Rail transit vulnerable to cyberattacks, experts say

The risk of cyberattacks that disrupt public transit systems is growing, experts say. Malware may be lurking in critical safety systems that control the movement of trains, said Amir Levintal, CEO of Cylus.

The Biden administration has taken steps to better protect critical U.S. transportation infrastructure, including passenger railroads and rail transit. The Transportation Security Administration (TSA) imposed new cybersecurity requirements on the owners and operators of surface transportation systems in December.

"We can see a process of the authorities starting to understand the importance of cybersecurity for national security and homeland security in the U.S.," said Levintal, who is a former director of the Cyber R&D division of the Israel Defense Force’s Elite Technological Unit. He co-founded Cylus as a rail cybersecurity company in 2017.

There are three kinds of potential threats, said J. Michael Daniel, president and CEO of the nonprofit Cyber Threat Alliance, during a webinar last week hosted by the Eno Center for Transportation:

The first two — attempts to steal information and ransomware — are primarily due to criminal organizations, he said.

In the third class of threat, "a foreign nation might actually have an interest in targeting you for the ability to cause a disruptive or destructive effect to achieve a foreign policy goal," Daniel said.

Experts have already identified cybersecurity breaches in U.S. transit systems.

In 2018, investigators found 86% of 1,000 hardware devices that Cisco had supplied to San Francisco's Bay Area Rapid Transit system contained "hidden backdoors on the devices, as well as a persistent 'ping' where data are sent to a foreign nation hostile to American interests," according to a 2020 report prepared by the Mineta Transportation Institute and San Jose State University. The devices were replaced within 72 hours.

A 2022 report from the National Academy of Sciences cited three cyberattacks on North American public transit systems attributed to foreign states or state-based actors:

An April 2021 attack on the New York City Metropolitan Transportation Authority by China-based actors
A May 2020 attack on the Colorado Department of Transportation by Iran-based actors
A January 2018 attack on the suburban Toronto Metrolinx system by North Korea.

The December 2020 SolarWinds attack, attributed to Russia-based actors, affected an "unknown number of transit agencies," the report said.

Potential threats are hidden in software, which can include code from different sources, Daniel said. Transit cybersecurity efforts should include looking at the software supply chain, "so that you actually start to look at and understand where did all the different pieces of this software come from. Where were they assembled? Who had a hand in it?"

Another vulnerability comes when devices are connected across a transit operator's network and there is no separation from the internet, said Ari Schwartz, managing director of cybersecurity services at the law firm Venable, also speaking in the webinar.

Hackers can find their way across the network to obtain permissions they shouldn't have, he said.

Even with devices not designed for internet connection, Schwartz said that sometimes people create shortcuts to fix something or make improvements.

"A lot of people don't think stuff is connected to the internet, but it actually is," he said. Companies with large control systems need to regularly test whether those systems are connected to the internet, and if so, to secure them.

Scott Belcher, research associate for the Mineta Transportation Institute and principal investigator of the 2020 study, urged transportation operators to include cybersecurity within a risk management portfolio at the highest level, with a security executive in the C-suite reporting to the CEO and board of directors. The National Academy report echoes that recommendation.

A heightened focus on cybersecurity under the Biden administration has resulted in a May 2021 executive order, a series of directives and the Jan. 19 National Security Memorandum.