The study defined in broad terms what cybersecurity means to CoMET and Nova metros from an industry perspective. Operational Technology (OT) was prioritised above Information Technology (IT) since the latter is not metro-specific and is more advanced, whereas metro OT systems’ rapid evolution has not been matched by suppliers or regulators.
A metro’s Cybersecurity Risk Profile combines three categories: background threats, connectivity and automation. The study found that high background threats are associated with the most active mitigation measures against cyberattacks, but metros with a high level of connectivity will feature a large risk profile even in a benign political environment. Automation increases the potential impact of cyber-attacks as both physical and non-physical actions may be carried out by a successful hacker.
Ultimately, the study findings concluded that metros, as a key public-facing industry, need to prioritise a cultural shift that places cybersecurity at the forefront of their concerns, similarly to how safety cultures have become established over time.