
Cybersecurity in Rail Operations: A CISO's Triumphs, Challenges, and Lessons Learned | Joel Waugh | S2E2

In this episode of the Secure Tracks Podcast, Joel Waugh, the CISO at the Washington Metropolitan Area Transit Authority (WMATA), shares insights into navigating the unique challenges of cybersecurity in rail operations. Emphasizing the shift in priorities compared to federal government protocols, Waugh highlights the importance of identifying critical systems, prioritizing cyber hygiene, and fostering a culture of communication and collaboration.

About our guest:

Joel Waugh currently serves as the Senior Director of Cybersecurity and Chief Information Security Officer at WMATA. With a tenure of two years in this key leadership position, Joel is responsible for ensuring the secure deployment of systems and technology, safeguarding the information of 17,000 WMATA employees and nearly 1 million daily commuters. Before his current role, Joel spent three years as the Director of Cybersecurity and Risk Management at WMATA, showcasing his commitment to enhancing cybersecurity measures within the organization. Joel's diverse professional background includes significant stints with the Federal Bureau of Investigation (FBI) and service in the US Army.


Roark Pollock: Hi, I'm Roark Pollock, and this is the second season of the Secure Tracks podcast, where we host rail industry leaders to talk about operational rail technologies and cybersecurity. In this episode, we're speaking with Joel Waugh from the Washington Metropolitan Area Transit Authority, or WMATA for short, which is located in Washington DC. One quick disclaimer today: Joel's views and opinions expressed in this podcast are his own and do not represent the views and opinions of WMATA. Joel is the current Senior Director of Cybersecurity and Chief Information Security Officer at WMATA and has been in this role for about two years. Prior to his current role, Joel was the director of cybersecurity and risk management at WMATA for three years. In his current role, Joel manages the secure deployment of systems and technology to protect 17,000 WMATA employees and nearly 1 million daily commuters. Prior to working at WMATA, Joel spent quite a few years with the FBI, or the Federal Bureau of Investigation, and served in the US Army. Joel, welcome to the show. And thank you for joining us today.

Joel Waugh: Thank you for having me. It's always a pleasure to talk cyber and transit.

Roark Pollock: All right. Well, Joel one of the things I'd like to do is start with a question just about your career a little bit. It'd be great if you could tell us how you got into cybersecurity, and more specifically, how did you get into the rail industry?

Joel Waugh: So like a lot of people, I kind of sidestepped into cybersecurity. I've been doing it for much longer than it's been called cybersecurity. I started back when I was in the Army. I was in the US Army for about 20 years. And I was tasked with simple duties like installing antivirus on workstations and making sure they were patched and configured correctly. That escalated up to scanning for vulnerabilities. I was helping to respond to some of the virus attacks that were prevalent in the 90s, Blaster, Sasser and others like that. I helped set up and troubleshoot networks on a couple of different deployments to ensure that the teams had good network connectivity. And it culminated in my last assignment in the military as the deputy chief security officer at United States Southern Command in Miami, Florida, where I really led teams of computer network defense individuals. I led the assessment and authorization team and the COMSEC team. So it all just built up over that 20-year career. Upon retirement, I came up here to the DC area. And I was at the Federal Bureau of Investigation for about seven years as a contractor and then as a fed. And to get into transit, I had the opportunity, the opportunity was offered to me, to leave the federal government and to come here to WMATA to build out a federal-style assessment and authorization process and the federal-style risk management framework. WMATA was a very early adopter of that. And that was an offer I really couldn't refuse. It was exciting to go from zero to the program that we have now. So that's what took me here today.

Roark Pollock: Awesome. Well, we'll talk a little bit about that in just a minute. But before we jump into that, maybe you could tell some of our listeners who might not be familiar with WMATA. Just tell us a little bit about WMATA's scope or the role you've had there today.

Joel Waugh: Well, WMATA has been around a little bit. We are different than many other transit authorities in that we were formed by an interstate compact. The compact was in 1967, I believe, and that was Maryland, Virginia, and DC. So we have multiple jurisdictions that we have to serve and multiple rules we have to follow. We began building the rail system shortly thereafter. The first bus lines I believe began running in 1973 and the first rail service started in 1976. Currently, we have over 98 stations, 120 miles of tracks, Metrobus and Metrorail. We service a population of over 4 million in our nation's capital 24 hours a day, seven days a week, with over 1500 buses, and we cover approximately 1500 square miles of jurisdiction. We also have MetroAccess, which provides accessible service for people who are otherwise disabled. And that provides about 2.3 million trips per year for that population. Here at WMATA, my role as a chief information security officer is pretty broad. I have overall responsibility for the strategy and the program execution of cybersecurity risk management and cybersecurity operations.

Roark Pollock: Okay, so you, you pretty much own the whole program.

Joel Waugh: I own the whole program. I have supply chain risk management, vulnerability scanning, change management, policy requirements, and of course, the assessment and authorization process I mentioned. And then I have another team, which does all of the computer defense, threat hunt, threat intelligence, cyber technology, all of that. One exciting thing I wanted to mention is that WMATA has a pretty exciting strategic transformation plan that we're executing now. And in that new plan, a new position was created, an executive vice president level position that reports directly to our GM: the Chief Digital Officer. And I've seen that used in some tech companies, and I believe some finance companies, but I don't know if I've seen it used in transportation yet. What's exciting to me about that is it's trying to take technology out of the back office and really bring it forward as one of the facilitating components of WMATA.

Roark Pollock: That's a new role I've not run into in transit or transportation yet.

Joel Waugh: It is, and I do think it's going to have some benefits. It's already paying, I think, some good dividends. Another change that was made is I was moved from reporting to the CIO, elevated to reporting to the CTO, which I think really shows that WMATA takes cybersecurity seriously and understands the criticality of cyber to operations.

Roark Pollock: Well, it's nice to see that cyber is connected to the digital transformation efforts and seen as a part of that whole process. Yeah. So that's awesome. Well, let's take a step back a little bit and talk about your journey at WMATA. And what I'm interested in, you know, as a new employee at WMATA, you came in working in cybersecurity. One of the things I'm curious about is what you kind of found different or unique about the operational rail tech environments that you experienced and what's different from what you might expect to find in other operational industries, whether it's oil and gas or utilities. The reason I ask is there's a lot of talk about how unique rail systems are. And so I thought maybe it'd be great to get your perspective on that topic. And maybe you could give us a few examples.

Joel Waugh: So I can definitely give a good comparison between transit and federal government. In the federal government, we have, well, everywhere we have the security objectives of confidentiality, integrity, and availability. And in federal government, it's almost all about confidentiality, protecting the data, making sure that secrets stay secret. In transit, it's very different: for operational tech, the security objective is availability, it has to be up and running. And most of the data is not secret. It's meant to be used. It's meant to be shared, even out to our customers. But those systems have to be there, they have to be in place. Transit, in my experience, may be unique from other sectors, because our systems are very large or very expansive, covering a large geographical area. And generally they were built up in very siloed departments. So different teams have managed different components of what has grown over time into a system of systems. And it's fine, but once you start getting to where you want to modernize and really scale the use of technology and data, that becomes a little more problematic. But also for cybersecurity, that cannot be siloed, that has to be standardized across all of the technology, and that's one of the challenges, just getting people to understand why that function can't be siloed. It has to be centralized.

Roark Pollock: Well, that's an interesting take. We tend to talk about rail operations as if it's a single entity, but you're saying within rail operations, there's many different kinds of functions and systems.

Joel Waugh: Yes, there can be. There are a lot of systems that provide data to those trains for automatic train operation.

Roark Pollock: Yeah, I've heard others quote that there's as many as 40 or more systems involved in rail operations just to make a train go, indeed, properly. Yes. So that's a pretty broad space. So, Joel, there's lots of CISOs in the rail industry now who are taking ownership of the cyber risk in these rail tech environments. Maybe you can tell us, based on your journey at WMATA, how you started thinking about figuring out what the cyber risks were in rail operational environments?

Joel Waugh: So very early on, when I joined WMATA in 2019, one of the first things I wanted to do is identify the critical systems, the crown jewels, as we call them, what I absolutely need to protect. And it was clear, even though I had no experience in transit, very clear that those transit supporting systems are among the crown jewels for WMATA. So what I did is I started meeting with the different teams that were operating these different systems, operational technologies, and understanding what security existed, to try and assess the priority of those systems versus other vulnerabilities and other weaknesses that I was attempting to address on the corporate network. What I discovered is that, of course, security existed. WMATA had decent security over its operational technology. It's focused, as a lot of transit is, on the Purdue Enterprise Reference Architecture, which is not a security reference architecture. Right. But when implemented, it does provide pretty decent security features, especially segmentation of that operational technology from the rest of the network. So just that understanding and testing of that segmentation, and understanding the strength of that segmentation, allowed me to prioritize, I think correctly, that there are needed improvements in operational technology. But it wasn't dire. It's not like I needed to come in and shake anything up. I could build relationships and come up with plans that did not impact, or had a reduced chance of impacting, availability of those systems.

Roark Pollock: Right. And you started with some easy things where you trusted the operations teams, yes?

Joel Waugh: Yep. Indeed.

Roark Pollock: Well, Joel, you mentioned prioritize. And, you know, some of the different projects that you looked at, some of the things you knew were in place, but certainly there were things that needed to be done. I'm curious, you know, what projects did you tackle early on? Yeah, what were the top priorities, kind of first, second, third, etc.?

Joel Waugh: So, as I mentioned, after really validating the segmentation of that operational technology, it became clear that we needed to focus on weaknesses in the corporate network. Basic kinds of attacks that have hit other transit operators, Colonial Pipeline, some municipalities: ransomware attacks that remove corporate systems from service. And those are the most likely kind of attacks based on, you know, recent hacks and intel. So really, we were focusing on basic cyber hygiene, that's really always the best place to start. And three things in particular: hardware and software asset management, identity and authentication of users and devices, and vulnerability management. Anyone who's focusing on those three things is going to reduce a lot of the vulnerabilities. We also commissioned some outside studies to take a look at our program and provide input. And then over the first two or three years that I was here, we focused heavily on building a cyber staff and structure that would allow us to be successful well into the future.

Roark Pollock: Many hard lessons learned in those early days? Especially working with the operations organizations?

Joel Waugh: So really, especially with the operational technology, I suppose one of the hardest, maybe most humbling lessons is just needing to communicate consistently and constantly. And understanding that most of the people I was dealing with, they understood cybersecurity, they knew that there was a need for cybersecurity. But they also knew that if applied incorrectly, it was going to reduce the availability of their systems. So really, it was focusing on how I spoke, speaking their language, making sure they understood that I was going to protect availability of those systems as aggressively as they were. And something you had mentioned before, which was really, really important: it's focusing on quick wins, small things, quick wins, to show them that I can do my job and not impact the availability, to build that trust, to make sure that I have a seat at the table and that we're communicating about cybersecurity.

Roark Pollock: So you're saying organizationally, it is often more of a challenge than the technical side of the problem?

Joel Waugh: It can be. Culture is not an easy thing to change. I think it's easier to probably roll out a new system than it is to change a culture.

Roark Pollock: Yeah, absolutely. Well, Joel, if we fast forward to the present day, you're now four to five years into your journey at WMATA. How have your top priorities now changed? Where's your focus today? What are the things that you have top of mind now for the next, let's say, 12 to 18 months or so?

Joel Waugh: So really, we are focused now on completing some capital projects that are going to help us build a secure foundation, not just for the corporate network, but for OT systems as well. We are aligning everything we're doing to the zero trust architecture, and zero trust has a whole body of documentation on it. But in a nutshell, it's really about ensuring that the right subject has access to the right resource for the right reasons. So building that framework and that foundation, we can apply it to OT. It'll allow us to bring in new technologies with reduced risk, to use data in new ways without exposing that data. That's really where we're focused now, is that secure foundation, so the organization can modernize, the organization can roll out new technology at an aggressive pace without impacting the cybersecurity posture.

Roark Pollock: Got it. Got it. Well, let's change topics a little bit here. I'd like to talk a little bit about the new TSA security directives. It's certainly one of the big topics of conversation in the rail industry in the US and probably North America over the last year or so. How have the new TSA security directives impacted your organization? Or frankly, do they even apply to WMATA officially?

Joel Waugh: So there is one TSA security directive that applies to WMATA. It requires us to have an incident response plan and policy, to test that plan, to appoint responsible individuals, and to coordinate with CISA, the Cybersecurity and Infrastructure Security Agency, for any potential breaches, to report them to CISA and coordinate with CISA. There is another security directive, 1580/82, which does not apply to WMATA. But I felt that it was a good security directive. It applies to heavy rail, freight rail, and a few passenger lines that were specifically notified by GSA but not right.

Roark Pollock: Okay, interesting. So did you mention that, did you say that you are trying to implement that same directive?

Joel Waugh: Yes, we have chosen this year to voluntarily implement that TSA security directive even though it doesn't apply to us. The requirements are more aggressive. It requires segmentation, it requires critical asset identification, access controls, continuous monitoring and threat detection, and vulnerability remediation, far beyond just an incident response plan and testing. But I do think it's a really good security directive. I think it provides a solid basis for an operational technology security program for WMATA.

Roark Pollock: Is that basically why? I mean, I have heard other people talk about these directives being a bit prescriptive or even perhaps a bit onerous. But you're choosing to voluntarily take these on. Is it basically because you feel like they're in the right direction and they're the right things to be doing?

Joel Waugh: I do absolutely agree with that statement. I do think it is the right direction to go. I do think that, in some cases for cybersecurity, those baseline, the minimum standards do need to be prescribed by a legitimate authority, in this case, TSA. I believe, and this is a wholly personal opinion, so take it with a grain of salt, I have a suspicion that maybe three or four years from now, a similar type of regulation will apply to WMATA and other transit authorities. Again, that may or may not come true. But even if it doesn't, I think it provides a really solid defensible foundation for our OT security program, a solid defensible methodology for selecting security controls. And more importantly, for answering the question, if we're ever asked, "Why did you not select other controls?", this is our foundation. So it's really about just making sure that we get aligned and stay aligned with where the federal government is going in terms of cybersecurity.

Roark Pollock: Okay, well, of those controls that you mentioned that are part of the security directives, are there any that you are prioritizing above others, or something that perhaps you find more challenging than others?

Joel Waugh: So I already mentioned segmentation. That's the key. Everybody in transit and probably most other sectors that heavily rely on OT will tell you, "My system is air-gapped." Not exactly true. There are connections, but still, segmentation. Segmentation is one of the, it is the foundational control for cybersecurity. After that, what I'm focusing on, and what is a challenge for OT, and I've heard this from some of my peers at other agencies, is that asset identification. As I've mentioned, OT having grown up organically over the course of 20-30 or more years, without central management, and that technology specifically having very, very long useful service lives, we have components running in that environment that may be 20 or 30 years old, that may be tracked on a spreadsheet in some Center of Excellence, where they're really good at their job, and they manage them expertly. But there's no central awareness of that technology, and maybe limited central awareness of what it's doing. So that is the challenge, getting real-time information, because it'll never happen by trying to pull spreadsheets together. That's not the right approach. Real-time, on-the-wire information regarding what is actually on the network, what's talking and what it's talking to.

Roark Pollock: Right. Yeah. Understood. Yeah, I think that's a pretty common statement as we get into these rail technology environments. You mentioned segmentation. I'm just curious, when you say segmentation, are you thinking about segmentation at the top of the Purdue model between your operational technologies and your information technology systems? Are you talking about network segmentation and asset segmentation within your rail technology environment?

Joel Waugh: That's a really good question. First and foremost, it's segmentation from the corporate network of the entire environment. But you're right, it does have to go further. Because some of the newer equipment, some of the equipment that's based on IT-like systems, operating systems with full servers, those can have modern security controls applied to it. Some of the older stuff, you can't have modern security controls. So what we are doing, and what I think most people should do, is focus on that perimeter protection, but also have an architecture in your OT environment which can provide even more layered protection, which allows devices to talk but can protect them from other things on the network, if they don't have the ability to have good identification or access controls or any other type of security control.

Roark Pollock: Right. Okay, that's just, you talked about it, and it was unclear to me which one you were talking about. So thank you for that clarification. So let's flip the coin a little bit, Joel, and talk about the world outside, that's kind of outside of your control: the threat landscape. And as you look from the inside, you know, how do you think about the threat landscape today relative, especially, to the operational rail tech systems and applications, those 40 or plus systems that you may have running in your operations? What do you worry about? What are the big things that are top of mind?

Joel Waugh: So, of course, I'm still worried about ransomware type attacks. Those are still some of the most prevalent, still some of the most damaging. And whenever there's a financial motive, it's virtually impossible to prevent some group or many groups from wanting to profit from that. And it can be very damaging. I think anybody who has been hit by a ransomware attack, it damages, of course, your finances. But more importantly, to me, it would erode a rider's trust in the safety and security of our system. And that is an unacceptable outcome. More recently, though, there have been an escalating number of attacks directed on operational technology. We've seen it over in, what was it, Poland, with the use of their radio system to stop the trains. The attack on their communications and signalling system stopped all the trains. The very recent attack in Pennsylvania and some other states on municipal water systems. The number and severity, I think, of the attacks on operational technology systems is increasing. There doesn't seem to be a financial motive to it, which means it's aligned with some nation-state or a group with political motives. And that's scary. Because those people are generally not too afraid of anything, they're willing to suffer consequences to accomplish their objectives. Yeah, I do worry that those will continue to escalate. And it worries me if there are some known unknown vulnerabilities or collection of vulnerabilities that would allow a nation-state to do bad things to public transit, or the electricity grid or the water grid or any of our other critical infrastructure systems.

Roark Pollock: Yeah, I think the worrying thing with nation states is, if somebody is in your environment, and they're active, it's usually pretty easy to find out, but they're in your environment, and they just sit silent until they're ready to take some action. That's pretty frightening.

Joel Waugh: Yeah, it's difficult. They're not making any noise; very difficult to find them.

Roark Pollock: Right, right. Are there specific systems or parts of your operational rail tech environment that get more attention than others? You mentioned the notion of crown jewels. Maybe that's the answer to this question. I don't know. But maybe it's things you worry about and things your stakeholders or your operational counterparts worry about, are there things that are more top of mind than others?

Joel Waugh: So another good question. I'm looking at the systems that feed data to our rolling stock: switching, signaling, track power, track occupancy, and the whole list of those cuff systems that are measuring or monitoring a specific thing and then feeding that information to the railcar to help it make decisions on where to go, or to the operator if it's manual operations. Those, to me as a cybersecurity professional, if I were an attacker, that's where I would look to exploit vulnerabilities. And that's where I'm looking to make sure that we have good protections over those systems. If they need to be updated, we have a plan to upgrade them. Or if they can't be upgraded, we have some plan to make sure we can layer some security controls on top of them to remove physical access, reduce logical access, etc.

Roark Pollock: Right. Yeah, one of the biggest concerns is even once you know about the vulnerability, oftentimes, it's very difficult to patch or eliminate or mitigate that vulnerability without some sort of compensating control.

Joel Waugh: Correct. And the one other thing I'm doing now, that I mentioned before, is we are investing in technology to help us monitor and identify what's talking on the OT networks, right, and feeding that data into a data set, so we can begin to build an understanding of what normal looks like, and then use that to monitor for any anomalies that we may see. But what you've stated before is absolutely true. If somebody's just sitting there and being quiet, you're not going to see them until they try and do something. So I want to be able to see that anomalous activity when it starts.

Roark Pollock: Absolutely. Well, Joel, let's talk a little bit about a different topic. I think we already touched on this briefly, but one of the challenges with cyber in the operational rail tech environments is the necessary coordination you talked about earlier between cyber teams and the business or the operations groups. How do you go about getting buy-in from the teams from operations, so that pretty much everybody's on the same page with the priorities, the projects that you're trying to implement, and it makes it smooth and successful?

Joel Waugh: Well, first and foremost, I think, is just good education, walking to the various teams and doing cyber awareness training for their teams, focused training on the specific threats that are emerging, and why we need to be aware of those threats and what we can do to protect ourselves from those threats. I think that's really good to get people to understand why this is critical, why it's becoming more critical now than it may have been just four or five years ago. The next thing is trying to share what we're learning. Cyber traditionally tends to be very close hold with any data we have, we want to protect it, we think it's absolutely secret. I want to share as much of that data out to the operational teams as possible. In the instance of awareness of assets on the network, there's a tremendous cyber value for me. But I think there's a tremendous value for the operational people to get that same data right there, marry it up to your asset management system and your spreadsheets, and be able to in real time know where specific assets are in the virtual and logical world. And that's really important. I think sharing the value of this technology that we're trying to bring in is the winning strategy. It makes the investment a lot more palatable for the organization if I'm championing it, and the ops teams are also saying, "Yes, we want that, we need that."

Roark Pollock: Are you actively looking for valuable use cases where you can add value for the operations teams, as you implement these tools?

Joel Waugh: I am looking for them where I can, but having not worked extensively on that side, what I'm doing is I'm bringing them in as much as possible. I'm giving them access to the datasets and saying, "Please run your reports, look at it, let me know how you're using this data, if it's useful to you, or if it's not, and what you're doing with it," and then letting the people that actually do the work build those use cases, so we can make a really strong justification for the money.

Roark Pollock: Got it. And are you actively integrating some of the cybersecurity tools with some of the operational tools for information sharing?

Joel Waugh: We haven't started that yet. Most of the tool integrations we have are with just some data repository like, you know, an asset management system or a vulnerability management system or a log management system, which is really powerful. But that is going to be the next step, to figure out how we can get all of that data that they're using now and the data that we have available now together, and what can we do with that? Do we do that in the OT environment? Do we have to get that into a cloud and do analytics on it? We're discussing all of that right now.

Roark Pollock: Okay, it makes sense. Well, one of the challenges I hear from a lot of CISOs in the rail industry is perhaps the rail industry isn't seen by technical people as being as "sexy" as some others. And so I'm curious, you know, what you've been doing as far as trying to build your organization from a recruiting standpoint, build that expertise or develop that expertise internally? And especially, how do you get people that are knowledgeable about these rail operational environments and cybersecurity?

Joel Waugh: That is a very good question. And I wish I had a rock solid solution. I can tell you what we're doing. And I can tell you that we're probably going to have to modify, you know, as we go, just to make sure that we're successful. What you're saying is right, though, it is very difficult to recruit and retain talented people. They are very valuable, especially here in the Washington DC area, in any major metropolitan area, probably; they can easily go get a job, probably for more money, maybe with full-time telework. So it is a challenge to keep our top people. What we have done, the direction we're going, is more of a hybrid model where we've structured our staff so that we can bring in junior people who may just be entering the cybersecurity field. They probably don't have a lot of cyber experience in general. Maybe they're college graduates, maybe one, two to three years on a helpdesk or doing some other IT functions. And likely may not have much OT experience at all. But we can train them, we can progress them, get them to where they can do tier one, two and three type activities, cyber activities and support activities. But I believe we're always gonna be reliant on vendors, industry and technology companies to provide a continuity for that tier three and tier four expertise. So the junior people have people they can go to and pull in for the extremely challenging, extremely tough tasks. And even if somebody progresses and becomes very, very knowledgeable and leaves, I still have continuity, I still have that repository of knowledge that we can go to. And apart from human skill sets, we're investing in technology, we're investing in training programs. We built out a career progression training program for our cyber staff, to try and encourage people to get industry certifications, to get college degrees and the like. And just good technologies that a junior person can make usable without advanced expertise. Cyber is good in that way. It's come a long way. It used to be the only people who could do cyber were people who had been doing some sort of technology for 20 years, because the tools were not very user-friendly, but that's changed. So that's a good place to spend money.

Roark Pollock: Okay, gotcha. Do you find, and I'm curious about this, do you find that people are interested in the operational aspects of the business?

Joel Waugh: Actually, yes, very much. It's new, it's unique. It's challenging for them to look at anything from, you know, building management systems, HVAC systems, escalator control, and then all of the core systems that I'm talking about that run rail and bus. And to understand the importance, the criticality of those systems and the uniqueness. It's a challenge for anyone to learn. And I do think most people like to be challenged.

Roark Pollock: That's okay. I spent the last seven, eight years of my career in the oil industry. So I have an operational background. I wasn't sure if other people would be as interested as some of us are. So it's good to hear. Well, Joel, let's jump ahead a little bit. Let's talk about the future. You know, if you could project into the future, and I'm sure this is part of what you're tasked with as the CISO at WMATA, how do you see rail operations in the rail operational environments evolving? And what future risks, do you think that, you know, what future risks probably concern you the most based on what you see happening in the future?

Joel Waugh: That's an interesting question. And it's a difficult question, right? When you're trying to project in the future, there's something called an event horizon, which technology has changed so much, that it's almost impossible to make accurate predictions past that event horizon. The world we live in now, with the advances that we're seeing, it's really difficult to pretend that I could see much past, you know, four or five years. Basically, I don't think I'm smart enough to know what transit's going to look like in 20 years. But what I am smart enough to do is know what we need to do now to try and be ready for any number of changes. And that's really why I'm focused on zero trust, something that's adaptive and flexible, that allows us, no matter what new technology comes out four or five, six years from now, we can bring it in securely, quickly and begin employing it either to the benefit of our customers or for enhanced cybersecurity or operations.

Roark Pollock: Yeah, certainly one of the things that I think we'll probably see is more inclusion of generative AI, facilities abilities that are probably both on the side of the good guys and side of the bad guys. Absolutely. But I think that's going to change a lot of what we do today. When you think about the sophistication and what the rail operators are doing it and what is needed to secure that, how do you expect to see yourselves and the rest of the cybersecurity organizations, you know, upping their game even more? You know, what do you think's coming next from a cyber perspective?

Joel Waugh: Well, so, if I attend transit events, conferences, the amount of tech available is eye-opening. There's so much technology available that provides incredible operational efficiencies, reduced headways, improved efficiency, better communications for our passengers, more awareness of where every single asset is, and all that feeds into large datasets and out to the customer so they know exactly what's happening. And that's great. All that tech is going to make us much better at our core mission of running rail, bus and paratransit. But what that new tech also means is that it has to be brought in securely, it has to be brought in with security requirements defined upfront, and then integrated with an effective corporate cybersecurity program to ensure that we can use those systems safely, that we can share that data without sharing data that we don't intend to share. I do think that's going to be a challenge because, as I mentioned, the pace of change, the pace of technology growth, is becoming blinding. And also you had mentioned AI. Another big thing, I think, is AI hitting against very large data sets, or data lakes or data repositories, or having connections to every database and the environment. And using that to try and make better decisions, to get all the information that's siloed out of silos and make really good decisions at the executive level and the operational level. But that also has its own cyber vulnerabilities. The more data you put into a pool, the more attractive that pool is for a hacker and the more impact to the business if that big lake is compromised.

Roark Pollock: Right. Well, it sounds like you guys are trying to stay one step ahead. And with the creation of this new Chief Digital Officer, the fact that you are now part of that organization, and working cyber into every kind of project that comes up, I think that's a fantastic sign of where things may be going.

Joel Waugh: Yeah, I think we have a good foundation.

Roark Pollock: All right. Well, that's awesome. Joel, wrap things up here a little bit. As a CISO that's kind of in the heat of battle, you're building a cybersecurity and risk management program now and at WMATA, you're continuing to do so, focusing especially now on the operational rail tech systems. You know, what bit of advice would you leave other rail operator CISOs with that may be either a little earlier or might just be starting a similar journey?

Joel Waugh: Um, I think I mentioned everything. First and foremost, I would focus on ensuring that your operational tech is segmented, that it's protected. It's not exposed publicly, and it's not exposed to your corporate network. After that, focus on the basics, the basics of cyber hygiene, tremendous value there: hardware and software asset management, identification, authentication for users and devices, and vulnerability identification and remediation. Once you get that, or simultaneously, if you have the resources, really focus on your corporate cybersecurity awareness. Overwhelming majority of breaches are started by a user clicking on a malicious email. So if you can train your users to not click on phishing emails, that has tremendous value as well.

Roark Pollock: Yeah. And I assume that things that you're talking about apply both to your IT and your OT environments.

Joel Waugh: Correct. Absolutely. Yeah. All right. 

Roark Pollock: Well, Joel, lastly, if somebody wanted to get in contact with you, what's the easiest way for somebody to reach out and have a conversation?

Joel Waugh: I can easily be looked up on LinkedIn. My name is pretty unique. There's only one of me as far as I know. And I always appreciate connecting with industry peers and others in the cyber field.

Roark Pollock: My name is well. From but stand out, it's great. Yes, indeed. All right. Well, Joel, thank you very much for joining us today. Having you as a guest on our Secure Tracks podcast has been a pleasure. And frankly, we would welcome you back anytime if other topics come up that are of interest. And for our Secure Tracks audience, thank you for listening. That's the end of today's show. Until next time, keep those tracks secure.
