Like many industries, transit has changed dramatically over the past decade, adopting technology to improve the speed and convenience of travel. With that, however, has come a quickly growing technology sprawl that needs to be secured, including thousands of connected devices across 270 field sites and more than 11,000 employees.
I sat down with Bilal Khan, NJ TRANSIT Chief Information & Digital Officer, and John Franciscone III, NJ TRANSIT Director of Cybersecurity, to discuss how the team is adapting to this new Enterprise of Things landscape, including the security strategies they are using to secure these systems. While their responsibilities don’t (yet) include connected trains, they are responsible for making sure all the behind-the-scenes support is there to keep NJ TRANSIT buses, trains and light rail running and secure.
What are the biggest cybersecurity concerns for the NJ TRANSIT system?
First of all, we have an obligation to provide our customers with the highest level of assurance that their data is secure when they travel with us. PCI, in particular, is a big focus for us. We handle millions of small transactions, which need to be secured across machines at the stations, our mobile app, and more. We are also subject to other regulations, like HIPAA, because we have a small medical department, and CJIS because we have a police department.
Second, we have a huge priority on availability of our systems, which ensures our customers can get where they need to go without disruption. An example of the negative impact that can have is the ransomware attack on the San Francisco Municipal Transportation Agency in 2016, which took the system’s ticket machines offline during a busy Saturday. With an average of 735,000 trips a day, that was a huge disruption in service for the Bay Area. That’s what we’re working to ensure doesn’t happen, using the latest cybersecurity technologies.
What sort of connected devices are involved in keeping the NJ TRANSIT system running?
We don’t engage with the devices on the trains themselves, but most if not all devices at NJ TRANSIT are connected. This includes computers on the bus and trains for central communication, diagnostics, and analytics, as well as the passenger announcement system at the platform, cameras, digital signs and ticket vending machines.
How big of a team is there to support these devices, as well as all of your other systems?
Our team includes a number of people with a variety of skills to support our security strategy. We do have some consultants to help us out, as well, but a lot of the work to manage thousands of IP addresses falls on us. We want to ensure that every IP on every device on our network has a purpose, as well as that we have the tools in place to manage it across our entire organization with the resources we have available.
To that end, we focus our investments on tools that can help us make quicker, more educated decisions. Those tools help us maximize the human-power we do have, as well as make us smarter. We also look for tools that can automate and offload some of the low-level tasks so we can focus on more strategic outcomes. With Forescout, for instance, we don’t have to troubleshoot endpoints anymore to ensure compliance. My phone doesn’t ring. I don’t get emails. It just gets done and actions are flagged to the support team when necessary.
How is that device landscape different than it was 10 years ago?
It is incredibly different. Our operations workforce is able to be much more reactive thanks to the integration of newer technologies, such as SmartBus/Clever and PTC, TMAC, smartphones, tablets, and laptops. In the past, much of the operations staff was reliant on Nextel phones and, more recently, Blackberries.
How has the CISO and security leader role evolved as a result?
The role of Security Leader has evolved dramatically. The well-defined perimeter of an organization has become blurred and changes frequently. Due to this ever-changing landscape, security leaders have to rethink and re-calibrate security controls on an ongoing basis. The COVID-19 pandemic has further exacerbated the situation now that people are working from home and the line between work and business has been blurred.
What is your advice to other small security teams who oversee important services, like
Talk to other agencies – they have similar challenges and may have already looked into the newer technologies you’re looking at.
To learn more, check out this case study of how Forescout partnered with NJ Transit to boost their cybersecurity efficiency and effectiveness.