A new study’s been released highlighting the impact of America’s worst ever reported cyber attack and its implications for the public transport industry.
Last month cybersecurity firm FireEye discovered a breach of their internal systems that was traced to the IT management software they used, supplied by SolarWinds. Since the discovery, the investigation has uncovered that more than 18,000 organisations may have been breached as far back as March 2020, although the scale, breadth and depth of the so-called Sunburst cyber attack is still emerging.
The implications for transit report is written by leading consultant and former ITS America CEO Scott Belcher (pictured) and his colleague Brandon Thomas. He points out that, although the impact of Sunburst on public transit agencies is not yet known, several other recent cyber-attacks confirm that the transit industry is already a cyber target.
He notes that recent attacks on public transit agencies include the Southwestern Pennsylvania Transportation Authority (SEPTA) in
Philadelphia, which is still recovering from a malware attack last August that took down their critical systems for weeks, while in the Canadian city of Vancouver, the transit system is in the midst of recovering from and
assessing the damage of a ransomware attack just a few weeks ago.
Belcher says that to avoid similar results, cybersecurity preparedness must become an immediate priority for all leaders in public transit. He points out that public transit is part of the U.S.’ Transportation Security Sector, one of 16 sectors deemed critical to national security.
In October 2020, the Mineta Transportation Institute published Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendation to Enhance Surface Transit Cyber Preparedness (the Study) which found that most public transit agencies are “woefully unprepared” when facing cybersecurity threats. The Study assessed the readiness of U.S. transit agencies to address, mitigate, and respond to the growing number of cybersecurity threats, with responses from agencies that serve nearly a third of the U.S. population.
Although more than 80% reported that they were prepared for a cybersecurity threat, it emerged only 60% had a cybersecurity
programme in place. Belcher calls this disconnect “very concerning in its own right and is made even more so given that the respondents were not aware of the SolarWinds breach at the time of the Study.”
He says the Study findings make clear that cybersecurity has not been a priority for many agencies in the public transit industry. Even though there are numerous resources available from Federal agencies and industry associations, he notes the data suggests that these resources are not always taken advantage of because of competing priorities, lack of internal resources, or focus.
This US report will make key reading for authorities in the UK, based on the assumption that cyber threats are a global challenge, and that risks, breaches and lessons learned in the US will be important here too. The authors write, “Though the details are still coming to light, one thing is already very clear: every public and private organisation, both in the United States and abroad, must focus on its cybersecurity programme. These organisations must ensure they understand program vulnerabilities and have a plan in place to address them on an on-going basis.”
(Picture – Scott Belcher’s LinkedIn page)