WMATA Inspector General brings attention to WMATA’s cybersecurity vulnerabilities

May 18, 2023
In a new report, the inspector general’s office details what it believes to be ‘unsound IT practices’ and makes recommendations on how the authority can mitigate cyber risk.

A report from the Washington Metropolitan Area Transit Authority (WMATA) Office of Inspector General (OIG) recommends the authority should “immediately establish security controls for restricting access to its data at all levels” after the inspector general’s office determined the authority had “failed in its Information Technology (IT) responsibilities by not implementing basic IT policy changes and an IT governance framework.”

The report was produced amid an investigation into abnormal network activity discovered in January 2023 by WMATA’s cyber security group that was determined to be from a former WMATA contractor, who remotely accessed a personal computer in Russia and used his still active WMATA credentials to breach “a sensitive WMATA directory.” The reports notes the former contractor’s credentials remained active because his supervisor hoped his contract would be renewed. The report includes the former contractor was hired through a U.S. company, and he worked on “sensitive WMATA applications and systems,” which includes WMATA’s SmarTrip® fare payment system.

In a 2022 cybersecurity audit by WMATA OIG, the office noted one of its “gravest concerns” was the use of foreign national contractors, who supported sensitive applications and systems from Russia. The report explains background investigations are outsourced for individual contractors, and OIG found 37 percent of the background investigations used the same last four digits of a social security number.

The investigation into the January 2023 breach continues, and WMATA OIG explained the report was needed to elevate the “multitude of IT-related critical recommendations, policy violations and unsound IT practices that continue to plague WMATA.”

WMATA OIG’s additional concerns and recommendations

The report, which is lightly redacted, brought up concerns with several other aspects of WMATA’s IT practices, including possibly cybersecurity vulnerabilities of a certain train, the specifics of which were redacted, a lack of encryption of WMATA-owned mobile devices, vulnerabilities in certain access controls, management of IT assets, non-adherence to cybersecurity assessment or provisions in certain procurements, confusion in roles concerning vulnerability management procedures and a disconnect between IT infrastructure and cyber staff.

The report includes 14 recommendations aimed at empowering WMATA’s cybersecurity professionals, fills gaps in processes concerning contractors who support the authority from outside the U.S., address issues and recommendations previously made in Corrective Action Plans (CAPs) and taking an inventory of IT assets and devices connected to the authority’s network.

WMATA’s work to correct vulnerabilities

In response, WMATA says the report failed to recognize improvements its IT department has made, which includes closing 142 out of 168 CAPs since 2019.

Following the January 2023 discovery of suspicious activity, the authority also retained and directed the Microsoft Detection and Response Team to investigate the activity. WMATA reports the Microsoft team found there was no concrete indication the contents of its OneDrive were synchronized to the device in Russia, ongoing malicious activity was not observed and the Microsoft team identified opportunities to improve the authority’s IT network cyber resiliency.

WMATA also noted it was one of the first agencies to perform a penetration test of rolling stock and is developing a corrective plan to address potential vulnerabilities with certain trains. The authority’s IT department is utilizing Zero Trust Architecture principles to modernize and improve the security of its digital assets and data. Additionally, the IT department will be integrating various data sources into a single tool to develop a Configuration Management Database that will provide a single source to identify the physical and virtual location of an asset.

WMATA also included six points of action the IT department is taking to address the matters included in the OIG’s report.

WMATA recognized the protection of its digital assets and sensitive data is important and explained efforts to secure those assets and data “must be balanced with the ability of the authority to operate the Metro system.”

About the Author

Mischa Wanek-Libman | Group Editorial Director

Mischa Wanek-Libman serves as editor in chief of Mass Transit magazine and group editorial director of the Infrastructure and Aviation Group at Endeavor Business Media. She is responsible for developing and maintaining the editorial direction of the group and is based in the western suburbs of Chicago.

Wanek-Libman has spent more than 20 years covering transportation issues including construction projects and engineering challenges for various commuter railroads and transit agencies. She has been recognized for editorial excellence through her individual work, as well as for collaborative content. 

She is an active member of the American Public Transportation Association's Marketing and Communications Committee and serves as a Board Observer on the National Railroad Construction and Maintenance Association (NRC) Board of Directors.  

She is a graduate of Drake University, where she earned a Bachelor of Arts degree in Journalism and Mass Communication with a major in magazine journalism and a minor in business management.