Cybercrime is not a remote threat for toll operations
First publishedin ITS International
The rise of cybercrime is starting to impact tolling concessions, as Colin Sowman discovers.
Yahoo’s revelation that it has taken two years to discover that it had suffered a security breach resulting in hackers stealing the details of 500 million users is shocking - although the hackers only gained access to users’ names, contact details and encrypted passwords. What would they have accessed if they had hacked a tolling company’s system? Not only names and addresses but bank or card details, registration plate information, travel patterns… - in fact, every piece of information about a user that is held on file.
And how long it would take to discover the breach? Delegates at the IBTTA’s annual meeting in Denver were told that the average length of time to discover a hack is eight months.
If a hack does take place there will be consequential losses for both the tolling company and local authority, and the question then arises about which party is liable for any losses suffered by the drivers whose details were compromised?
With cybercrime both in the news and being the fastest growing criminal activity, the message from the speakers to IBTTA members was clear – tolling companies and road authorities alike must look very closely at their cyber security arrangements.
The starting point for both the authorities and the tolling industry is to consider what would happen if their systems were hacked and how to make their systems more secure to prevent data breaches occurring. This was the theme of a presentation by Jon Wade, security and compliance manager for Emovis UK, to the audience in Denver.
When ITS International caught up with Wade after his presentation, he said it was a case of companies and authorities assessing what information hackers could steal, the likelihood of a hack and the reputation and financial damage that would create. This has to be considered against the time, effort and cost of implementing security measures to prevent a hack occurring and to minimise what data any hacker could access.
The session was something of a wake-up call for the tolling industry which, hitherto, had considered itself reasonably well positioned in cybersecurity terms through compliance with the Payment Card Industry Data Security Standard (PCI-DSS) requirements laid down by the banks. This includes stringent penalties imposed on merchants by the acquiring bank (the bank issuing the card) for each person whose data is lost. For instance, the penalty from Visa Europe is €18 for each user whose details have been compromised (plus a €3000 admin. fee). Where the penalties would top €100,000, which could easily happen with the likes of tolling companies where the number of registered users can exceed a million, the charge is capped at 5% of the business’ gross annual Visa purchase.
This level of business threat has prompted more proactive tolling companies to ‘tokenise’ drivers’ card details (where encrypted details are held on a very secure third-party database and accessed by using the appropriate token) as well as encrypting data flowing between systems. Currently these initiatives tend to reflect the tolling company’s attitude to risk rather than any contractual obligation by the contracting authority and the clear message at the conference was: ‘if you aren’t tokenising, then you should be’.
Data security is a key issue for tolling systems on the new Mersey Gateway bridge which will open in 2017.
Beyond the requirements of PCI-DSS, which are limited to cardholder data, tolling companies must comply with national standards and there are often contractual obligations to meet local standards – although adherence to the latter has been found to be patchy on occasions.
For their part, local and national authorities are often more advanced than tolling companies in the area of cybersecurity – if for no other reason than any breach has a habit of making headline news in the local or national media. Unfortunately this is the case even if the hackers breach a supplier’s, contractor’s or even concessionaire’s system, which is why authorities are starting to consider these external enterprises as a ‘virtual extension’ to the authority itself. As such, Wade believes authorities will increasingly include stringent cybersecurity requirement in contracts and tenders and that tolling agencies must start preparing to meet these requirements.
The UK’s Highways Agency has taken something of a lead in this area, starting with the Certification of Approved Devices, or COAD, which stipulates that sensitive data (including number plate details) collected by roadside equipment must be encrypted within a matter of seconds before storage or transmission. In the case of concessions or other similar contracts, it now imposes (where applicable) requirements on suppliers to meet the ISO27001 cybersecurity standards. The new Mersey crossing is a case in point, although even this stops short of mandating certification.
ISO27001 is widely accepted as the ‘gold standard’ of Information Security Management Systems (ISMS) and lays out 114 security controls which can be implemented to mitigate security risks across the whole organisation.
Outside the UK (and Ireland) which have relatively few tolled roads, it is unusual for authorities to specify such strict cyber security standards and currently any requirement for full certification would preclude or prevent many tolling companies from bidding for the contract. That said, data security breaches remain a major concern for public sector organisations because they lead to a loss of reputation and confidence which takes many years to regain.
Currently North America lags well behind Europe and the Pacific nations in implementing ISO27001 and, globally, there were only 300 certificated companies in the transport, storage and communication sector at the end of 2015. Wade predicts that situation will change, and probably quite rapidly.
The requirement for data gathering or holding suppliers to be certified to ISO27001 would be a clearly defined and logical measure by public authorities to counter the rising tide of cybercrime, and tolling companies ignore this possibility at their peril. Indeed, being certified as ISO27001-compliant could be a major competitive advantage for companies that have invested the time and effort in meeting the standard.
The number and extent of hacking is rising each year. Source: Informationisbeautiful.net
As well as reducing the likelihood of a hack (and any contractual advantage) ISO27001 requires the implementation of a Security Incident and Event Management system (SIEM) solution which can help data owners identify when and how a successful hacker breached the security, and thereby reduce future vulnerability. There is the added advantage that companies adopting ISO27001 procedures would be less exposed to other cyber threats such as ransomware and denial of service, which will be highlighted as risks under the criteria checklist.
What could take longer to resolve, and add to the financial burden, is dealing with the individuals whose details have been lost and may consequently have suffered identity theft or financial loss. The liability for that loss would depend on which party’s system the hackers breached and contractual arrangements but the UK authorities now clearly place that responsibility on the concessionaire.
Across Europe, the EU’s re-definition of a concession requires the concessionaire shoulder some or all of the financial risk which is almost certain to include penalties for data breaches and liability for any inconsequential losses incurred by affected individuals. This is not only the case for new concessions but such conditions may be imposed if a concession is renewed or extended.
So with the risk and consequences of a hack increasing exponentially, Wade argues it is in the best interest of both the authority and concessionaire to adopt the ISO 27001 methodology but points out that the effort required to achieve certification should not be underestimated. He rates achieving ISO27001 certification as three or four times harder than meeting ISO9001 due to the more prescriptive nature of the ISO27001 controls and the specialist skills required to implement and operate an effective ISMS. The rationale is that while hacking has grabbed the headlines, many frauds and data breaches are ‘inside jobs’ and while a company can create an impenetrable firewall, an errant employee with a pen can easily copy the card details.
All steps and controls necessary for compliance are defined by the particular functions the company undertakes, which is established using a checklist. Being so prescriptive also makes compliance auditing much more straightforward than with ISO9001.
The good news is that Wade estimates that tolling companies which already comply with PCI-DSS Level 1 will probably have done 75% of the work towards achieving ISO27001 although for a single project that additional expense may be prohibitive. Larger tolling organisations may find the cost easier to justify at the organisational level where it can be spread across several concessions. And, as it is increasingly likely that, in Europe at least, tenders for future road tolling projects may require ISO27001 certification, compliance could be part of doing business in the tolling sector.