NJ TRANSIT snapshot
NJ TRANSIT is the third largest provider of bus, rail, and light rail transit in the U.S.
Industry: Federal and Government
HQ: Newark, New Jersey
Size: 12,000 employees, 250M riders/yr.

0 VPNs and firewalls
50% fewer help-desk tickets
100% TLS/SSL inspection
Challenges
- The organization needed a more reliable, secure, and low-latency alternative to VPN to connect its 100% mobile workforce to authorized apps and resources
- Federal regulations required strong controls for OT systems to ensure passenger safety, continuity of service, and compliance
- A top priority was increasing cybersecurity resilience to protect against ransomware and other advanced threats that could result in downtime and data exfiltration
Phased journey
- Replaced all on-premises security appliances with zero trust access to the web, SaaS, and private apps
- Protected OT, including core transportation and safety systems, by creating a secure segment of one for each connected device
- Boosted security posture with full TLS/SSL traffic inspection, sandboxing, and remote browser isolation
Results
- Delivers a productive, secure work-from-anywhere experience while significantly decreasing the volume of help-desk tickets
- Ensures safe and dependable transportation services by securing critical infrastructure
- Builds greater cybersecurity resilience with better visibility into threats, malware, and data exfiltration, accelerating detection, prevention, and response
Customer Case Study
Covering a service area of 5,325 square miles, NJ TRANSIT is the nation's third largest provider of bus, rail, and light rail transit, linking major points in New Jersey, New York, and Philadelphia. With 253 bus routes and 12 rail lines statewide, NJ TRANSIT provides transportation for 1 million passengers every weekday, which translates to 250 million per year.
As the organization transitioned to a cloud-first, fully remote-work environment, CISO Rafi Khan was keenly aware of the limitations of its outdated castle-and-moat security architecture.
“My responsibility at NJ TRANSIT is to ensure safe and reliable transportation of our constituents. Our priorities include defending our systems from bad actors, protecting our vital data, and complying with regulatory mandates,” said Khan. “Our legacy infrastructure was complex, lacked scalability, and was unable to meet these requirements, putting our operational continuity at risk.”
This led to high operational costs and management complexity. Top concerns were excessive time spent on hardware maintenance, ineffective TLS/SSL traffic inspection, and reliance on VPNs that expanded the attack surface and enabled lateral threat movement on the network.
“We needed a solution that was dynamic, stayed current with today’s technologies, and could provide a better experience for our remote users—anywhere and on any device. After we looked at other vendors, the Zscaler Zero Trust Exchange platform was the standard we went with,” said Khan. “It gives us the security, scalability, and positive user experience we were looking for.”
Inspecting 100% encrypted traffic and replacing vulnerable VPNs to secure the digital workforce
As NJ TRANSIT increasingly embraced remote work, it initiated its zero trust journey with Zscaler Internet Access (ZIA) to enable its extended digital workforce to securely and seamlessly access the web and SaaS apps from anywhere and on any device.
Enhancing inspection of encrypted traffic was a key focus area for Khan and his team. NJ TRANSIT’s legacy appliances lacked needed scalability and could only inspect a small fraction of traffic, focusing mainly on URLs. As a result, the organization was blind to many internet threats, including ransomware and malware hidden in encrypted traffic.
Zscaler changed that with its cloud-native platform and built-in TLS/SSL inspection at scale, making it easy to monitor 100% of encrypted traffic for hidden malicious content and data exfiltration activity. “Once we deployed Zscaler, NJ TRANSIT was able to mitigate inspection problems,” Jon Cassidy, Manager, Cybersecurity Architecture and Engineering, remarked. “We are impressed at its compatibility with NJ TRANSIT systems.”
Building on that success, NJ TRANSIT then addressed its legacy VPN, which Khan recognized as an inherent vulnerability and attack vector for ransomware. This gave him the confidence to accelerate the Zscaler Private Access (ZPA) implementation, completely phasing out the VPN and giving users secure, high-performance connectivity to private apps and workloads residing on hardware, virtual machines, or the cloud through the Zero Trust Exchange platform. With role-based access through integration with NJ TRANSIT’s identity provider, Zscaler delivers a completely cloud-based work-from-anywhere model with minimal latency. For example, remote technicians tasked with repairing OT systems can quickly connect to these devices from their browsers—without the need for VPN—to ensure continuity of service and uptime for critical systems.
“Zscaler secures the work employees do every day, whether they are connecting to OT systems, workloads, the internet, or private apps,” said John Franciscone, Senior Director of Cybersecurity, Architecture, and Engineering.
Taking a defense-in-depth approach to security
Khan continued to refine NJ TRANSIT’s defense-in-depth security approach by incorporating additional Zscaler capabilities.
He and his team added AI-powered Zscaler Zero Trust Browser to block web threats and prevent data exfiltration by restricting upload, download, and cut and paste actions.
NJ TRANSIT has improved its threat detection capability with Zscaler Cloud Sandbox, which provides real-time analysis of zero-day and advanced threats by quarantining potentially malicious code. It integrates with Zero Trust Browser, allowing users to securely interact with downloaded files by converting them to PDFs or disarming them to remove harmful content.
Khan and his team also added Zscaler Deception to their arsenal to thwart insider threats, ransomware, and advanced attacks that target zero trust environments and bypass existing security controls. Deception uses decoys and lures to actively detect and intercept such threats.
“Zscaler Deception helps us detect stealthy attacks and containerize threats so that we can observe how bad actors are behaving and recognize these patterns in the future. We’ve seen a significant reduction in alerting volume since rolling out this capability, and it has been beneficial to our prevention, detection, and response strategy,” said Khan.
Optimizing OT security to maintain uninterrupted operations and compliance
As a federally funded entity, NJ TRANSIT is required to follow government security directives, namely recommendations by the Cybersecurity and Infrastructure Security Agency (CISA). These directives require the organization to assess the security level of IT/OT annually and implement mitigation controls to ensure that those systems are secure. One such system that NJ TRANSIT must monitor for compliance is Positive Train Control (PTC), a collision avoidance system implemented by the federal government and overseen by the Federal Railway Administration (FRA).
NJ TRANSIT has extended ZPA’s agentless zero trust to OT systems such as PTC as well as communication systems. ZPA provides real-time monitoring and data analytics that enhance physical safety and cybersecurity. It further protects OT systems from internet-borne threats by creating a secure segment of one between an authorized user and a specific device.
Slashing ticket volume by 50% to enhance user experience
NJ TRANSIT’s legacy architecture was hindering its mobile-first initiative, generating 250 support tickets per month that cost 60 hours of IT time and 125 hours of user productivity to resolve.
NJ TRANSIT deployed Zscaler Digital Experience (ZDX) to move from reactive troubleshooting to proactive management. By gaining end-to-end visibility, the support team now instantly pinpoints and resolves issues, maximizing user uptime and productivity.
“With Zscaler, we’ve been able to reduce support tickets by 50%,” said Franciscone. “It not only lightens the load for our help desk, it also ensures a seamless user experience.”
Business continuity, efficiency, and flexibility
NJ TRANSIT recognizes that business continuity is a major benefit of the Zero Trust Exchange platform. The security team can now rest assured that the organization will remain secure and operational without interruption, even in the event of unexpected incidents.
“Zscaler’s resiliency and redundancy provides a multitenant, distributed cloud platform that could not be accomplished with traditional build-outs,” said Khan.
Zscaler delivers zero trust communications as a service at the edge, from as close to the end user as possible, so there’s no need to make an extra hop and route users to a distant on-premises data center. Now employees have direct, frictionless access to the resources they need.
Zero trust as a crucial component of a multi-layered defense
Zscaler’s dynamic approach to security has made the organization’s security operations more efficient and effective, thanks to expanded visibility and real-time insights that translate to actionable alerts.
“Zscaler gives us the tools to monitor usage, pinpoint risks, and analyze threat patterns,” said Franciscone. “Best of all, we no longer have to spend time updating, reconfiguring, and maintaining on-premises security appliances. It makes our job so much easier.”
Khan went on to explain how zero trust plays a critical role in NJ TRANSIT’s defense-in-depth approach to security: “We have fully embraced the zero trust principle of ‘never trust, always verify.’ It helps us understand the who, what, and where—the user identity, the device, and the destination or apps users are attempting to access. Through the use of Zscaler, NJ TRANSIT’s data and IT and OT assets are shielded from malware and ransomware threats, supporting our mission to provide a first-rate travel experience.”