Safe Travels: A Business-Critical Mission for the Transportation Security Administration

We often end our conversations with colleagues by saying “safe travels” and now that we seem to be in the next phase of the pandemic, business travelers are getting on the road again. However, safe travel has taken on a new meaning due to the United States Transportation Security Administration’s recent cybersecurity initiative

The directive, announced by Secretary of Homeland Security Alejandro Mayorkas this month, is expected to be issued before the end of 2021. It focuses on railroad and transit systems as well as air travel, including operators of both airports and commercial and cargo aircraft. The directive will require transit, railroad, and air travel operators to designate a point person for cybersecurity issues and develop incident response plans — prior to experiencing a cyberattack. It will also mandate reporting to the government if and when systems are breached.

These requirements are timely due to October’s designation as Cybersecurity Awareness Month. They also mirror regulations imposed on another industry — the energy industry. The Colonial Pipeline ransomware attack earlier this year led to similar emergency rules being issued to strengthen cybersecurity for energy pipelines. Public transportations systems, like energy pipelines, are a vital part of the nation’s critical infrastructure and they are under attack. According to Ponemon, data breaches cost the transportation sector more than $3M in 2020 and 58% of them were caused by malicious attacks.

However, it is important to note that many of these attacks are not targeted at the operational technology level; they are actually the result of informational technology vulnerabilities. This means attacks against the business-critical applications that are core to the business, whether related to logistics and supply chain or financial and customer data. 

Transportation industry security leaders, when developing their security and incident response plans, should consider three things in their approach to protecting their business-critical applications: defense-in-depth strategy, digital transformation, and cloud migration.

Defense-in-Depth Strategy

The business-critical applications at the heart of the transportation industry contain the most valuable business data, such as supply-chain logistics for customers, passengers, and cargo as well as financial data and other sensitive information. Traditionally, best practices were to keep these systems on-premises and install layers of security around them, creating a theoretical and impenetrable fortress of castle walls and moats. However, the shift of the traditional on-premises perimeter to a distributed hybrid cloud model, and the need for every organization to transform how it does business digitally, has changed this paradigm. The conventional methodology of surrounding these applications with layers of security is now ineffective since attackers have become so skilled that they are targeting these applications directly. Protection of these applications goes beyond defense-in-depth. It means hardening these existing applications by implementing timely patch management, point-in-time vulnerability assessments, and continuous monitoring of threats. It also requires committing to a secure code development process that includes security testing of custom code and transports before these new applications and services are put into production. Lastly, it means committing to a process of control and governance of these applications as well as the data and information they contain. 

Digital Transformation 

Digital transformation projects were underway before 2020, but the global impact of the COVID-19 pandemic has accelerated the digitization of the transportation industry. An increase in customer demand for online ordering, shipping of goods, contactless check-in, and e-tickets for travel of all forms have given the transportation industry a new sense of urgency and a mandate to prioritize digital readiness above all else. The entire supply chain, from order placement to order delivery, has become digitized at a faster pace than ever before. This increased speed to transformation — and the number of interconnected systems involved, from order processing to cargo shipment — means a vulnerability in any one of these systems opens the entire business to risk. The risk is not only because of the number of interconnected critical systems, but also because of labor shortages that leave far fewer resources to implement security best practices for these systems.

Cloud Migration 

Digitized operations and products also mean business-critical applications are earmarked for cloud migration projects. However, migrating to the cloud is a complex process, requiring multiple stakeholders from across the business in order to collaborate to deliver the project on time and on budget. Vulnerabilities within applications that may have been overlooked when applications resided on-premises can increase the risk of exploitation when moved into a cloud environment. Migration projects are complex and typically involve a large number of people. It’s possible for changes to unknowingly be made that can introduce security or compliance risk.

Applications should be as secure as possible before they are migrated and compliance needs to be maintained throughout the project. Organizations trying to keep up with the fast pace of cloud migration may be overlooking points of exposure that potentially leave them susceptible to exploits. 

The transportation industry needs to ensure the business-critical applications that are at the core of their systems are secure since prevention, and being proactive, is easier and less costly than being reactive to a breach. Both the public and private sector organizations that make up this industry must implement best practices for their business-critical applications, wherever they reside. Consideration must be given to securing all of the interconnecting systems, vendors, and processes within the transportation industry — from customer ordering to cargo shipment, vacation booking to airline check ins, and business travel reservations to commuter passes via a mobile app. Only then can we be sure that all of us will have truly safe travels.

More Resources

  • Secure your business-critical applications. Here are five reasons why you need vulnerability management capabilities for SAP, Oracle, and other enterprise systems.
  • Learn more Cybersecurity Awareness Month and how to protect your organization.
  • Stay on top of the latest news and reports in business-critical application security.