Cybersecurity in Transportation: Implementation Challenges – Are You Ready?

This special report aims to provide a few keys to enhancing corporate cybersecurity, particularly in the transportation industry.

Cybersecurity of Your Operational Systems: Are You Ready?

 

The media regularly report on the impact of cyberattacks in the industrial sector. Crucial to social cohesion and the economy, transportation is one industry that operates under the omnipresent threat of cyberattack.

In Quebec alone, several recently reported events have revealed the industry’s vulnerability, leading to production stoppages as targeted industrial equipment and/or computer networks have been paralyzed. The ever-increasing number of officially disclosed attacks is but a glimpse into the actual situation, the full scope of which is still impossible to comprehend.

One indisputable fact remains: the financial and reputational stakes cannot be denied. No company can afford to fall victim to an attack that leads to service breakdown, holding users, customers, suppliers, and employees hostage. In light of the situation and increased cyberrisk factors, businesses should be vigilant and prepare appropriately to ensure the resilience of their organization.

Increased Cyberrisk Factors

Cyberresilience Self-Assessment

Resilience refers to the ability of a person, ecosystem, or economy to resume optimal operation after trauma, disruption, or crisis.

Just as viruses threaten human health, it is practically impossible to anticipate when or what kind of attack could jeopardize the survival of a business. Beginning to tackle the situation right away by determining the current status of the organization is not only possible, but highly recommended.

Where to begin?

A few self-assessment questions
  • Is the organization ready to react in the event of a cyberattack?
  • What operational systems face the greatest risk?
  • What percentage of the budget is dedicated to operational cybersecurity?
  • Have a cybersecurity program or other protective solutions been implemented? Have they been reassessed?
  • Are the skill sets required to assess cyberrisk exposure and solution rollout available in-house?

 

Adopt Best Practices Now

As we’ve previously discussed, assessing cyberrisk and risk mitigation measures should extend to the entire ecosystem in which businesses operate. It involves conducting a complete 360-degree analysis that includes company processes and structure, as well as those of every vendor in the supply chain.

The process should consider systems in the broadest sense (information technology, operational systems, equipment, machinery, etc.) and the people that run them, as digital security is still often compromised by human error.

The first stage of working toward greater cyberresilience consists of mapping operational systems. Drawing up the list of attack surfaces to determine the most vulnerable systems and the scope of risks the organization is facing helps define what level of protection is appropriate and what measures should be taken.

That means making cybersecurity a priority in all day-to-day operations and at the highest levels of the organization, for easier decision-making and resource mobilization. Changes to the organizational structure may be needed to ensure responsibility for cybersecurity is entrusted to the right people with the skills to make the necessary decisions.

The next stage involves implementing an operational cybersecurity program that includes a review of the corporate computer architecture. Business technology systems can be accessed in multiple ways, and every point of contact should be considered – critical systems, of course, but also interconnected subcontractor systems that handle increasing volumes of data. That’s why collaborating with the various parts of the supply chain is essential to securing systems.

Successful cybersecurity programs rely just as heavily on cross-functional collaboration within organizations. Having specialized teams take part in the process helps limit the impact on systems, as they have an invaluable understanding of technology.

Change management underpins the entire process. It is important to lay the foundation for the teams involved, and more broadly, to raise employee awareness about the nature of cyberrisks and how employees can make a difference day to day, helping them grow more vigilant. Communication, education, and training efforts are necessary. Areas of responsibility can also be reviewed so that the organizational structure of the business reflects the importance placed on cybersecurity.

Beyond integrating a well-thought-out operational cybersecurity program into operations, periodically reviewing and validating the measures in place is essential to keeping systems secure and adapted as technology develops.

The last stage consists of conducting regular audits of the cybersecurity program, along with complementary activities including surveillance and continued training for the teams involved. With these tools, businesses are in a better position to keep up with the new standards and regulations they will have to integrate over time, both when it comes to securing current systems and to designing and developing future systems.

Rising to the Challenge to Set Yourself Apart

The threat is latent. Business rolls on and it is in the interest of businesses to stay one step ahead and maintain their competitive edge.

Overlooking cybersecurity could put essential business relations at risk and threaten the survival of organizations. Businesses whose systems perform well but fail in terms of cybersecurity could be excluded from requests for proposals. Conversely, businesses with solid cybersecurity programs would be in an influential position and could prompt their own customers to adopt higher security standards, for the benefit of their entire ecosystems.

Operational systems that are covered by cybersecurity programs could even provide a competitive edge over the short term, as the vast majority of businesses are only beginning to implement such programs. Being ahead of the curve puts organizations in an enviable position.

While being prepared for attacks doesn’t prevent them from happening, it does help targeted businesses react quickly and appropriately. In doing so, they demonstrate their earnestness, skill, and professionalism, all of which inspire trust among customers and suppliers.

Technology is developing rapidly, and new fields of expertise are emerging in both computing and engineering. As a result, organizations should secure the right skill sets to uphold system cybersecurity over time.

Standards in the field are also evolving. Staying abreast of regulations and certifications being adopted in the markets in which businesses operate helps them make sure that their systems are designed to meet upcoming cybersecurity requirements. It seems likely that regulations stemming from the ISO 21434 standard will be adopted progressively across North America. Businesses can draw from this standard to set up robust processes that ensure the highest levels of security.

In a similar vein, staying on top of legislative developments could lead organizations to make a real difference, or at least foster the adoption of secure practices. Keeping a log of cyberincidents is a good example. Beyond the documentary interest in strengthening organizational security processes, such logs could become standard in the near future. Canadian regulations are evolving, and Bill C-26 is set to make it mandatory for businesses to report the cyberattacks they fall victim to, rather than the current voluntary disclosure.

Anticipating the adoption of such rules and complying with them now, if not outright going beyond set security criteria, puts businesses one step ahead in a changing environment. Taking the lead could even help set them apart and give them a say as these new regulations are developed.

Cyberthreats are ever-shifting disturbance vectors businesses must learn to deal with. Cybersecurity is not an end in itself, but it is becoming one component of businesses’ operational and financial health, and ultimately, of their survival.

As with any threat or crisis, the degree of preparation is often an indication of how quick and efficient organizations will be in recovering and resuming normal operations. Businesses can adopt a preventive approach to cyberthreats and develop greater agility, making a major positive difference in the long run.

CYBERSECURE YOUR
OPERATIONAL INFRASTRUCTURES

Get the free white paper to learn how to meet cybersecurity challenges in transportation.

Cybersecurity in Transportation: Implementation Challenges – Supply Chain


Securing the Supply Chain

 

Minimizing attack surfaces and the impact of potential cyberincidents on business by mapping risks diligently and implementing a cybersecurity program is a crucial first step – but it isn’t enough.

In a global economy, no business runs in a vacuum, and the supply chain is now a significant vector for cyberthreats. The smallest security breach detected in a supplier becomes a vulnerability for client businesses.

The cyberresilience of a business also depends on the security level of the weakest link in its supply chain. As a result, organizations should go beyond securing their own systems and make sure to secure their ecosystem, particularly the network of suppliers and subcontractors with whom they do business.

 

Why Is the Supply Chain a Risk Vector?

Vendors have become prime targets and victims of a wide variety of cyberthreats, if not outright cyberincidents. Many market analysts predict that those numbers are going to continue to rise.

PwC has revealed that 54% of Canadian respondents to its annual Digital Trust 2022(1) survey expect to see an increase in reportable incidents in 2022 due to attacks on the software supply chain, as well as higher risks related to third parties and the supply chain.

Among the various motives for attacks cited by the European Union Agency for Cybersecurity (ENISA)(2), seeking to exploit the trust between businesses and their suppliers is behind 62% of attacks, which is quite telling.

It would be rash to base a cybersecurity risk assessment solely on the trust between customer and vendor. In fact, adopting a structured approach and requiring minimum cybersecurity levels from suppliers appears vital.

Threat Landscape for Supply Chain Attacks

Supply chain attacks on the rise

 

Risks that Impact the Supply Chain

Where is the Weak Point in Your Supply Chain?

Just as they have analyzed and assessed their own information and operational systems, businesses will have to determine the level of risk for every vendor involved in their production process.

In the transportation industry, many systems that are generally outsourced to third parties can be targeted, including HVAC, door systems, and passenger counters. Publishers of the software that businesses use will also have to be taken into account, as will the manufacturers that supply the electronic parts that go into building electric circuits.

Pinpointing the highest risks in the supply chain involves examining every component closely. To do so, businesses can choose to implement self-assessment questionnaires, for example, to identify subcontractors at greatest risk. Using the data they collect, businesses can then assess maturity levels and better understand what organizational and operational assets and what sensitive information vendors can access.

Vehicle Cybersecurity Ecosystem

 

Depending on the nature of the conclusions drawn when data is collected and questionnaire results are analyzed, businesses can review and improve their supplier selection process to strengthen minimum cybersecurity requirements. In time, certain organizations will choose to consolidate their supply chain to make it easier to enforce subcontractor requirements.

Whether they are long-time suppliers of the organization or new, it is important to integrate them fully into the assessment process and communicate clearly with them to ensure the entire supply chain is secured.

Setting clear minimum cybersecurity requirements is always easier when entering into new contracts than it is when dealing with long-standing partners. It is nonetheless vital to address cybersecurity issues and requirements with the latter, with the support of procurement department representatives (purchasers) and legal teams. They will be the catalyst for awareness and the necessary review of internal processes and contractual procurement clauses. These professionals will have to be appropriately trained on minimum cybersecurity requirements that could feature in negotiations with subcontractors.

As cybersecurity-enhancing regulations and certifications are adopted and applied across the industry, integrating specific cybersecurity measures will have to be considered as part of contractual supply operations.

The ISO 21434 standard calls for close collaboration between a system’s integrator or designer and its various suppliers, thus requiring that the roles and responsibilities of both parties be clearly identified, documented, and mutually accepted. The integrator will then have to ensure that set cybersecurity processes are followed, both in their own organization and by subcontractors.

 

Anticipating Risks

According to Statistics Canada, 47% of cyberattacks in Canada in 2019 targeted small and medium enterprises(3). The more than 1.14 million such businesses across Canada(4) are an essential part of the national economic fabric.

Believing themselves too small to present an attractive target, they often underestimate the cyberthreats they could fall victim to. SMEs often have less robust security systems that present more easily accessible back doors to penetrate the information systems of larger businesses.

Customers could limit such vulnerabilities by being proactive in encouraging a collaborative approach with all partners to strengthen the supply chain from end to end. They could also prompt SMEs they deal with to develop their cyberresilience by leveraging dedicated cybersecurity resources.

While international standards are still being developed or adopted, many solutions already exist to support SMEs in securing their information systems, including the federal government’s CyberSecure Canada program(5) that gives SMEs access to resources to better understand the risks they face. Barring the implementation of specific security checks, they can opt for certification to reflect their best cybersecurity practices.

Subcontractors that integrate cybersecurity policies into the very design of their products and/or systems emerge as winners in the process, benefitting all customers by reducing cybersecurity risks. This collaborative approach is mutually beneficial to everyone involved, and the supply chain is all the more secure as collaboration between parties is enhanced.

Maintaining high cybersecurity levels among all supply chain members becomes a prerequisite to its proper operation, but it requires long-term investments and efforts, the benefits of which are difficult to assess. Sharing information and best practices between customers and suppliers will enable organizations to take part in a broader-scale drive to increase their mutual cyberresilience. By investing time and effort in analyzing and strengthening the cybersecurity of their supply chain, businesses will help build value for their entire ecosystem.

 

 

 

(1) https://www.pwc.com/ca/en/services/consulting/cybersecurity-privacy/digital-trust-insights

(2) https://www.enisa.europa.eu/understanding-the-increase-in-supply-chain-security-attacks

(3) https://www150.statcan.gc.ca/n1/daily-quotidien/201020/dq201020a-eng.htm

(4) https://cyber.gc.ca/publications

(5) https://cybersecure-canada/en/get-started


Cybersecurity in Transportation: Implementation Challenges – Operational Systems


Securing Operational Systems

 

As we have seen in the first two articles of this special report, cybersecurity is becoming a strategic imperative to ensure business longevity. After identifying the risk exposure of information and operational systems within organizations, risk mitigation involves laying a solid foundation to build cyberresilience.

The approach will be a key ingredient in the design phase of new products to eliminate potential security breaches at the source. That way, businesses will ensure that their operational systems meet the minimum cybersecurity compliance requirements of public and private clients.

But what about current products and services? How can you make sure they withstand cyberattacks? How can you convince and reassure customers that systems are robust and cyberresilient?

Cybersecurity Programs and Certification

Implementing an operational cybersecurity program is becoming the norm in both Europe and North America. By taking the necessary precautions to tackle cybercrime, businesses and para-governmental organizations show customers and third parties (investors, employees, and the general public) that they are proactive in setting up the necessary conditions to ensure business continuity in the event of cyberincidents.

An overview of the implementation phases of an operational system within the framework of developing a cybersecurity program is presented below.

Development Phases of a Cybersecurity Program

Life Cycle Project Management: Cybersecurity-Related Actions

Certification is another step in that direction. Although standards are not yet harmonized across continents, they are becoming clearer and being implemented in a number of countries.

That is the case for regulations RN155 and RN156 that are progressively being adopted in Europe, as well as for standard ISO/SAE 21434 that covers every phase of the life cycle of connected vehicles, from electric and electronic systems, including their components and interfaces, to integrated software and the tools required for their development.

ISO/SAE 21434 was created following the exponential increase in cybersecurity incidents involving connected vehicles recorded between 2016 and 2019 – a staggering 605% (1). That number is bound to grow if nothing is done to secure the multiple systems aboard cars, such as communication units and voice assistance systems, geotracking sensors and cloud-based platforms that connect vehicles to mobility services. The Juniper Research Institute (2) estimates that 206 million vehicles will feature such capabilities by 2025, including 30 million connected to the 5G network.

Overview of the ISO/SAE 21434 Standard

A Prerequisite for Responding to RFPs?

Although the transportation industry increasingly demands vehicles be certified and meet standardized cybersecurity requirements, the challenge lies in the fact that the vast majority of these vehicles are already designed, if not already built. It should be noted that many other industries face the same issue.

Implementing an operational cybersecurity program and taking the steps to have existing systems certified poses an additional challenge for businesses trying to reconcile minimum compliance requirements, technical and financial system constraints, and time to market.

The approach to certifying current systems is similar to certifying new ones, but it can be more difficult to conduct a full system analysis. As cybersecurity risk mapping and attack scenarios are prepared using the existing architecture, the latter can be ill suited to these new requirements, making the documentation process to demonstrate cybersecurity compliance difficult, if not impossible.

The effort and resources dedicated to these analyses will incur costs that businesses may be forced to absorb in order to market systems at a competitive price point. One potential solution involves conducting a gap analysis before undertaking a cybersecurity program to assess the scope of needed efforts. To do so, businesses can call on external experts to conduct or assist in conducting the inherent cybersecurity risk analysis or review the analysis as part of an internal auditing process.

To ensure these steps are successful, involving various professionals and areas of expertise from across the organization is essential, including the sales team to explain the process and its financial implications and raise awareness of the need to integrate these new requirements when responding to RFPs. The sales team can then determine the additional costs related to cybersecurity activity and leverage these add-ons.

Suppliers and subcontractors of system components are also essential stakeholders in the process; that consideration will be covered in our next article focusing on supply chain issues.

One Key Step: Reviewing IT Architecture

As previously explained, the ISO/SAE 21434 standard focuses mainly on operational systems. However, it is crucial that all information technology (IT) teams be considered essential partners in helping businesses become cyberresilient.

It is all the more important as minimum operational cybersecurity requirements are often conflated with organizational cybersecurity concerns. For example, simple system intrusion testing is often required, even though it only represents part of the cybersecurity certification process of systems.

Organizations that have yet to implement cybersecurity programs will also need to secure their organizational IT infrastructure. That involves analyzing gaps with common IT practices, upgrading methods to adopt market-compliant cybersecurity practices, and establishing policies and processes that foster these practices going forward.

9 Elements of Network Security

Once organizations have cybersecurity programs in place, developing new operational systems will have to take the revised IT infrastructure into account to ensure consistency across IT and operational technology (OT).

Examples of necessary actions to upgrade IT architecture

In light of the efforts needed, it appears that certifying operational systems poses several challenges and compels businesses to follow a strict process that involves mobilizing significant human and financial resources. And while implementing an operational cybersecurity program may constitute a first step toward certification, its impact on existing IT systems should not be overlooked.

As is the case for all major projects, proper planning is crucial to successfully transitioning to an operational cybersecurity program, including a precise mapping of the systems involved and the assistance of experienced resources to support businesses in their efforts. Successfully implementing such programs then simplifies business processes when responding to RFPs going forward.

 

(1) Source: ISO/SAE 21434 Automotive Cybersecurity Standards Guide (beyondsecurity.com)

(2) Source: Operator Connected Car Strategies Statistics: Market Summary | Infographics (juniperresearch.com)


Cybersecurity in Transportation: Implementation Challenges – Cyberresilience


Building Organizational Cyberresilience

 

Resilience refers to the ability of a person, ecosystem, or economy to resume optimal operation after trauma, disruption, or crisis.

The process is similar when it comes to cybersecurity. Zero (cyber)risk does not exist. But cyberresilient businesses can recognize and accept their vulnerability to cyberthreats and take measures to guard themselves, lowering the impact on their organizations, employees, customers, and reputations. What sets them apart is their ability to remain operational after a cyberattack and manage the resulting disturbances.

The effects of cyberattacks are many, and damages can be severe. No matter their nature, target, or scope, cyberattacks can tarnish the reputation of organizations and rattle the trust of stakeholders, i.e. customers, employees, shareholders/investors, the general public, etc.

In a core sector like transportation, organizational resilience is a must, both to ensure the economic survival of organizations and to secure their vehicles, equipment, and data networks. Integrating cybersecurity rapidly into organizational and operational processes is crucial.

 

At the Heart of IT-OT Convergence

 

Until a decade ago, information technology (IT) and operational technology (OT) were two fairly distinct areas. In the early 2000s, cybersecurity efforts were mainly focused on IT infrastructure, and cyberthreats, which were few and far between, almost never targeted operational systems. The systems did not communicate and the teams responsible for them had no need to collaborate.

Things have evolved and the emergence of cloud-based solutions has connected most operational systems to the Internet – for better and for worse. While advantages are undeniable, the situation also creates new vulnerabilities that businesses must analyze closely.

IT teams and implemented strategies still often reflect a misreading or poor understanding of operational systems, which hinders the comprehensiveness, effectiveness, and synergy of their approach.

Promoting convergence between IT and OT helps coordinate the work of the teams that oversee information systems and engineering departments. Using a cross-functional approach makes it easier to secure and make operational systems and their connected equipment an integral part of a shared, cohesive cybersecurity program.

Fully integrating networks (cloud, Internet of Things, etc.) into the implementation of a unified governance, process, and policy framework for IT and OT heightens businesses’ security for both their information and operational systems.

Businesses generally have an organizational cybersecurity program that defines activity in terms of information security – for which international standard ISO/IEC 27000 is used as a benchmark – but such programs are nonetheless ill suited to the reality of operational systems. As IT and OT face distinct, and sometimes divergent, issues, it is possible, and even beneficial, to include elements of organizational cybersecurity in order to promote the secure development and maintenance of operational systems.

If an organizational cybersecurity program has yet to be implemented, it is important to analyze operational processes and standards before moving on to any other cybersecurity-related activity. Determining gaps between current development processes and cybersecurity measures is an essential step in identifying vulnerabilities and potential security breaches.

This process is set to become an industry standard and compares to implementing a quality management program (ISO 9000). It involves implementing security controls from the very beginning of operational system design work. Doing so requires time, effort, and specific skills that can be provided by resources from outside the organization to support the process.

Over time, having a proactive approach to cybersecurity has a positive impact on company engineering decisions by fostering the secure development of new operational systems from the early design phase.

 

It’s Not Only About Technology

While a single vulnerable system can be enough to open a security breach into a digital environment, the ways to avoid such situations and the solutions to be implemented are not all technological in nature.

Organizational and human factors also play a crucial role in businesses’ ability to manage cyberrisks. Organizations have everything to gain by laying the foundations of a cyberculture that influences their actions, investments, strategic planning for technological innovation, and the evolution of their processes and policies to secure systems. Effects will be all the more beneficial for businesses’ long-term health and success as decisions are supported by top management and communicated well to all teams.

One first step involves training all employees on the basics of cybersecurity to raise their awareness of the importance of practising good digital hygiene and the potential impact of their actions on company systems security. Promoting a solid understanding of these issues and business needs helps keep employees accountable.

Add to these awareness efforts more specialized training from IT teams as part of the business’s organizational cybersecurity program, to promote conducting risk analyses on systems and subsystems and clarify stakeholders’ roles and responsibilities. By developing a shared cybersecurity framework, the engineers responsible for individual subsystems will be able to respond to risk analyses and IT teams’ attack scenarios. Product managers will be kept informed of risks that may affect specific products.

Enhancing company cybersecurity requires specific skills and an effective strategy in the hands of a dedicated, duly coordinated team that is well represented at the upper management level.

Defining and implementing a cybersecurity program that is adapted to operational systems requires advanced expertise that current IT teams in the industry may not have. Businesses may need to recruit specialized resources or call on external expert cybersecurity services to support their efforts. Such dedicated resources capable of understanding and dealing with cybersecurity issues ensure that company stakeholders are kept informed and engaged throughout the organization.

In an ideal organizational structure, these efforts are coordinated by an executive-level specialist whose mission it is to uphold information and data security. This person, the Chief Information Security Officer (CISO), plays a different role than the Chief Information Officer (CIO), whose tasks mainly focus on the strategic planning of organizational information technology initiatives. By working closely with the executive team, the CISO is aware of the company’s evolution, its development opportunities, and strategic direction when it comes to innovation. They can then see to it that operational cybersecurity concerns are integrated from the outset.

Transitioning to making cybersecurity central to business operations and strategic planning is crucial. The process may be long and complex, and it must take into account company constraints and avoid trying to change everything all at once. A gradual, properly explained implementation will encourage employees to adopt these important changes. A balance must be struck between the need to strengthen security activity and to ensure continued daily operations.

Just as businesses began undergoing a digital transformation a few years ago, a transition to cybersecurity is unavoidable. Businesses must adapt quickly to these new, constantly shifting constraints. While most increasingly understand the related risks, many are still struggling to collect data and mobilize the resources they need to act.

One thing is certain: the days of handling cyberthreats in a vacuum are long gone, as every economic sector and organizational activity is affected. The time has come to secure current operational systems and make cybersecurity a design criterion for future systems. Today, clients are increasingly demanding confirmation that cybersecurity analyses are included in system development cycles, before even purchasing or implementing these systems.

As organizations grow cyberresilient, the ideal process will involve eliminating potential security breaches from systems right from the design stage. Until then, how can you ensure systems meet market requirements and expectations?

 


CYBERSECURE YOUR
OPERATIONAL INFRASTRUCTURES

Get the free white paper to learn how to meet cybersecurity challenges in transportation.

Cybersecurity in Transportation: Implementation Challenges – Operational Networks

This special report means to provide a few keys to enhancing corporate cybersecurity, particularly in the transportation industry.

 

Cybersecurity and Operational Networks – Tackling New Challenges

 

As information and operational technologies are growing ever more interconnected and available to the general public, cyberthreats and security breaches pose new challenges that businesses must face.

While the digital transformation of businesses presents a wealth of new business opportunities, it also makes companies more vulnerable. Now present in all economic spheres, cloud-based solutions help blur the traditional boundaries between conventional computer systems and operational systems. Points of contact are multiplying, offering new attack surfaces for cybercriminals.

Unfortunately, the transportation industry has not been spared. The Government of Canada has even identified it as one of the top ten critical infrastructure sectors in terms of cybersecurity risk (1). Although the technologies in use vary from one vehicle to the next, most new vehicles are connected to a certain extent. Transportation networks are also largely dependent on connected equipment (sensors, controllers, onboard computers, management software, etc.), which leaves them vulnerable to cyberattacks seeking to disrupt operations or even take control with malicious intent.

Barring in-depth consideration at the highest echelons of organizations, cyberthreats pose a true challenge to the longevity of businesses and the proper functioning of society.

A New Playing Field

Operational technology (referring to equipment and software used to control physical devices or processes meant for operational environments) used to operate in closed circuits, i.e. with very little interconnection with corporate networks. Today, connected operational technology is omnipresent and integrates with other computer systems, making it possible to automate certain manufacturing processes, manage or control equipment remotely, and install updates.

However, operational systems are too often still run and maintained separately from conventional computer systems. As a result, the companies that operate them continue to consider related security concerns in compartmentalized fashion. There are more points of contact than before, and each one is a potential entry point or security breach for operational equipment.

Types of Cybersecurity

What Drives Cyberattacks?

Historically, cyberattacks mainly targeted organizational information infrastructure, i.e. servers, workstations, networks, etc., generally with the intent of stealing data. Several large-scale infiltrations have occurred in the last few years, including the infamous attack on SolarWinds in 2019.

The attack on one of the US software company’s servers targeted the production system of its flagship software, Orion, used by tens of thousands of businesses and organizations around the world. Among the hundreds of attacked clients that were identified (out of a total of nearly 18,000 clients) were six departments of the US Government, including the Departments of Energy, Commerce, Treasury, and the State Department. Although the nature of the information the group behind the attack sought to steal and the consequences of the operation remain unclear, such infiltrations highlight the vulnerability of organizations and the resulting domino effect on their ecosystems.

In Canada, many businesses and levels of government have also been the victim of cyberattacks in the last few years, underscoring the cybersecurity challenges organizations are now facing.

Recent technological advances have contributed to the spread of malicious software, as it becomes more easily available to individuals or groups with nefarious intent who are honing their strategies and increasingly well organized.

The development of enterprise IT solutions, multiplication of cloud-based services, and implementation of virtual infrastructure have granted businesses a tremendous amount of flexibility that goes beyond organizational infrastructure. Today, these connected operational systems commonly used in the manufacturing and transportation sectors are all potential security breaches that can inflict damage far beyond mere data theft.

Cyberattack Types

What Risks Are Businesses Exposed to?

While profit remains the main motive behind cyberattacks, potential damages can vary widely, depending on the perpetrators.

In the transportation sector, cyberthreats can, for example, seek to take control of equipment to disrupt, cripple, or even destroy a transit system. One recent example involves a computer virus attack on the transit authority of a large North American city. The infiltration affected over 60% of the organization’s servers, as well as a number of workstations, which forced it to mobilize vast resources to restore its servers and ensure no data was stolen. The cyberincident had no effect on the operational bus and subway systems, but other organizational platforms were disrupted, including its website and phone lines.

Another thought-provoking example that served as a wake-up call for the automotive industry involved two American scientists taking remote control of a Jeep Cherokee in 2015. The two information security specialists wanted to show that it was possible to disrupt certain car systems by infiltrating the onboard computer. Conducted with a journalist in the driver’s seat, the operation led Fiat Chrysler to recall over one million vehicles to correct identified vulnerabilities.

Although not all cyberattacks are alike in scope or severity, consequences can still be harmful to victim organizations, jeopardizing their financial health, reputation, and even their continued success.

According to a survey conducted by Deloitte (2), 32% of top executives worldwide indicated that the most significant repercussions are on an operational level. They also mentioned the theft of intellectual property (22%) and drops in share price (19%).

Operational systems are at even greater risk as they were often designed independently of organizational infrastructure and include no cybersecurity components. Generally built to last with life cycles of 10-plus years, operational technology relies on equipment and software with vulnerabilities that are often well known to hackers or become so from lack of updates.

 

Are Businesses Ready to Respond?

The very diverse nature of cyberthreats makes them difficult to anticipate and forces businesses to develop their cyberresilience. From inventorying assets connected to a network to identifying the skills needed to know, understand, detect, and prepare to face these new risks, businesses must rally their forces to present a united front against these threats.

On a global scale, governments, work groups, and regulatory bodies are also organizing to define new rules. Fighting against cyberrisks will soon involve clients and businesses demonstrating their ability to meet minimum cybersecurity requirements.

In the US, the National Institute of Standards and Technology (NIST), a non-regulatory federal agency, has developed a cybersecurity framework that includes several standards, guidelines, and best practices and made it available at no cost to private organizations seeking to develop or update their own cybersecurity programs. 

In the transportation industry, the United Nations has also drafted standards to prompt vehicle manufacturers to develop secure operational systems that include cybersecurity considerations right from the design phase. Adopted in 2021, UN regulations R155 and R156 lay the foundations of a cybersecurity framework for vehicles in various regions around the world, applying to both cybersecurity management systems and software update management systems. The European Union intends to impose these new measures on road vehicle manufacturers by 2022 for all new vehicle types and by 2024 for existing platforms.

In Canada, Transport Canada and various levels of government are taking these new security standards into account, particularly standard ISO/SAE 21434 (Road vehicles—Cybersecurity engineering) that seeks to integrate cybersecurity engineering practices at every stage of a vehicle’s life cycle.

The digital transformation is well underway and shows great potential for the transportation industry, in that it enables manufacturers to achieve greater efficiency and helps improve transportation safety for riders.

However, cybersecurity challenges are a growing concern for businesses, who should give them due consideration at the highest levels of the organization. They will have to assess organizational exposure to cyberrisks, mobilize the necessary resources to protect themselves appropriately, manage incidents and potential crises, and update operational systems. Adopting a comprehensive approach that includes third parties will also be important in managing the inherent risks of the supply chain, as we will discuss in upcoming articles in this special report.

 

 


 

 

(1) Critical Infrastructure Partners (publicsafety.gc.ca)

(2) The Deloitte 2021 Future of Cyber Survey polled nearly 600 C-level executives about cybersecurity at companies with at least $500 million in annual revenue, between June 6 and August 24, 2021.


The new reality of cybersecurity: operational networks

Operational Cybersecurity

 

Cyberattacks today go far beyond the traditional data theft-ransom combo that affects organizational IT. They now also aim to destabilize large parts of the economy, the market and the production and supply chain by directly attacking our operational infrastructures – which now often integrate virtual and cloud technologies – such as our communication networks, our factories and our transport. Hence the need and urgency to adapt our operational systems to this new reality.

Stay tuned as we will soon publish a series of articles on the challenges of implementing operational cybersecurity, more specifically in transportation where we will discuss topics such as implementing a culture of resilience within an organization, the best approach to certify an existing system, supply chain management and cybersecurity standards within the transport industry.

Cysca is well positioned to help you deal with cyber risks and cyber terrorism and modernize your systems.

Contact us to find out how Cysca can help you solve some of your biggest challenges, whether in software or systems engineering, systems integration, electronics design, IT architecture or cybersecurity.

 

ABOUT CYSCA TECHNOLOGIES

Since 1997, Cysca Technologies has provided cutting-edge engineering solutions in systems engineering, electronics design, software engineering, systems integration, IT architecture and cybersecurity. We offer end-to-end services and support our clients in developing their own solutions by leveraging our expertise in developing electronic systems, the related embedded software and user interface applications. While bringing forth our creativity and innovative mindset, we harness innovation for the benefit of sustainable growth.

Proud to support the next generation


Cysca Technologies is proud to support the next generation

 

Resolutely looking to the future, Cysca Technologies is proud and very happy to sponsor Ourea, a team of graduating engineering students at the University of Sherbrooke, in the context of their drone design project.

The Ourea team has set itself the challenge of creating a hybrid multirotor-style drone able to brave extreme weather conditions autonomously, safely and economically. Potential future uses include capturing imagery and scientific data and providing emergency assistance in difficult-to-access terrain.

Cysca strongly believes in creating innovative solutions and value for technological advancement for the benefit of sustainable growth. It was therefore natural for us to support the ambitions of this new generation of engineers.

We look forward to encouraging them at the 2022 edition of Expo MégaGÉNIALE, the largest exhibition of engineering projects in Canada, which will take place on December 2 and 3 at the Sports Centre of the University of Sherbrooke.


Redesigned Website: A new interface with a refreshed brand

Cysca Technologies launches redesigned website with new refreshed corporate image

 

Cysca is excited to announce the launch of our newly designed website: www.cysca.com.

Through a more user-friendly and easier-to-navigate interface, our completely redesigned site offers a new simplified way of presenting our services and a few of the markets we support. Moving beyond a client-centric philosophy, we aim to connect our clients with the solutions they need to solve the obstacles they are facing in developing innovative and sustainable products and services.

Our new site features a portfolio of a growing selection of projects showcasing our expertise and the innovative solutions we bring to our clients to help them solve some of their greatest challenges.

In addition to learning more about some of our projects, our audience can now access thought leadership and other content such as technical notes, articles, white papers and news on our Insights page. This knowledge centre, which will expand over time, will offer valuable and user-centric resources on a variety of topics to expand industry knowledge and find potential solutions to business pains.

Cysca’s President and Founding Partner Yves Tremblay said: “Our new corporate image and website are some of the steps we are taking as a way forward to pave our growth for the coming years. We are truly excited for the future and for extending our expertise and creativity in technology and electronic design solutions to support our clients in building a sustainable tomorrow for our society.”

We invite you to share your thoughts with us and look forward to seeing you at cysca.com.

 


A New Office Location for Cysca

We are moving: a new office location in the Greater Montréal Area

 

We are pleased to inform you that we are relocating our offices to a new location within the Greater Montréal Area, effective Monday September 20th, 2021. Our new modern office in Terrebonne offers larger capacity to accommodate our growing business needs and will allow us to group all our expertise in one location, providing our various practices and professionals with increased efficiency and collaboration to better serve our clients.

Please update your records to reflect our new address:

Cysca Technologies
Greater Montréal Area
816 des Seigneurs Boulevard, Suite 300
Terrebonne, Quebec  J6W 1T9  CANADA

Note that our other contact information, such as our telephone number, remains the same as before.

Should you have any questions on the relocation, please contact us via our website Contact page or by phone at 514 405-5542.

We look forward to seeing and serving you at our new facility.



Capacitors Piezoelectric Effect


How to address vibrations or low audible hums

Technical Note by Denis Lachapelle, P.Eng. and Francis Thiffault, P.Eng, July 2015
Revision by Frédéric Longchamps, Jr.Eng., February 2021

Our experience has shown that it is not a well-known fact that some multilayer ceramic capacitors can exhibit piezoelectric characteristics. This effect occurs in ferroelectric capacitors (class II and III) which possess medium to high dielectric constants such as X5R, X7R, X8R, Y5V, Y5U, and Z5U. The piezoelectric effect can cause the capacitor to vibrate and, if this occurs within audible frequencies (20 Hz to 20 kHz), may cause the capacitor to “sing” and be audible.

Having a capacitor susceptible to the piezoelectric effect is not enough to cause the ringing noise, since the amplitude it produces is so small. Multiple conditions must be met for it to be loud enough to be heard. Apart from the signal frequency and the capacitor design and construction, the effect is influenced mainly by the DC bias and the ripple amplitude of the signal applied to the capacitor. The PCB itself and the layout also play an important role, and temperature may play a role as well.

This piezoelectric effect can also be reversed. An external mechanical pressure may cause the capacitor to produce a signal in microvolts, therefore, under certain conditions, making the capacitor potentially act as a microphone and capture acoustical noises in its surroundings and insert these in the system.

Application

Depending on the application, this effect may or may not be an issue. The piezoelectric effect has no effect on the reliability of the components. However, in certain devices such as amplifier circuits and handheld devices, the noise caused or inserted in the system may become an issue.

We have encountered such an issue in a microphone amplifier circuit. The microphone was powered by a phantom DC and the audio signal was coupled to the amplifier using a 1uF ceramic surface mount capacitor. This was an echo canceller card installed in a PC. The circuit was working perfectly, except that a hard disk noise could be heard even with the microphone isolated. The initial plan involved an inspection of the coupling through the power supply rails, but upon doing this, the board was accidentally bumped and produced a ‘tick’ noise, which alerted us to a mechanical coupling problem. After replacing the 1uF ceramic surface mount capacitor, the issue disappeared.

Solutions

One way to reduce the piezoelectric effect is to use through-hole capacitors or ones with metal terminations, which greatly reduce the vibration by decoupling the movement from the PCB. Capacitors which tend not to produce this effect include tantalum, aluminium electrolytic, C0G and NP0 capacitors.

Another way would be to improve the signal: as the piezoelectric effect is directly proportional to the ripple amplitude, reducing the ripple will diminish the noise. Having a duty cycle closer to 10% or 90%, instead of 50%, will also improve this. A signal frequency outside the audible range would also prevent a user from hearing any ringing.

Finally, the use of a thicker PCB, which resists deformation better than thinner boards, will contribute to the reduction of the effect. Positioning the capacitor on the edge rather than the center of the board should also provide a smaller surface upon which to cause vibrations, therefore reducing the noise. Lastly, laying out the capacitors symmetrically on the top and bottom layers, one on top of the other, should make the deformations of each pair of capacitors cancel each other out.

Conclusion

When using ceramic capacitors in sensitive circuits, precautions should be taken to mitigate the piezoelectric effect, especially when working with high dielectric constant ceramic capacitors such as X7R and Z5U.
