E-Ticketing - an exciting, irreversible process
A ticketing app for all public transport journeys – across transport associations and countries – sounds convenient. But what about security when the most diverse players open their systems and share data? InnoTrans Report spoke to cyber security expert Mirko Ross.
Mr. Ross, as an expert in cyber security, what is the first thing that comes to your mind when you think of e-ticketing?
Mirko Ross: First of all, I believe that the user wants everything to work more simply and consistently. Even I, as a cyber security expert, would like that. At the same time, I ask myself the question of how data are transferred in such systems, how they are used and how they are secured in the long data supply chains.
As a user, what causes you a headache?
Mirko Ross: The lack of transparency. We are dealing with ticketing, i.e., with personal data. It is necessary to identify the owner of the ticket. We are dealing here with sensitive data, and if I lose them, I cannot find out where they are. After a successful hacking attack, my data may become freely available for sale on the darknet. And then, they can be used by criminal organisations for the purpose of optimising their cyber-attacks. We are also dealing with financial data - tickets have to be paid for. And this means that sensitive payment information and payment systems are involved. As a horror scenario, I may simply lose my credit card details or transactions will be carried out and damage me financially.
Intermodality requires a high degree of interconnection between the different actors. What vulnerabilities are created by data sharing?
Mirko Ross: It is necessary to network, to provide technical access to other participants in the system and to provide interfaces. This increases the vulnerable area. Potential attackers simply have more opportunities to penetrate such systems or to retrieve data from them.
On what security standards will intermodal networks be based?
Mirko Ross: We are dealing with various large players. Deutsche Bahn would be a very large player. But there are also regional transport companies as well as smaller bus companies. They all have different backgrounds. In some cases, the CERT (Computer Emergency Response Team, editor’s note) actively takes care of cyber security. This team can monitor and has almost unlimited resources. In other cases, it is difficult to even identify a staff member who is dedicated to cyber security, let alone a support team. Such different actors agree on minimal technical standards. However, the problem is always how to comply with these standards. Agreeing on them is easier than actually implementing them permanently in a company.
What does cyber security depend on?
Mirko Ross: In most cases, there are minor flaws. Standards exist, but they cannot be permanently maintained by all actors. Somewhere there is always this weakest link. A small player is just not in a position to quickly patch up, upgrade and close a security gap. This does not mean that the big players are so excellent. The same thing can also happen there, through human error or because some processes are too slow. Companies should therefore invest heavily in securing their systems. This raises the question of which companies within the chain still find it worthwhile as a business model when some participants already have high deficits and difficulties. Can they find the funds to invest at all to keep their data and their IT infrastructure secure?
What basic rules do transport operators have to follow to make e-ticketing as secure and trustworthy as possible?
Mirko Ross: The first basic rule of data protection is a minimal use of data. Even here, the departments in a company sometimes conflict with each other. While some want to collect as much data as possible in order to optimise operations, others say that collecting so much data means having to protect a lot of data. In general, it always has to be expected that data can be lost. All those involved in this system would do well to write the credo of minimal use of data right at the top of their banners. When data leaks occur, this is the worst case and the trust in such a system also decreases.
The transport infrastructure is part of the critical infrastructure. E-ticketing, as you said, creates a larger vulnerable surface for potential hacker attacks. How can these be avoided?
Mirko Ross: The hacker attack is the new “normal” situation. Any company of any class or category will be attacked. This is a result of the way cyber-attacks are structured. Predominantly, cyber-attacks start through automated scans for known vulnerabilities or through phishing via email. The basic technical protection is to configure all systems properly and to keep them up to date. In fact, if we look at ransomware, this would prevent a majority of attacks. Attacks simply occur because the systems are not patched properly. And it’s about people. The last line of defence is the people who work in a company. If they are properly aware, they can also take the right measures and decisions. That’s why it is important to work with people and make sure that cyber security is maintained at a high level, that there is awareness and that people are properly trained.
What is your forecast for the years to come?
Mirko Ross: There is no alternative if we don't want to keep the strip ticket, which is absolutely cyber-secure but also extremely inconvenient. The fact that we are digitising ticketing is an irreversible process. There is no doubt that it will happen and we have to be prepared for it. The fact that cyber-attacks are increasing is also an irreversible process. We have to adapt to that as well. So, the next few years will be extremely exciting.