CASE STUDY: Major Metropolitan Transportation Agency
Boosting Cyber Resilience
in Transportation Services
Reveald's Epiphany Intelligence Platform enhances cybersecurity in a major metropolitan transportation agency.
Reveald's Epiphany Intelligence Platform enhances cybersecurity in a major metropolitan transportation agency.
The Epiphany Intelligence Platform leverages existing infrastructure and security tools to analyze complex IT and OT environments and prioritize actions to significantly strengthen security posture.
Reveald was retained by a global sustainable development Professional Services firm to perform an adversarial assessment in a large Transportation Agency. The objective was to evaluate the agency’s cybersecurity posture and provide guidance on specific actions to improve cyber resilience. Reveald’s team set up Reveald’s Epiphany Intelligence Platform to analyze over 200 networks in 12 different physical locations in less than a week, saving tens of thousands of dollars over other solutions. The analysis included a combination of Transportation Agency systems and technologies used by tens of thousands of people and computers.
The Transportation Agency is in one of the top 15 municipalities in the world, with a transportation network covering over 2,500 square miles, serving a population of more than 7 million people. The thousands of miles of transportation infrastructure extends beyond the city limits into other adjacent municipalities and includes partner agencies for buses, bridges, and tunnels across multiple municipalities.
The Professional Services firm—which includes over 16,000 designers, advisors, and experts working across 140 countries—is a prime contractor for the Transportation Agency. It has been at the forefront of ambitious and challenging design and engineering for over 70 years.
The Professional Services firm needed to identify gaps between the Transportation Agency’s current control systems designs, architecture, and industry best practices and to understand the effectiveness of its existing security systems. It also needed to identify upgrades necessary to improve the Transportation Agency’s existing security systems.
The Transportation Agency’s network comprises one of the nation’s largest bus fleets and more subway and commuter rail cars than all other U.S. transit systems combined. It needed to understand how to protect its bus command and control systems, customer systems, and back-office applications from cyber threats.
Ensuring the functionality and safety of an organization’s networks is essential. As a way of understanding how to protect its command-and-control systems, customer systems, and back-office applications from cyber threats, the Transportation Agency required a threat, vulnerability, and risk assessment (TVRA). They were concerned with network design as well as the assets or devices on its networks and wanted to determine the extent of its attack surface and highlight any areas of concern that could affect support systems in its physical assets.
The complexity of the interconnectivity between the way the Transportation Agency’s systems operate made it difficult for any one person or even any one group—such as a group of IT managers—to readily understand the complete IT and OT environment and its risks and vulnerabilities.
The Professional Services firm retained Reveald to perform a vulnerability analysis and identify attack paths within its networks. Reveald uses its Epiphany Intelligence Platform to perform adversarial assessments that evaluate the cybersecurity posture of an organization and provide guidance on specific actions to improve cyber resilience.
Complications
Because the Transportation Agency is a very diverse organization, understanding its entire network infrastructure was very complex. Each organization has its own projects, management chains, and organizational structure. There are different management groups or administrative groups for Windows AD (Active Directory), endpoints, network layers, firewalls, and so on. People working in one group may not understand the implications of changes to network connectivity or firewall settings for other groups. The impact of a change in one group can be profound—it can affect the entire organization.
Another complexity the Transportation Agency experienced was limited visibility into active remote systems. With COVID requiring many people to work from home at the time, this was a new problem not seen before.
Epiphany performed assessments in two key areas: a perimeter analysis of OT networks and a network analysis of the Transportation Agency’s IT environments.
OT Networks Perimeter Analysis
Epiphany scanned the OT perimeter IP spaces to catalog all the devices that communicate external to the OT network. It evaluated exposed communications ports and protocols as well as services, applications, gateways, and remote access devices that are externally accessible. Reveald brought the results of these evaluations into Epiphany to identify and evaluate attack paths that could lead into the OT environment.
IT Environment Network Analysis
Epiphany gathered the Transportation Agency’s specific business risks, threat matrix, and impact matrix. It then deployed its assessment collectors and analyzed the organization’s data sources, which included its vulnerability scanner, directory services, and routing/switching/firewall data. Epiphany then identified high-value targets that could align with the objectives of a real-world attacker.
Armed with this information, Epiphany analyzed the Transportation Agency’s environments for potential entry and pivot points from its general network environment into the OT environment. The scope of this analysis encompassed a combination of systems and technologies. It included tens of thousands of users and computers in over 200 networks in 12 different physical locations.
In under 24 hours, Epiphany found over 7,000 attack opportunities by leveraging attack path learning capabilities. For each of these attack opportunities, Epiphany provided remediation recommendations and identified specific servers, hosts, and users along with exactly what needed to be upgraded, removed, or changed. This essentially became an actionable worklist for the Transportation Agency to use to proactively address its vulnerabilities before an attack occurred.
To demonstrate how an attacker could move from the Transportation Agency’s IT environment into its various OT environments, Epiphany created detailed maps of the organization’s OT network in relation to its IT environments in order to catalog, understand, and assess the accessible OT network attack surface.
Epiphany proved that multiple attack paths existed that allowed an adversary to gain a foothold in the IT environment and move to a position of control over an OT asset through control of user sessions. Epiphany demonstrated several ways this goal could be achieved by an adversary and provided actionable strategic and tactical recommendations on the optimal remediations to implement to break the identified attack chains.
The Epiphany Intelligence Platform, Reveald’s AI-driven enterprise solution, is the first of its kind. It gathers attack data from thousands of devices and provides prioritized attack path analysis. It identifies the most likely attack paths to your critical IT assets and users and delivers specific, actionable recommendations on how to remove them.
Reveald’s Continuous Exposure Management 360° (CEM360°) subscription service leverages Epiphany coupled with expert analysts from Reveald’s Fusion Center to provide 24x7 cybersecurity vulnerability prioritization based on advanced attack graph analysis. This leads to business risk reduction through data integration and automated security analysis, validation, reporting, and guiding resolution.
Reveald’s experts work in partnership with its clients’ teams to prioritize issues that are most likely to cause cybersecurity events across identity, configuration, and defensive controls. They continuously manage and tune Epiphany, ensuring integrations with cybersecurity toolchains work flawlessly to generate the most valuable remediation information.
The CEM360° service includes full support for the implementation of a unique Epiphany instance, training for a client’s teams, reporting on business objective results, risk minimization, and continuous vulnerability prioritization updates. It is available in base and enhanced packages and supports Crowdstrike, Microsoft, Trellix, and other platforms.
Other subscription services are available.
Trusted by industry-leading organizations across the globe.
