security all point to one thing: the need to consolidate and integrate oversight of an organisation’s security function into a single role. Many organisations have adopted a Chief Security Officer (CSO) role with the accountability, mandate and authority to recognise and manage the convergence of physical, cyber, supply chain and personnel security and drive a holistic security uplift across an organisation.

Such an approach facilitates a coordinated and aligned approach to preparing for and managing incidents – including maintaining operational and business continuity, and effecting well-planned communications and crisis management.

Simple is powerful

Focusing on simplicity is a powerful way to enhance cyber security efforts. A key reason cyber uplift programs can be challenging is the prevalence of legacy technology and its ability to interoperate with newer systems, as well as common issues associated with patching and updating legacy systems. This is particularly relevant to transport, where a complex mix of legacy systems and new systems with very different hardware and software lifecycles often need to be integrated. Reducing technology complexity is usually looked at through cost drivers or a transformation agenda, but we’re now starting to see that it can be viewed through a cyber security lens. A cyber-led effort can prioritise or accelerate technology simplification to mitigate cyber and data risks.

Cyber security can’t be an afterthought

Transport organisations need to think of new infrastructure projects as digital projects and build cyber security into their foundations. In the same way as physical safety should never be compromised or deprioritised when building new transport infrastructure, cyber security needs to be built in from the outset. This means following ‘secure-by-design’ principles, with the right requirements and standards in place throughout planning, design, procurement and construction. Such projects will be more future-fit, resilient and trusted as the threat environment continues to evolve.

This article is part of PwC Australia’s series “Getting Transport Projects Purpose Ready”. Other articles in the series take a closer look at how to safeguard success through customer-centric design, community and stakeholder engagement, project assurance, data and analytics, and asset management.

About the authors

Rob Di Pietro is PwC Australia’s Cybersecurity and Digital Trust Leader, based in Melbourne. Rob has spent the past 17 years helping organisations and governments to manage information security risk and build cyber resilience.

Steffen Faurby is an Integrated Infrastructure Managing Director at PwC Australia, based in Sydney. Prior to joining PwC, Steffen held a number of CEO roles including at two transport agencies: Sydney Ferries and State Transit Authority of NSW (Sydney Buses). He brings more than 20 years of executive experience in the transport industry in Australia and overseas, which enables him to advise on strategy and delivery across transport and the broader infrastructure sector.