Mass Transit - 17

Transit Cybersecurity

Transit Cybersecurity: Tabletop Exercise
By Randy Pargman

Just as response plans for
dealing with physical threats
against transit services must
be rehearsed periodically, cyber threat response
plans should also be tested to ensure that all the
responsible parties know
the plan and are capable
of carrying out their roles.
A Tabletop Exercise (TTX)
is an important crisis
response planning activity
that should be performed
at least once a year for
each type of major threat
that an organization faces,
including ransomware and
other cybersecurity events.
This TTX is a supplement to the feature, " New
Ransomware Attacks
Pose Costly Threat to
Transit Agencies. "
Here are a few guidelines for organizing a
ransomware TTX:
*	Any cybersecurity TTX
should be managed by
the appropriate technical
lead. This could be an
internal source, like the
company's chief information security officer (CISO)
or chief security officer
(CSO), or it could be an
outside consultant - like
an incident response (IR)
firm your agency has on
retainer. If you do not
have an IR firm, ask your
cyber insurance provider
if they have a preferred IR
provider that could organize this type of exercise.
*	The purpose of a TTX is to
reveal gaps in the written
response plans for handling crises, so it's important to develop those plans
and distribute them to
everyone involved before
attempting an exercise.

*	Each person who has a
stated responsibility in the
response plan needs to
participate in the TTX. For
cybersecurity exercises,
this usually includes the
executive in charge, the
public affairs officer, the
head of IT, the head of
physical security, the head
of logistics/scheduling and
possibly a representative
of law enforcement.
*	It is also helpful to hire
an outside expert with
direct experience in the
type of crisis that you wish
to prepare for. This person's experience will add
important real-world elements to the exercise and
help to test the thoroughness of the plan by bringing up unexpected but
realistic events. IR firms
have this expertise when
it comes to ransomware
and other cyber attacks.
*	A typical exercise takes
between four to eight
hours to complete. Ideally,
it should be held on a
weekend or outside of
normal business hours to
properly simulate how easy
or difficult it would be to
deal with the crisis during
off-hours. Ransomware
criminals often launch their
attacks on Friday night or
over the weekend to take
the victim by surprise and
maximize the damage.
*	These events can be
stressful, so it is nice to
plan for catering lunch
or another way to show
everyone involved that
they are valued.
Consider the following
realistic scenario as a
basis for your planning:
*	Starting late on a Friday
night, transit customers
complain that ticket

is paid, the systems might
be restored in two or three
days and the last week of
data will likely be intact.

machines aren't working across the system.
*	IT personnel report that
they are unable to remotely log in to perform maintenance on any computer
system and have to send
someone to the server
room to investigate.
*	All computers are inoperable and display a ransom
demand message asking
for $15 million USD in bitcoin with a deadline of 48
hours, after which the ransom demand will double.
*	An emergency conference call is initiated early
Saturday morning and
invitations sent via email.
Halfway through the conference call, someone
realizes that there is an
unauthorized person listening to the call. It turns
out to be the attacker, who
was monitoring all internal
email and received the
conference call details.
*	All personnel move
communications to an
alternate system using
mobile phones and all
computers and servers
are shut down to prevent
further damage from the
attackers, who still have
remote control of systems.
*	IT personnel report that
it will take 15 working
days to wipe all computer
systems and restore from
backups and that the most
recent backup was from
one week ago. Any data
created in the last week
will be lost. If the ransom

*	News reporters call constantly for interviews
and some begin to ask
about whether it was a
cyber attack. The attacker
begins to post information naming your transit
agency as a victim on
their website and threatens to publicly release all
internal email and details
about all customers if
the ransom is not paid.
*	Transit authorities must
decide whether it is legal
to pay the ransom and
whether it is advisable to
do so, how to communicate information to the
public, when to call law
enforcement and how to
carry on essential services while waiting for the
systems to be restored.
*	If a ransom is to be paid,
who will negotiate the
amount and who will
obtain the bitcoin cryptocurrency to make the
payment? If no ransom will
be paid, who will inform
the customers whose
personal data will be
released by the attacker,
and what compensation
will the transit agency
provide to those customers who are harmed?
*	Once the systems are
restored to operation,
decide how to investigate the root cause of
the incident to ensure
that it does not happen
again with the attackers
coming in the same way.
Consider how to supplement the IT personnel
resources, since they will
be exhausted after working so many long hours.

NOVEMBER 2020 | MassTransitmag.com | Mass Transit |

17
http://www.MassTransitmag.com
Mass Transit

Table of Contents for the Digital Edition of Mass Transit
