‘Not a matter of if, rather when’: Watchdog raises concerns about Metro’s cybersecurity

WASHINGTON — Secrecy surrounding a new computer security audit and the inspector general’s plans for similar investigations in the coming year suggest Metro may need to make some significant changes.

“Attacks on IT resources have become commonplace. It’s not a matter of if, rather when,” Metro Inspector General Geoff Cherrington said. “An IT incident could have tremendous impact on WMATA operations and have legal and financial impacts.”

A 2016 cyberattack on the San Francisco area’s transit system shut down the fare payment systems and may have exposed personal information on thousands of riders and workers.

This new Metro audit focused on Metro’s ability to respond to similar incidents.

Metro has “taken steps” toward an incident response program, but it has “opportunities for improvement” to better detect and resolve IT incidents and reduce the likelihood that a hack could directly impact Metro operations, a summary of the audit’s findings said.

Metro management agreed with the findings of the audit of Metro’s IT incident response process and is taking steps to address the concerns.

Since the audit focused on specific security techniques and systems, Cherrington said releasing the details of the problems and promised solutions could add to the risk of a cyberattack.

“Such an audit in the wrong hands could expose vulnerabilities and thereby undermine our shared goal of making WMATA’s IT environment even more secure. For that reason, we have made an exception to our standard practice of posting audits to our website,” he said.

Cyberattack could halt system, is a major focus for additional reviews

Computer security is crucial to protect not just data on riders, workers and system designs, but also to keep the system running.

The Metrorail system was designed to run nearly entirely in automatic mode, although the transit agency has chosen not to use key parts of that automation since the deadly 2009 Red Line crash.

“Critical activities operated through the rail systems include: Control of trains, power, station ventilation, voice and data communications, and monitoring of gas and fire sensors,” part of the Office of Inspector General’s Annual Audit Plan for the next 12 months noted.

That audit of cybersecurity for rail control systems is one of six that Cherrington’s office plans to complete by this time next year, all focused on preventing cyberattacks and data breaches or on what Metro’s plans are if and when one does occur.

That represents about one-third of all audits planned for the new fiscal year. The Annual Audit Plan was approved last week by a Metro Board committee.

“The plan is risk-based,” Cherrington told the committee.

In 2017, the Office of Inspector General said the average cost of a data breach in the United States was $7.35 million, with an average breach exposing 24,000 records.

Personal data security, hacking, spending checks

The inspector general staff is already in the process of reviewing Metro’s security over publicly accessible web applications like the SmarTrip card all riders are now required to use.

“Security controls over publicly accessible Web applications are to prevent intrusions and safeguard the confidentiality, integrity and availability of WMATA’s information,” that audit’s description said.

Metro just expanded unsecured public Wi-Fi service to all underground stations.

A separate inspector general’s review is analyzing any Metro computer systems running unsupported operating systems, which are unable to get the latest patches and updates to deal with newly discovered vulnerabilities.

In coming months, the office is also set to look into Metro’s contracted IT workers.

“The audit objective is to determine whether WMATA is effectively and efficiently managing the use of IT personal services contracts, and to determine if current WMATA employees should be performing the work instead of contractors to ensure WMATA is not wasting taxpayer dollars,” the audit plan said.

Other audits planned

In addition to cybersecurity issues, the Office of Inspector General plans to launch new, more regular checks of stations and trains for safety hazards, cleanliness and even temperature control.

A series of other planned audits focus on ensuring financial transactions are handled properly from bidding for contracts to payments and use of fuel meant for Metro vehicles.

Investigators also plan to follow up on a lack of oversight when employees or contractors leave Metro to ensure that sensitive data and equipment are not lost.
