If an attacker breaches a transit agency’s systems, the impact could reach far beyond server downtime or leaked emails. Imagine an attack against a transportation authority that manages train and subway routes: the consequences could be physical as well as digital.

Between June of 2020 and June of 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks. In one event, attackers breached the New York Metropolitan Transportation Authority (MTA) systems. Thankfully, no one was harmed, but incidents like these are cause for concern. It’s clear that transport organizations require strong security to keep their systems and passengers safe.

Critical public infrastructure

According to the recent X-Force Threat Intelligence Index, ransomware was the top attack type globally in 2021 for the third year in a row.

The report states, “Malicious insiders emerged as the top attack type against transportation organizations in 2021, making up 29% of attacks on this industry. Ransomware, [remote access Trojans], data theft, credential harvesting and server access attacks all played a role against transportation in 2021 as well.” We’ll return to the theme of ‘malicious insiders’ later.

As part of critical public infrastructure, transportation is uniquely at risk. Most people and businesses depend on transport, whether it’s getting to work on time, sending goods or receiving medical supplies. If an attack disrupts transportation, entire supply chains could come crashing down. Traffic light or rail transit disruption could cause physical harm.

New rules for digital defense

In response to the growing threat, the Department of Homeland Security’s Transportation Security Administration (TSA) announced new cybersecurity requirements for surface transportation owners and operators.

The requirements apply to higher-risk freight railroads, passenger rail and rail transit. They require owners and operators to:

  1. Designate a cybersecurity coordinator
  2. Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours
  3. Develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption and
  4. Complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.

Motives behind cyberattacks

The motives driving attacks against transport agencies vary. Some intruders steal information or deploy ransomware for financial gain. Others may be backed by foreign nations seeking to cause disruption or destruction in order to advance foreign policy goals. While any incident may disrupt systems, state-backed attacks may carry a higher risk of equipment malfunctions and accidents.

Rogue foreign actors

In the New York MTA attack, the aggressors made no financial demands. Instead, the breach appears to have been part of a recent series of widespread intrusions by skilled attackers. According to FireEye, a private cybersecurity firm that helped find the breach, the intruders were likely backed by the Chinese government.

In late 2018, another attack resulted in a federal grand jury indictment of two men based in Iran. They were accused of holding the Colorado Department of Transportation (CDOT) computer system hostage as part of the SamSam malware scheme. Allegedly, the Iran-based attackers demanded a Bitcoin ransom to decrypt infected CDOT data. The incident caused 1,700 employee computer systems to shut down. It took six weeks and nearly $2 million to get the department’s systems back online.

In the end, the CDOT did not pay the ransom. The state had digital backups, which enabled it to restore the encrypted data. Segmented network operations also helped prevent the malware from spreading to other departments or agencies. That is why servers controlling traffic lights and other road systems in Colorado were not affected.

What should transport leaders do?

Given the widespread, ongoing threat against the transport industry, the TSA has developed a toolkit. If we dig into the directives for rail, public transportation and surface transportation, we find that cybersecurity coordination, reporting and response plans are critical. Vulnerability assessment is also a high priority, and the TSA recommends that agencies refer to the NIST Cybersecurity Framework as a guide.

Vulnerability assessment should include Internet of Things (IoT) security, as more sensors and devices are deployed across the industry. IoT devices are essential for coordinating the many moving parts and logistics of any transport system. However, every device connection is a potential point of entry for attackers, so this risk should be assessed as well.

Transportation attack risk mitigation

Like any organization, transportation agencies are exposed to the threat of cyberattack, but the stakes may be higher. That’s one of the reasons Alejandro Mayorkas, secretary of Homeland Security, said that “ransomware now poses a national security threat.” While the TSA directives address incident response, where can one find advice about risk mitigation?

The X-Force Threat Intelligence Index not only examines the current risk landscape but also offers advice on how to reduce the risk of compromise. Some of the report’s suggestions for mitigating cyber risk include:

  • Zero Trust: This approach assumes a breach has already occurred and aims to make it harder for an intruder to move through a network. A zero trust program starts by knowing where critical data resides and who has access to it. Robust verification measures (multifactor authentication, least privilege, identity and access management) are then deployed throughout the network to ensure that only the right people access that data, and only in the right way. This is especially important for transport, where nearly a third of attacks on agencies arise from malicious insiders.

  • Security Automation: With international threats, diverse attack types and multiple layers requiring protection, security automation is essential. Machines complete routine tasks far faster than any human analyst or team, and automation also helps identify ways to improve workflows.

  • Extended detection & response (XDR): Detection and response technologies that combine several different solutions provide a significant advantage. XDR spots and removes attackers from a network before they reach the final stage of their attack, such as ransomware deployment or data theft.

Keeping transportation safe

Government agency efforts are helping to raise awareness and lower the chances of harm. Individual transport organizations have also taken on the responsibility of protecting their systems and traveler safety. The risk of attack against transport agencies will certainly continue, and passenger safety is of the utmost importance.
