In 2008, a teenage boy converted an old TV remote into an infrared transmitter and used it to hack his city’s tram system, tripping switches, redirecting trains, causing thousands of dollars in damage and injuring more than a dozen people. Ten years later, Bay Area Rapid Transit (BART) discovered 86% of 1,000 hardware devices supplied by Cisco contained “hidden backdoors on the devices, as well as a persistent ‘ping’ where data are sent to a foreign nation hostile to American interests.”
The devices were replaced within 72 hours. But this situation is beyond dangerous—imagine foreign hostile nations or home-grown terrorists gaining control of even a portion of our transportation systems. Derailed trains could cost millions of dollars and even lives.
Cybersecurity must be addressed now to protect critical infrastructure and our community because we know ransomware and malware are lurking in some of the largest U.S. public transit systems.
In fact, earlier this year BART once again suffered an attack, whereby ransomware hackers released a collection of 120,000 police department files. Released files included mental health records, the names and driver’s license numbers of contractors who have worked on BART projects and even unredacted files detailing suspected child abuse.
While these files represented only 1% of BART internal documents and did not affect service, this was not the first time cyber attackers have targeted transit. And if these attacks can threaten an agency with the resources of BART—a public agency with access to millions of dollars in operating budget and the Department of Homeland Security’s Cybersecurity Advisor program—every agency is at risk. It’s time to take action.
And BART is not alone. In the last few years, multiple transit and rail systems, including the nation’s largest transit system, the New York City Metropolitan Transportation Authority, have been victims of such malicious attacks. The San Francisco Municipal Transportation Agency (SFMTA) was also targeted when bad actors broke into 2,000 servers to hold data for ransom. In this scenario, the worst effect was bus drivers having to handwrite route assignments, but other comparable scenarios have caused service disruptions and injuries.
In 2021, the Santa Clara Valley Transportation Authority (VTA) successfully fended off a cyber breach in which the attackers threatened to release personal employee data. While the attack did not affect bus or light rail service, the agency shut down computer systems for several days to “protect against the possibility of major impacts to data.” This incident led VTA to invest more in cybersecurity protection and preparedness, including creating a new dedicated cybersecurity team.
To that end, in May of this year, VTA held its first cybersecurity preparedness exercise to prepare stakeholders to identify, isolate and solve potential cybersecurity threats. Specifically, the tabletop exercise was developed to build the agency’s defenses against “Advanced Persistent Threats, including denial-of-service ransom attacks, cyber-terrorists, ‘hactivists,’ and cyber espionage.”
VTA is taking tangible steps to protect against cyber threats, but what about other agencies? The Mineta Transportation Institute reports 42% of transit agencies do not have an incident response plan, 36% do not have a disaster recovery plan and 53% do not have a continuity in operations plan. Without increased efforts, the cybersecurity threat will only grow.
“As transportation becomes more sophisticated and more connected, the risks and the opportunities for criminals to gain access have multiplied,” research associate and security expert Scott Belcher said. “The more you use connectivity, the more you use connected vehicle technology, the more you access the internet, the more vulnerable you become.”
Attacks like those mentioned, as well as other high-profile attacks, mean cybersecurity issues are beginning to get the attention they need. In response to the growing threat, the Biden administration has begun implementing new cybersecurity requirements and policies to increase protection for critical U.S. transportation infrastructure. This includes an executive order, security directives and the 2022 National Security Memorandum. This particular executive order calls for federal agencies to implement stronger, modern cybersecurity standards and establishes a cybersecurity safety review board.
Here in the Bay Area, VTA will be holding more tabletop exercises as part of a multi-year training and exercise program toward preventing cyber attacks. VTA will also be the first to participate in the Transportation Security Administration’s Cy-BASE program, a voluntary assessment of defenses against cyber threats.
The escalating danger of cybersecurity attacks on public transit agencies, exemplified by the attacks on BART, VTA and SFMTA, is increasingly clear. Despite more and more tangible efforts, our infrastructure remains vulnerable. The time for critical action is now. Agencies can follow VTA’s example to invest in protection, preparedness and training—with more work to be done.
As cybersecurity threats continue to evolve, it is crucial for transit agencies to prioritize counter efforts to ensure the safety and security of their systems, sensitive data and our nation’s critical transportation infrastructure.
San José Spotlight columnist Karen E. Philbrick is the executive director of the Mineta Transportation Institute, a research institute focusing on multimodal surface transportation policy and management issues.