Skip Ribbon Commands
Skip to main content

AASHTO Journal

IT ‘Visibility’ Becoming a Cybersecurity Stumbling Block

​Securing the information technology (IT) systems used by state departments of transportation against cyberattacks is becoming more challenging, particularly as the scope of such networks continues to broaden.

"What is the solution offered when we want to increase the efficiency of our operations or improve customer service? A new computer program – one that collects more data and provides an overview of more things," explained Pete Rahn, Secretary of the Maryland Department of Transportation, during the annual "Washington Briefing" held by the American Association of State Highway and Transportation Officials back on Feb. 28.

RahnMDOT.pngRahn (pictured at left) spoke during a panel presentation the event on how to create more "resiliency" in state DOT networks, with his part of the discussion focused on cybersecurity issues.

"As we have become more dependent on IT systems to do our jobs, to manage our highways and airports," state DOTs are also creating circumstances for more vulnerabilities, he stressed.

"We now need to build [cyber] security into IT, into everything we do," Rahn emphasized. "My personal nightmare is that [hackers] will play with our trains, traffic signals, and overhead signs. Imagine what kind of confusion they could cause. That is what we have the responsibility for – and we never had to think about these things before."

[Side note: A recent post on the Pew Trusts Stateline blog recently delved more deeply the specific potential cybersecurity gaps facing state DOTs. And AASHTO's National Operations Center of Excellence also offers a cyber threat reporting tool that can be accessed by state DOT members at]

The Colorado Department of Transportation experienced the impact of such an attack earlier this year when 2,000 of its computers became infected with a ransomware virus on Feb. 21 and then became partially re-infected later in March.

"It was a ransomware attack called SAMSAM [and] the breach was not through an email nor the result of employee error, but [through] a hole in our system that was exploited," noted Johnny Olson, regional transportation director for CDOT, in a presentation to Colorado's statewide transportation advisory committee April 27.

cdot.png"Between February 21st and 27th the main response was chasing down the virus and containing it from spreading further within our network. Once that was done we thought we could get back online, but soon realized that we needed to shut down again," he explained.

At that point, Colorado's Governor declared a disaster emergency and called in both the FBI and the National Guard to support CDOT's effort to safely reboot its computer network, Olson noted.

While CDOT released no dollar figure regarding the cost of this particular cyberattack – and it didn't pay any ransom to unlock its computers, the agency stressed – the expense associated with such events lessened over the last year.

For example, the 12th annual Cost of Data Breach study sponsored by IBM Security and independently conducted by the Ponemon Institute found that the average total cost of a data breach dipped 10 percent to $3.62 million in 2017. Yet despite that reduction in cost, the average size of a data breach increased by 1.8 percent to 24,089 records last year.

And many government agencies don't feel well-prepared from a cybersecurity perspective. According to a recent survey conducted by cybersecurity news firm CyberScoop and underwritten by cybersecurity firm Tenable found that a "significant portion" of state and local government technology officials said they are "underequipped, understaffed and under-resourced" in addressing cybersecurity concerns.

Four in 10 state and local IT leaders noted in the poll that they lack the tools they need to identify and report cybersecurity vulnerabilities, with 38 percent expressing a need for intelligence tools that prioritize vulnerability risks as "technology gaps make" it harder for security personnel to optimize their time and effectiveness.

In addition to managing traditional IT networks, more than one-third of state and local government IT leaders noted that their organizations also manage operational technology to control physical networks, such as traffic signals and water or electrical facilities; thus making their security landscape more challenging. A quarter of those polled added that their organizations also must secure systems used to manage internet-enabled devices such as environmental sensors.

"Digital transformation in the public sector should mean improved efficiency and citizen service, and if done right, reduced risk produced by development of good cyber-hygiene," noted Randy Crow, vice president of public sector sales for Tenable, in a statement. "The study illustrates that lack of visibility creates gaps that hamper security effectiveness."

Questions regarding this article may be directed to

Recommended Stories

Webinar Examines the Road Ahead for Highway Funding

​The American Association of State Highway and Transportation Officials along with the International Bridge, Tunnel and Turnpike Association held a free live-streaming webinar on May 14 entitled The State of Highway Investment: Plans, Promises and Predictions, focusing on both current trends and...

May 18, 2018

Former FHWA Official and AASHTO Division Director Tony Kane Dies

​Dr. Anthony R. (Tony) Kane, whose 45-year highway career included service at both the Federal Highway Administration and the American Association of State Highway and Transportation Officials, died May 15 after a long-standing illness. He was 72.

May 18, 2018

USDOT Announces Participants in National Drone Testing Program

​U.S. Transportation Secretary Elaine Chao officially announced the first 10 participants in the agency's Unmanned Aircraft Systems (UAS) Integration Pilot Program at a May 9 event in Washington D.C.; a three-year test program led by the Federal Aviation Administration (FAA), that includes...

May 11, 2018

Past Issues

Issue Date: