Implications of the 2020 Sunburst Cybersecurity Attack for Transit Agencies: Addressing Vulnerabilities

In December 2020, the cybersecurity firm FireEye discovered the worst cyber-attack in our nation’s history. While the full ramifications of this attack remain to be seen, the investigation revealed that more than 18,000 organizations may have been breached, including the Department of Defense and computer systems used by state and local governments, and critical infrastructure services such as the San Francisco International Airport.  The new Mineta Transportation Institute (MTI) perspective Implications of the Sunburst Cybersecurity Attack addresses the damage caused by this attack and what public and private organizations, including transit agencies, can do to mitigate future attacks.

Although the specific effects of the Sunburst attack on transit agencies is not yet understood, transit agencies have recently been confirmed targets of several other cyber-attacks. One such attack on the Southeastern Pennsylvania Transportation Authority in August of 2020 took down its real-time bus and rail information for two full weeks. Another recent, severe attack occurred in 2017 against Sacramento Regional Transit (SaRT) in which SaRT suffered a ransomware attack that crippled its website and destroyed data. Researchers have also previously proven hackers could take over the brakes and controls of vehicles. These instances hint at the potential damage of the Sunburst attack and others.

Moreover, an October 2020 MTI study,  Is the Transit Industry Prepared for the Cyber Revolution? Policy Recommendation to Enhance Surface Transit Cyber Preparedness found most public transit agencies acutely unprepared when facing cybersecurity threats and found that only 60% of agencies had any cybersecurity program in place even though 80% reported they were prepared.

“Cybersecurity is a growing concern for public transit managers, as control and management systems become increasingly dependent on information technology. These systems are vulnerable to increasingly sophisticated direct and indirect cyberattacks. Given these increasing risks, the transit industry and its technology managers must take proper steps to ensure the security of their cyber systems,” says Vice Chair of the APTA Board of Directors Jeff Nelson.

Agencies must prioritize cybersecurity by:

• Investing in their cybersecurity infrastructure, from effective hiring of cybersecurity expertise to ensuring alignment with the agency’s overall strategy;
• Educating persons within the organization about cyber-attack risks, especially phishing, which is by far the most common type of cyber-attack; and
• Requiring vendors to manage their cyber risk by contractually requiring vendors to maintain state-of-the-art cyber protections.

Cyber-attacks are ultimately inevitable. Fortunately, agencies can take action to help protect themselves from attacks and to prepare for any breaches that do occur, thus ensuring the critical transportation systems of our nation continue running smoothly and safely.

ABOUT THE MINETA TRANSPORTATION INSTITUTE

At the Mineta Transportation Institute (MTI) at San Jose State University (SJSU) our mission is to increase mobility for all by improving the safety, efficiency, accessibility, and convenience of our nations’ transportation system. Through research, education, workforce development and technology transfer, we help create a connected world. MTI was founded in 1991 and is funded through the US Departments of Transportation and Homeland Security, the California Department of Transportation, and public and private grants. MTI is affiliated with SJSU’s Lucas College and Graduate School of Business.

ABOUT THE AUTHORS

Scott Belcher, JD, MPP, is an MTI Research Associates, and the CEO of SFB Consulting, LLC. Prior to founding SFB Consulting, LLC he served for two years as the CEO of the Telecommunications Industry Association and for seven years as the CEO of the Intelligent Transportation Society of America.