Tolling Points

What can we learn from the SolarWinds hack?

Guest blog by Robert Todd, Atkins N.A., SNC-Lavalin

Explaining the potential dangers to your organization highlighted by the recent SolarWinds cyberattack isn’t easy. Many IT professionals don’t completely understand what transpired in the attack, so it’s no surprise that most executives don’t understand the magnitude of this event either. What Chernobyl was to the nuclear industry, SolarWinds was to the cybersecurity industry.

First, it wasn’t a single attack. The SolarWinds cyberattack was only part of a series of attacks conducted over a period of at least two years. Microsoft acknowledged that its systems were also breached and identified 40 corporate customers that were specifically targeted as part of the attacks. And, possibly the most significant fact, the US Departments of State, Homeland Security, Commerce, Treasury, Energy and the National Nuclear Security Administration were targeted. The Cybersecurity and Infrastructure Security Agency (CISA), responsible for determining risks to our national infrastructure, stated that state and local government agencies were also targeted and continue to be at risk of additional cyberattacks.

Analogies are helpful, but don’t adequately illustrate the risks of a cybersecurity event to your organization. Imagine learning that the concrete used in all of your bridge structures in the past five years was substandard. Or that the financial data provided to obtain your AA bond rating was fraudulent. How would you respond if all the revenue for your organization for the past two years vanished? These analogies help to illustrate some of the severity of the SolarWinds cyberattack. For many state and local agencies, the reality is that their technical teams lack the skills, tools and executive support to properly secure the organization’s systems and critical assets.

Many tolling agencies lack a true cybersecurity program, making them vulnerable and at high risk of cyberattacks. According to a report published in July 2020 by KnowBe4, an industry leader in cybersecurity training, cyberattacks against state and local government agencies increased by at least half from 2018 to 2019. The report also highlights that “over 50% of local government institutions do not keep track of their cyberattacks.” Because not all successful attacks are reported, we don’t know the true number, but attacks against the cities of Baltimore and Atlanta and the Colorado Department of Transportation were very visible to the general public, as they caused service disruptions lasting weeks, as well as financial losses in the tens of millions.

This year the risk of cyberattacks on tolling agencies continues to increase as attackers have zeroed in on critical infrastructure systems, such as state transportation networks. These attacks are not simple, single-person attacks designed to damage a system, the equivalent of random vandalism. They are organized, well-funded attacks, often by large teams of highly trained engineers, conducted over months or even years. They are backed by foreign governments and designed to gain control of entire networks. The Covid-19 pandemic forced many agencies to quickly shift staff to work from home, and they had no time to develop processes and controls to adequately protect their networks. Cybersecurity experts predict a massive increase in successful cyberattacks in 2021 as a direct result.

Unfortunately, the transportation industry’s defenses against cyberattacks have not kept up with the increased risks. Bi-annual surveys done by Deloitte over the past 10 years repeatedly list cybersecurity budget as the number one concern of government chief information security officers (CISOs). But one third of CISOs responded that they received little to no increase in their annual budgets during the survey period. State agencies also lack skilled, dedicated staff necessary to properly manage cyber risks. Cybersecurity and network engineering are different roles, just as accountants and auditors serve in different roles. However, many agencies rely on their already overworked systems and network engineer teams to act as their cybersecurity team.

Tolling agencies are among the various transportation and state agencies that are vulnerable and must improve their information security programs. Their systems are part of critical transportation infrastructure, including public information signs, reversible lane controls and other traffic control systems. They handle millions of dollars in transactions and have access to millions of credit card numbers and other customer data. Tolling agencies are also very high profile—critical infrastructure, major revenue stream, personal and credit card data for millions of customers and highly visible to the general public—a cyber attacker’s dream.

Tolling agencies need to assess their vulnerabilities for several reasons. Many are small operations with thin staff that depend on tolling system vendors for operations/maintenance and security of the tolling systems. Others rely on their state DOT’s IT staff for technical support. However, this support is generally focused on state/agency-owned systems and does not encompass systems operated and maintained by vendors. Tolling agencies have multiple systems provided by multiple vendors, each with their own staff connecting remotely to provide support. Coordination between agency staff and these vendors is key to ensure that cybersecurity processes are a shared responsibility and risks are appropriately allocated.   

Most state and local government agencies, and tolling agencies in particular, have a dangerously outdated approach to cybersecurity. Organization charts and internal structures must be developed to address the cybersecurity needs of 2021. Agencies need structured cybersecurity programs developed specifically for the agency with dedicated security staff and defined budgets. Establishing the cybersecurity team and its reporting structure (to the CEO would be optimal) should be a separate and distinct effort with the attention of the CEO.

As consultants with expertise in this area, we have a responsibility to help our clients use due care and due diligence to protect their assets, revenue and data. By helping develop up-to-date, industry-standard cybersecurity programs, we help secure the integrity and availability of our clients’ data systems and the safety of public infrastructure.

The risks of not moving forward with a strong, dedicated cybersecurity program grow larger every day. The damage and fallout from successful attacks also increase. The average financial loss from cyberattacks in 2019 was an order of magnitude larger than in 2015. Imagine the impact to an agency if it were locked out of its technical systems for weeks. The Colorado governor declared a state of emergency and brought in National Guard and Department of Homeland Security support, and it still took the Colorado DOT two months to restore its systems to full functionality.

Cyberattacks against state and local agencies will continue and risks will increase with staff working from home and the pandemic affecting government funds. Many agencies are vulnerable to attacks due to the ongoing challenge of adapting to the changing cybersecurity world.

So, what can we learn from the SolarWinds hack? An outdated information security program puts an organization at risk. Now is the time to review your cybersecurity programs to identify areas of improvement and make necessary changes to ensure your systems are secure. For tolling agencies without a robust cybersecurity capability, it’s not a question of if they will be attacked, it’s a matter of what the damage will be and how to recover.

Robert Todd is a senior toll analyst for Atkins North America. Robert brought his background in information systems and cybersecurity to the tolling industry 15 years ago. He has been involved with roadside and back office operations as well as in the procurement and installation of new toll facilities. Prior to Atkins, Robert worked for VDOT and the Richmond Metropolitan Transportation Authority. 

Newsletter publish date: 
Tuesday, February 9, 2021 - 06:45