Issuers of transportation infrastructure debt now need to manage risks from cyber-attacks on multiple fronts, as potential targets for hackers include mass transit systems, airports, ports, toll roads and even parking facilities.
That’s the warning sounded by S&P Globl Ratings, which recently issued a report entitled, “Cyber Risk in A New Era: U.S. Transportation Infrastructure Providers Remain Vigilant On The Road To Cyber Preparedness”, which spells out a rise in threats to the muni world.
“We have seen cyber-attacks increase in frequency across the public finance and other sectors as a whole and expect them to continue,” said Scott Shad, associate director at S&P. “We generally expect transportation infrastructure enterprises will be targeted more frequently for cyberattacks given their role as providers of critical infrastructure for the movement of people and goods.”
The report raises concerns on the expanded use of third-party vendors by transit agencies. Such vendors now handle ticket purchases, cloud services, fleet management, and human resources systems, which increases the number of exposed external links and technology mismatches.
A report published earlier this year by the Mineta Transportation Institute, which is aligned with the Lucas College and Graduate School of Business at San José State University, expressed similar concerns.
That report noted that, “Transit vendors were nearly unanimous in their observation that the hardware and software lifecycles in public transit are out of sync, creating a situation in which vehicles and other hardware designed to last for fifteen years or more are being supported by or carrying software that stopped receiving security updates five years after it launched.”
In December of last year, the Department of Homeland Security sought to get ahead of the trend as the Transportation Security Administration announced two security directives for voluntary measures to strengthen cybersecurity across the transportation sector.
As cyber-attacks become more common, security efforts continue to pull the focus to a quick recovery in addition to prevention. “We believe providers, as part of a comprehensive cybersecurity program, should implement defined response plans to recover from a cyber-attack,” said Shad.
“A defined response plan can contain and mitigate the impact of a cyberattack, and potentially speed up the process of restoring systems and data to resume operations while mitigating the duration of the breach and longer-term credit risk.”
The agency is not predicting an uptick in cyber-crime as funds start flowing into infrastructure projects where federal oversight will play a large role. But it is seeing more state-sponsored crime as opposed to extortion-based ransomware hacks.
“Cyber-attacks across transportation providers have recently skewed more towards politically motivated or state-sponsored cyber criminals, although we also still see a significant number of financially-motivated ransom attacks,” said Shad.
The Russian invasion of Ukraine has prompted some additional concern in this area, as some analysts fear that American sanctions targeting Russia could elicit more Russian state-sponsored cyberattacks in retribution.
The report contains three brief case studies of attempted hacks and cyber mischief. On Oct. 10, 2022, at least 14 airport websites in the U.S. including Los Angeles International, Chicago O’Hare, and Hartsfield-Jackson International Airport in Atlanta came under a siege attributed to Russian hackers.
In August 2021, the Port of Houston was attacked by nation-state hackers who broke into web servers. The breach was detected in about ninety minutes and neutralized. The New York Metropolitan Transit Authority was attacked by Chinese hackers in April 2021. The criminals gained access but were thwarted before doing any harm.
The continued rise of ESG puts an additional spotlight on a municipality’s ability to safeguard its computer network and recover from an attack. S&P views cyber risks for transportation providers as a component of governance within their environmental, social, and governance credit factors. The agency has not seen any cyberattacks affecting transportation infrastructure providers creating any longer-term effect on entity creditworthiness within the sector.
Regularly scheduled staff training, firewalls, cyber audits, and tight controls around financial payments are considered the best weapon against attacks. Knowing an attack has happened remains a challenging issue. The report notes that “cyber breaches within the public finance sector that have not been uncovered for weeks, which can result in exponentially worse outcomes.”