Metro plans to hack its own new 7000 Series railcars over the next few months to figure out whether missing cybersecurity requirements in the contract left Metro data exposed or riders at risk.
The “penetration testing” will be completed by the end of August, a response to Metro’s Office of Inspector General said. The last of the 748 new railcars are due to be delivered within the next year.
“While it is too late to affect the procurement, we will be able to leverage this test to identify any severe cybersecurity vulnerabilities in those cars and begin the process of remediation,” the management response said.
Such “white hat” hacking is a common cyber defense tool, and it’s extremely important now because Metro had no specific cybersecurity requirements in place for contracts beyond some vague references, Inspector General Geoff Cherrington said.
“As such, contractors were not obligated to address cybersecurity,” Cherrington said.
“Consequently, WMATA may be vulnerable to cyberattacks and data breaches resulting from compromised third-party systems and services, and manipulation of rail software, which could adversely impact the safe operation of Metro’s rail system [and] potentially threaten national security.”
Past audits have warned a successful cyberattack could effectively shut the system down. Like most other agencies and companies, Metro has been a target before.
The agency is making a number of changes over the next six months.
Last month, Metro amended its request for proposals for future 8000 Series railcars to include new cybersecurity requirements such as independent testing, due both to this audit and to concerns from elected officials about a Chinese company winning the contract.
The audit shows, however, that railcars and other Metro equipment could be vulnerable to individuals or groups no matter who builds them if the proper oversight and protections are not in place.
Like most new cars on the road today, the new railcars are essentially computers on wheels. Their digital systems include speed limits and commands for train operators, as well as train location information.
Metro promises to have all fixes recommended by the audit in place by the end of September, including updates for ongoing procurements, the hiring of additional contracting personnel to review contracts for cybersecurity compliance, changes to ensure cybersecurity rules are put in future contracts, adoption of the NIST Cybersecurity Framework, and new cybersecurity awareness training for procurement personnel.
“We have a new cyber unit, in effect,” General Manager Paul Wiedefeld said.
Wiedefeld said the concern is not necessarily that someone would get trains stuck on the tracks or send them speeding off, but that the railcars could be used as a way into Metro’s other systems.
“It maybe goes through all your personal contacts, your financials. That’s what the issue is,” he said.
The Office of Inspector General expressed similar concerns in the new audit about other contractor systems, citing incidents such as the 2013 Target breach, in which a heating and air conditioning contractor’s loosely secured systems allowed millions of people’s information to be stolen.
“Contractors may provide potential additional avenues for cyberattacks,” the audit said.
Suggestions for improvements include requirements tied to the security of contractors’ systems, a requirement to report any hacks or data breaches, and a process to investigate and mitigate any incidents.