Protecting the transportation sector from a cyberattack is about more than protecting data. It's about protecting the physical safety of people, too. The question is how – and only when that's answered can the industry identify and procure the right talent and tools for the job.
Some say automation is the best defense.
"This focus on skills is old-thinking," says Brian J. Gallagher, a Secret Service veteran and now president and COO at ProtectedBy.AI. "Fixing this on scale requires new types of automation that can be applied to legacy systems without needing all the systems to be upgraded."
Others say a focus on new cybersecurity skills is prudent but lost in the talent shortage.
"The elephant in the room – a bigger problem than the skills needed by analysts – is that there is a shortage of analysts to begin with, and this issue is not going away anytime soon," says Saumitra Das, CTO at Blue Hexagon. "The industry ratio of information security specialists over the software engineering team is 1/100 or even worse in many companies."
The bottom line is that while artificial intelligence (AI) and automation can help fill the talent gap in the transportation industry, talented cybersecurity pros are still the hottest finds on the planet – provided, of course, that they are staying on top of the security game and always adding to and sharpening their skills.
In fact, they may already work for you.
"These skill sets … are acquired through years of on-the-job experience, industry exposure, and mentorships," says Brian Proctor, principal OT strategist at Forescout. "There has always been a great debate about turning OT engineers into cybersecurity OT engineers or IT security engineers into IT/OT security engineers. From my perspective both can work, and asset owners should look internally at the skillsets/resources they have."
Here are the security skills that top the transportation sector's most-wanted list.
1. Major-League Network Skills
"The bulk cargo transportation industry must focus efforts on securing its physical, cyber, and communications infrastructure, as each area is vulnerable to exploitation by bad actors," explains Scot Rittenberg, managing director at Guidepost Solutions and formerly a special agent with the Department of Homeland Security and the US Customs Service.
Specifically, he says, security professionals in this sector need expertise in network, physical, and communications security, including familiarity with the tools, the resources required, and the skills to use all of it to best effect against changing threats.
2. A Mix of Cybersecurity and Transportation Industry Knowledge
As cybersecurity has matured over the years, vertical specialties are emerging. In this sector, cybersecurity candidates are going to need a blend of industry and security (both physical and virtual) knowledge.
"Experience of the operational challenges faced by different modes of transport – road, rail, sea, or air – is essential in order to contextualize any potential cybersecurity threats and therefore be able to assess the likelihood and impact of real-world attacks that may be attempted by different attacker groups," says Andy Davis, global transport practice director at NCC Group, a leading global cybersecurity adviser.
Why does experience in the industry matter? Davis says that experienced cybersecurity pros may "come up with extremely sophisticated technical attacks that could be performed against transport infrastructure to, for example, stop a train. However, if in reality these would be expensive or resource-intensive to perform, an attacker may instead throw some scrap metal into a railway line and achieve the same effect for no cost and requiring no specialist skills."
Given that companies in the transportation sector, like other industries, have tight security budgets, security pros must be able to deliver clear guidance on where to invest money and manpower to provide the best cybersecurity return on investment.
3. Blend of OT and IT Security Skills
Security issues no longer have borders. The virtual can present physical dangers and vice versa. And within the physical and virtual worlds are splintered yet overlapping areas. Security professionals need to possess borderless skills in order to protect these different areas effectively.
"Bulk transportation, regardless of the transportation mode, often involves the use of OT, which is the intersection between IT and industrial control systems that may be a crane at a port, the environmental monitoring system in a temperature-controlled shipping container, or a rail-signaling system," Davis explains.
Challenges unique to securing OT include how to deal with legacy control systems that cannot easily be updated and need to interface with modern IT systems.
"Therefore, knowledge and experience of OT cybersecurity is an important requirement for security professionals within the transportation sector," Davis says.
4. The Will and Ability to Continuously Learn New Technologies and Tactics
"To quickly bring bulk transportation companies to a more defensive stance, new frontier technologies focusing on securing systems at the software code level need to be mandated and deployed," says ProtectedBy.AI's Gallagher. Truly valuable security professionals don't wait for a mandate to find and learn something new.
5. Supply Chain Protection Skills
Bulk transport logistics are vast, complicated, and populated by numerous third parties, all of which regularly interact in the digital and physical realms.
"The bulk transportation industry is a seriously underappreciated part of our infrastructure," explains Ben Smith, field chief technology officer at RSA NetWitness. "Not many people think about how their online orders make it from the warehouse to their front step, or even the process involved with manufacturing that item, but none of it would be possible without the vast transport network that feeds manufacturers, distributors, wholesalers, retailers, and consumers. Impacts to supply chains are more and more visible today, and security teams are taking notice."
6. Skills in Securing Endpoints at the Edge
Not only do Internet of Things (IoT) devices generate, gather, and analyze data at the edge, but they can also serve as an entry point into larger data stores and be used to cause harm in the physical world. There is high value in extracting security-related information from endpoints at the edge, which is where most IoT devices and gateways operate.
"Route monitoring and corresponding optimization of drivers and vehicles, predictive maintenance of vehicles as well as other equipment, and data flows coming out of semi-autonomous vehicle control are all potential data sources to be leveraged within the bulk transportation industry," Smith says. "Ideally, bringing that IoT- or edge-sourced information directly to the SOC brings additional context about the operating environment as a whole – making it clear when a threat appears."
7. The Ability to Extend the Plan to Physical Protections
Cybersecurity no longer exists exclusively in the virtual world. Digital and physical are joined and must be treated as a seamless attack surface rather than separate and unrelated areas of focus.
For example, "GPS, while commonly used for management and tracking, should be utilized as a security tool for ensuring safety of over-the-road transportation," says Guidepost Solutions' Rittenberg. "Layered physical security items, such as tamper-proof and serialized seals, are an example of products that should be used to prevent theft, increase cargo security, and if needed to assist law enforcement and internal security personnel during investigations of cargo theft."