Sen. Mark R. Warner (D-Va.) wants to know how susceptible the Metro is to a cyberattack, following a “ransomware” hack that took down computers for San Francisco’s light-rail system late last year.
In a letter to Metro General Manager Paul J. Wiedefeld on Monday, Warner, co-founder of the Senate Cybersecurity Caucus, writes that he worries Metro could fall victim to a similar attack, inconveniencing hundreds of thousands of subway riders and further imperiling the finances of the agency, which is already facing a $290 million budget shortfall.
The November hack targeted the computer systems of the San Francisco Municipal Transportation Agency. The transit agency waived fares that weekend, according to the San Francisco Chronicle, as hackers requested $73,000 in exchange for unlocking the agency’s computers, a ransom the transit agency refused to pay.
“I am acutely concerned about what this kind of attack may mean for transportation systems like [the Washington Metropolitan Area Transit Authority],” Warner wrote. “While early reports indicate that the attack on SFMTA may have been opportunistic rather than targeted, I am concerned that WMATA may represent a particularly enticing target for more advanced threats, given its importance to the region and the number of federal agencies that rely on the system to transport their workforces each day.”
In the letter, Warner presses Wiedefeld for answers on the state of the agency’s computer systems, and requests a response by Feb. 15:
1. SFMTA was apparently a victim of a random attack that looked for antiquated, vulnerable computer systems. When was the last complete overhaul of WMATA’s IT systems? Has WMATA identified any end-of-life legacy components, and if so has WMATA taken steps to replace and/or isolate them? Does WMATA have backup systems in place that would allow for some level of continuity of operations in the case of a complete computer system outage?
2. Does WMATA employ network segmentation, including between consumer-facing or internet-connected systems and mission-critical, operational systems to protect against lateral movement of attackers? Does WMATA have a procedure in place to notify overseers, regulators, and the public in the case of a cyberattack?
3. Does WMATA have a comprehensive plan in place to deal with ransomware attacks? If so, was the plan developed in coordination with local and regional partners, including any entities or jurisdictions that may share or have access to internet-connected systems?
Metro’s IT systems have not been without problems in recent years. Planned IT testing that went awry last week caused the agency’s Rail Operations Control Center to lose the ability to control switches at the height of the morning rush, fouling the commute for thousands of riders. The ROCC lost the ability to remotely operate switches for about nine minutes, and separate reports suggest it also lost remote control of ventilation fans.
Metro says the problem was caused by an internal glitch.
In his letter, Warner says the MUNI incident might have also led to a breach of personal information for thousands of employees and customers, and warns of the rising frequency of cyberattacks.
“If these efforts are directed toward critical infrastructure, the impacts could be grave and far reaching,” he says. “Should a cyberattack cripple WMATA’s ability to collect fares for days at a time, or have the effect of deterring alarmed riders, the financial implications would only exacerbate WMATA’s serious and mounting fiscal problems. A cyberattack could potentially threaten these vital networks as well, putting riders at risk if an accident or emergency were to occur during a cyberattack.”
Metro spokesman Ron Holzer said the agency had received the letter and will provide a timely response.