May 17, 2022 By Jonathan Reed 4 min read

If an attacker breaches a transit agency’s systems, the impact could reach far beyond server downtime or leaked emails. Imagine an attack against a transportation authority that manages train and subway routes. The results could be terrible.

Between June of 2020 and June of 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks. In one event, attackers breached the New York Metropolitan Transportation Authority (MTA) systems. Thankfully, no one was harmed, but incidents like these are cause for concern. It’s clear that transport organizations require strong security to keep their systems and passengers safe.

Critical Public Infrastructure

According to the recent X-Force Threat Intelligence Index, ransomware was the top attack type globally in 2021 for the third year in a row.

The report states, “Malicious insiders emerged as the top attack type against transportation organizations in 2021, making up 29% of attacks on this industry. Ransomware, [remote access Trojans], data theft, credential harvesting and server access attacks all played a role against transportation in 2021 as well.” We’ll return to the theme of ‘malicious insiders’ later.

As part of critical public infrastructure, transportation is uniquely at risk. Most people and businesses depend on transport, whether it’s getting to work on time, sending goods or receiving medical supplies. If an attack disrupts transportation, entire supply chains could come crashing down. Traffic light or rail transit disruption could cause physical harm.

New Rules for Digital Defense

In response to the growing threat, the Department of Homeland Security’s Transportation Security Administration (TSA) announced new cybersecurity requirements for surface transportation owners and operators.

The requirements are for higher risk freight railroads, passenger rail and rail transit. They require owners and operators to:

  1. Designate a cybersecurity coordinator
  2. Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours
  3. Develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption and
  4. Complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.

Motives Behind Cyberattacks

The motives driving attacks against transport agencies can vary. Intrusive actors may steal information or use ransomware for financial gain. Meanwhile, other attackers might receive support from foreign nations seeking to cause a disruptive or destructive effect to advance foreign policy goals. While any incident may result in systems disruption, foreign attacks may include a higher risk of equipment malfunctions and accidents.

Rogue Foreign Actors

In the New York MTA attack, the aggressors made no financial demands. Instead, the breach appears to have been part of a recent series of widespread intrusions by skilled attackers. According to FireEye, a private cybersecurity firm that helped find the breach, the intruders were likely backed by the Chinese government.

In late 2018, another attack resulted in a federal grand jury indictment of two men based in Iran. They were accused of holding the Colorado Department of Transportation (CDOT) computer system hostage as part of the SamSam malware scheme. Allegedly, the Iran-based attackers demanded a Bitcoin ransom to decrypt infected CDOT data. The incident caused 1,700 employee computer systems to shut down. It took six weeks and nearly $2 million to get the department’s systems back online.

In the end, the CDOT did not pay the ransom. The state had digital backups which enabled them to restore encrypted data. Also, segmented network operations helped prevent malware from spreading to other departments or agencies. That’s why servers controlling traffic lights or other road systems in Colorado did not feel the impact.

What Should Transport Leaders Do?

Given the widespread, ongoing threat against the transport industry, the TSA has developed a toolkit. If we dig into the directives for rail, public transportation and surface transportation, we find that cybersecurity coordination, reporting and response plans are critical. Vulnerability assessment is also a high priority, and the TSA recommends that agencies refer to the NIST Cybersecurity Framework as a guide.

Vulnerability assessment should include Internet of Things (IoT) security as more sensors and devices are deployed in the industry. In order to align the many moving parts and logistics of any transport system, IoT devices are essential. However, device connections are potential points of entry for attackers, and you should also assess this risk.

Transportation Attack Risk Mitigation

Like any organization, transportation agencies are exposed to the threat of cyberattack, but the stakes may be higher. That’s one of the reasons Alejandro Mayorkas, secretary of Homeland Security, said that “ransomware now poses a national security threat.” While the TSA directives address incident response, where can one find advice about risk mitigation?

The X-Force Threat Intelligence Index not only examines the current risk landscape, but it also offers advice on how to reduce the risk of compromise. Some suggestions by the X-Force report to mitigate cyber risk include:

  • Zero Trust: This approach assumes a breach has already occurred and aims to increase the difficulty for an intruder to move throughout a network. Zero trust understands where critical data resides and who has access to this data. Robust verification measures (multifactor authentication, least privilege, identity access management) are deployed throughout a network to ensure only the right people access that data in the right way. This is very important for transport, as nearly a third of agency attacks arise from malicious insiders.

  • Security Automation: With international threats, diverse attack types and multiple layers requiring protection, security automation is essential. Machines complete tasks much faster than any human analyst or team. Automation also helps identify mechanisms for improving workflows.

  • Extended detection & response (XDR): Detection and response technologies that combine several different solutions provide a significant advantage. XDR spots and removes attackers from a network before they reach the final stage of their attack, such as ransomware deployment or data theft.

Keeping Transportation Safe

Government agency efforts are helping to raise awareness and lower the chances of harm. Individual transport organizations have also taken on the responsibility of protecting their systems and traveler safety. The risk of attack against transport agencies will certainly continue, and passenger safety is of the utmost importance.

More from Mainframe

Low-Code Is Easy, But Is It Secure?

4 min read - Low-code and no-code solutions are awesome. Why? With limited or no programming experience, you can quickly create software using a visual dashboard. This amounts to huge time and money savings. But with all this software out there, security experts worry about the risks. The global low-code platform market revenue was valued at nearly $13 billion in 2020. The market is forecast to reach over $47 billion in 2025 and $65 billion in 2027 with a CAGR of 26.1%. Very few,…

Starting From Scratch: How to Build a Small Business Cybersecurity Program

4 min read - When you run a small business, outsourcing for services like IT and security makes a lot of sense. While you might not have the budget for a full-time professional on staff to do these jobs, you still need the services.However, while it might be helpful to have a managed service provider handle your software and computing issues, cybersecurity for small and medium businesses (SMBs) also requires a personal, hands-on approach. While you can continue to outsource some areas of cybersecurity,…

A Journey in Organizational Resilience: Supply Chain and Third Parties

4 min read - The next stop on our journey focuses on those that you rely on: supply chains and third parties.  Working with external partners can be difficult. But, there is a silver lining. Recent attacks have resulted in an industry wake-up call when it comes to cybersecurity resilience. You see, the purpose of using external partners is to take advantage of a capability that your organization did not have, or the vendor was just better at than you. In turn, there was…

Cybersecurity Trends and Emerging Threats in 2021

4 min read - The year 2021 is finally here, bringing with it the promise of a brighter future — but a long road ahead. In this piece, we’ll dive into five cybersecurity trends that pose significant potential risk in 2021 and offer practical advice to help entities reduce overall risk. The first quarter of 2021 represents a cybersecurity crossroads. Business owners may be shifting staff back into the office and managing the risks and rewards of remote work at the same time. For malicious actors,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today