The constantly evolving tools and methods of cyber attackers have resulted in specific industries becoming the unfortunate subjects of sudden upswings in incident volume and severity. In recent years, for example, we’ve seen waves of ransomware attacks in healthcare and large-scale customer data breaches in technology. So, this trend raises the question: who’s next? Which unlucky industry will be the latest target caught in the crosshairs of cyber attackers? Unfortunately, there are several reasons to believe that mass transit will be the next casualty, and the potential for damage is quite serious.
1. What Makes Mass Transit So Vulnerable?
Supervisory control and data acquisition (SCADA) systems control the physical automation that coordinates mass transit. Some of these systems have been in operation since the 1970s, and needless to say, they were not designed with modern cybersecurity in mind. SCADA systems were intended to be kept separate from networked enterprise systems, but convenience has triumphed over security, and they are now often connected to the business network to save time and resources. At the same time, SCADA systems are well known as vulnerable targets in hacker communities, and the methods for attacking them are widely shared online.
A 2017 IOActive white paper, titled SCADA and Mobile Security in the Internet of Things Era, raised the issue of another weakness in SCADA systems: the mobile apps with which they interface. Comparing the apps against the OWASP Top Ten Mobile risks, the researchers found 147 vulnerabilities across the 34 apps they analyzed. An attacker could use these apps to manipulate transit operators into taking dangerous actions, or even to directly influence SCADA systems, such as digital switches controlling railways.
Other Legacy Systems
A Department of Homeland Security report found elevated risk in transportation due to the aging infrastructure used across the industry. These legacy systems are not limited to SCADA. The industry as a whole has moved towards network-enabled “intelligent public transport” (IPT) but has simultaneously been slow to phase out aging systems. Additionally, mass transit systems rely heavily on networked devices for positioning, routing, tracking, access controls, navigation, and more. These devices deliver faster, more automated transit systems, but they must also be recognized as additional access points into the system that require oversight and protection.
2. Potential for Terrorist and Criminal Attacks
Unlike most industries, where the potential consequences of poor cybersecurity are largely financial or privacy-driven, an attack on a public transit system has the potential to be lethal. Vulnerable SCADA systems could be hijacked by terrorists or cyber-criminals to cause derailing or collisions. While this nightmare scenario has not yet occurred, there have been numerous incidents involving mass transit and other SCADA-dependent industries that paint a clear picture of how it could happen:
● In late 2016, riders of San Francisco’s Muni transit system rode for free for a weekend, after a ransomware attack against the San Francisco Municipal Transportation Agency (SFMTA). On the surface, this was a relatively benign incident, but if a single hacker looking to make a quick buck could penetrate a major transit authority’s system, you can expect a state-sponsored or cyberterrorist attack to be much more severe.
● In 2016, there were multiple attacks against metro and train control systems in South Korea, suspected to be from North Korean hackers.
● In December 2015, a Massachusetts Bay Transportation Authority train travelled five stations without an operator controlling it. Hacking was never confirmed to be the cause but is widely suspected.
● In December 2015, attackers in Ukraine cut off electricity to more than 230,000 people. Once inside the system, they overwrote the controls, rendering them unusable. This incident demonstrates the possibility for hackers to target both a system and the means for recovering it.
3. How to Prepare
The consequences of a significant cyber-attack against a mass transit system will go well beyond a few fines and bad publicity. Even for an attack that only succeeds in stealing data, the American Public Transportation Association (APTA) has warned that it could amount to compliance violations under HIPAA, PCI DSS, the Patriot Act, and more. To prevent this, the recommendations provided by the Department of Homeland Security (DHS) and the APTA stress the importance of “defense-in-depth”, meaning multiple layers of security to protect against future attacks. Strong compliance and audit programs are complements to—and not substitutes for—this type of robust multi-layer defense. With the stakes so high, and the volume of incidents on the rise, what more can transit authorities do to minimize the damage?
Identify Critical Assets
In order to protect their operations, transit authorities need to understand which assets will cause the most damage if compromised. Evidently, some transit authorities lack a clear picture of where they are vulnerable. This was shown in the San Francisco Municipal Transportation Agency hack, where the agency did not grasp how a simple data breach could hold its entire fare system hostage.
Manage Patches and Vulnerabilities
Networked devices, like the ones used for mass transit, are especially notorious for running obsolete operating systems that are easy targets for attacks. Transit authorities should ensure that they have solid centralized management of patches and updates for all systems.
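The two recommendations above, identifying critical assets and centrally managing patches, come together in one practical artifact: an asset inventory that records each system's safety impact, vendor support status, patch backlog and network exposure, and that is then used to rank remediation. The script below is an added illustration written for this post, not code from the article, the DHS or APTA guidance, or any transit agency. The inventory, the scoring weights, the device names and the review date are all constructed for the example; a real agency would populate the same fields from its own configuration management and vulnerability scanning data. It also flags the segmentation problem described earlier, control systems that are reachable from the enterprise network.

```python
from dataclasses import dataclass
from datetime import date

# Constructed review date for the example (not from the article)
AS_OF = date(2024, 1, 1)


@dataclass
class Asset:
    name: str
    zone: str                  # "ot" (control network), "enterprise", or "dmz"
    os: str
    os_end_of_support: date    # vendor end-of-support date
    pending_patches: int       # unapplied vendor security patches
    safety_critical: bool      # compromise could endanger riders (signalling, interlocking)
    reachable_from: tuple      # network zones with a route to this asset


# Constructed sample inventory for a hypothetical transit agency
INVENTORY = [
    Asset("interlocking-plc-01", "ot", "vendor RTOS 2.1", date(2015, 6, 30), 0, True, ("ot", "enterprise")),
    Asset("scada-hmi-02", "ot", "Windows 7", date(2020, 1, 14), 4, True, ("ot",)),
    Asset("fare-gateway-01", "dmz", "Windows Server 2019", date(2029, 1, 9), 2, False, ("dmz", "enterprise")),
    Asset("ticket-vm-117", "enterprise", "Windows XP Embedded", date(2016, 1, 12), 0, False, ("enterprise",)),
    Asset("dispatch-ws-09", "enterprise", "Windows 10", date(2025, 10, 14), 1, False, ("enterprise",)),
]


def risk_score(asset, today=AS_OF):
    """Additive score: safety impact dominates, then unsupported OS,
    then exposure of a control system to the business network, then patch backlog."""
    score = 0
    if asset.safety_critical:
        score += 100
    if asset.os_end_of_support < today:
        # No vendor fixes will ever arrive: needs compensating controls or replacement
        score += 50
    if asset.zone == "ot" and "enterprise" in asset.reachable_from:
        score += 30
    score += min(asset.pending_patches, 10) * 5
    return score


def prioritize_patching(assets=INVENTORY, today=AS_OF):
    """Return (name, score) pairs, highest risk first, to drive the patch/replace schedule."""
    ranked = sorted(assets, key=lambda a: risk_score(a, today), reverse=True)
    return [(a.name, risk_score(a, today)) for a in ranked]


def unsupported_systems(assets=INVENTORY, today=AS_OF):
    """Assets whose OS is past vendor support and can no longer be patched at all."""
    return sorted(a.name for a in assets if a.os_end_of_support < today)


def flat_network_exposures(assets=INVENTORY):
    """Control-network assets reachable from the enterprise zone, i.e. segmentation gaps."""
    return sorted(a.name for a in assets if a.zone == "ot" and "enterprise" in a.reachable_from)


if __name__ == "__main__":
    print("Remediation priority:")
    for name, score in prioritize_patching():
        print(f"  {score:4d}  {name}")
    print("Past end of support:", ", ".join(unsupported_systems()))
    print("OT assets reachable from enterprise:", ", ".join(flat_network_exposures()))
```

The output places the interlocking controller first even though it has no pending patches: it is safety-critical, unsupported, and exposed to the enterprise network, so the remediation is segmentation and replacement rather than patching. The ticket vending machine, which is equally unpatchable but neither safety-critical nor exposed, ranks below the HMI but above the supported servers, which is the kind of distinction a centralized patch program needs in order to spend scarce maintenance windows where they matter.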
Prepare for the Inevitable
It’s important to establish a strong incident response plan in order to minimize damage. There are several resources on which a transit authority could base its incident response plan, including documents from the DHS, APTA, and the European Union Agency for Network and Information Security. There are also industry-agnostic guidelines, such as the NIST SP 800-61 Computer Security Incident Handling Guide. Automation and orchestration tools will help organizations streamline the detection and investigation process in order to respond quickly and decisively.
Learn More at SecurityWeek’s ICS/SCADA Cyber Security Conference