Subway safety in New York took on a new meaning when the Metropolitan Transportation Authority acknowledged a cyber intrusion, which set off loud alarm bells about the rising threat of system hacks.
The MTA is one of the largest municipal issuers, and reports linked China’s government to the episode.
Despite MTA officials’ assurances of quick troubleshooting and no evidence of compromise to its operational systems, employee or customer information, this marked the latest chilling cybersecurity event for public finance.
“It was hospitals in the fall. Over the winter it was a municipal water system. Now a series of transit agencies are the targets,” municipal bond analyst Joseph Krist said.
One positive, according to Krist, is that the MTA was able to hold the cost of recovery to “a very manageable number” and did not pay a ransom.
“It is not clear what more can be done to prevent ransomware hacks short of tightening cyber security,” said Chris Low, chief economist at FHN Financial.
The MTA, which carries $50 billion of debt including special credits, operates New York City’s massive subway-and-bus system, two commuter railroads and several interborough bridges and tunnels.
According to Moody’s Investors Service analyst Baye Larsen, the intrusion highlights the rising credit risk for U.S. infrastructure systems and the importance of continued investment in cybersecurity.
“MTA has steadily increased its investment in cybersecurity over the past few years, leading to strong cyber practices that limited the impact of the breach,” she said.
Hackers with links to the Chinese government targeted the MTA in April, the New York Times reported, citing an MTA document.
According to MTA officials, the Federal Bureau of Investigation, the Cybersecurity Infrastructure Agency and the National Security Agency issued a joint alert at 8 p.m. April 20 about a zero-day vulnerability, which means no one in the world was aware of the attack when it happened.
CISA issued recommendations for fixes and patches, and the authority implemented them immediately using its 24-hour protocol.
According to the MTA, only three of its 18 different systems were affected.
When the CISA alert first came out, it included four vulnerabilities, three of which the MTA had already patched, an authority official said.
“The MTA quickly and aggressively responded to this attack, bringing on Mandiant, a leading cyber security firm, whose forensic audit found no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems,” MTA chief technology officer Rafail Portnoy said in a statement.
“Importantly, the MTA’s existing multi-layered security systems worked as designed, preventing spread of the attack and we continue to strengthen these comprehensive systems and remain vigilant as cyber-attacks are a growing global threat.”
These attacks have been on the rise of late.
Amid COVID-19, cyber attacks struck 560 healthcare facilities last year, according to the Emsisoft State of Ransomware report. That included Universal Health Services, which operates about 400 hospitals nationwide.
At a treatment plant in Oldsmar, Florida, an intruder in February boosted the level of sodium hydroxide — or lye — in the water supply to 100 times higher than normal. JBS, the world’s largest meat-processing company, had to briefly shut down its operations. The FBI in a statement identified Russian-connected groups REvil and Sodinokibi as behind that hack.
In May, Colonial Pipeline halted 5,500 miles of pipeline, creating severe fuel shortages along the East Coast. The FBI attributed the targeting to criminal ransomware organization Darkside.
Cybersecurity risks are hard to quantify, according to Kroll Bond Rating Agency.
“Although the costs and benefits of a good cybersecurity program are sometimes hard to measure, the downside is substantial,” Kroll said.
Kroll views cybersecurity matters as a key governance matter that reflects management’s priorities and can affect operations.
“Although limited resources can be a constraint, they do not rule out improvements to cybersecurity programs,” Kroll said. “Basic improvements to employee training, for example, can provide many benefits and are generally not expensive to implement.”