The Security Of The Nyc Transit System

Published Date: 02 Nov 2017

[Draw your reader in with an engaging abstract. It is typically a short summary of the document. When you’re ready to add your content, just click here and start typing.]

Antonio Andres, Antonio Lozano, Carlos Gil, Chelsea Yen

Contents

Executive Summary

Basic Design

Mass transit in New York City is mostly operated by the Metropolitan Transportation Authority, or MTA. As such, the MTA provides several mass transit services with several subsidiary companies. The MTA New York City Transit operates the subway system throughout the five boroughs of New York City, one of the largest subway systems in the world. The MTA Regional Bus Operations is responsible for bus service, composed of two branches; the MTA New York City Bus operates public buses and the MTA Bus Company provides buses for private use. The MTA Long Island Rail Road operates commuter services between Long Island, Queens, Nassau and Suffolk Counties. The MTA Metro-North Rail Road provides commuter service from The Bronx, Westchester County, Putnam County, Duchess County, southern Connecticut, and New Jersey, through a partnership with the New Jersey Transit. For the purposes of this evaluation, we will mostly concentrate on the operations of the MTA New York City Transit and the MTA Regional Bus Operations.

The Subway System

The New York City subway system operates under the MTA New York City Transit under ownership of the City of New York. The subway system itself is divided into two divisions; A Division and B Division. A Division, formerly the Interborough Rapid Transit Company, runs 8 separate routes. B division, now composed of the former Brooklyn-Manhattan Transit Corporation and the Independent Subway System, runs 16 different routes. The routes themselves are color coordinated to and identified by a letter or number to mark each route. The subway lines also run 24 hours, although not every route operates 24 hours and others begin reduced operations during the night. This means that the system must be operated and maintained during the night as well as the day. The subway station is interconnected by a network of stations where transients can board and disembark the subway trains. Some stations have mezzanines that lead passengers to the platforms and most stations adhere to the Americans with Disabilities Act. Under the "Music Under New York" program, street musicians have been performing at these stations since 1987. Some stations and platforms also maintain newspaper stands as well. The subway system possesses over 6,292 subway cars, with trains consisting of 8 to 11 cars. Both fleets are separated by division. In 1993, the MetroCard was introduced and today is the only way to pay for passage on the subway. In 1998, unlimited ride MetroCards were introduced.

The Bus System

The MTA Regional Bus Operations is divided into two public brands. The MTA New York City Bus is responsible for most routes within New York City. The MTA Bus Company operates primarily in Queens with some routes in Brooklyn. Bus routes are labeled with a number and an alphabetic prefix which identifies the borough through which the route primarily travels through. For the prefixes, B is for Brooklyn, Bx stands for Bronx, M for Manhattan, Q is for Queens and S is for Staten Island. For express routes, the X prefix is used. The MTA Bus Company combines prefixes to designate inter-borough routes. The color of the bus signage indicates the kind of service of the route. Blue indicates MTA local bus service, Bee-Line Bus System local bus stops, and Nassau Inter-County Express local bus stops within NYC limits. Purple designates limited-stop bus service. Green means express bus service. Black indicates the route operates late nights only. Turquoise indicates select bus service. Yellow mean school service and white stands for private tour bus. In the fleet, there are over 5,900 buses and over 2,000 vans and cabs for ADA service. There are also over 1,600 diesel-electric buses and over 900 compressed natural gas powered buses. The routes are dispatched from 28 garages and one annex in NYC. Buses, like the subway, only allows for the use of the MetroCard on routes where MetroCard is accepted. Fare payment depends on the service.

Basic Security

To ensure safe and secure operations, the MTA has implemented several features to the subway system over the years. The first system to be discussed is the computer-based interlocking system. Similar to how trains handle their interlocking system, the subway uses a computer-based system rather than a mechanical one. This is accomplished through the Communications-Based Train Control, or CBTC, system. The CBTC allows for the automation of the interlocking and signaling to ensure the safe and efficient operation of the subway. One of the main advantages of the CBTC is the automation of the railway signaling system and calculating positions, speeds, travel directions and braking distances of all the trains in service at any given time and relay that information to every other train. With this system, more accurate travel times are calculated, routes are efficiently mapped, and trains needing service can be moved quicker into maintenance and reduce downtime. With the CBTC, full automation of the trains is possible, though the CBTC is not the only technology involved for this purpose. The CBTC is only one part of a larger initiative to fully automate New York’s subway. The $200 million project was implemented to provide real-time centralized train traffic control, real-time tracking control, integrated voice communications, automatically develop train routing schemes, improved coordination of emergency response, centralized management for improved on-time performance, report generation, real-time service information and improved safety and overall system efficiency (Federal Highway Administration, 2006).

For security, the MTA employs the Eagle Team, which is responsible for protecting subway yards and other areas, and identifying and eliminating vulnerabilities in the New York City transit system’s facilities (Metropolitan Transit Authority, 2011). Eagle Team’s involvement ranges from personal security at stations and terminals to maintaining the personal appearance of the subway trains and buses. Surveillance cameras have also been implemented into the subway trains and buses to ensure further security where actual personnel are not available. To ensure the security of MTA’s technological assets, MTA has contracted Thales and Siemens to test and ensure the CBTC system is as safe and secure as possible (Siemens, 2012).

Vulnerabilities and Threats

There are however possibilities for damage through vulnerabilities in some parts of the system. Ranging from physical to software attacks, as well as natural occurrences, the effects are able to bring down the various systems for extended periods of time. Just like any other part of a revenue producing system, the longer that you are unable to produce, the more hazardous the problem becomes.

To begin examining how the railway system may be affected it is necessary to start with the basics, the physical parts that make up the system. Pieces like the train itself, the rails the train rides on, the bridges or tunnels they use, and the track circuit, are all able to be exploited in some way to incur a hindrance in the performance of the system.

The Train

The carts and the locomotive are both vulnerable to attacks like hijacking or tampering. Most carts are stored together in a place that is fenced in and at times roamed by security and monitored by cameras. However, gaining access is possible due to most of these areas being simply fenced in. This allows for someone to sneak through or get over a fence and gain access into a secure area. Once inside an attacker can tamper with the car physically or plant dangerous materials that might endanger passengers. Just as well the train can fall prey to a hijacking, although this is usually much more difficult. It requires getting through even more layers of security (Federal Transit Administration, 1997).

The Rails

An attacker may choose to cause damage by attacking the railway itself, or the bridges and tunnels they run on. A railway attack would be the simplest of the three due to the openness of the attack. Railways openly extend several miles and are made up of smaller sections that are held together commonly by spikes. It doesn't take much power to lift up one of these spikes with the proper tools. If you manage to unhinge enough of the rails then you could cause damage by derailing the train.

More difficult, but more damaging, would be an attack on a bridge or tunnel that the train rides on. Typically bridges or tunnels are heavily monitored in some form whether by video or first person surveillance. It also requires for extra materials that might be difficult and expensive to get, materials that can cause damage to thick blocks of cement, like bombs. In this case you could do more than just derail the train, you could destroy parts of the track and supporting areas (Federal Transit Administration, 1997).

Networks and Software Communication

Since these systems have become predominantly automated by engineers, they are vulnerable to attacks on the logical side as well. All of the devices like the switches and signals as well the throttle on the locomotive must be able to talk to the system and listen to instructions as well. If one of these two way communicators are unable to reach another, a problem starts forming.

The way that these devices communicate is a mixture between wired and wireless signals. As an attacker it is possible to interfere with these signals or listen to them. This describes the two different types of attacks that can be done to the networks, passive and active attacks. It is much easier to gain access to a wireless connection than it is a physical connection in this case, simply because these devices are usually in an open space. A physical connection would require infiltrating some protected area (Hartong, 2009).

The Attack

A passive attack would be where an attacker breaks into the network but does not alter or disrupt any communications on the network. This is a stealth attack that does not set off any alarms because it only listens to the communications between devices. The attacker could however, use this to steal information about the exact way the devices to communicate in order to devise an active attack.

An active attack would be when the attacker actually tampers with or jams the network traffic. This can be done with a Denial of Service on a single node or a Distributed Denial of Service on the system, something that would disrupt the communication between devices. In order to do this, all you would need would be a device that can block a certain frequency, which the attacker would know from the passive snooping attack, to perform a DoS on one device. A DDoS would require possibly more effort from the attackers because the attack would have to be a DoS at several locations of communication in order to knock down the systems mostly or totally. Another form of an active attack would be a man in the middle attack where the attacker is in between communication between two points and is making both ends think that they are talking to each other but in reality they are talking to the attacker. The attacker at this point could control the information that flows from one device to another, possibly altering the critical commands that keeps things running smoothly (Hatrong, Goel, & Wijesekera, n.d.).

When you think about this scenario, it becomes slightly different if you throw in a disgruntled employee that would like to harm the company. An inside person would typically know more about the infrastructure than an outside attacker would. They would also have access to places that would be difficult to get to or inaccessible to non-personnel. This really makes things worse, mainly because any employee could be a disgruntled employee at some point so ensuring that the infrastructure is impenetrable from the inside is key.

MetroCard Machines

The MetroCard are also vulnerable to exploits in some way. These can be both physical attacks on the machines or logical exploitations. The physical attacks can be robberies of the devices which can hold money inside, or defacing/damaging the devices and making them unusable/expensive to repair, but usually replaced. The logical attacks largely involve duplicating cards, this can be done simply with a computer and a magnetic card reading/writing device (KMOV.com, 2012).

Countermeasures

There are ways to defend against these types of attacks. In order to harden your system from attacks you must take a look at all your risks, determine how likely they are to happen and how much damage they can do. Then you can take action and find prioritize solutions for each problem. These solutions, or policies, will make up the foundation for a defense.

The Physical Defense

Creating a strong physical defense is the first half of a strong security policy. In order to combat the problems facing mass transit systems many have mainly turned to video surveillance and physical placement of guards in strategic locations. Constant video monitoring in large open spaces of railway, tunnels and bridges is necessary. A type of silent alarm or intrusion detection in the train yards combined with man power is helpful as well. Besides having a well thought out disaster and recovery plan, you cannot really have more of a countermeasure against natural occurrences (Federal Transit Administration, 1997).

The Logical Defense

Since it is much easier to gain access to a wireless network than it is a wired network, the first place to start would be making sure it is known and agreed upon who or what should have access to the network. Using an access list feature, found on many modern switches, routers, firewalls, and other layer 2 devices, you can safely hard code in the MAC addresses. This makes it so that even if someone can break the password on a wireless access point, once they connect they do not get any further communication to things that would allow them to use the network like a DHCP controller or a DNS server because they are not on the list. Only an inside attacker has a chance of learning what the MAC address is on a certain device (Hatrong, Goel, & Wijesekera, n.d.).

It has been shown that using a form of cyclic redundancy check on the packets sent between devices can help determine if the original package was altered. This is not enough to combat a man in the middle attack because it would still allow the information from the packet to be used. In order to defend against it you must have an encryption method and a general use of user name and password authentication. This gives you the ability to know who's doing what and at what time so you can reference any issues with that user, service, or device. In order to make sure a man in the middle attack is ineffective you could use cryptographic hash functions where hash values are unique. It makes it so if the data from the sender is tampered with, the receiving end will notice the difference in the hash value and determine it is bad data (Hatrong, Goel, & Wijesekera, n.d.). The bad data is discarded and not used, totally nullifying whatever change the attacker wanted to make. Countering duplicate or counterfeit cards requires some of the same encryption and verification procedures (Rouse, 2012).

Industry Standards

The MTA implements a thorough pair of programs to adhere to industry standards, becoming an industry leader. The American Public Transportation Association is one of the world’s largest nonprofit international organizations. Active organizations include standards for transit systems, commuter rail operations, rail planning, transit design and construction, development of financial firms to support these organizations, academic institutions, and state departments of transportation such as the MTA of New York. APTA extended new programs post-9/11 to further bolster transit system defenses from both physical and cyber-attack threats. Raising safety measures even further while simultaneously having an environmental impact as an industry leader, the MTA rose to the challenge of fitting their standards to an ISO. ISO, or International Organization Standard, is a group that is dedicated to international industry standards that make an industry more efficient and effective. All of these agencies and departments help the upkeep of security and surveillance, maintaining a consistent industry standard appropriate from such a prominent industry leader.

APTA has several phases dedicated to further the development of a Security Plan as well as security counter measures at consistent and periodic time intervals. Phases 1 and 2 outline recent incidents in the field that are considered breaches and assess a budget around the risk assessment that will be assembled during Phase 3. The APTA Transit Control Security requires a periodic Risk Assessment of the organization in question while overcasting several details generally demanded by today’s technology. This assessment ties into, although with less frequency, the periodic inspections of the couplers, trucks, emergency systems, and an employee Fitness for Duty program. Updates to the ASE certification are primed for modification every year with the latest security implementations made in the industry. Controlling the communications system boundaries through detailed assessments of the systems, equipment, locations, and stakeholders is essential. This phase continues to run progress checks on all work groups, either independent or contracted through the transit system in question, taking note of all significant breakthroughs and weaknesses found in the transit system. The final leg of the phase includes thorough testing and pushing of security measures with the newfound flaws and solutions, as well as a final training program for all employees appropriate for any new measures installed.

Throughout the 21st century, the APTA has raised its cyber standards on transit systems due to several reported attacks that raised unparalleled cause for concern. The attacks of 9/11 had a significant impact on the surveillance of NYC transit. The largest portion of security funding is consistently allocated into programs involving detection of radioactive materials, physical patrols for mass hubs in the transit system, and the revisions of policies and technological defenses through the periodic risk assessments. The Division of Homeland Security and Emergency Services through the Office of Cyber Security provides well managed Security Services to the MTA. Through both a secure identification system as well as federally funded risk assessments of all transportation systems (The American Public Transortation Association, 2009). The OCS’s greatest contribution to the system is a mind blowing 24/7 network monitoring group. This organization, the New York State Intelligence Center has actively received and built over 7000 reports regarding defense breaches and security threats, ranging everywhere from a security flaw discovered in Poland transit systems to possible terrorist attacks in major transit hubs (Division of Homeland Security Strategy, 2011). This consistent surveillance is one of New York’s most celebrated security defense mechanisms.

The MTA’s ISO, the 14001, is a landmark standardization implemented by few transit systems due to its demanding consistency and criteria. ISO 14001, is a long term plan that measures environmental goals and their overall effectiveness while maintaining and upgrading both the transit cars, rails, and security systems. Implemented through the MTA’s department of Capital Program Management, the ISO is the first Environmental Management System certification used in the United States. There are 17 criteria that must be met for proper certification of the 14001. They include general policy requirements, an environmental policy, a list of aspects for said policy, and legal requirements for the transit system in question listed and met. The transit system must have basic management programs consisting of the following details; management programs must ensure EMS through human resources, make use of an organized structure, and have both financial and technological resources. Employee competence, training, and awareness are also key factors. Employees must exhibit behavior or developmental progress that both impact the environment and identify all key aspects of the latest security protocols. ISO14001 requires a communications system with procedures for both internal and external dialog and its logging and documentation, additional documentation on EMS progress must be documented until sufficient information exists to verify the claims of a particular project, all documented projects and sessions must be consistently updated and maintained and approved prior to use, all documentation must be reviewed and properly versioned as changes occur, all critical transit functions that undergo either a legal or physical change must be properly identified with instructions on the former and latter systems along with reasons for the change, and there must always be a process for all potential emergencies detailed as standard case scenarios as well as mandatory periodic testing for these standards. All networks and systems must be consistently monitored, both automatically as well as manually unless accepted otherwise, an evaluation is to be conducted periodically by an agency or projected under the transit department to ensure it is up to EMS ISO standards, lists for procedures must exist for preventative measures for situations that occur outside of uncommon incidents as well as recorded for updates to future system policies and security flaws. Consistent checklists must exist and be met throughout transit reports, a system must be managed for maintenance of records so records are retrievable, safely stored, legible, and traceable. Finally top management must consistently monitor that EMS and security measures are being evaluated properly through the internal audits, periodic reviews, and report checklists acting on practical and environmentally sound recommendations (US Forest Service, 2005). Some of the projected successful EMS projects include: Surplus Material Sales, Rejected Materials Management, Artificial Reef Project, Subway Car Shunting Elimination Program, Green Escalators, and the Storm Water Management Program (MTA, n.d.). For all of these reasons, ISO 14001 has become the leading industry standardization for transit systems.

Regulatory Issues

Risk Assessment

Above, you will see a visual representation of our risk assessment for the NYC transit system. Hacking the system can result in a total loss of consumer security. All account credentials on record for each particular transaction are vulnerable is such an attack. Also, MetroCard cards can be duplicated, rendering them either compromised or wiped depending on the company reaction. While a bombing is unlikely, such an attack can prove catastrophic in terms of loss of life and damage to the infrastructure. However, counter terrorist measures make such an attack difficult to succeed. A power failure can result in major loss of revenue and potential injury, though backup generators are on-line to make up for any power failure. If a train or a bus were to breakdown, the relative damage won’t be as severe. However, as the transit system does work 24/7, assault on workers and pedestrians can occasionally happen and can be damaging to the system’s reputation of safety. Also, if a worker were to be hospitalized, it can result in loss of funds for the MTA. Also likely are bus collisions, though this is mostly due to human error. It can also be in result to an attack. Either way, moderate damages and loss of revenue will be the result. Fare evasion is a frequent issue but not that costly to the organization. Same with MetroCard duplication. Vandalism was once a frequent issue but has decreased with the implementation of the Eagle Team, though the problem still exists. Hijacking is still fairly improbable but a traditional hijacking won’t cause much damage. Other issues, like ticket machine failure and ticket theft are negligible as the resulting damage from either is minimal. Same with theft of other passengers.

One of the most important things to note is that the new provisions to the safety measures taken by the MTA are working. Fully automating the system and adhering to the ISO is clearly helping make the transit system safer. However, more funding can push the initiative forward. Investing on new antitheft measures and new ways to track duplicate MetroCard cards can drive those crimes down. New vulnerabilities are being found on a daily basis and systems must be put in place to stay ahead of these.

Conclusion