On May 7, 2021, the Colonial Pipeline ceased all production to contain a virtual threat from damaging pipeline operations. The sudden loss of 2.5 million gallons of oil created long lines at gas stations, gas shortages, and confusion along the U.S. east coast. The ordeal was only resolved after pipeline owners paid $4.4 million to the hacker group responsible. Although the FBI clawed back $2.3 million of the ransom money, the damage was done: pipeline operations were suspended until May 12, the company lost millions, and consumers were left scrambling for fuel and information.

According to the U.S Justice Department, cyberattacks are relatively common throughout the country. U.S Secretary of Energy Jennifer Granholm stated in an interview that “there are thousands of attacks on all aspects of the energy sector and the private sector generally…it’s happening all the time.” As transportation networks become more and more connected, they become more and more vulnerable to cyberattacks like the one that targeted the Colonial Pipeline.

Eno recently hosted a series of webinars, panels, and discussions on the pressing issues facing transportation as part of the Centennial Institute. One panel explored how agencies can prepare for the most perilous cyberattacks that can cripple their operations. The panel included:

Steven Polunsky, Director of the Transportation Policy Research Center, Transportation Institute

Shailen Bhatt, Senior Vice President of Global Transportation Innovation at AECOM

Samuel Spector, Director of Government Affairs & Public Policy – U.S., BlackBerry

The Harrowing Hassles of Hacking

Shailen Bhatt (AECOM) pointed out at the beginning of the panel that cybersecurity is, by and large, an afterthought in transportation due to its supposed lack of relevance. However, that irrelevance is quickly changing. Bhatt recalled a ransomware attack at the Colorado Department of Transportation that shut down the agency’s system for months, all thanks to an employee using an infected thumb drive.

Additionally, Steven Polunsky (Transportation Institute) elaborated that proliferation of technology, from drones to computer programs, makes it harder to regulate access to new systems. Polunsky went on to state that transportation is both the means and the end of cyberattacks, making it all the easier for “the bad guys” to use systems against operators and riders. Advances in electrification and communication technologies puts systems at an even greater risk for infiltration and disruption. Very soon, Polunsky said, we could see the “weaponization of transportation.”

Finally, Samuel Spector (Blackberry) highlighted the importance of transportation infrastructure and why it must be protected. Transportation systems are cited as “national critical functions,” and their disruption would be “disastrous.” With the number of ransomware attacks increasing, Spector noted that the prior strategy of cybersecurity self-regulation is no longer working.

Patchwork Protection

All three panelists commented on why public agencies are so slow at responding to increasing cyberattacks. Bhatt noted that transportation infrastructure has many different owners and investors, with many pieces of transportation equipment funded federally but operated locally. Transportation spending is typically geared towards capacity projects, while IT professionals are taken out of transportation agencies to work in other offices. Bhatt also admitted that transit and transportation agencies are embarrassed to admit successful cyberattacks. He also emphasized that if transportation actors want protection, “everyone has to be brought up to the same speed.” Polunsky also indicated that there is still a point of contention between public and private interacting on tackling cybersecurity, with both sides eschewing full cooperation in favor of going it alone.

A lack of communication is particularly troubling because as Spector stressed, it is important that information is easily shared as to not escape the awareness of public institutions. Spector illustrated the need for consistent private and public security communication to defend infrastructure from the worst cyberattacks. Cybersecurity threat notification legislation on the local, state, or federal level would help in the proliferation of information. However, as Spector pointed out, there is no dedicated federal approach documenting the effects of cyberattacks that threaten both private and public institutions. Up until this moment, the mechanisms for communication between private and public groups have functioned on a voluntary basis.

Getting Protected:

All three panelists expressed hope in various solutions aimed at addressing cybersecurity weaknesses. Several provisions in the recently passed Investing in Infrastructure and Jobs Act (IIJA) excited Spector. Several promising programs include:

• $1 billion over four years supporting state/local improvements in cybersecurity
• $100 million for the Department of Homeland Security that supports public/private entities responding to cybersecurity fights
• Cybersecurity accounting for Department of Transportation grant funding
• The designation of a cyber coordinator on all cyber incidents at the Federal Highway Administration

Additionally, Polunsky expressed his support for the recent collaborative cyber defense project rolled out by the Cybersecurity & Infrastructure Security Agency (CISA), a division of DHS. Polunsky also advised the U.S. borrow methods from other countries, such as Sweden and Israel.

Bhatt hoped that NIST guidelines could also offer useful guidance for local and state agencies. However, Bhatt stressed that although “the future in transportation is connected and autonomous and electrified and shared,” further connectivity and electrification open additional vectors for cyberattacks.

To hear more from the panelists on transportation equity, check out a recording of the panel hosted during Eno’s Centennial Institute on September 16, 2021.