The Senate Committee on Commerce, Science, and Transportation along with the Committee on Environment and Public Works held separate hearings on July 27 and July 21, respectively, to examine the potential cybersecurity threats currently facing U.S. infrastructure.
[Above photo by the Architect of the Capitol]
“Our nation relies on more than 2.8 million miles of pipelines, 140,000 miles of railroad track, 4 million miles of roads, 11 million trucks, 361 ports, and nearly 20,000 airports,” noted Sen. Maria Cantwell, D-Wash., chair of the Commerce committee in her opening remarks at the July 27 hearing.
“[This] infrastructure increasingly depends on information technology systems and electronic data that are very susceptible to cyber threats,” she added. “The rapid growth in the number and sophistication of cyber-attacks is the alarm bell ringing about the need to immediately bolster the cybersecurity of our critical infrastructure.”
Polly Trottenberg, deputy secretary for the U.S. Department of Transportation, testified during the hearing that the nation’s transportation infrastructure “has long been a bedrock of our national security and economic prosperity” yet also faces “persistent and increasingly sophisticated cyberattacks” that require “proactive, coordinated, and agile responses.”
Trottenberg noted in her written testimony that Colonial Pipeline cybersecurity incident “spotlighted the importance of trusted and timely information sharing as well as public and private sector partnership in transportation cybersecurity. It also underscored that we need to keep learning and adapting quickly to meet increasingly complex and sophisticated cybersecurity challenges.”
She added that the “nexus” between transportation infrastructure and national security “centers on global competitiveness, climate change, and cybersecurity. As a nation, we need to take all three seriously.”
Trottenberg also emphasized that advances in hardware, software, and computational capabilities have brought “significant safety and efficiency benefits” to the nation’s infrastructure, yet “those advances, along with the merging of digital and physical systems and the increased reliance on data, are introducing new cybersecurity risks.”
The Senate EPW committee hearing on July 21 delved more deeply into the nature of the digital systems helping manage the nation’s transportation network as well as the specific cyber risks those systems face.
“All of us gathered here today understand the importance of protecting our nation’s critical infrastructure. Yet, in the past year alone, we have witnessed several major cyberattacks that have hobbled critical systems across our country,” noted Sen. Tom Carper, D-Del., in his opening remarks.
“Unfortunately, no government agency or industry is immune to attacks from the vast array of bad actors who seek to undermine our security and profit from our vulnerabilities,” he said.
“We face threats from unscrupulous individuals, criminal enterprises, and antagonistic state actors 24 hours a day and seven days a week,” Sen. Carper noted.
“On our roads and bridges, vehicles and infrastructure are becoming more connected and smarter, with these types of advancements increased data [yet] access to that data can result in safety and privacy threats,” added Ranking Member Shelley Moore Capito, R-W.Va., in her remarks.
“It opens our transportation system up to vulnerabilities that didn’t exist in the past,” she said.
Shailen Bhatt, president and CEO of the Intelligent Transportation Society of America – who is leaving ITS America in late August to join global infrastructure consulting firm AECOM – noted that, in the last three years alone, the United States has seen a 900 percent increase in attacks focused on operational technology used in traffic management signaling systems.
“Cyber threats are becoming increasingly sophisticated and target transportation’s interconnected data systems,” he said in his remarks. “As cyber technology becomes more sophisticated, the threat from attack is moving from data breaches to interrupting physical critical infrastructure, exposing transportation operators to economic and reputational damage. More important than these harms or damage to infrastructure is the potential harm to the nation’s transportation system.”
Bhatt explained that even more cyber vigilance is required in the near future as state and local transportation agencies migrate systems to the cloud.
“More prevalent cloud attacks include stolen credentials, typically via phishing, exploitation of cloud misconfigurations, and vulnerable cloud application hacking,” he said. That is cause for concern as intelligent transportation systems are “transforming” how the nation maintains and builds new roads and bridges.
“Integrating technology into the infrastructure, including sensors and advanced monitoring systems that can track roadway and bridge conditions, alerts state and local transportation agencies of any disruptions or extreme weather conditions,” he said.
“While advancements in technology have made the transportation system safer and more connected than ever, this connectivity brings increased cyber risk – and these risks have the potential to threaten the system, the economy, and people’s lives,” Bhatt noted.