Skip Ribbon Commands
Skip to main content

AASHTO Journal

IT ‘Visibility’ Becoming a Cybersecurity Stumbling Block

​Securing the information technology (IT) systems used by state departments of transportation against cyberattacks is becoming more challenging, particularly as the scope of such networks continues to broaden.

"What is the solution offered when we want to increase the efficiency of our operations or improve customer service? A new computer program – one that collects more data and provides an overview of more things," explained Pete Rahn, Secretary of the Maryland Department of Transportation, during the annual "Washington Briefing" held by the American Association of State Highway and Transportation Officials back on Feb. 28.

RahnMDOT.pngRahn (pictured at left) spoke during a panel presentation the event on how to create more "resiliency" in state DOT networks, with his part of the discussion focused on cybersecurity issues.

"As we have become more dependent on IT systems to do our jobs, to manage our highways and airports," state DOTs are also creating circumstances for more vulnerabilities, he stressed.

"We now need to build [cyber] security into IT, into everything we do," Rahn emphasized. "My personal nightmare is that [hackers] will play with our trains, traffic signals, and overhead signs. Imagine what kind of confusion they could cause. That is what we have the responsibility for – and we never had to think about these things before."

[Side note: A recent post on the Pew Trusts Stateline blog recently delved more deeply the specific potential cybersecurity gaps facing state DOTs. And AASHTO's National Operations Center of Excellence also offers a cyber threat reporting tool that can be accessed by state DOT members at]

The Colorado Department of Transportation experienced the impact of such an attack earlier this year when 2,000 of its computers became infected with a ransomware virus on Feb. 21 and then became partially re-infected later in March.

"It was a ransomware attack called SAMSAM [and] the breach was not through an email nor the result of employee error, but [through] a hole in our system that was exploited," noted Johnny Olson, regional transportation director for CDOT, in a presentation to Colorado's statewide transportation advisory committee April 27.

cdot.png"Between February 21st and 27th the main response was chasing down the virus and containing it from spreading further within our network. Once that was done we thought we could get back online, but soon realized that we needed to shut down again," he explained.

At that point, Colorado's Governor declared a disaster emergency and called in both the FBI and the National Guard to support CDOT's effort to safely reboot its computer network, Olson noted.

While CDOT released no dollar figure regarding the cost of this particular cyberattack – and it didn't pay any ransom to unlock its computers, the agency stressed – the expense associated with such events lessened over the last year.

For example, the 12th annual Cost of Data Breach study sponsored by IBM Security and independently conducted by the Ponemon Institute found that the average total cost of a data breach dipped 10 percent to $3.62 million in 2017. Yet despite that reduction in cost, the average size of a data breach increased by 1.8 percent to 24,089 records last year.

And many government agencies don't feel well-prepared from a cybersecurity perspective. According to a recent survey conducted by cybersecurity news firm CyberScoop and underwritten by cybersecurity firm Tenable found that a "significant portion" of state and local government technology officials said they are "underequipped, understaffed and under-resourced" in addressing cybersecurity concerns.

Four in 10 state and local IT leaders noted in the poll that they lack the tools they need to identify and report cybersecurity vulnerabilities, with 38 percent expressing a need for intelligence tools that prioritize vulnerability risks as "technology gaps make" it harder for security personnel to optimize their time and effectiveness.

In addition to managing traditional IT networks, more than one-third of state and local government IT leaders noted that their organizations also manage operational technology to control physical networks, such as traffic signals and water or electrical facilities; thus making their security landscape more challenging. A quarter of those polled added that their organizations also must secure systems used to manage internet-enabled devices such as environmental sensors.

"Digital transformation in the public sector should mean improved efficiency and citizen service, and if done right, reduced risk produced by development of good cyber-hygiene," noted Randy Crow, vice president of public sector sales for Tenable, in a statement. "The study illustrates that lack of visibility creates gaps that hamper security effectiveness."

Questions regarding this article may be directed to

Recommended Stories

Lawsuit Launched over Rhode Island Truck-Only Tolls

The trade group American Trucking Associations, along with three individual motor carriers, filed suit in the U.S. District Court for the District of Rhode Island on July 10 in an effort aimed at getting Rhode Island's truck-only tolling program declared "unconstitutional" as it...

July 13, 2018

TIFIA Loan Changes Recommended at EPW Committee Hearing

During a July 11 hearing held by Senate Committee on Environment and Public Works on Capitol Hill, changes to Transportation Infrastructure Finance and Innovation Act or "TIFIA" loans were urged to help shorten the application period and the timeline for their disbursement – both key...

July 13, 2018

Changes to Federal Cost Share for Transit Projects Debated at Hearing

Sen. Kirsten Gillibrand, D-N.Y., took pointed aim at changes being made to federal cost share for transit projects during a July 11 Environment and Public Works Committee hearing, noting that such changes could "make it more difficult for state and local agencies" to use low-interest...

July 13, 2018

Past Issues

Issue Date: