High-profile ransomware attacks last year on the Colonial Pipeline and on meat processing vendor JBS Foods caught the attention of businesses and the federal government. The risk of cyberattacks that disrupt public transit systems is growing, experts say. Malware may be lurking in critical safety systems that control the movement of trains, said Amir Levintal, CEO of Cylus.
The Biden administration has taken steps to better protect critical U.S. transportation infrastructure, including passenger railroads and rail transit. The Transportation Security Administration (TSA) imposed new cybersecurity requirements on the owners and operators of surface transportation systems in December.
"We can see a process of the authorities starting to understand the importance of cybersecurity for national security and homeland security in the U.S.," said Levintal, who is a former director of the Cyber R&D division of the Israel Defense Forces' Elite Technological Unit. He co-founded Cylus as a rail cybersecurity company in 2017.
J. Michael Daniel, president and CEO of the nonprofit Cyber Threat Alliance, outlined three kinds of potential threats during a webinar this week hosted by the Eno Center for Transportation. The first two — attempts to steal information and ransomware — are primarily due to criminal organizations, he said.
In the third class of threat, Daniel explained, "A foreign nation might actually have an interest in targeting you for the ability to cause a disruptive or destructive effect to achieve a foreign policy goal."
Cybersecurity breaches in U.S. transit systems have already been identified. In 2018, investigators found 86% of 1,000 hardware devices that Cisco had supplied to San Francisco's Bay Area Rapid Transit system contained "hidden backdoors on the devices, as well as a persistent ‘ping’ where data are sent to a foreign nation hostile to American interests," according to a 2020 report prepared by the Mineta Transportation Institute and San Jose State University. The devices were replaced within 72 hours.
A 2022 report from the National Academy of Sciences notes three cyberattacks on North American public transit systems attributed to foreign states or state-based actors: an April 2021 attack on the New York City Metropolitan Transportation Authority by China-based actors, a May 2020 attack on the Colorado Department of Transportation by Iran-based actors, and a January 2018 attack on the suburban Toronto Metrolinx system by North Korea. It also notes that the December 2020 Sunburst/SolarWinds supply-chain attack, attributed to Russia-based actors, affected an "unknown number of transit agencies."
Daniel pointed out potential threats hidden in software, which can include code from different sources. He suggested that transit cybersecurity efforts include looking at the software supply chain, "so that you actually start to look at and understand where did all the different pieces of this software come from. Where were they assembled? Who had a hand in it?"
Another vulnerability comes when devices are connected across a transit operator's network and there is no separation from the internet, said Ari Schwartz, managing director of cybersecurity services at the law firm Venable, also speaking in the webinar. He explained that hackers can find their way across the network to obtain permissions they shouldn't have.
Even with devices not designed to be connected to the internet, Schwartz said that sometimes people create shortcuts to fix something or make improvements, "So a lot of people don't think stuff is connected to the internet, but it actually is." Companies with large control systems need to regularly test whether those systems are connected to the internet, he said, and if so, to secure them.
Scott Belcher, research associate for the Mineta Transportation Institute and principal investigator of the 2020 study, urged transportation operators to include cybersecurity within a risk management portfolio at the highest level: "an executive that's in the C-suite and … that's reporting regularly to the CEO and to the board of directors." The National Academy report echoes that recommendation.
A heightened focus on cybersecurity under the Biden administration has resulted in a May 2021 executive order, a series of directives and the Jan. 19 National Security Memorandum. "It should not surprise anyone now that's where the federal government is moving, and it's only going to move more in that direction," said Daniel.