Roark Pollock: Hi, I'm Roark Pollock, and this is the second season of the Secure Tracks podcast, where we host rail industry leaders to talk about operational rail technologies and cybersecurity. In this episode, we speak with Susan Howard from Michael Baker International, an engineering and consulting services company. Susan is the Vice President of Industrial Control Systems and Operational Technologies Cybersecurity at Michael Baker and is responsible for strategic technical growth and development of ICS and OT cybersecurity across all client sectors, including rail. In her current role, Susan is responsible for developing cyber-informed engineering. Prior to Michael Baker, Susan also worked with LTK Engineering Services for nine years, working on multiple Intelligent Transportation Systems projects, including light rail control systems. And she also served as a telecommunications and cryptography specialist in the United States Air Force. Susan, welcome to the show, and thank you for joining us today.

‍

Susan Howard: Thanks, Roark. Glad to be here.

‍

Roark Pollock: Awesome. Well, we're happy to have you. So Susan, one of the things I like to do when we start the conversation is just get a little bit more about you and your career. So if you don't mind, can you tell us a little bit about how you got into cybersecurity and more specifically, how you got involved in the rail industry?

‍

Susan Howard: Yeah, so it's a pretty short story, really. I joined the United States Air Force right after high school. And I, they put me in telecommunications and cryptography, and I really, really enjoyed it. So I wanted to pursue that for the rest of my career. So after the military, I did some work with a hospital and healthcare, network services, and cybersecurity. Then I completed my undergrad and I got a job with Hatch LTK. They're called Hatch LTK now, but back then there were LTK engineering services. And it was my first introduction to light rail systems and control systems for light rail. And I kind of fell in love. I got bitten by the rail bug, like a lot of us. And my initial project was the first rail alignment light rail alignment for Denver, RTD.

‍

Roark Pollock: Okay, awesome. Well, Susan, I know there's probably a lot of people that may not be familiar with Michael Baker, especially some of our international, folks. So could you tell us a little bit about Michael Baker, and a bit about your scope and your role with the company?

‍

Susan Howard: Sure. Michael Baker has actually been around for a little over 80 years. And we are an architecture and engineering firm based out of Pittsburgh. We have multiple verticals that we serve, federal, federal infrastructure, state, local and education, and commercial services. And we’re full service like I said, so we do everything from aerial services to bridges, to water, wastewater, commercial buildings, consulting and technology. And of course, our rail and transit is a very large piece of our business. But we also have a big environmental engineering and planning team with about 100 offices across the country, and about 3,000 employees right now and we continue to grow. And cybersecurity is a new service for us, brought about by the mandate from the federal sector in the Department of Defense, which required a control system cybersecurity be involved in all designs. And my role is to grow the entire cyber services business across all of our sectors. But of course, my passion is light rail, because I just, I mean, once you're in it, it's hard to get out.

‍

Roark Pollock: I understand quite a few of us that kind of love the industry. So Susan today, as you kind of mentioned or alluded to, we're going to talk about cybersecurity, especially in the operational environments of light rail systems. And so maybe to get us started, you could give us a quick definition from your perspective of what light rail is and isn't and maybe compare it to commuter rail or metro systems.

‍

Susan Howard: Sure. So, so light rail can operate in inner-city traffic, which is much different than commuter rail or freight rail, and it can actually take advantage of traffic signals because The tracks are dedicated to the light rail system and the passenger capacity is lower. The reason it's called Light Rail is because the vehicles weigh less than passenger commuter rail. And the top speeds are lower as well maybe topping out at about 55 miles per hour, depending on location. Again, the tracks are below are at street level, there are shorter headways than passenger, then commuter rail, like trains arrive every three to five minutes, because the objective is to move people in and out of inner cities as quickly as possible. And what I liked most about it, what I've always liked is that it's completely green. It's all-electric, low emission, low noise, all DC powered. So it really is a truly green mode of transportation.

‍

Roark Pollock: Yeah, agreed. And we're seeing more and more of it, especially throughout the US in different cities. I know light rail is becoming a bigger and bigger transportation offering for many metropolitan areas. So Susan, I know you've been working light rail projects for a long time now. So how would you describe the current state of cybersecurity, especially as we think about the operational rail technology environments of these light rail systems and how do you think it's improved over the last say, five to six years?

‍

Susan Howard: So I will always remember when I started my light rail work because it was September 11, 2001, which is a day we none of us can forget. But back then the attacks were of the SQL Slammer type with Code Red and all kinds of SQL injection attacks. We're not saying denial of service so much anymore. So the vulnerabilities and attacks have changed. And the method of securing light rail system control systems has changed. Also, back then I was really busy installing CISCO PIX firewalls all over the country. Because there was no segmentation between the IT enterprise environment and the control systems environment, there was really no segmentation in the beginning. And people started thinking, well, that's not such a good idea. With all of the SQL injection attacks, they were we were seeing. So, that's changed now, of course, and the control systems are typically on their own network. That changed for me as part of the design with RTD light rail where we I designed a gigabit Ethernet network for the first time, because most of the light rail networks for control systems were being done using Sonnet or other ring topologies. So some of the things that have stayed the same. They're still funding problems, unfortunately, IT gets the funding and OT not so much. So I think what's happening out there is that IT and OT organizationally are converging so that the control systems folks can leverage the deep pockets that it has always had. Because they run the enterprise, right, and they are part of, you know, the revenue recovery for light rail systems. There's an increased awareness, also, among the light rail systems executive staff on the vulnerabilities involved with control systems. That wasn't there. 20 years ago, I actually left the consulting world because there just wasn't enough billable work for cybersecurity, and light rail systems, and control systems, which is hard to believe. But that was the case 20 years ago. The other thing I see is regulatory and regulatory control is becoming more centerstage. As we see with the current TSA directive that wasn't the case back 20 years ago, we had safety from a FRA, and others but there was no cybersecurity at all.

‍

Roark Pollock: Now, Susan, since you bring up TSA, I know that the TSA security directives in the US are relatively new. They're about 18 months in the making or even less. Do you find that the TSA security directives apply to the light rail systems today?

‍

Susan Howard: Well, I guess it depends on what you mean by apply if you take the you know, the words on the TSA directive and look at Appendix A which is appendix eight of title 49 part 1582 or something like that. You can Google it um, right off of the directive memo, so the application is only to high visibility light rail systems like WMATA, BART, and MARTA over in Atlanta. But those actions are required actions on that TSA directive memo. It's the same thing. Many of us the same things many of us have been saying for the past 20 years, to our light rail agency clients. It's just basic cyber hygiene, which is on the TSA directive. So. So if you read the memo, the mandates only apply to a certain small percentage of high-visibility agencies. But the actions required very definitely apply across the board. So any passenger rail system? 

‍

Roark Pollock: Right, I think you taken the same angle that I've been professing, which is we need as an industry to be thinking about these things, because they're the right things to do. They're the best practices, not because TSA is telling, telling us that we need to be doing. So I agree wholeheartedly. If we flip the coin, you talked a little bit, very briefly about the threat landscape, and how it's changed in the last, say, 20 years since you started in the space. What is it about the threat landscape and relative to light rail in particular, that that worries you the most, and you have any examples you might want to share?

‍

Susan Howard: I think we've seen an evolution in the types of cyber-attacks that are occurring in light rail systems. So if we look back, like I said, 20 years ago, we saw a lot of denial of service attacks on the enterprise IT not a lot of targeted control systems attack. But in the last year, maybe five years, what we've seen is, and those attacks back then then I have a service and SQL injections, and they were just meant to wreak havoc, they really didn't get anything for the attacker. And now everything is I guess incentivized by money. And that's why we're seeing ransomware January 2023, the BART ransomware attack comes to mind. But then in 2021, we saw several there was Santa Clara VTA, Oahu transit services, and Toronto Metro links all had ransomware attacks. And while these ransomware attacks don't, immediately or they they're not targeted towards the control systems, a very common practice is to disconnect the control system side from the IT side. And this impacts a lot of things like scheduling and things, for instance, and the Oahu ransomware attack, they did just that they disconnected the IT side from the OT side and who was affected were prior paratransit clients. Imagine you're somebody that relies on paratransit to have your dialysis appointment done, it's very challenging and could be potentially life-threatening to lose that service.

‍

Roark Pollock: Well, that's a good example. Thank you. So Susan, let's talk about the actual systems that exist within light rail. As we're talking about these operational rail tech systems, or the applications that are present in light rail, what immediately do you think of? Or are you concerned about when it comes to securing these environments? And how perhaps is it different than other rail systems or other industrial control system environments?

‍

Susan Howard: So I think in the past 20 years, the systems themselves haven't changed. They're the same systems, they just have morally highly automated components. So some of the systems that I typically assess are include passenger information systems, fare payment systems, signalling, traction, power, tunnel, CCTV, and more and more onboard vehicle systems, which have always been there, but they're increasing now in complexity and the need to secure so all of these systems are pretty generic to most of light rail agencies that I work with. And in terms of, you know, the difference between commuter and light rail systems, a lot of these like the ticket fare payment systems, those are all self-service. And one of the biggest differences though, that I get a lot of questions about is positive train control. positive train control is not a factor in light rail systems because it's not mandated for light rail systems, so because there are many other failsafe ways to protect light rail.

‍

Roark Polloc: Yeah, perfect. Well, Susan, one of the things that comes up quite a bit, especially as I talked to rail operators, CISOs, or people within the security teams, especially if they come from outside of the rail industry is, is how unique or different some of the operational rail systems are. What do you find? And I know you've been in the industry now for a while, but I'm sure you still work in an outside of rail, what do you find is unique or different about the operational rail tech systems and how they might compare to other kinds of ICS or OT industries?

‍

Susan Howard: So I think the primary difference is the use case. And I'll pick on Siemens only because I see Siemens S7s everywhere, you know, and they're pretty notorious since the infamous Stuxnet event. Still, I can have a Siemens IC, Siemens S7s and water treatment plants, wastewater treatment plants, electric utility substations, but also in light rail signaling houses. So the PLC is the same, the use case is completely different. And the challenge is to have the skills available to understand what the use case is, and what the application of that PLC is, and how to secure it in the best way possible. So while the the pieces and the parts aren't unique, the use cases are very unique in every industry. And along with that comes the skill sets needed to understand those use cases, which is another challenge.

‍

Roark Pollock: Yeah, it's really about understanding the operational environment, the practices and the context. Yes, exactly. Yeah. Okay, perfect. Well, Susan, you talked about a little bit about the systems and the threat landscape, how do you think about the possible consequences, or high-consequence events that normally you wouldn't be concerned about in light rail? And that you would probably come in thinking about as you look at a new light rail system?

‍

Susan Howard: Yeah, that's a great question. And there's a meeting going on right now that I attend, once a month, from the Department of Energy, Idaho National Labs, this whole, I guess, concept of high consequence was introduced by the Department of Energy, consequence-driven cyber-informed engineering, our CCE methodology. And I think it's groundbreaking, even though it should be common sense - it's not. And so when we think high consequences, I'll give you an example. Maybe I'm a cyber engineer at a light rail agency, and I have a limited capital budget. And I just had an assessment done. And, you know, fair systems are notorious for having really old Windows devices or Windows OS inside the ticket vending machine. And so maybe I have 1,000 vulnerabilities there, because Windows seven is into life. But then on the flip side, I have a tunnel ventilation system, that also has a SCADA system that's End of Life also has vulnerabilities. So I have X amount of capital, and the whole idea behind high consequences, I have to prioritize, there's no way that I can ever have enough money to fix everything so I prioritize the highest consequence event or highest consequence, system, the system that would have the highest consequence if attacked, and that would definitely be you know, like the tunnel ventilation system versus the windows seven machines.

‍

Roark Pollock: Yeah, I would agree there. And I often hear different organizations will refer to those kind of critical systems that you're referring to as kind of the quote-unquote, Crown Jewels in their systems. And I think that's a pretty common term in most of the rail organizations I've spoken with and, and something familiar to you as well.

‍

Susan Howard: Yes, and light rail and electric utility wastewater. I think also, the origin of that term might have been from DOE’s -  CCE, which has been around for a while, maybe five years, but it's gaining in popularity.

‍

Roark Pollock: Gotcha. What are those? You mentioned tunneling systems what would you list this kind of those crown jewel systems from an operational rail technology perspective in light rail?

‍

Susan Howard: So for light rail systems, I think there are three Crown Jewels, one being tunnel systems, the fire and ventilation systems for tunnel, one gain traction power control systems, and one being the other third being signal systems.

‍

Roark Pollock: Got it? Got it. That makes sense. Well, as you, as you think about those light rail systems that three that you mentioned, I think it was signaling system, was it signaling systems tunneling systems and traction power? Well, those are all pretty unique to rail. In general, the you think that makes it more challenging for cybersecurity teams from a from a implementation of security solutions in these real operational environments?

‍

Susan Howard: Yeah, so I think that the challenging part is not that, you know, these things are rocket science, you know, are really difficult systems to comprehend. It's like you said, the, the operational, the operational challenges that occur, you know, for instance, you take a person that just came from an IT cybersecurity group and put them into a light rail Control Systems Group and the way he does, he or she does patching and other things that affects the system in the light rail environment is, has to be much different than, than is done in the IT environment. And it really surprises a lot of people that came from the IT world that, you know, you don't immediately patch a vulnerability just because it's been posted. You've got to understand the operational consequences of patching and other things. And so there's also a very large and increasing shortage of skill sets that understand, for instance, signal systems or attraction power systems. And I think this is being made worse by what has been termed by others, the silver tsunami, where we've got mass retirement, and not a lot of people picking up these skill sets to replace them.

‍

Roark Pollock: Okay, well, that's a new term run for me, the silver tsunami.

‍

Susan Howard: Oh, okay. I think Gartner coined that term. 

‍

Roark Pollock: Well, I do know that it's always a dialogue, that when we're talking, which is really trying to bring together the cybersecurity skill sets and the people that understand the operations and create a dialogue between those teams. And I think that's just mandatory for good cybersecurity solutions in these environments. Because nobody knows everything about all the different systems. Right, exactly. Exactly. All right, awesome. So, Susan, you've mentioned these three kinds of crown jewel systems that exist in light rail, we've talked a little bit about the threat landscape, what do the high-consequence events look like? Or maybe give us an example or two of some high-consequence events within those crown jewel systems that maybe you'd be concerned about?

‍

Susan Howard: Sure. And, of course, the most notorious of all these not for light rail, but in general in our industry has always been Stuxnet right? So people always refer to Stuxnet, I think it's kind of like a textbook, you know, version of how to attack a control system. And so let's take tunnel ventilation, like we were talking about tumble fire and ventilation systems. I mean, all of these high consequence events involve supervisory control and data acquisition or SCADA systems. Because these are cyber physical components, and an attack on them can cause dire consequences. So if I wanted to attack a tunnel control system, I think the first thing I would do is disable the alarm system, right? So there are failsafe alarms that alarm when ventilation is taken down or not working properly, or fire systems are taken down. So if you disable the alarm system, then shut down the tunnel ventilation, or cause a fire without fire safety systems being enabled. That's a very high consequence event that could result in loss of life.

‍

Roark Pollock: Yeah, I think it's common I've seen before where people can go after the safety systems and not necessarily the systems themselves. That replace, right. Well, Susan, with these crown jewel systems, we talked about the three that you brought up, what are the biggest challenges in securing these environments and where do you think the industry stands today in overcoming those challenges? I know you mentioned budget being one concern but where do we stand as an industry?

‍

Susan Howard: That's a great question. Thanks. One of the things I've been mentioning all along, and I'm also on another committee to, to get skill sets more evenly distributed across the industry. And in order to do that we need to educate cyber-informed engineers in undergrad studies. Right. So, you know, if I think back to when I was an undergrad engineer, they had nothing involving cybersecurity in any of my courses. 

‍

Roark Pollock: Wasn't even a word we knew was it? 

‍

Susan Howard: No, it wasn't. And you know, but now in the digital age or industry 4.0 another Gartner term. You know, Gartner makes up these great terms, industry 4.0 it's digital, right, where everything's digital and automated. And so of course, you have to know how to secure those systems. The same way you need to know how to program those systems. So lack of skill sets is a big giant challenge right now, because we have engineers in the field right now that are not cyber informed. In order to fix that we need to start educating our engineering students early on in undergrad studies. And we've had some success with that. There's a several universities that have added cybersecurity into their electrical and mechanical engineering curriculums, which is great. So skill sets, I think it's the number one challenge, because we don't have enough people that understand the threat. And, you know, there's also a large in light rail systems a large, heterogeneous environment, I mentioned Siemens, but I mean, there's hundreds of vendors out there, with PLCs out there in the field. And it's very hard to have a staff that knows all of the like you said, not everyone knows, every system, as a matter of fact, and the Navy did something to fix that by mandating that you had only X amount of vendors involve in any single building, for instance, because they the heterogeneous environment really does affect the number of people that understand the technology in the field. Right.

‍

Roark Pollock: And to be clear, Susan, I meant well, I know that was in engineering cybersecurity was a nonissue. I was an Mechi. But that's been more years ago than I care to admit. But to be clear, you're talking about cyber-informed engineering, meaning we need to train the people that manage the operational systems themselves, not just the people that are responsible for cybersecurity within the IT orchestrating? 

‍

Susan Howard: Absolutely, absolutely. Like the Mechis, right? You need to have a cybersecurity curriculum in mechanical engineering, you know, classes in your undergraduate studies. 

‍

Roark Pollock: Yeah, control systems was a big area of study back then. And still is so.

‍

Susan Howard: And there's a control system PE also right? And there's one question out of however many on that PE test one cybersecurity question.

‍

Roark Pollock: Yeah. Well, that's more than there were back when I was there. Right. All right. Well, Susan, let's let's look forward a little bit and project into the future for light rail, you know, what do you expect to see change or maybe improved from a cybersecurity perspective, especially within the operational rail tech environments? Or, or simply maybe, you know, how do you expect to see light rail systems up their game from a cybersecurity perspective?

‍

Susan Howard: So, from the policy perspective, I definitely expect to see more regulatory controls, all TSA directive or DHS. Right now, it only applies to a certain select few of passenger rail agencies. But I we all I think expect that these controls are going to these directives and regulatory controls will expand to include all passenger and freight rail in the near future. Also, you know, the buzzword of the day is artificial intelligence. And people are concerned for a reason. Artificial intelligence can be a great asset. If we embed it more, like we already do with heuristics and other things in our cybersecurity software, that's already been done. But on the flip side, you know, the bad guys can use AI as well. So I think the complexity of the attacks will increase and the the software will also become more complex to protect systems.

‍

Roark Pollock: Well you beat me to the punch a little bit, I was going to ask as a follow-up question, thinking about the future and the threat landscape and the sophistication in the threat landscape. What do you expect to see change there? as well?

‍

Susan Howard: So, you know, I think the last time we talked was at APTA in Dallas, right? And since then, we've seen what a lot of us have expected and seen a little bit of in the past. And that's socio-political cyber attacks, like the attack on the control systems that are Israeli manufactured in the water treatment plant sector, that were recently publicized. And then there was some mention of attacks on Iranian bus or gas stations or something like that. So. So what I think we're going to see is increased. Warfare is moving into cyberspace. And we've all said this for a long time. But now the reality is here, and are all our complex and our wars are going to expand into cyberspace. For sure. We also started in Ukraine with the Russian attack on their electric utility system, and the Polish radio attack that affected supply chain into Ukraine. So I think we're going to see in the threat landscape, you know, the attacks are going to be sociopolitical instead of just monetary for ransomware, like we're seeing now.

‍

Roark Pollock: Yeah. And what's worrying is the, what's happening in cyber as a prelude to full armed conflict. It's an area where there's a lot of conflict short of going into full armed conflict or warfare.

‍

Susan Howard: Yeah. So I mean, the declaration of war is becoming very ambiguous.

‍

Roark Pollock: I would agree with that completely, as well. So well, Susan, I think that kind of wraps things up for us. But I'd love for you to leave us with a last thought you're a consultant, you've probably seen the good, bad and the ugly of cybersecurity and risk management and these operational rail technology systems. What bit of advice would you like to leave for any rail operator seaso, or people working on these rail operator security teams? What would you like to leave them with?

‍

Susan Howard: That's a great question. And what I typically tell CISOs, and you know, IT and OT staff that are in charge of control systems is whether your agency is on that TSA directive or not. Those actions that are required are really just basic cyber hygiene, and I would highly recommend that you implement those actions as soon as possible. Secondly, I a lot of people, a lot of small agencies aren't aware that Department of Homeland Security, CISA, they've been doing cyber assessments for free for a very long time. And I've enabled these assessments myself, because a lot of people don't know about them. So why, you know, all you need to do is call your or look up online, your regional Sissa office and get on their waitlist for a cybersecurity assessment. If you're one of the 16 critical infrastructures, which rail transit is, you're entitled to a free cyber assessment, a lot of people are reluctant, because they don't want to air their dirty laundry. But I would rather air my dirty laundry to CISA than to Russia, you know, or a nation-state, cyber-attack group.

‍

Roark Pollock: Right, right. Well, that's great advice, Susan, we really appreciate it. And lastly, Susan, if somebody wanted to contact you, maybe they want to have a chat about something we've talked about today. What's the easiest way for them to do so?

‍

Susan Howard: I think email is always best. I also have a LinkedIn account. I don't know if you want me to give my email here or you have that in the

‍

Roark Pollock: That's completely up to you, Susan. Okay. Well,

‍

Susan Howard: it's Susan.Howard@MBakerintl.com. It's kind of a mouthful.

‍

Roark Pollock: Okay, well, they can we'll have it recorded. And they can back it up if they have to listen to it two or three times and get it right. Sure.

‍

Susan Howard: Or you can just Google, you know, what was that event that we were at work in with the MISI, Hack the Rail event. 

‍

Roark Pollock: You were on the speaker agenda for that as well. So I'm sure they can find you on LinkedIn if they'd like to chat as well. That's pretty easy. All right. Well, Susan, I'd like to thank you very much for joining us today it's been a great conversation, specifically looking at light rail, which we haven't done before. So thank you for joining us as a guest on our Secure Tracks podcast.

‍

Susan Howard: Thank you. Thank you for offering me the opportunity. It is much appreciated. And thanks for all you do to secure our industry.

‍

Roark Pollock. Absolutely no thank you as well. We're all on. We're all on the same team, and for our Secure Tracks audience, thank you for listening today. That's the end of today's show. Until next time, keep those tracks secure

‍