Is Your City’s Transportation Network Vulnerable to a Cyberattack?

It seems like you can’t go a day without seeing another headline related to a dramatic cybersecurity breach. You may even feel desensitized to them, taking the “that will never happen to me” mentality. But the truth is, it can happen to anyone, anywhere at anytime. In fact, there are 1.46 billion data breaches each month, on average.

As the internet of things (IoT) moves from theoretical to reality, we need to think beyond virtual identity theft and shift our attention toward much larger potential threats to our social infrastructure and physical world. One area that is particularly vulnerable, but many may not think about, is our transportation network. In fact, Gallagher ranked transportation as the third most vulnerable industry to cyberattacks, trailing closely behind healthcare and pharmaceuticals.

Public transportation is supposed to be a service that communities rely on to navigate their everyday lives. But in today’s cyberage, transportation operations increasingly depend on automation and connected technologies. Between navigation, access controls, signaling, communications, and data management, hackers have plenty of opportunities to crawl in and cause chaos.

Openbay is on a mission to get you where you need to go with peace-of-mind. That’s why we aim to empower you with the latest transportation news. As a commuter, errand-conqueror, or traveler, here’s what you need to know:

With great power comes great responsibility

Cities around the world, such as Washington, DC, are climbing on the “Smart City” bandwagon, and with good reason. Connected devices can dramatically reduce the carbon footprint in a metro area if IoT energy saving technologies are implemented government buildings. Connectivity can optimize city operations like trash pickup or scheduled maintenance to send workers to where they are most needed. Sensors help deploy resources appropriately such as city water allocation. Automation can eliminate many of the manual bureaucratic processes.

But with every touchpoint that’s connected to the IoT, new security concerns arise. We’ve seen hacks on public infrastructure and the damage they can do in places like Ukraine, where suspected Russian hackers cut off the electricity to more than 230,000 people in 2015, overwriting controls and rendering the entire system inaccessible. In 2016, the San Francisco rail system was infiltrated by a hacker demanding 100 Bitcoins ($70,000 at that time) to get operations back up and running. A 2017 incident in Dallas resulted in 4,400 calls to 911, after hackers set off the city’s emergency sirens for hours in the middle of the night. If it’s on the grid, then it can be hacked. And public transportation infrastructure is particularly vulnerable to bad actors.

Residents and commuters in the Metro DC area should be particularly aware. Just last month, Washington Metropolitan Area Transit Authority (WMATA) Inspector General Geoff Cherrington said that the city’s public transportation system is at a higher risk of cybersecurity attacks considering the number of high-value targets in the area.

“You have rail cars going near the White House, Capitol Hill, Ronald Reagan National Airport,” Cherrington said in an interview on Hill.TV. “So anytime that any part of a network is attached to anything, particularly a rail car, and can be controlled outside of the WMATA (Washington Metropolitan Area Transit Authority) system, it could be potentially a threat.” The Metro announced that they will hire additional cybersecurity personnel as a preventative measure.

Why are transportation networks so vulnerable?

Think about all of the communication networks, public safety organizations, emergency response teams, electricity companies and state/local/federal agencies that play a part in getting you from point A to B. If one of these entities falls victim to cybercrimes, it creates a domino effect that has the potential to spread like wildfire.

The US Department of Transportation assures citizens that it’s “working on multiple fronts to improve the cybersecurity resilience of surface transportation infrastructures,” but when you compare the sophisticated, cutting-edge capabilities of the cyber-underworld to the slower-moving world of federal agencies, it’s easy to see why Americans might be worried. Let’s take a look at some of the top risks posed by mass transit systems.

The politics of transportation

In recent years, Boston, Chicago and Los Angeles awarded contracts to the state-owned China Railway Rolling Stock Corp to make rail cars for their transit systems. Currently, no US companies manufacture transit cars, only freight rail cars such as boxcars and tank cars. These contracts raise concerns for the Pentagon and the US Congress, who fear that the contracts give leverage to the Chinese government to use transit rail cars as platforms for cyberespionage or sabotage.

Experts warn that railway networks are especially vulnerable to cyberattacks. Amir Levintal, CEO of a cybersecurity firm, explains that hackers “might change the controls on the train or could even access commands in order to derail the train. These kinds of attacks are probable.” The disconnect between modern technology in trains and archaic legacy hardware leaves a gap that is susceptible to hacking.

Archaic systems add a layer of vulnerability

In 2015, the Department of Homeland Security released a report warning of the increased risk of transportation systems due to the “advanced age and deterioration of many structures throughout the Nation’s transportation network.” Mass transit uses a type of system called supervisory control and data acquisition (SCADA) to handle its physical automation capabilities, and many of these systems have been in operation for nearly half a century.

In many cases, the industry’s swift adoption of technology outpaces the adoption of risk management tools to protect against security threats. According to Dan Geer, the top cybersecurity official at In-Q-Tel, “our attack surface is growing faster than our diligence can grow.” Suzanne Spaulding, a former Department of Homeland Security cybersecurity chief, reinforces this point, explaining “our adversaries are moving ahead with malicious capabilities more quickly than we are advancing our defenses.”

Vulnerable network connections

Like with any connected technology, many train networks use Wi-Fi connections to control mission critical components of the train, like brakes and doors. These wireless signals can expose a network’s vulnerabilities and leave the infrastructure wide open for hackers to control the train’s functions or even derail it. And those are just the obvious, easy plays. Sophisticated attackers can compare the code of one compromised system to another targeted system to find similarities in the code to exploit.

What’s the alternative?

There are plenty of resources to keep yourself safe from hackers in the digital realm. However, cyber liabilities in the physical world are a relatively recent phenomenon. The most common transportation cyberthreats didn’t even exist 20 years ago, and many state and local government officials are only recently realizing they need to confront these risks head-on.

While we wait for public and private entities in mass transit to implement the proper cybersecurity protocols and technologies, your best bet might be to take the wheel and drive. As we add more vehicle connectivity features and see autonomous vehicle advancements hit the market, we will see cybersecurity concerns shift from public to private transit. But we’re still a ways off from a future of IoT-enabled, fully “smart” cars. For now, keep your region’s cybersecurity initiatives on your radar.

Openbay is here to keep you in the driver’s seat, empowering you with the latest auto industry news. Plus, our auto repair booking platform keeps your information safe and secure. Book with confidence at openbay.com.