Officials at Washington D.C.’s Metro, the Metropolitan Area Transit Authority, said that while they are not publicly sharing the results of a recent internal cybersecurity audit, they intend to improve their cybersecurity strategies after the results revealed that the agency is vulnerable to attacks.
Infosecurity Magazine contacted Metro who has yet to return our call. In a statement, Metro Inspector General Geoffrey A. Cherrington said, “By its nature, such an audit in the wrong hands could expose vulnerabilities and thereby undermine our shared goal of making [Metro’s] IT environment even more secure. For that reason, we have made an exception to our standard practice of posting audits to our website, and this one will be withheld from release.”
The audit was reportedly conducted behind closed doors by Metro’s board of directors in late June, and the results remain classified in order to help prevent any future attacks should malicious actors try to exploit any of the known vulnerabilities that were identified.
Transportation is one of the areas of primary concern when it comes to attacks on critical infrastructure, and the Washington Post reported that the weaknesses identified in Metro's audit could potentially endanger its security system and possibly imperil safety and day-to-day operations.
This recent audit is only one of several security-related audits scheduled over the next fiscal year. The June audit focused largely on Metro’s incident response plan and looked to identify where its people, processes and procedures could be improved. Across all sectors of cybersecurity, the growing skills gap limits an organization’s ability to detect and respond to attacks. The results of Metro’s audit showed where its most vulnerable, paving the path to minimize gaps in order to reduce risk.
The next six scheduled reviews will examine additional risks, “from a massive data breach of SmarTrip card information to potential attacks that could interfere with critical safety operations such as rail traffic control systems, gas and fire sensors, the power grid, station ventilation, and voice and data communications,” according to the Washington Post.