If you are caught in the middle of this sandstorm, don’t even think about blinking your eyes. One second is all a hacker needs to penetrate a firewall and drop a load of Armageddon on a department of transportation (DOT).
“At any given moment there are about 20,000 attacks [happening] on the Internet,” Kurt Stammberger, founder of the RSA Conference and the chief marketing officer at Fortscale, told Roads & Bridges. Fortscale engages in user behavior analytics in an attempt to eliminate cyber threats or attacks. “It’s like you are in a sandstorm. I can guarantee it’s an area under constant attack.”
But is it an area where DOTs are using the most technologically advanced line of defense, or are there agencies taking a more barbed-wire approach? When Richard McKinney arrived at the U.S. DOT as the new CIO in May 2013, he saw a lot of open holes in the wall. The staff was undermanned, the tools were dated and the vision had a serious blind spot. So the U.S. DOT hired Mischel Kwon and Associates, a firm that specializes in preparing clients for cyber battle, and the analysis of the U.S. DOT’s effort silenced the room.
“You could hear a pin drop [when they were done presenting],” said McKinney. “It was a very sobering experience for all of the operation administrators there.”
The main problem at the U.S. DOT was that most of those who were supposed to be holding a gun kept it in the holster. They were reluctant to engage and felt taking additional cyber measures was unnecessary. McKinney quickly gutted the war room and made using cyber tools mandatory.
“The right way to approach cybersecurity is thinking about how quick you respond, how agile you are, how quick you share information about incidents and penetrations,” he said. “It’s more about how you operate day to day to day.”
When Roads & Bridges polled government officials and asked them how vulnerable state DOTs were to cyber attacks, over 80% said they were somewhat or very vulnerable. When they were then asked if DOTs have done enough to prevent a cyber implosion, only 9.8% said yes, while almost 70% simply did not know.
By their very nature, state agencies are slow adopters. They are underfunded, and the procurement process is often long and convoluted.
“People in government are much less likely to be early adopters of new technologies that might significantly move the needle in terms of safety and security,” said Stammberger. “They will certainly adopt it, but they are not going to be beta testers. You can make some tremendous advances in security by experimenting with new technologies, but there has to be that willingness on the organizational level to experiment.”
Trying to make money
The nature of hacking has certainly evolved over the last decade or so. The criminal behavior was more about bragging 20 years ago than it was about financial gain.
“Today’s attacks come from organizations who are literally organized crime or individuals that are quite focused and are looking for a positive ROI on their activities,” said Stammberger.
Cyber attackers will hook into anything that will make them money. It is the main reason spam exists. Credit card and social security numbers can go for $5 to $10 online, and huge lists are worth thousands. According to Stammberger, health records are even more valuable. One report for an individual living in the U.S. can sell online for $100 to $200.
DOTs also need to worry about strikes against their communications system, particularly transportation management centers, and those areas that could create mass chaos, like an attack on a traffic-signal network.
Michael Hashberger, the North Central IT manager and computer security officer for the Washington State Department of Transportation (WSDOT), believes hackers are becoming more stealth-like, and some are even using old tactics with an improved twist.
“Cyber criminals today are very good at being able to break into systems and they are getting better and better at hiding what they are doing and making it harder to detect,” he told Roads & Bridges. “What keeps me up at night, I worry about breach of our e-commerce site because that is the one where we have customer credit cards and if those get hacked it’s not only the banks, it’s the individuals, it’s us. Somebody coming in for that information is going to be highly trained, very good at what they do and they are going to be very good at hiding what they do.”
Layer it up
If thieves are going to be very good, then you need a system with a good amount of deterrents. It’s all about the layers. The framework at WSDOT relies on a number of different elements: software, log management, log alerts, firewalls and encryption. WSDOT also separates its e-commerce from the rest of the enterprise. An intrusion detection system sits behind the firewalls and provides yet another layer of protection, and a security information and event management (SIEM) system and a file-integrity monitoring system boost cybersecurity further.
WSDOT security personnel are in each of the active operational groups (data management, networking, workstation support, programming). There are a total of nine cyber defenders on staff, and WSDOT also is part of a state cybersecurity network.
“It’s just trying to keep up with what the bad guys are doing,” said Hashberger. “We are constantly looking at our firewall rules. That’s the front door and we are always looking at ways to try and tighten those down.
“The bottom line is you have to provide a layered approach.”
Stammberger said the typical institution probably spends as much as 7% of the IT budget on defense.
“That’s the question people in leadership roles at the DOT level need to ask themselves,” he said. “They should know what other DOTs spend, what the financial industry spends, and create a benchmark.”
A chunk of money goes towards training. Hashberger has to be certified with the payment card industry (PCI) every year because he is an internal auditor for the PCI council; his certification as an internal security auditor requires him to go through training annually. The Certified Information Systems Security Professional (CISSP) program runs on a three-year cycle and requires continuous professional engagement, which could involve reading articles, attending seminars and other activities. Hashberger has amassed 120 credits over a three-year span to maintain certification. His technician is a PIN tester who must recertify every year.
“[I train] every free moment that I have,” said Hashberger. “I go home at night, I pick up a book and I read it. Every free moment you get you are picking up something.”
Communication also is constant at WSDOT. Weekly meetings are held with those at the executive level, and every two weeks there is an executive security meeting where issues are brought up and addressed. Hashberger’s staff also has meetings every week to make sure any problem is being resolved.
Two become one
It wasn’t long ago that the state of Minnesota kept IT and cybersecurity on separate paths. They are both together today, and a five-year plan is being executed. The plan is made up of 18 broad strategies, which are broken down into four main buckets: Proactive Risk Management, Improved Situational Awareness, Robust Crisis and Incident Response, and Partnering for Success. Proactive Risk Management is perhaps the most important bucket. It contains 11 of the 18 strategies and is about preventing bad events from happening in the first place. The fourth bucket, Partnering for Success, mirrors the theme in Minnesota for the need to have a broader cybersecurity ecosystem.
Taking it a step further, MN.IT (a combination of Minnesota’s IT and cybersecurity sectors) has created a service delivery model that is broken down into 12 security services—six serving the centralized model as a whole and six allowing for a localized, boots-on-the-ground presence. The Minnesota Department of Transportation (MnDOT) falls into the latter.
“What we are trying to do in the service delivery model is really clearly identify what needs to be done, how it needs to be done and then where it will be done,” Chris Buse, assistant commissioner and chief information security officer for the state of Minnesota, told Roads & Bridges. “We call that striking the optimal balance between leveraging our economy of scale and then retaining that business experience, boots-on-the-ground effort that you need to effectively manage security within a lot of the service areas.”
The six broad services include the following: Security Program Management, End Point Defense, Boundary Defense, Vulnerability Management, Incident Response, and Forensics and Monitoring. Secure Engineering, Risk and Compliance, Security Awareness Training, Disaster Recovery, Identity and Access Management, and Physical Security Oversight are the six areas of focus at the local level.
Jim Close is the chief information officer for MN.IT at MnDOT and is responsible for the security applications at the agency, and making sure they are tested and follow the appropriate risk assessment.
“MnDOT, like most agencies, [doesn’t have] as much outward-facing types of applications [as] in other industries,” he told Roads & Bridges. “A lot of our information systems are internally used by engineers and transportation staff.”
Every employee at MnDOT is required to go through security awareness training annually. There is a Cybersecurity Awareness Month, and agency-wide communication on security takes place regularly through emails and a newsletter.
Minnesota also is part of a national threat intelligence pipeline called the Multistate Information Sharing and Analysis Center, which sends out cyber alerts every day.
“The days where there was just broad Internet-based attacks where there was a shotgun approach that hit all organizations the same, those are gone,” said Buse. “Organizations are specifically targeted now as part of hacker attacks, and things are a lot stealthier than they have been in the past.”
Denial-of-service attacks are on the rise. In those, the attacker tries to wreak havoc by shutting down critical services that citizens depend on.
It’s not about cotton t-shirts, it’s about body armor
If a state DOT wants to batten down the hatches of its cybersecurity effort it needs to be appropriately armored.
“It’s not about wearing cotton t-shirts, it’s about wearing armor,” said Stammberger. “It’s good firewalls, it’s good policies.”
Stammberger said there needs to be proper network hygiene. An agency needs to make sure people are not sharing credentials. If an HVAC contractor has access to the air-conditioning systems at Target stores across the country, and those credentials are lost and re-sold online, a hacker could get into the Target network, connect to the point-of-sale system and steal hundreds of millions of credit card numbers. It’s that simple.
Credentials (log-in information) must be issued and retired properly. Firewalls should be encrypted, and hiring a red team should be mandatory.
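As an added example (not code from the article or from any agency quoted in it), the following Python script applies two of the credential-hygiene checks above to constructed authentication log lines: it flags an account that logs in from more than one source address within a short window, the shared-credential pattern Stammberger describes, and any use of an account that should already have been retired. The log format, account names, addresses and the retired-account roster are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (syslog-style); not taken from any real agency system.
SAMPLE_LOG = """\
2024-03-04T08:01:12 auth ok user=hvac-vendor src=10.20.5.14
2024-03-04T08:02:40 auth ok user=hvac-vendor src=203.0.113.77
2024-03-04T08:05:03 auth ok user=jdoe src=10.20.7.31
2024-03-04T09:15:45 auth ok user=contractor-old src=10.20.9.9
2024-03-04T09:40:00 auth fail user=jdoe src=10.20.7.31
"""

# Hypothetical roster of accounts whose access should already have been retired.
RETIRED_ACCOUNTS = {"contractor-old"}

LINE_RE = re.compile(r"^(\S+) auth (ok|fail) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Turn log lines into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events

def shared_credential_alerts(events, window=timedelta(minutes=10)):
    """Accounts that log in successfully from more than one source address
    within `window`: a common sign that one credential is being shared."""
    by_user = defaultdict(list)
    for ts, result, user, src in events:
        if result == "ok":
            by_user[user].append((ts, src))
    alerts = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (ts_a, src_a) in enumerate(logins):
            for ts_b, src_b in logins[i + 1:]:
                if ts_b - ts_a > window:
                    break  # logins are sorted, so later ones are further apart
                if src_a != src_b:
                    alerts.setdefault(user, set()).update({src_a, src_b})
    return {user: sorted(srcs) for user, srcs in alerts.items()}

def retired_account_alerts(events, retired):
    """Any attempt, successful or not, to use an account that should be retired."""
    return sorted({user for _, _, user, _ in events if user in retired})
```

In practice both checks would run on the SIEM or log-alerting layer described earlier, with the retired-account roster fed from the agency's offboarding process.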
A red team is a group of coworkers or an outside firm that knows how to penetrate your network. They launch attacks to show all of your vulnerabilities.
“If you look at it one way it’s embarrassing because it almost always succeeds, but it’s really effective in showing you where the holes in your network are, and it could do a lot of good,” said Stammberger.