CA’S ROADS AND RAILWAYS
waking up to the threat
          off ticket machines and fare gates in its stations, allowing customers to ride free during part of the weekend.
Last fall, Sacramento’s regional transit agency was hit with a ransomware attack demanding it pay a single bitcoin, then worth about $8,000, to get control of its website back. Transit service continued, but the website took two days to restore, and city officials met with federal secu- rity officials.
Atlanta has been reeling from a ran- somware attack in March that crippled several city offices and interrupted services. Residents couldn’t pay bills or traffic tickets online, the municipal court couldn’t view cases, and police had to return to paperwork for filing reports and booking suspects.
Many cyberattacks on state and local government have disrupted day-to-day operations or targeted the personal data of millions of residents. But cybersecurity experts and transportation officials cau- tion that in today’s digital world — where everything from traffic lights and road sensors to trains and ports are connected to computer networks, just as self- driving vehicles will be — hackers could do a lot more damage.
“There’s a real emerging concern about this in state DOTs because everything is
becoming more connected,” said Doug Couto, a cybersecurity and transportation consultant and former CIO at Michigan’s DOT. “Anything on a network or on the internet becomes vulnerable to hackers. We need to guard against cyberattacks because they’re exponentially increasing. It would be fair to say that they hadn’t been thinking about it a lot in DOTs.”
Cybersecurity
challenges ahead
Georgia’s Davis said cybercriminals could cripple states’ traffic operations centers, which monitor traffic signals, electronic message signs and incident response units that help stranded motorists.
He said his agency, which has its own IT department and cybersecurity team, has bolstered its defenses against hack- ers. He added that it’s a good idea for state transportation agencies to have their own IT and cybersecurity staff so they don’t have to share a network with other agencies and can be protected if the statewide system is breached.
Many transportation agencies, includ- ing Colorado’s, are consolidated into statewide IT departments that handle cybersecurity or have a hybrid setup
in which IT is centralized but agencies might have a cyber analyst on staff.
And many state IT officials believe it’s better for one statewide department to manage the entire network, both for ef- ficiency and to ensure that every agency is equally prepared for cyberthreats.
Regardless of where IT is located, offi- cials say cybersecurity funding remains a serious challenge for state governments. A 2016 survey of top IT security officers from 48 states found that in most states, spending on cybersecurity was a fraction of the overall IT budget, ranging from zero to 2 percent.
Another challenge for state trans- portation agencies is how to protect information when working with local governments on regional transportation projects, Davis said. Sharing information on networks that aren’t entirely secure can leave agencies vulnerable to hackers.
“You can build as high a wall on your side as possible, but they can go around that wall on the other side,” he said. “When Atlanta had their ransomware attack, I thought, ‘Uh-oh, what’s our connection to the city? Do we have to pull the plug?’ It turned out we were OK, but that was alarming.” •
This article originally appeared on State- line, an initiative of the Pew Charitable Trusts, where Jenni Bergal is a senior reporter.
GCN APRIL/MAY 2018 • GCN.COM 39