If an attacker breaches a transit agency’s systems, the impact could reach far beyond server downtime or leaked emails. Imagine an attack against a transportation authority that manages train and subway routes. The results could be terrible.

Between June of 2020 and June of 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks. In one event, attackers breached the New York Metropolitan Transportation Authority (MTA) systems. Thankfully, no one was harmed, but incidents like these are cause for concern. It’s clear that transport organizations require strong security to keep their systems and passengers safe.

Critical public infrastructure

According to the recent X-Force Threat Intelligence Index, ransomware was the top attack type globally in 2021 for the third year in a row.

The report states, “Malicious insiders emerged as the top attack type against transportation organizations in 2021, making up 29% of attacks on this industry. Ransomware, [remote access Trojans], data theft, credential harvesting and server access attacks all played a role against transportation in 2021 as well.” We’ll return to the theme of ‘malicious insiders’ later.

As part of critical public infrastructure, transportation is uniquely at risk. Most people and businesses depend on transport, whether it’s getting to work on time, sending goods or receiving medical supplies. If an attack disrupts transportation, entire supply chains could come crashing down. Traffic light or rail transit disruption could cause physical harm.

New rules for digital defense

In response to the growing threat, the Department of Homeland Security’s Transportation Security Administration (TSA) announced new cybersecurity requirements for surface transportation owners and operators.

The requirements are for higher risk freight railroads, passenger rail and rail transit. They require owners and operators to:

  1. Designate a cybersecurity coordinator
  2. Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours
  3. Develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption and
  4. Complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.

Motives behind cyberattacks

The motives driving attacks against transport agencies can vary. Intrusive actors may steal information or use ransomware for financial gain. Meanwhile, other attackers might receive support from foreign nations seeking to cause a disruptive or destructive effect to advance foreign policy goals. While any incident may result in systems disruption, foreign attacks may include a higher risk of equipment malfunctions and accidents.

Rogue foreign actors

In the New York MTA attack, the aggressors made no financial demands. Instead, the breach appears to have been part of a recent series of widespread intrusions by skilled attackers. According to FireEye, a private cybersecurity firm that helped find the breach, the intruders were likely backed by the Chinese government.

In late 2018, another attack resulted in a federal grand jury indictment of two men based in Iran. They were accused of holding the Colorado Department of Transportation (CDOT) computer system hostage as part of the SamSam malware scheme. Allegedly, the Iran-based attackers demanded a Bitcoin ransom to decrypt infected CDOT data. The incident caused 1,700 employee computer systems to shut down. It took six weeks and nearly $2 million to get the department’s systems back online.

In the end, the CDOT did not pay the ransom. The state had digital backups which enabled them to restore encrypted data. Also, segmented network operations helped prevent malware from spreading to other departments or agencies. That’s why servers controlling traffic lights or other road systems in Colorado did not feel the impact.

What should transport leaders do?

Given the widespread, ongoing threat against the transport industry, the TSA has developed a toolkit. If we dig into the directives for rail, public transportation and surface transportation, we find that cybersecurity coordination, reporting and response plans are critical. Vulnerability assessment is also a high priority, and the TSA recommends that agencies refer to the NIST Cybersecurity Framework as a guide.

Vulnerability assessment should include Internet of Things (IoT) security as more sensors and devices are deployed in the industry. In order to align the many moving parts and logistics of any transport system, IoT devices are essential. However, device connections are potential points of entry for attackers, and you should also assess this risk.

Transportation attack risk mitigation

Like any organization, transportation agencies are exposed to the threat of cyberattack, but the stakes may be higher. That’s one of the reasons Alejandro Mayorkas, secretary of Homeland Security, said that “ransomware now poses a national security threat.” While the TSA directives address incident response, where can one find advice about risk mitigation?

The X-Force Threat Intelligence Index not only examines the current risk landscape, but it also offers advice on how to reduce the risk of compromise. Some suggestions by the X-Force report to mitigate cyber risk include:

  • Zero Trust: This approach assumes a breach has already occurred and aims to increase the difficulty for an intruder to move throughout a network. Zero trust understands where critical data resides and who has access to this data. Robust verification measures (multifactor authentication, least privilege, identity access management) are deployed throughout a network to ensure only the right people access that data in the right way. This is very important for transport, as nearly a third of agency attacks arise from malicious insiders.

  • Security Automation: With international threats, diverse attack types and multiple layers requiring protection, security automation is essential. Machines complete tasks much faster than any human analyst or team. Automation also helps identify mechanisms for improving workflows.

  • Extended detection & response (XDR): Detection and response technologies that combine several different solutions provide a significant advantage. XDR spots and removes attackers from a network before they reach the final stage of their attack, such as ransomware deployment or data theft.

Keeping transportation safe

Government agency efforts are helping to raise awareness and lower the chances of harm. Individual transport organizations have also taken on the responsibility of protecting their systems and traveler safety. The risk of attack against transport agencies will certainly continue, and passenger safety is of the utmost importance.

More from Risk Management

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

How I got started: Ransomware negotiator

4 min read - Specialized roles in cybersecurity are proliferating, which isn’t surprising given the evolving threat landscape and the devastating impact of ransomware on many businesses.Among these roles, ransomware negotiators are becoming more and more crucial. These negotiators operate on the front lines of cyber defense, engaging directly with cyber criminals to mitigate the impact of ransomware attacks on organizations.Ransomware negotiators possess a unique blend of technical expertise, psychological insight and negotiation skills that allow them to navigate the high-stakes environment of ransomware…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today