As an IT Manager or CISO (Chief Information Security Officer) for a public transportation system, you have to make big decisions every day. From data security to system redundancy, there are major considerations when it comes to planning and managing your organization's technology. One of the biggest decisions revolves around whether your organization should use local servers or cloud-based servers. Over the years, this has been one of the most common and popular questions facing CISOs from all industries.
I recently had a chat with Boris Surets, CISO at Optibus to better understand the benefits of using cloud-based servers, as opposed to local servers, specifically for transit agencies. Here's what I learned:Tell us a little bit about your background. How did you get into the field of cybersecurity, and what brought you to your role as CISO at Optibus?
I’m 35 years old, married to an incredible woman and we have 2 amazing children. I started off with several IT and security roles during my army service in the Israeli Defense Forces (IDF). After the army, I worked in security positions in a variety of global and domestic startups, SMBs, and enterprises.
Security has always been a passion of mine. I love how it’s constantly evolving and improving. The combination of IT, business and administration allows me to have a 360-degree perspective which allows me to fulfill my professional responsibilities - securing the services provided to our customers while simultaneously providing the highest level of protection of our intellectual property.
When I found out that Optibus was looking for a CISO, I jumped at the opportunity. What really appealed to me was discovering their significant impact on society and how they are literally changing the world. It's been an immense privilege to be a part of this team.
I was pleased to find that Optibus considers security one of the important aspects of our platform. We are constantly working to make sure our platform meets security industry standards which allows us to provide the best possible services and security to our customers.
What do you see as some of the latest trends in cybersecurity that the public transportation industry should be more aware of (and prepared for)?
Modernization and digitalization have advantages but also provide more opportunities for threat actors to breach operational infrastructures and IT infrastructures which process and store personal and financial data. There is also the threat of interrupting the availability of public-facing services to passengers, resulting in loss of confidence in public transportation.
We’ve seen an alarming increase in the number of supply chain, ransomware and Distributed-Denial-of-Service attacks in all sectors of life. The public transportation industry is not immune to these attack methods and could face significant cyber incidents as well.
“The public transportation industry is not immune to these attack methods and could face significant cyber incidents as well.”What are cyber hackers/cyber attacks after in the field of public transportation? What type of information should bus operators be sure to safeguard as much as possible?
The risk isn’t just serious disruptions and closures of business and mission critical services provided by public transportation companies to their customers. Every day, passengers put their trust in public transportation companies to take care of their financial details and other personal identifiable information. This sensitive information, if not properly protected, could lead to substantial harm, including identity theft or other fraudulent use of passenger information.
What can bus operators do to better ensure that their data is secure?
In my opinion, the principal way to ensure data is secure is to define top risks to the company and analyze them from a perspective of what we call the "CIA triad" (Confidentiality, Integrity and Availability). Nevertheless, how sensitive information is handled needs to be their highest priority.
One thing you can start with is implementing network segmentation, emphasizing between your operational technology and information technology networks.
- It’s best to take a risk-based approach for patch management - Put priority on business-critical assets.
- Maintain role-based and context-based rules when setting up access controls.
- Encrypt transmission and data with what works best for your company and always make sure that it is compatible with the technologies in use.
When upgrading and modernizing a public transportation system, what are some questions the IT department should consider?
- Who is monitoring and updating our cybersecurity protocols, and how do we train our staff?
- How often should we analyze and perform cybersecurity updates?
- What is our disaster recovery plan, and who needs to know about it?
- What is the most vulnerable point in our system (on premises or digital), and how can we make it less vulnerable?
- How do we demonstrate compliance with our cybersecurity controls?
Local servers, cloud-based or cloud-native? — which is more secure, and why?
There is a common misconception that on-premise infrastructure and legacy software are more secure. It is important to acknowledge that on-premise software has security-related risks that need to be properly handled, such as vulnerability management, patch management, networking, and access.
Legacy software is usually not encrypted, not in-transit and not at-rest, and if they are, the encryption methods used are old and vulnerable to security threats.
Using a cloud-native platform enables high levels of Recovery Time Objective (RTO) and Recovery Point Objective (RPO) and supports Business Continuity and Disaster Recovery processes with high-level backups and data replications. Top-grade security and the best cloud computing resources ensure customers always receive the best functionality and security for their data and that of their passengers.
What makes Optibus more secure than our competitors? Especially legacy or on-premise software (or even Excel)?
Currently, most public transportation planning, scheduling, and rostering tools are on-premise legacy software platforms or just basic Excel files managed by IT personnel. These platforms and files are considered mission-critical, and every single action performed on them is significant.
Because these older legacy solutions were developed using outdated coding technologies and servers due to compatibility issues, they aren’t compatible with the latest security tools and in most cases cannot be updated. Unfortunately, it exposes them to severe security vulnerabilities.
Early on, Optibus implemented several security controls and mechanisms, both technical and administrative, to make sure we stand with the highest degree of security posture.
I am quite biased, but one of the most impressive decisions Optibus made was to use top-notch security mechanisms to keep all networks and data encrypted. We developed our platform as cloud-native, using privacy and security-by-design approaches. All Optibus infrastructures and customer platform environments are stored in top-secure, compliant Amazon Web Services (AWS) servers located in various locations.
We all know that public transportation is a significant part of critical infrastructure that impacts how cities operate and how they can be efficient. In that light, public transportation companies should take network security seriously, particularly when it comes to their users' information and personal data.
Ultimately, the decision of which type of server to use will depend on the specific needs and goals of an organization. However, it's worth considering the benefits of cloud-based servers as a viable option for a public transportation system.
Did you like this article? Sign up for our newsletter so you don't miss out on upcoming posts about security information for public transportation.