The U.S. Transportation Security Administration is reminding the student transportation industry to be vigilant of cyber threats tied to the increased use of connected technology on school buses.
Threats to personal data have become the new norm for consumers. But the TSA said student transporters, as well as other types of fleet operators, must take a renewed look at their IT security practices as applied to their vehicles, both to protect passenger data, the company’s, school district’s or other organizations, and of the vehicle itself.
In November, a TSA specialist told attendees at the National Association of State Directors of Pupil Transportation Services (NASDPTS) Annual Conference in Columbus, Ohio, that school buses are as vulnerable to hacking and remote takeovers as computers are, because of fleet management systems.
“The conversation needs to occur on how to protect autonomous vehicles from a cybersecurity standpoint,” said Jimmy Beasley during a session on Nov. 6.
He pointed to several best-practices that can be implemented immediately, such as performing password updates, access controls, securing internet connections, and training employees to not fall for “spear phishing” attacks delivered via email.
A TSA spokeswoman later told STN that the agency is focused on spreading its cybersecurity message through education, facilitation and communication. Press Secretary Lisa Farbstein cited President Obama’s February 2013 executive order aimed at improving critical infrastructure cybersecurity. Also, adoption of the National Institute of Standards and Technology Cybersecurity Framework and the Department of Homeland Security’s own national cybersecurity programs for industry stakeholders.
“The effort is aimed at developing and deploying transportation-focused cybersecurity strategies, initiatives, programs, assessment tools, as well as threat and intelligence information sharing products that industry can use to reduce its cybersecurity risk and increase its cyber resilience,” she added.
Farbstein said TSA continues to be in close communication with state and local governments, plus academic researchers and vehicle manufacturers, telematics providers, cybersecurity firms and others through the Automotive Information Sharing Analysis Center and Enterprise Cyber Security Working Group.
She also pointed to no-cost TSA resources like a surface transportation cybersecurity toolkit for small and midsize businesses, a weekly newsletter and cybersecurity workshops.
Computer and software security firm McAfee claims that an organization’s own employees are responsible for 43 percent of data loss, with half of those instances occurring as intentional acts. McAfee also says that personal information from customers and employees are the number one target, and that the value of personal data now surpasses credit card information. Meanwhile, IBM found that the average total cost of an individual data breach was approximately $4.3 million.