Drivers line up at an Arlington, Va., gas station to buy fuel as gas shortages continue on May 13 after the Colonial Pipeline fell victim to a ransomware attack that affected its information technology systems and disrupted the flow of gasoline to several mid-Atlantic states on May 8. Photo by Jemal Countess/UPI
WASHINGTON, Dec. 2 (UPI) -- In response to rising concerns about cyberattacks on the nation's airports, pipelines and water systems, federal transportation officials discussed potential solutions, including mandatory cybersecurity audits and software oversight, at a House Transportation and Infrastructure Committee hearing Thursday.
Just as personal email addresses and credit card information can be hacked, the nation's transportation and energy infrastructure is at high risk for Internet attacks that could reveal classified information, dismantle IT systems and shut down operations, according to a Government Accountability Office report released Thursday before the hearing. These attacks could come from malicious individuals, criminal organizations, other countries or foreign groups.
Nick Marinos, the GAO's director of information technology and cybersecurity, told the committee that federal agencies have neglected to update cybersecurity policies and their software systems.
"We're constantly operating behind the eight-ball," Marinos said. "The reality is that it just takes one successful cyberattack to take down an organization."
In May, a criminal hacking group hacked the Colonial Pipeline's computer management system, causing the pipeline to shut down from May 7-12. The cyberattack had major repercussions: the pipeline provides diesel to the southeastern United States, and Rep. Carolyn Bourdeaux, D-Ga., told the committee that 43% of the gas stations in her state were out of service during the shutdown.
Federal agencies are susceptible to similar attacks. Kevin Dorsey, the assistant inspector general for IT audits at the Department of Transportation, said the DOT has a long history of cybersecurity shortcomings. The DOT has failed to address 66 prior audit recommendations involving 10,000 identified vulnerabilities, Dorsey said.
He recommended the development of a departmentwide cybersecurity strategy to address recurring weaknesses, protect sensitive information and coordinate with other agencies and industry partners. Dorsey said the DOT also lacks a departmentwide cybersecurity coordinator to be responsible for fixing such shortcomings.
But Cordell Schachter, the DOT's chief information officer, defended the agency's cybersecurity as on par with, or even ahead of, other federal agencies.
"We have begun a series of cyber-sprints to complete tasks and make plans to meet our federal cybersecurity requirements and implement best practices," Schachter said. He cited departmentwide improvements in system access control, website security, and oversight coordination across DOT.
President Joe Biden's infrastructure bill, which he signed into law Nov. 15, provides funding to improve the national highway system and other public transportation systems' cybersecurity preparedness. The bill also allocates $21 million through September 2022 to the Office of the National Cyber Director, the president's principal adviser on cybersecurity policy.