Cyber Security Through the Lens of WMATA

The Washington Metropolitan Area Transit Authority runs Metro, the transit system that serves Washington DC, and the immediate areas in Virginia and Maryland. Its light rail service – Metro – may serve as a stand-in for whatever rail system or other public infrastructure project plagues your city.

WMATA works. Sometimes. The rest of the time it sucks. It is rarely on time, its communication system is unintelligible to anyone but an adult in a Peanuts cartoon, and when trains aren’t crashing and killing people, the rails are catching fire. Sound like the security apparatus in your enterprise? I’m not surprised. Want to avoid becoming cyber security’s Metro?

Operations and Maintenance Cannot be an Afterthought. Everyone loves to build stuff because that’s exciting; no one like to oil the gears and sweep the floors, that’s boring. But if you build something that people come to depend on, you need to ensure that it remains dependable. In the security world that means basic, boring stuff like patching and other unglamorous tasks. If you fail at the fundamentals, all the work that went into building your security architecture is for naught.

Walk in the Other Guy’s Shoes. A transit system is a thing, not an abstraction. If you do not ride the rails the problems that are brought to your attention are at best things to go to the bottom of your to-do list, at worst something to be ignored while you do ‘real’ work. People complain about security a lot and because security is not filled with empaths the results are predictable.  If you have not taken the time to use a system the way ordinary users do (you know, the people who generate revenue), you’re not in a position to understand what security mechanisms and methodologies are optimal for your enterprise, and what security-operational trade-offs are worth the risk.

Keep Walking (in the Other Guy’s Shoes). There is nothing like a transit station manager from (insert your own local neighborhood here) trying to explain how fare cards work to a family who only speaks Mandarin. The answer isn’t to grab the next Asian person you see coming and asking you to translate (true story). The answer is you take your ‘root’ card and demonstrate how to use it to get through the turnstiles. It takes more time and it’s a bit of an inconvenience, but in this case learning by doing is going to work better than shouting in a language they don’t understand. Do you know what repeating a CVE entry to the average user or executive sounds like? Mandarin. Taking the time to show people the how and why of security is going to advance your cause further than doing your best Chris Tucker impression.

Recognize IOCs: Indicators of Catastrophe. The situation is so bad at Metro that entire lines of the system may need to be shut down for months at a time. The transit system in the capitol city of the most powerful nation in the world is in danger of collapse because it has spent years ignoring the little things. Small changes and expenses now might not prevent some type of security failure in your enterprise, but it will assuredly be smaller and less painful than the negative impact of what will happen if leadership continue to kick the can down the road. They might not want to do security, but it is imperative that you communicate that without it the result is inevitable.