Metro transport systems eyed after hack attack in San Francisco


The most concerning thing revealed so far about the cybercriminal attack on the San Francisco light rail system over the Thanksgiving weekend was that the ransomware was able to infect so much of the system, cybersecurity experts said.

Earlier reports said ransomware traveled from San Francisco Municipal Transportation Agency PCs across the network to ticketing booths and forced the agency to temporarily run its service for free.

But according to an update the San Francisco Municipal Transportation Agency (SFMTA) issued late on Monday, ticketing was not affected.

"The SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls," the authority said in a statement. "Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports - no data was accessed from any of our servers."

Speaking before the SFMTA statement, which gave more detail than previous statements on the nature of the attack, cybersecurity experts said the incident could be a warning sign for other transport networks.

"There should be controls in place to segregate networks in such a way that these machines aren't connected with those that could infect them," said Tim Erlin, senior director, product management at cybersecurity company Tripwire.

Many other transportation networks are likely to be vulnerable to the same sort of attack, since the ransomware used attacks Microsoft Windows-based computers running outdated software, said Ed Cabrera, chief cybersecurity officer at TrendMicro.

The use of this strain of ransomware has spiked in recent weeks, security researchers said.


It is critical that our increasingly "smart" and connected cities make sure systems — from smart meters to traffic lights — are segmented to limit the potential damage hackers can cause, security experts said.

This also makes it easier to monitor internal traffic and devices, and to detect and respond to threats. Without such controls, anyone who has access to a turnstile could use that device to enter the system, said Ben Johnson, chief security strategist for cybersecurity firm Carbon Black.
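As an added illustration, not from the article or from any of the vendors quoted in it, the following Python model shows what the segmentation Erlin and Johnson describe amounts to in practice: zones with a default-deny allowlist for cross-zone traffic, and a detector that runs over the flow logs such a boundary produces to flag a corporate host fanning out to fare-gate hosts on SMB port 445. The address plan, the allowlist and the flow records are all constructed for the example and do not describe the SFMTA network.

```python
"""Zone segmentation policy plus cross-zone lateral-movement detection (example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Hypothetical address plan, assumed for this example (not a real agency's network).
ZONES = {
    "corporate":  ipaddress.ip_network("10.10.0.0/16"),  # staff PCs, email, office file shares
    "management": ipaddress.ip_network("10.40.0.0/24"),  # hardened jump hosts only
    "ticketing":  ipaddress.ip_network("10.20.0.0/16"),  # fare gates, ticket vending machines
    "payment":    ipaddress.ip_network("10.30.0.0/24"),  # payment gateway front-ends
}

# Default-deny allowlist of cross-zone flows: (src_zone, dst_zone, dst_port).
# Anything not listed here is dropped at the zone boundary.
ALLOWED_FLOWS = {
    ("ticketing", "payment", 443),      # fare gates reach the payment gateway over TLS
    ("management", "ticketing", 3389),  # maintenance RDP only from the jump hosts
}


def zone_of(ip: str):
    """Return the zone name an address belongs to, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Intra-zone traffic passes; cross-zone traffic must match ALLOWED_FLOWS."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return (src, dst, dst_port) in ALLOWED_FLOWS


# Constructed flow records in the form "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
# Host 10.10.5.17 (corporate) probes six fare-gate hosts on SMB within seconds.
SAMPLE_FLOWS = """\
2016-11-25T23:58:10Z 10.20.3.8 10.30.0.5 443 tcp
2016-11-26T00:01:02Z 10.10.5.17 10.20.1.1 445 tcp
2016-11-26T00:01:03Z 10.10.5.17 10.20.1.2 445 tcp
2016-11-26T00:01:03Z 10.10.5.17 10.20.1.3 445 tcp
2016-11-26T00:01:05Z 10.10.5.17 10.20.1.4 445 tcp
2016-11-26T00:01:06Z 10.10.5.17 10.20.1.5 445 tcp
2016-11-26T00:01:08Z 10.10.5.17 10.20.1.6 445 tcp
2016-11-26T00:02:00Z 10.10.7.2 10.20.9.9 445 tcp
2016-11-26T00:03:00Z 10.40.0.3 10.20.1.1 3389 tcp
2016-11-26T00:04:00Z 10.10.7.2 10.10.7.200 445 tcp
"""


def parse_flow(line: str):
    ts, src, dst, port, proto = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), proto


def detect_lateral_movement(lines, threshold: int = 5, window_s: int = 60):
    """Alert when one source is denied to >= threshold distinct hosts in a single
    foreign zone on a single port within window_s seconds (the SMB fan-out a
    worm-like ransomware produces when it meets a segmented boundary)."""
    denied = defaultdict(list)  # (src_ip, dst_zone, dst_port) -> [(ts, dst_ip), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, _proto = parse_flow(line)
        if not is_allowed(src, dst, port):
            denied[(src, zone_of(dst), port)].append((ts, dst))

    alerts = []
    for (src, dzone, port), hits in denied.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # sliding window over the denied attempts
            in_window = {d for t, d in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(in_window) >= threshold:
                alerts.append({"src": src, "dst_zone": dzone, "port": port,
                               "hosts": len(in_window)})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_movement(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT {a['src']} -> {a['dst_zone']}:{a['port']} "
              f"({a['hosts']} hosts denied within window)")
```

Two things the model makes visible: the single lone probe from 10.10.7.2 is dropped but does not alert, so the threshold keeps ordinary noise out of the queue, and the maintenance RDP session from the jump host is allowed because it is on the allowlist, not because management hosts are trusted in general. In a real deployment the flow records would come from the firewall or switch ACL logs at the zone boundary, and the allowlist would be the firewall rule base itself.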

The number of ransomware attacks doubled between 2015 and 2016, according to Carbon Black. The variety of strains is also growing — last year there was a 400 percent increase in the number of ransomware families detected by TrendMicro.

There is no one government agency tasked with securing critical infrastructure systems, whose protection often falls to local governments and states, said Cabrera.

The Department of Homeland Security and the Center for Internet Security provide some support to help them defend their networks, he said.

Carbon Black, TrendMicro and Radware are among the many cybersecurity vendors selling products to government customers. Protecting transportation systems requires a holistic approach and there is no "silver bullet," they agreed.

Transportation systems should require special permission to make changes, allow only trusted software to run, and be disconnected from corporate networks, said Carbon Black's Johnson. The company counts many federal, state, and local agencies as customers.

"Most of them are focused on securing servers and employee systems and are often afraid of putting security software on specialized machines," he said. "In fact, some vendors say the warranties are voided if security software is installed. This puts the municipalities in a very tough spot."

Around a third of cybersecurity vendor Radware's business is critical infrastructure protection, and the company protects dozens of transportation organizations, said Carl Herberger, vice president of security solutions.

"Paying a ransom often leads to prolonged or repeated attacks," he said. "A better strategy is to turn the economic tables on attackers by making the business a more difficult target through strong security posture."

That means investing in software that protects devices, also called "endpoints," computer networks, and data stored on servers or in the cloud.

Artificial intelligence technology will be key to protecting organizations going forward, said TrendMicro's Cabrera. The company has 500,000 commercial customers globally.

"Only by automating a lot of this technology can you actually improve your risk management of these types of attacks," he said.