On November 25, 2016, San Francisco’s Muni rail system fell victim to a cyberattack. A hacker broke into the network, locking Muni out of its own systems and demanding a ransom of 100 Bitcoin (about $73,000). Muni responded by turning off payment machines to protect customer data for several days while it recovered. Operations were back to normal by Monday, and it appears that no sensitive data was compromised in the breach. But the attack could have been much worse, and serves as a reminder of the vulnerability transit agencies face in the digital age.
The Cybersecurity Threat
As transit agencies become increasingly reliant on information technology, the risks of cyberattacks soar. This is compounded by the fact that transit involves a large number of interdependent systems and, at many agencies, poorly maintained technology. Once a hacker gains access to an agency’s systems, they can exploit this access in a variety of ways. The Muni hacker simply encrypted the system and demanded money to unlock it, a process known as ransomware. More serious attacks can involve stealing private customer or agency data or sabotaging operations.
Layers of Vulnerability
The information ecosystem of a transit agency consists of three main layers: operational systems, enterprise information systems, and managed systems. Each of these three layers needs to be secured, as well as the connections between them.
- Operational systems - Hackers could do the most serious damage by accessing supervisory control and data acquisition (SCADA) and train control systems. While these systems aren’t directly linked to the internet, they interface with information technology in ways that keeps them from being totally secure.
- Enterprise information systems - User-interfaced applications like email and web browsers pose greatest risk to agency security. To a lesser extent, operating and enterprise systems can be compromised.
- Subscribed systems - Transit agencies use a variety of externally managed systems for payroll, data processing, and more. It’s vital that the agency ensure its third-party vendors are keeping proper security measures in place.
Protecting an agency’s IT is a multifaceted process. There are simple steps that an agency can take to increase its security. But to most effectively guard itself, an agency must create proactive, top-down practices that create an institutional culture of information security.
- Governance - Good security starts with good governance. Cybersecurity is too important to leave to the IT department. Senior management must engage in an organized practice of cybersecurity to guide the agency.
- IT infrastructure - IT hardware and software are the most obvious target of cyberattacks. Protecting hardware requires creating agency-wide security practices for everything from major servers to employee USB drives. The easiest way to keep software secure is to keep it updated. The Muni hacker operates by scanning the web for software vulnerabilities to exploit. Developers are constantly working to patch these flaws, but these patches are only effective if the agency makes sure to download them.
- People - People are the most vulnerable part of any security system. One of the easiest ways for a hacker to get access to a system is by getting a user to click a compromised link in an email or on a website. Fail-safe measures such as application whitelisting, restricting access to administrator accounts, and disabling macro scripts for emailed files can account for human error, but the best defense is to train employees to look out for these sorts of attacks.
- Facilities - Cyberattacks aren’t just conducted over the internet; hackers can also target physical hardware. Transit agencies should limit access to sensitive areas like server rooms, enact policies controlling physical media that interfaces with agency hardware, and ensure that vital utilities have redundancies.
Addressing cyberthreats on a case-by-base basis is inefficient, but it can also lead to inconsistencies that allow problems to slip through. Senior leadership at an agency should include cybersecurity standards into the agency’s overall risk management strategy to ensure that information security systems at all levels are coordinated towards one set of security goals. The International Organization for Standardization has created detailed risk management guidelines that an agency can follow in integrating information security with their risk management strategy.
Hackers evolve rapidly, constantly finding ways to outsmart even the best security systems. No matter how good an agency’s security practices are, there will always be risk. In the event of an attack, an agency must have contingency plans in place that allow it to recover. An agency should create concrete plans to deal with various aspects of recovery, such as incident response, business continuity, and communications strategies.
The single most important step a transit agency can take in protecting its system is to keep backups of everything. In the case of the Muni attack, the agency was able to restore operations without paying a ransom because it had backups of the systems it was locked out of. These should ideally be stored offline, and definitely should not be connected to the systems they are backing up. By keeping the backup on a separate network, an agency can keep it from being compromised in the attack it is meant to help recover from.
The Muni hack serves as a wakeup call to transit agencies - cyberattacks are a serious threat. The damage caused by this attack was relatively minor, but it’s easy to imagine a much more catastrophic event. Hackers have the ability to steal confidential data and cause massive system outages. Transit agencies must take this threat seriously and create institutional systems fostering both security from attacks and resiliency in the event that an attack occurs.
- Stewart, J. "SF's Transit Hack Could've Been Way Worse - and Cities Must Prepare." Wired. 2016, November 28.
- American Public Transportation Association. "Cybersecurity Considerations for Public Transit." 2014.
- Federal Bureau of Investigation. "Ransomware Victims Urged to Report Infections to Federal Law Enforcement." 2016, September 15.
- Krebs, B. "San Francisco Rail System Hacker Hacked." KrebsonSecurity. 2016, November 29.
- This APTA report provides more detailed descriptions of how transit agencies can protect their control and communications systems from cyberattacks.
- In 2013 President Barack Obama called for the creation of a national cybersecurity framework to protect our nation's infrastructure. The resulting document lays out best practices for integrating cybersecurity practices with industry operations.
- This toolkit provides an assortment of resources that transportation operators can use in managing their information security risks.
- SCADA networks are often thought to be relatively safe from cyberattacks, but they are by no means immune. This Department of Energy report outlines ways in which transit agencies can protect these vital systems.