Rethinking Cybersecurity Policies for Critical U.S. Transportation Infrastructure

June 11, 2021 | Caroline Marete

Cyberattacks pose an increasing threat to critical transportation infrastructure in the United States. A recent, high-profile ransomware attack on the Georgia-based energy company Colonial Pipeline shut down systems that supply about 45 percent of the fuel consumed on the U.S. East Coast. Not only did the attack send gas prices soaring, but Colonial Pipeline President and CEO Joseph Blount also elected to pay a ransom totaling $4.4 million. While the FBI was able to recover most of that payment, the incident highlights the vulnerability of transportation infrastructure and the leverage that hackers have over its owners. These were the subjects of two hearings this week on Capitol Hill.

On Tuesday, June 8, the Senate Committee on Homeland Security and Governmental Affairs held the hearing “Threats to Critical Infrastructure: Examining the Colonial Pipeline Cyber Attack”. One witness was present. The witness testimony can be found here:

  • Joseph Blount, President and CEO Colonial Pipeline Company

A second hearing, held on Wednesday, June 9 by the House Committee on Homeland Security, “Cyber Threats in the Pipeline: Using Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure,” had two witnesses. No written testimonies were available.

  • Joseph Blount, President and CEO Colonial Pipeline Company
  • Charles Carmakal, SVP & CTO, FireEye Mandiant

The Senate hearing was opened by committee chairman Gary Peters (D-MI) and Sen. Rob Portman (R-OH), the ranking minority member of the committee. In their opening statements, both leaders acknowledged the increase in cases of cyberattacks directed at U.S. companies. These sentiments were echoed by several members of the committee throughout the hearing. Since the beginning of the COVID-19 pandemic, companies in different sectors including health care, meat processing and energy have become victims of ransomware attacks. In a press briefing on June 7, FBI Deputy Director Paul Abbate said the FBI had identified more than 90 victims of ransomware attacks across sectors perpetrated by Darkside, the hacking group believed to be responsible for the attack on Colonial Pipeline.

The House hearing opened on the same note. Chairman Bennie G. Thompson (D-MS) and Rep. John Katko (R-NY), the ranking minority member of the committee, emphasized that the events at Colonial Pipeline are not unique to the company. As such, most committee members highlighted the importance of using the lessons learned from Colonial Pipeline to “harden” cybersecurity in other U.S. companies. Several committee members sought the views of the witnesses on the involvement of government in strengthening cybersecurity policies in the public and private sectors. The resounding response was that government involvement is needed to develop sound cybersecurity policies and best practices. Panel members also suggested that establishing diplomatic ties with countries that play host to cyber criminals is essential in fighting them.

During both hearings, Blount was faced with the question of why he chose to pay ransom to the attackers against the FBI's advisory. Paying ransom is highly discouraged by the FBI, as it may encourage attackers' behavior. Blount defended himself by saying that he believed this was the right decision at the time and that it was made in the interest of the country and the millions of Americans who depend on Colonial Pipeline products for critical everyday operations. Blount is not the only CEO who chose to pay ransom in a cyberattack crisis. The CEO of JBS, a meat packing company that supplies about one-fifth of U.S. meat supply, admitted that he paid $11 million to cyber criminals to regain access to the company's systems after an attack. Blount was applauded for being honest and forthcoming about his decision to pay ransom to cyber attackers, because many cyberattacks go unreported, making it more difficult to fight cyber criminals.

While several committee members and the witnesses acknowledged that the responsibility of securing company systems falls on private companies, there was a general consensus that the government must be involved in developing policies that will support public and private companies in matters of cybersecurity. Notably, two recently introduced bills were mentioned: Ranking member of the House Committee on Homeland Security John Katko (R-NY) mentioned HR 1833, the “DHS Industrial Control Systems Capabilities Enhancement Act of 2021,” and committee member Sharon Jackson Lee (D-TX) mentioned HR 2980, the “Cybersecurity Vulnerability Remediation Act.”

The debate on cybersecurity policies and best practices for U.S. infrastructure is far from over. Transportation and other infrastructure that support the national economy remain vulnerable, and it is increasingly difficult to predict when or where the next attack will occur or who the next victim will be. Since the attack on Colonial Pipeline in May, several organizations, including the NYC Metropolitan Transportation Authority and the Steamship Authority, have revealed that they were victims of cyberattacks. Matters of cybersecurity for key U.S. transportation infrastructure should be treated with urgency because of their outsized role in the national economy.
