AASHTO Journal

IT ‘Visibility’ Becoming a Cybersecurity Stumbling Block

​Securing the information technology (IT) systems used by state departments of transportation against cyberattacks is becoming more challenging, particularly as the scope of such networks continues to broaden.

"What is the solution offered when we want to increase the efficiency of our operations or improve customer service? A new computer program – one that collects more data and provides an overview of more things," explained Pete Rahn, Secretary of the Maryland Department of Transportation, during the annual "Washington Briefing" held by the American Association of State Highway and Transportation Officials back on Feb. 28.

RahnMDOT.pngRahn (pictured at left) spoke during a panel presentation the event on how to create more "resiliency" in state DOT networks, with his part of the discussion focused on cybersecurity issues.

"As we have become more dependent on IT systems to do our jobs, to manage our highways and airports," state DOTs are also creating circumstances for more vulnerabilities, he stressed.

"We now need to build [cyber] security into IT, into everything we do," Rahn emphasized. "My personal nightmare is that [hackers] will play with our trains, traffic signals, and overhead signs. Imagine what kind of confusion they could cause. That is what we have the responsibility for – and we never had to think about these things before."

[Side note: A recent post on the Pew Trusts Stateline blog recently delved more deeply the specific potential cybersecurity gaps facing state DOTs. And AASHTO's National Operations Center of Excellence also offers a cyber threat reporting tool that can be accessed by state DOT members at https://transportationops.org/cyberfmwk.]

The Colorado Department of Transportation experienced the impact of such an attack earlier this year when 2,000 of its computers became infected with a ransomware virus on Feb. 21 and then became partially re-infected later in March.

"It was a ransomware attack called SAMSAM [and] the breach was not through an email nor the result of employee error, but [through] a hole in our system that was exploited," noted Johnny Olson, regional transportation director for CDOT, in a presentation to Colorado's statewide transportation advisory committee April 27.

cdot.png"Between February 21st and 27th the main response was chasing down the virus and containing it from spreading further within our network. Once that was done we thought we could get back online, but soon realized that we needed to shut down again," he explained.

At that point, Colorado's Governor declared a disaster emergency and called in both the FBI and the National Guard to support CDOT's effort to safely reboot its computer network, Olson noted.

While CDOT released no dollar figure regarding the cost of this particular cyberattack – and it didn't pay any ransom to unlock its computers, the agency stressed – the expense associated with such events lessened over the last year.

For example, the 12th annual Cost of Data Breach study sponsored by IBM Security and independently conducted by the Ponemon Institute found that the average total cost of a data breach dipped 10 percent to $3.62 million in 2017. Yet despite that reduction in cost, the average size of a data breach increased by 1.8 percent to 24,089 records last year.

And many government agencies don't feel well-prepared from a cybersecurity perspective. According to a recent survey conducted by cybersecurity news firm CyberScoop and underwritten by cybersecurity firm Tenable found that a "significant portion" of state and local government technology officials said they are "underequipped, understaffed and under-resourced" in addressing cybersecurity concerns.

Four in 10 state and local IT leaders noted in the poll that they lack the tools they need to identify and report cybersecurity vulnerabilities, with 38 percent expressing a need for intelligence tools that prioritize vulnerability risks as "technology gaps make" it harder for security personnel to optimize their time and effectiveness.

In addition to managing traditional IT networks, more than one-third of state and local government IT leaders noted that their organizations also manage operational technology to control physical networks, such as traffic signals and water or electrical facilities; thus making their security landscape more challenging. A quarter of those polled added that their organizations also must secure systems used to manage internet-enabled devices such as environmental sensors.

"Digital transformation in the public sector should mean improved efficiency and citizen service, and if done right, reduced risk produced by development of good cyber-hygiene," noted Randy Crow, vice president of public sector sales for Tenable, in a statement. "The study illustrates that lack of visibility creates gaps that hamper security effectiveness."

Questions regarding this article may be directed to editor@aashtojournal.org.

Recommended Stories

Shuster Lays Out ‘Framework’ for Infrastructure Discussion

Outgoing Rep. Bill Shuster, R-Penn., released a 108-page "infrastructure proposal" on July 23 that he hopes can serve as a "discussion draft" that is intended to "further the national conversation about the current state of America's infrastructure and highlight some of the...

July 27, 2018

Discussion Continues Over Finding New Sources of Transportation Funding

The broad infrastructure proposal unveiled July 23 on Capitol Hill by Rep. Bill Shuster, R-Penn., chairman of the House Transportation and Infrastructure Committee, also serves to underscore a long-running debate over how to return the Highway Trust Fund to solvency.

July 27, 2018

Debate over Rider for Autonomous Vehicles in FAA Bill Heats Up

Oft-delayed legislation sponsored by Sen. John Thune, R-South Dakota, designed to promote broader adoption of connected-autonomous vehicles or CAVs, may be attached to an updated version of the Senate's Federal Aviation Administration reauthorization bill – an effort that is encountering pushback...

July 27, 2018

Past Issues

Issue Date: