In brief

In brief

  • Securing the safety of rail and transit infrastructures has never been more challenging.
  • Cyber sabotage threatens to paralyze transit networks increasingly reliant on technologies that enable data sharing across ecosystems.
  • The industry urgently requires better defense mechanisms.
  • An approach, based on robust core capabilities can help boost the security and resilience of the transit value chain, end-to-end.

An expanding “attack surface”

Cyber risk used to be a relatively simple matter of securing sensitive operator and customer data and was largely the responsibility of information technology (IT). But as technologies converge, more such risks are now associated with operations technology (OT) and Internet of Things (IoT)/Industrial Internet of Things (IIoT) infrastructure and services, whose security poses different challenges.

Meanwhile, the industry’s highly dispersed traditional operations are combining with an emerging mobility ecosystem. The development of Mobility as a Service (MaaS), which allows high volumes of user data to be exchanged via multi-operator technology platforms, is already challenging data protocols. As more third-party relationships evolve, the potential “attack surface” expands significantly. In fact, no area of the transit value chain is immune from cyber sabotage.

A multi-stranded strategy

Operators need a strong yet agile security program, which incorporates the entire organization plus all partners and stakeholders. It should be based on a robust set of core capabilities that apply security-by-design principles and ensure end-to-end security testing.

It should also mature over time, taking a lifecycle approach that addresses all areas of the value chain with continuous improvements as new technologies materialize, and leveraging those innovations to meet emerging operational and customer experience demands.

A resilient response to mounting cybersecurity challenges in rail and transit should also mature over time—hence the need for a mindset of continuous improvement.

Step 1

Define the desired security outcomes, including assessment and planning outcomes.

Step 2

Establish baseline capabilities.

Step 3

Establish advanced capabilities.

View All

Moving forward with confidence

Data privacy issues are likely to intensify as more and more customer data is shared across an expanding ecosystem. COVID-19-related contact-tracing has already compounded the challenge of ensuring cybersecurity without compromising privacy—and new risks are constantly arising.

A multi-stranded approach can help build the resilience transit organizations need to move forward with confidence. It takes full account of the converging technologies and expanding ecosystems that are driving the expansion of cybersecurity risks. It provides a framework of core capabilities robust enough to tackle them. And by affirming the critical importance of continuous improvement it helps ensure that organizations’ resilience matures over time.

About the Authors

Pierre-Olivier Desmurs

Managing Director – Rail and Transit Global Lead

Michael English

Managing Director – Rail and Transit, North America Lead

Tylor Truong

Lead – Cloud Security, Canada​​

Kevin O’Brien

Senior Principal – Accenture Security, Canada

MORE ON THIS TOPIC

Responsible transit of the future

Rail and Transit

Responsible transit of the future

From operation to orchestration

Rail and Transit

From operation to orchestration

Subscription Center
Visit our Subscription and Preference Center Visit our Subscription and Preference Center
Subscribe