Cybersecurity Should be a Top Priority For Any Public Transport Agency: An interview with Dobrin Tinchev, VP of Technology

Cybersecurity Should be a Top Priority For Any Public Transport Agency: An interview with Dobrin Tinchev, VP of Technology

Cybersecurity is becoming increasingly important for public transportation. With the collection of large amounts of data and automated fare collection and open payment systems the sector is becoming more vulnerable. This makes it imperative that agencies start seeing cybersecurity as a top priority in order to ensure the safety of riders’ private information and the reliability of their own services. In this interview we explore the subject with Modeshift’s VP of Technology Dobrin Tinchev. Let’s dive in.

Dobrin, tell us a little bit more about yourself.

I’ve been working in the technology field since 2005, after beginning my career as a Software Developer, gaining experience in several firms before becoming the CTO and Co-Founder of a tech company in 2009, called New Millenium Software. My portfolio explores different technologies, frameworks, patterns, procedures, and techniques including the management of systems and maintenance of software. My other responsibilities include developing future strategies and overseeing their implementation with some of my latest roles being that of a Lead Software Engineer before eventually becoming VP of Technology and Software Engineer at Modeshift.  

So far, my career has allowed me to develop my knowledge and expertise in fields such as business analysis, system architecture, design, development, testing, and customer care. I’ve had the opportunity to work with various project stakeholders, including client teams, management teams, vendors, and contractors. I believe that through this I’ve gained substantial experience and I feel confident in my abilities to lead a team and manage various projects of different scales and sizes. My goal is to constantly improve myself by getting involved in new and interesting projects, particularly ones that drive innovation in the field of technology and contribute to the digital transit transformation of different sectors including mobility.

What is Cybersecurity and How Important is it to Public Transit?

Transit providers have been under continuous pressure to implement newer and more advanced technologies, particularly during the period of the pandemic, with riders pushing for contactless, mobile-based fare collection systems that are in line with their evolving needs as well as current trends. These technologies have indeed helped transit agencies bounce back from low ridership levels and cities want to cater to commuters’ demands but at what price? Modern transit systems are heavily reliant on a variety of Information Technology Systems (ITS) and therefore are at a higher risk of falling victim to cyber threats. Hackers could potentially destroy a transit agency’s physical system, rendering it inoperable, along with passing control of the system to an outside entity and jeopardizing the privacy of employee or customer data.  

When we talk about cybersecurity we refer to any protocols, practices, and strategies regarding the defense of computers, servers, mobile devices, electronic systems, networks, and data. It’s what businesses of all sizes use to protect themselves from hackers and malicious attacks in the online world and keep the integrity of their data. The smart technologies that drive automatic fare collection systems are a part of what agencies use to modernize their operations. Yet for an industry that has historically lagged in adopting smart technologies, this new influx of huge amounts of sensitive data which now has to be handled by agencies has become a major concern and a hurdle for some transit providers. Whenever sensitive data is collected and stored, there is an increased cybersecurity risk and hackers are ready to exploit any weaknesses in their systems.  

Cybersecurity should be a top priority for any public transport agency mainly because of the increased use of internet-connected devices and systems. As these systems become more interconnected, the risk of vulnerabilities rises and security gaps could be formed for cybercriminals to exploit. It is therefore of utmost importance that transport operators become diligent and persistent in their efforts to ensure that all their systems and devices are secure and regularly updated so that any potential breaches can be mitigated or avoided. By prioritizing cybersecurity measures, agencies can better protect their systems and passengers from potential attacks and infiltrations while ensuring their data and operations remain secure. 

Is the future of security in public transit in the Cloud vs on Prem? Why exactly is the Cloud a better option and are agencies understanding its value?

There is a general perception that keeping data on-premises is the more reliable and secure solution, however, I believe that this isn’t always the case and probably will not be in the future. On-prem solutions, apart from being extremely expensive, often rely on some sort of 3rd party provider, usually more than one, and sometimes a single point of entry like this is all hackers need. Cloud infrastructure is proving to be a far more cost-effective alternative that helps reduce the network attack surface by limiting access to physical hardware. As transit agencies continue to adopt smart technologies from various vendors, they’ll soon realize that they cannot rely on one particular solution to keep their systems fully secure and protected. It’s up to transit providers to do their due diligence in effectively assessing their security standards, pinpointing any vulnerabilities with third-party vendors, and making sure they take the appropriate measures to protect the integrity of their systems.  

Conventional security typically depends on expensive hardware that requires physical space and other resources such as electricity, along with on-site personnel who are competent in installing and managing these devices. Compared to the cost models of creating and hosting cloud resources in AWS or Azure, which cost just over a few cents per hour, it becomes quite apparent how cloud-based security streamlines costs more efficiently and effectively. The best part is that agencies also won’t have to worry about the additional costs of upgrading their hardware or software in the future as this is typically included in their subscription.  

Cloud-based security enables agencies to have significant flexibility in both time and location. When compared to standard on-premise security, scaling cloud solutions can be performed remotely and done so with great speed, as long as the underlying and mandatory technology has already been installed. This flexibility makes it possible for technology and security teams to significantly elevate their response time and move toward a more proactive approach that promotes agility in operations and enables them to stay ahead of changes in the business environment along with emerging trends. Cloud computing also allows for continuous synchronization between the cloud and validators inside transit vehicles. This ensures data is constantly updated in real-time as opposed to on the on-prem setup where vehicles need to be physically present in the garage for a synchronization of validations to occur.  

When it comes to data storage, on-premise infrastructure relies on its ability to store data across multiple servers, of which at least one is chosen as a designated one for backup in case of an outage or server failure. The problem with this setup is that it’s simply not robust enough to protect businesses and their data from large-scale attacks or more sophisticated cyber threats that could potentially hand over unauthorized access to an outside party or even destroy valuable data. Cloud providers offer a more effective solution to this problem by incorporating a variety of redundancy measures that on-premise infrastructure simply cannot achieve, such as storing data across multiple data centers.

How are cybersecurity risks affecting the transit business? How high are the stakes? Is it just a technological problem, or a business problem as well?

There is certainly a lot of tension rising in the transit industry between agencies needing to digitize their systems and operations and the cybersecurity team’s responsibility to protect the organization, their employees as well as their customer base. If cybersecurity teams want to position themselves as enablers of this digital transition they must elevate their capabilities along three main dimensions. This means improving the management of potential risks, incorporating quantitative risk analytics, and establishing cybersecurity straight into the businesses’ value chains. Supporting the next generation of enterprise-technology platforms, which will likely include innovations like agile modes of development, robotics, and cloud-based operating models will also be key in establishing success in this field.  

As companies strive to offer more digitized customer experiences, they need to determine how to get their teams to effectively collaborate on managing systems relating to fraud prevention, security, and product development. This means incorporating design controls such as authentication and facilitating user experiences that are simultaneously convenient and secure. When it comes to data analytics, agencies must further determine how to identify risks created by data sets which typically integrate various types of sensitive customer information. This also means implementing security controls into analytics solutions that may not rely on formal software development methodology.  

Furthermore, as companies incorporate robotic process automation (RPA), they must be productive in their management of bot credentials certifying that any cases with unexpected factors and anomalies, or inputs that are outside acceptable limits are not posing any security risks. Similarly, as companies build application programming interfaces (APIs) for customers outside of their network, they must decide on how they will identify any vulnerabilities created by interactions between APIs and services, and they must establish and reinforce standards for appropriate developer access.

How can agencies detect potential intrusion in a system and what preparations do they need to make to prevent cyber attacks?

Since the pandemic, transit agencies have been quick to initiate the widespread use of contactless and cEMV payments. This typically required their cooperation in becoming PCI-compliant to meet the demand of their customers who have placed their trust in them to provide a secure payment gateway for every transaction. Passing a standard compliance test means that the act of processing customer payment data does not present any risk of a potential security breach. If riders want to get the most out of the modern conveniences that come with Automated Fare Collection  Systems (AFC), they will need to submit highly sensitive data, including their banking and credit card details which usually go into mobile and browser-based applications. While some industries have shown more agility in integrating smart technologies powered by the cloud, public transit is historically known for lagging behind in both leadership and a lack of cybersecurity education throughout the industry. Without a strong knowledge base of current cybersecurity risks and best practices available, agencies are systematically exposing themselves to threats and attacks. Transit agencies must understand that cybersecurity isn’t just a problem for the IT and tech departments, but rather a vital component that should be considered of utmost importance for businesses as a whole. 

With this in mind, transit agencies must handle sensitive rider data with the utmost care. To ensure rider data is secure and protected, service providers need to partner with vendors who are compliant with regulatory cybersecurity standards such as Systems and Organization Controls (SOC 2) and the Payment Card Industry Data Security Standard (PCI DSS). This is done to guarantee that all organizations that accept, process, store, or transmit credit card information are maintaining a secure environment. Encryption is another crucial instrument that should be approached with the utmost consideration. Data that is exchanged between validators and the back end in the cloud needs to be encrypted following the latest protocols. Through this, agencies can solidify their efforts to keep passenger data protected at all times. Vendors should also be equipped with security information and event management (SIEM) solutions to ensure they can be effective in their efforts of detecting, analyzing, and responding to potential threats that may cause disturbances to services and systems.  

If we look at cybersecurity based on the impact potential attacks could have on administrative functions, systems, technology, and organizations as a whole, it makes sense that there is a need for a designated cybersecurity officer as well as leadership regarding the execution and planning of security strategies. Smaller organizations that cannot dedicate the resources needed to appoint a person for this role need to do their due diligence when hiring a third-party vendor by closely examining their cybersecurity compliance standards and expertise. Additionally, agencies can turn to APTA’s Cybersecurity Considerations for Public Transit for guidance on approaching the matter and educating themselves by asking the right questions and establishing the appropriate measures. This can look like anything from identifying how their platform performs in detecting potential intrusions in the systems to how their data is encrypted. Once an organization prioritizes cybersecurity and focuses on having leadership in place when dealing with potential threats and the right education, it can move on to creating an effective cybersecurity strategy.

How do bigger agencies address cybersecurity vs. smaller agencies?

There is a common misconception that smaller agencies are not prone to cyberattacks which is why some organizations tend to approach the matter of security as something not of high priority. Smaller businesses often do not have a dedicated cybersecurity team or enterprise-grade defenses to rely on. They fail to conduct regular cybersecurity training and are less likely to have robust security systems in place such as multi-factor authentication or password managers. This makes them easy targets for cybercriminals and they know that. Small to medium businesses are at a higher risk of being hacked since they often lack the resources and they’re also more likely to use outdated software that hackers can exploit by finding vulnerabilities. Implementing customized cybersecurity solutions that are built from the ground up should be a priority for transit providers along with making sure they are tailored to the specific needs of each system. We often see that cybersecurity solutions are offered as a one-size-fits-all package, something that typically overlooks the intricacies of individual transit systems and exposes them to even greater risk. 

While small and medium-sized businesses are prone to cyber attacks, big companies aren’t completely safe. With larger organizations, hackers aim to steal as much data as possible. They rely on the same strategies used in smaller businesses but attempt to do it on a larger scale. Bigger agencies are an exception because they have the security leadership most smaller agencies often lack. These types of enterprises are typically larger organizations with a lot of money and resources. They can afford to invest in comprehensive security strategies, implementing a variety of measures such as hiring expensive security consultants and building secure infrastructure from the ground up.

So what can smaller agencies do if they can not afford the same cybersecurity budget as larger companies? Well, it’s not all about the money although it is a factor. You see, while larger companies may have reinforced stricter security policies and obtained bigger budgets for cybersecurity, it still takes quality employee training on an individual level. Cyber attacks should be approached as any other event within an organization that requires an incident response plan. This means that an agency’s readiness to deal with attacks comes down to not only fancy tech but also a robust security strategy with a clear outline that is complemented by highly competent staff that knows how to react in such a situation. On a technology level, making sure employees within the company are using two-factor authentication and secure devices is a good first step in strengthening an agency’s defenses. In terms of security investment with real value, training existing IT staff or hiring an MSP or a security expert is probably the best way to approach cybersecurity from the beginning. A common mistake we often see businesses make with cybersecurity is that they tend to invest in the latest and fanciest tech on the market only to find that they lack the internal “know-how” to implement it properly.  

How important is it for agencies to have dedicated cybersecurity leadership in place and what questions should agencies be asking regarding cybersecurity?

Identifying a cybersecurity leader within an organization is paramount to making sure security measures are up to date as well as having someone who is authorized and ready to react swiftly in case of an attack or a breach of some kind. The appointed person is typically someone other than the information security tech in IT. Ideally, he or she would be on the leadership team and have direct access to every system and department. This means having the authority and mandate to oversee the entire organization, beyond technology and being involved in governance and policy, as well as the established security culture that is present in the organization. 

One of the most crucial aspects of a transit agency’s cybersecurity strategy should be establishing a disaster recovery plan that follows a three-part framework consisting of prevention, anticipation, and mitigation. For that to be executed to the required standard a person or a dedicated team needs to be appointed and trained for such instances. Just because an agency has some basic cybersecurity knowledge doesn’t mean all employees are qualified to handle an attack and as we know a poorly mishandled one could have disastrous consequences for an organization. Agencies must be made aware that preventative measures are already in place to protect their systems and what they are. This could include implementing multifactor authentication systems for signing into applications, data encryption, compliance with PCI DSS and SOC 2 regulations in combination with security monitoring.  

Agencies need to be prepared for events such as an unavoidable disaster. Say that a data breach occurs, even when adhering to the best practices, how will the organization react? Agencies need to be asking questions such as who will be in charge of a potential attack and who will be responsible for mitigating the effects and reporting the incident to the Cybersecurity and Infrastructure Security Agency. How will this incident be also documented so that it can be leveraged for the improvement of the agency’s future security protocols? Once a robust security framework is established, the final step should be to test it. It might appear as a time-consuming task at first and labor-intensive to play out, however, this is among the most important steps since agencies can observe their entire system with security protocols in place before an attack occurs, often allowing them to identify gaps and make improvements to mitigate potential risks. 

As VP of Technology at Modeshift, what do you think is unique about Modeshift’s cyber security strategy?

At Modeshitf, we believe that security should be a primary focus when it comes to designing software for the transit industry. We consider all measures to ensure optimal security of our platform including all aspects from design to architecture, back office credentials, and even the app itself. Modeshift’s account-based fare collection platform is currently running on Microsoft Azure which is certified according to the highest security standards in the industry. We’re extremely diligent when it comes to ensuring secure data processing along with being Level 1 PCI compliant which allows the facilitation of payments via PayPal, Braintree & more. We have a dedicated team that has meticulously vetted and reviewed the platform to ensure its safety and security throughout.  

For example, our system is protected by the CSA (Cloud Security Alliance) and follows guidelines such as Distributed Denial of Service (DDoS) which protects transit data, with added security from potential attacks thanks to Microsoft Azure’s defense mechanisms. Communications and endpoints are encrypted using TLS and all API requests require user authorization along with following OAuth. User data and authentication are managed with Azure Active Directory, with all electronic data being stored directly in the Azure SQL Databases or Azure Storage. Our employees have access to these systems based on what we refer to as a principle of least privilege, meaning they can only access the platform to perform their assigned tasks. Access to tenant data and information is logged and can be audited, with different privilege levels being available in the system. We also have a strict incident response system to deal with publicly reported issues.  

I think what makes Modeshift’s cyber security strategy unique essentially comes down to two components. First, a cloud-based approach means that our clients get added security since there are no physical servers. It becomes much harder for any attacks to occur and for hackers to infiltrate the system. Secondly, we’re able to separate the IT networks from the OT networks. Back in 2014, the APTA discussed how this kind of division allows for two separate systems to exist and function. One of them is the mechanical side of the system consisting of transit vehicles and equipment used by drivers in daily operations such as validators. The other system consists primarily of anything relating to Information Technologies (IT) and administration, where agencies operate and perform their daily tasks. By separating these two networks you can significantly limit the area of an attack. If someone gains access to a user who is in the IT system they can’t mess with the buses’ infotainment panels or anything else inside the network. Yes, they could potentially do some damage with ransomware and encrypt the PC of the target but it won’t affect the whole system, something which is incredibly important in the realm of cybersecurity.