A report from the Washington Metropolitan Area Transit Authority (WMATA) Office of Inspector General (OIG) recommends the authority should “immediately establish security controls for restricting access to its data at all levels” after the inspector general’s office determined the authority had “failed in its Information Technology (IT) responsibilities by not implementing basic IT policy changes and an IT governance framework.”
The report was produced amid an investigation into abnormal network activity discovered in January 2023 by WMATA’s cyber security group that was determined to be from a former WMATA contractor, who remotely accessed a personal computer in Russia and used his still active WMATA credentials to breach “a sensitive WMATA directory.” The reports notes the former contractor’s credentials remained active because his supervisor hoped his contract would be renewed. The report includes the former contractor was hired through a U.S. company, and he worked on “sensitive WMATA applications and systems,” which includes WMATA’s SmarTrip® fare payment system.
In a 2022 cybersecurity audit by WMATA OIG, the office noted one of its “gravest concerns” was the use of foreign national contractors, who supported sensitive applications and systems from Russia. The report explains background investigations are outsourced for individual contractors, and OIG found 37 percent of the background investigations used the same last four digits of a social security number.
The investigation into the January 2023 breach continues, and WMATA OIG explained the report was needed to elevate the “multitude of IT-related critical recommendations, policy violations and unsound IT practices that continue to plague WMATA.”
WMATA OIG’s additional concerns and recommendations
The report, which is lightly redacted, brought up concerns with several other aspects of WMATA’s IT practices, including possibly cybersecurity vulnerabilities of a certain train, the specifics of which were redacted, a lack of encryption of WMATA-owned mobile devices, vulnerabilities in certain access controls, management of IT assets, non-adherence to cybersecurity assessment or provisions in certain procurements, confusion in roles concerning vulnerability management procedures and a disconnect between IT infrastructure and cyber staff.
The report includes 14 recommendations aimed at empowering WMATA’s cybersecurity professionals, fills gaps in processes concerning contractors who support the authority from outside the U.S., address issues and recommendations previously made in Corrective Action Plans (CAPs) and taking an inventory of IT assets and devices connected to the authority’s network.
WMATA’s work to correct vulnerabilities
In response, WMATA says the report failed to recognize improvements its IT department has made, which includes closing 142 out of 168 CAPs since 2019.
Following the January 2023 discovery of suspicious activity, the authority also retained and directed the Microsoft Detection and Response Team to investigate the activity. WMATA reports the Microsoft team found there was no concrete indication the contents of its OneDrive were synchronized to the device in Russia, ongoing malicious activity was not observed and the Microsoft team identified opportunities to improve the authority’s IT network cyber resiliency.
WMATA also noted it was one of the first agencies to perform a penetration test of rolling stock and is developing a corrective plan to address potential vulnerabilities with certain trains. The authority’s IT department is utilizing Zero Trust Architecture principles to modernize and improve the security of its digital assets and data. Additionally, the IT department will be integrating various data sources into a single tool to develop a Configuration Management Database that will provide a single source to identify the physical and virtual location of an asset.
WMATA also included six points of action the IT department is taking to address the matters included in the OIG’s report.
WMATA recognized the protection of its digital assets and sensitive data is important and explained efforts to secure those assets and data “must be balanced with the ability of the authority to operate the Metro system.”
