According to a study by the University of Maryland, a cyber-attack happens every 39 seconds, and these attacks are often preventable when the correct measures are in place. As mass transit systems become more IP-enabled and connected to the internet, these attacks are on the rise.
Transportation relates to more than just moving people. With COVID-19, transportation services were increasingly relied upon to deliver everything from food and medicine to other vital services. COVID-19 also forced companies to pivot to remote work and a culture of working from anywhere. This transition required remote worker access to critical company computing systems via Virtual Private Networks (VPNs) and internet of things (IoT) portals, which opened up an array of gateways for hacking incidents to occur.
Recent Transportation Cyber-Attacks and Lessons Learned
At the heart of any functioning transportation system is reliable access to fuel. The recent cyberattack on the Colonial Pipeline, one of the largest private fuel pipeline operators in the United States and the supplier of approximately 45 percent of the fuel on the East Coast, highlighted the problem. A compromised network password led to a ransomware attack and shutdown of the pipeline, creating fuel shortages that greatly impacted East Coast transportation operations.
The attackers targeted the business side of the pipeline operations, making it clear that their motivation was money. However, had they targeted the operations side of the business, the crisis could have stretched beyond a single week. While a third-party security organization was hired to determine the source of the breach, the company did pay $5 million to the attackers to restore its systems.
Following the Colonial Pipeline incident, the Department of Homeland Security (DHS) issued new cybersecurity standards, but some of these standards will take time and money to implement, which Colonial says it is doing.
The Colonial Pipeline hack is just one of many recent incidents impacting the North American transportation system. The San Francisco Municipal Transportation Agency suffered a ransomware attack on 2,000 computers. Toronto suffered a similar attack on its subway system, directly impacting control operations. And the Martha’s Vineyard ferry service endured a ransomware attack in June of 2021.
The largest takeaway from these attacks? Mass transit systems responsible for transporting 34 million passengers a day are targets for increased cyberattacks and offer hackers and other bad actors a potential gold mine of opportunity.
Prevention and New Guidelines
One of the issues for transportation organizations is a lack of funding and internal/external staffing resources required for deploying a robust cybersecurity plan and defense against unwanted cyberattacks. While transportation network systems are becoming increasingly IP connected, they often use over-the-counter virus and cybersecurity software and firewalls that don’t offer the security protection they need.
As a result, the Cybersecurity and Infrastructure Security Agency (CISA) has instituted new rules: all pipeline operators need to have a Cybersecurity Coordinator who can be reached 24/7 in the event of any incident. In June of 2021, all pipeline operators had to report to CISA and the Transportation Security Administration (TSA) on the current state and protection of their systems and what their plans were for correcting any deficiencies.
By October, the TSA also went beyond mandates for pipelines and implemented guidelines for all the major rail systems, including Amtrak and larger transit and subway systems like those in New York, Washington, D.C., and even Chicago. Regulations include requirements to have a cybersecurity response contact, to report all breaches to CISA and to have an incident recovery plan.
Some feel that these regulations don’t go far enough. Bad actors continue to develop more sophisticated ways to attack vulnerable systems, and they include not only nation-states who intend to threaten national confidence and security, but criminal hackers and cybercriminals who are more motivated by money and ransom than the actual disruption of transportation systems.
It is important that private companies, cities, states and regulators at the highest federal levels all understand the threat to various systems, and the ways those threats can be mitigated. These areas include:
- Rail systems - responsible for transportation of people, food, medication and other vital goods and supplies.
- Mass transit - the systems responsible for transporting millions of passengers every day.
- Maritime and Ports - vital for our freight, logistics, and consumer goods transport.
- Aviation - responsible for moving hundreds of millions of people daily along with an increasing amount of goods and freight. It is also increasingly vulnerable to attack, as noted by recent cyber incidents involving Delta and Southwest Airlines.
- Ground Freight, Logistics and other Fleet Operations - increasingly “going digital” with everything from manifests to driver logs, load routing and more.
What’s the solution here? For each aspect of transportation that could potentially be impacted, a comprehensive cybersecurity plan must be developed and implemented.
The Impact of the Private Cybersecurity Sector on Mass Transit
Fortunately for mass transit and transportation companies of all sizes, there is no need to reinvent the cybersecurity wheel. Other highly regulated industries such as healthcare and financial services are already taking steps to develop more comprehensive cybersecurity measures that can be applied for the benefit of the transportation industry:
- Assess the organization using industry-standard frameworks to baseline the current state of maturity. Identify gaps, vulnerabilities and threats to quantify organizational risk.
- Establish goals and milestones as part of an overall plan.
- Formalize policies, standards, roles and responsibilities in case of an attack.
- Assess and track risk until remediated.
- Fully implement and enforce processes and new procedures.
- Engage third-party expertise to identify and fill any talent or skill gaps.
With new directives and policies in place and evolving as the need arises, for many mass transit systems, it makes sense to find a trusted third-party partner. It’s simpler and in many cases less costly than developing and hiring for a cybersecurity department from the ground up. Just be sure the company you work with is familiar with the unique challenges of mass transit system cybersecurity and has the agility to pivot as both threats and security systems evolve.
Think your transportation system is prepared for a cybersecurity breach? It’s time to think again, but not to stop there. It’s time to be proactive before you’re forced into a costly reaction.
Jason Stokes is chief information security officer (CISO) and vice president, Security Services at Secuvant, LLC.
Chris Barker is a Secuvant Executive Board Member, Transportation and smart cities advisor.