The Washington Metropolitan Area Transit Authority, the public transportation agency for the nation’s capital, isn’t defending itself from cyberattacks as well as it should be, according to an internal audit completed last month by its inspector general’s office.
A brief summary of the audit released in late June noted that WMATA’s board of directors agreed with the audit’s findings that while the agency has taken steps to implement an “IT incident” or cyberattack, it needs to improve its abilities to detect, report and resolve incidents.
The summary also explained that the D.C. Metro is not alone among urban transit systems with cybersecurity shortcomings, citing a 2016 cyberattack on the San Francisco Transportation Agency that disabled card-charging systems, potentially exposed employee and rider data and saw the hackers demand a $73,000 ransom.
That incident, while isolated, drew the attention of Sen. Mark Warner, a Virginia Democrat with nearly 1.5 million constituents in WMATA’s service area. Warner wrote a letter to WMATA General Manager Paul Wiedefeld in January asking about the authority’s incident response plan, including how it would deal with a ransomware attack and communicating out emergency procedures in the event of an attack.
Warner’s letter was well-timed: Metro’s inspector general, Geoff Cherrington, told WTOP last week that “it’s not a matter of if, rather when,” a cyberattack will hit D.C.’s public transit. The agency also recently started recruiting candidates for the new position of cybersecurity director.
The recent audit examining incident response plans is just one of several security-related audits that Cherrington has planned for this year, the Washington Post reported . The additional audits will examine the unsecured public Wi-Fi networks WMATA recently installed at its underground stations and the digital speakers in its newest model of rail cars, both of which are potential attack points for hackers.
“The newer technology is what creates more opportunities, so as people do things like make Wi-Fi available, that creates a vulnerability that has to be mitigated,” said Polly Hanson of the American Public Transport Association.
Still, Hanson said, insider threats — such as employees falling victim to phishing emails or inadvertently transporting malware from a personal device to an agency device — is just as strong as those from the outside. Hanson added that transit authorities everywhere are focusing more on securing their procurement efforts, which WTOP reported that Cherrington’s office is planning on doing in the coming months.
“The audit objective is to determine whether WMATA is effectively and efficiently managing the use of IT personal services contracts, and to determine if current WMATA employees should be performing the work instead of contractors to ensure WMATA is not wasting taxpayer dollars,” the agency’s audit plan said.