This discussion explores the critical importance of protecting the Transportation Infrastructure Sector. I will discuss the Transportation sector's Critical Infrastructure Protection (CIP) aspect, historical incidents and remediations, and provide a section detailing how I would prevent these threats from recurring within the organization I am currently employed by. Let's delve into the overview of the US Critical Infrastructure Transportation Sector.
Overview of the US Critical Infrastructure Transportation Sector
The Transportation Critical Infrastructure Sector is an industry that encompasses sub-sectors such as airlines, shipping companies, logistics providers, railroads and technology firms. According to the Bureau of Transportation Statistics (BTS), transportation services contributed $1.7 trillion (6.7%) to the U.S. economy in 2022 (Transportation Services Contributed 6.7% to U.S. GDP in 2022; Rising Above 6.3% in 2019, n.d.). This includes for-hire transportation, in-house transportation by businesses, and household transportation using personal vehicles. The Transportation CI serves as the physical veins and capillaries of the nation. Now that we've covered what the Transportation Critical Infrastructure Sector is, let's delve into a historical incident as well as its remediations.
Historical Incidents and Remediations
The incident I am going to review is the 2016 ransomware shutdown of San Francisco's Muni metro system. In November 2016, San Francisco's Municipal Transportation Agency (Muni) suffered a ransomware attack that encrypted critical systems, including payment kiosks and employee computers. The attack disrupted Muni services, inconvenienced riders and raised concerns about cybersecurity in public transportation systems (The San Francisco Public Transit Ransomware Attack: What We've Learned, n.d.).
The San Francisco Muni ransomware attack was primarily resolved through the use of backups. The Municipal Transportation Agency (MTA) had robust backup systems in place, which allowed it to restore affected systems and avoid paying the ransom. Additionally, it took precautionary measures such as shutting down payment kiosks to prevent the malware from spreading further. Following the attack, the MTA implemented several remediation measures, including (Technical Approaches to Uncovering and Remediating Malicious Activity | CISA, 2020):
- Strengthening cybersecurity protocols: This likely involved improving network security, enhancing employee training on cybersecurity best practices, and implementing more stringent access controls.
- Increasing system monitoring: The MTA likely improved its ability to detect and respond to potential threats by implementing more sophisticated monitoring tools and procedures.
- Regularly testing backups: To ensure that backups remain effective and reliable in the event of another attack, regular testing and verification would be crucial.
Now that we've reviewed a historical incident and its remediation, let's move on to a theoretical approach to threat preparedness planning.
Theoretical Threat Preparedness Planning
I would begin the threat preparedness project plan by reviewing the lessons learned produced by the San Francisco Transportation Authority. From those lessons I would create a phased research and planning sprint, keeping the NIST Cybersecurity Framework (CSF) 2.0 scoped to reduce risk while improving the cybersecurity program. The CSF provides functions including, but not limited to, identify, protect, detect, respond and recover (NIST Cybersecurity Framework 2.0, 2024). Following a completed comprehensive research and planning sprint, I would initiate the next phase of the project organization using the PMBOK's guidance and best practices. I would heavily research the Mamba ransomware details from the San Francisco Municipal Transportation Agency (SFMTA) incident to create a knowledge base. I would utilize the knowledge collected from Fortinet's article "A Closer Look at the Mamba Ransomware that Struck San Francisco Rail System" and use it as a benchmark to create a testing environment: an air-gapped, off-network lab where I could simulate the attack vectors and introduce various defensive and fail-safe scenarios. I've recently discovered a Critical Infrastructure Protection (CIP) specialized security platform called OPSWAT. What's interesting about OPSWAT is its recent acquisition of the InQuest threat intelligence platform (OPSWAT, Inc., 2024). Combined, they represent a quality platform with no recent news of breach incidents. While no platform is 100% secure, I would choose them over CrowdStrike due to CrowdStrike's recent incident that caused a worldwide disruption. Let's lightly touch on the contextual application of OPSWAT and InQuest.
OPSWAT and InQuest Contextual Application
OPSWAT MetaDefender provides multi-scanning and Deep CDR (Content Disarm and Reconstruction) capabilities, effectively neutralizing threats hidden in files, emails, or other data entering the network (OPSWAT, Inc., 2024). On the Network Detection and Response (NDR) side, InQuest's Deep File Inspection (DFI) technology monitors network traffic for suspicious activity, detecting and responding to threats in real time (InQuest, 2023). The combined threat intelligence capabilities of OPSWAT and InQuest provide actionable insights into the latest threats and vulnerabilities. Let's move on to what actions could be taken to apply this to the transportation CI.
Implementation for Transportation CI
I would implement MetaDefender at various network entry points to scan all incoming and outgoing files, preventing the delivery and spread of malware. I would deploy InQuest's network monitoring solution to detect anomalous network behavior indicative of a ransomware attack, allowing for rapid response and containment. Finally, I would utilize the combined threat intelligence from OPSWAT and InQuest to identify potential threats, update security policies, and proactively hunt for vulnerabilities. I would of course work on adopting Zero Trust principles and create a regular backup routine. Now that we've covered actioning the threat preparedness plan, let's wrap up and summarize the key points.
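As an added example (not from the original post and not code from any vendor named here), the following Python script shows one way to automate the "regularly testing backups" remediation and the regular backup routine above: it records SHA-256 hashes of a known-good system, then verifies a backup copy against them so that a copy that has been overwritten or deleted is caught before it is needed for a restore. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup sets are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest.
    Taken while the system is known-good; store it separately from the backup."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare the stored manifest against a backup copy.
    Any missing or mismatched file means the backup cannot restore that asset."""
    report = {"ok": [], "missing": [], "mismatch": []}
    for rel, digest in manifest.items():
        target = backup_root / rel
        if not target.exists():
            report["missing"].append(rel)
        elif sha256_of(target) != digest:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: back up a small tree, then damage the copy the way
    a ransomware infection would (one file overwritten, one removed) and confirm
    that verification flags both before anyone relies on the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "live"), Path(tmp, "backup")
        src.mkdir()
        (src / "fares.db").write_bytes(b"fare table v1")       # constructed data
        (src / "kiosk.cfg").write_text("mode=operational\n")   # constructed data
        manifest = build_manifest(src)
        shutil.copytree(src, bak)
        (bak / "fares.db").write_bytes(os.urandom(32))  # simulated encryption
        (bak / "kiosk.cfg").unlink()                    # simulated deletion
        return verify_backup(manifest, bak)
```

Run `demo()` to see the report; in a scheduled job the same `verify_backup` call would run against the real backup location and alert on any non-empty `missing` or `mismatch` list.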
Conclusion
This writing encapsulated what the transportation critical infrastructure sector is, historical threats impacting the sector and a theoretical approach to threat preparedness. No defense is impenetrable and no plan is foolproof, but we can do our best to prepare. One of my favorite sayings goes like this: "not if, but when." Most organizations would like to achieve 100% security, but in the world we live in today the goalposts keep being pushed further out every day due to the continuous adaptation of the threat landscape. The good news is that together, through collaboration, intelligence sharing and some elbow grease, we can get the job done.
References
OPSWAT, Inc. (2024, August 16). Advanced Threat Prevention – MetaDefender – OPSWAT. OPSWAT. https://www.opswat.com/products/metadefender
InQuest. (2023, December 18). FileTAC | InQuest Product. https://inquest.net/products/filetac/
The San Francisco public transit ransomware attack: What we’ve learned. (n.d.). https://www.cyberpolicy.com/cybersecurity-education/the-san-francisco-public-transit-ransomware-attack-what-weve-learned
A Closer Look at the Mamba Ransomware that Struck San Francisco Rail System. (2016, December 5). Fortinet Blog. https://www.fortinet.com/blog/threat-research/a-closer-look-at-the-mamba-ransomware-that-struck-san-francisco-rail-system
Technical Approaches to Uncovering and Remediating Malicious Activity | CISA. (2020, September 24). Cybersecurity and Infrastructure Security Agency CISA. https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-245a
Transportation services contributed 6.7% to U.S. GDP in 2022; rising above 6.3% in 2019. (n.d.). Bureau of Transportation Statistics. https://www.bts.gov/newsroom/transportation-services-contributed-67-us-gdp-2022-rising-above-63-2019
Infrastructure. (n.d.). Bureau of Transportation Statistics. https://www.bts.gov/topics/infrastructure
NIST Cybersecurity Framework 2.0. (2024). https://doi.org/10.6028/nist.sp.1299