The Washington Post

Metro cybersecurity audit highlights growing concerns at agencies across the country

New technology, such as that included in Metro’s latest series of rail cars, the 7000s, makes the agency more vulnerable to hackers and other cyberattacks. (Bill O'Leary/Washington Post)

Metro officials say they plan to focus on improving security throughout the transit system after a classified inspector general’s report concluded that the agency remains vulnerable to hacks and attacks that could imperil safety and day-to-day operations.

That audit was presented to Metro’s board of directors in a closed meeting late last month, but the report and takeaways are being kept secret because of the risk of tipping off potential criminals to existing weaknesses at the transit agency.

“By its nature, such an audit in the wrong hands could expose vulnerabilities and thereby undermine our shared goal of making [Metro’s] IT environment even more secure,” Metro Inspector General Geoffrey A. Cherrington said in a statement. “For that reason, we have made an exception to our standard practice of posting audits to our website, and this one will be withheld from release.”

The report focused specifically on Metro’s “incident response” capabilities and whether tech experts within the agency have the proper procedures and know-how to quickly detect, fend off and shut down a hack. Although Metro has procedures in place in the event of an attack, “the program has opportunities for improvement,” the inspector general’s report said.

Upcoming audits, however, could reveal more vulnerabilities in the system. According to a schedule presented to the board, Cherrington plans six more security-related audits over the next fiscal year.

Those reviews will examine a range of potential hazards — from a massive data breach of SmarTrip card information to potential attacks that could interfere with critical safety operations such as rail traffic control systems, gas and fire sensors, the power grid, station ventilation, and voice and data communications.

The risk of those kinds of breaches only becomes greater as Metro upgrades to “smart” technology with more digital capabilities — which are more vulnerable to remote tampering. For example, Metro’s new 7000-series rail cars feature a digital audio communication device, with which announcements to passengers do not need to be prerecorded or spoken by the train operator but are transmitted by a computer-generated voice — an opportunity for hackers that did not exist on Metro’s older train models with rudimentary speaker systems.

The risk posed by new technology is something that transportation agencies across the country are concerned about, said Srini Subramanian, a state and local security principal at the risk and financial advisory unit of the consulting firm Deloitte.

“As you are embracing new technology and new solutions, there are new risks that are coming with it. It’s important to recognize those risks,” Subramanian said. “Keeping security at the forefront of your strategy as you explore and adopt those technologies is much more beneficial than doing something after the fact.”

Metro is already taking steps to address some of these vulnerabilities, officials said. Last month, the transit agency advertised for a new position: director of security.

Metro’s increased emphasis on security reflects increasing awareness at transit agencies across the country that day-to-day operations of their decades-old subway systems could be attractive targets to hackers.

“The biggest challenge is understanding what the vulnerabilities are so you can start fixing them,” said C. Douglass Couto, a security expert who previously worked as chief information officer at the Michigan Department of Transportation and serves as chairman of the security subcommittee at the Transportation Research Board.

Couto praised Metro for conducting an initial audit. “That should give the public some confidence that at least someone’s thinking about this,” he said, but it’s important that transit administrators allocate the money, time and resources necessary to come up with long-term solutions.

“It’s the competition between focusing on daily operations and then doing things that may not have an immediate impact today but are critical in the long run,” Couto said.

Awareness about security risks at transit agencies also has been raised by high-profile incidents in recent years.

On Nov. 25, 2016, the San Francisco Municipal Transportation Agency was hit by a ransomware attack that resulted in the shutdown of the light-rail line’s fare system over the busy weekend after Thanksgiving. Hackers demanded $73,000 to put the system back online, but the transit agency refused to pay, instead allowing customers to ride free until they were able to bypass the hackers days later and fix the problem.

“Awareness has increased because of some of these recent attacks,” Subramanian said. “People are seeing these incidents and saying, ‘Gee, if it can happen to them, it can happen to me.’ ”

And smaller bouts of mischief are becoming increasingly routine — people posting profane messages on highway signs or playing pornographic material on train station advertising screens.

But the problem, Subramanian said, is that even seemingly innocuous digital interference on transit can have dire effects. For example, he said, imagine if someone hacked Metro and was able to temporarily shut down all the escalators in a few busy downtown stations during rush hour. Such an incident might seem like a minor nuisance, but the effects could quickly balloon to something more serious: long, slow-moving queues for the stairs that result in station overcrowding, trains that sit on the tracks waiting to unload passengers, holding up trains behind them, and disrupting the flow of travel along an entire rail line, creating a nightmare Metro commute on steroids.

A catastrophic outcome? Probably not, Subramanian said. But enough of a disruption to potentially pique the interest of a digital troublemaker eager to prove their prowess.

Security risks at Metro and at transit agencies across the country will only increase as passengers ramp up their expectations for digital amenities — such as in-station WiFi and access to real-time train travel data — and as local officials seek opportunities to create “smart cities,” connecting trains and buses with local infrastructure and other transportation networks to ease commutes.

The downside to smart cities, Couto said, is that they open up many more avenues for potentially breaking into the back end of a transit system.

“The threat surface gets bigger and bigger, and any weakness in all those things that are connected creates a weakness for everybody in that environment,” Couto said.