Implications of the Sunburst cybersecurity attack for transit agencies

January 22, 2021

In December 2020, the cybersecurity firm FireEye discovered one of the worst cyberattack in the U.S.'s history. While the full ramifications of this attack remain to be seen, the investigation revealed that more than 18,000 organizations may have been breached, including the Department of Defense and computer systems used by state and local governments, and critical infrastructure services such as the San Francisco International Airport. The new Mineta Transportation Institute (MTI) perspective Implications of the Sunburst Cybersecurity Attack addresses the damage caused by this attack and what public and private organizations, including transit agencies, can do to mitigate future attacks.

Although the specific effects of the Sunburst attack on transit agencies is not yet understood, transit agencies have recently been confirmed targets of several other cyberattacks. One such attack on the Southeastern Pennsylvania Transportation Authority in August of 2020 took down its real-time bus and rail information for two full weeks. Another recent, severe attack occurred in 2017 against Sacramento Regional Transit (SaRT) in which SaRT suffered a ransomware attack that crippled its website and destroyed data. Researchers have also previously proven hackers could take over the brakes and controls of vehicles. These instances hint at the potential damage of the Sunburst attack and others.

Moreover, an October 2020 MTI study, Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendation to Enhance Surface Transit Cyber Preparedness found most public transit agencies acutely unprepared when facing cybersecurity threats and found that only 60% of agencies had any cybersecurity program in place even though 80% reported they were prepared.

“Cybersecurity is a growing concern for public transit managers, as control and management systems become increasingly dependent on information technology. These systems are vulnerable to increasingly sophisticated direct and indirect cyberattacks. Given these increasing risks, the transit industry and its technology managers must take proper steps to ensure the security of their cyber systems,” says Vice Chair of the APTA Board of Directors Jeff Nelson.

Agencies must prioritize cybersecurity by:

Investing in their cybersecurity infrastructure, from effective hiring of cybersecurity expertise to ensuring alignment with the agency’s overall strategy;
Educating persons within the organization about cyber-attack risks, especially phishing, which is by far the most common type of cyber-attack; and
Requiring vendors to manage their cyber risk by contractually requiring vendors to maintain state-of-the-art cyber protections.

Cyberattacks are ultimately inevitable. Fortunately, agencies can take action to help protect themselves from attacks and to prepare for any breaches that do occur, thus ensuring the critical transportation systems of our nation continue running smoothly and safely.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.