Honolulu transportation officials continue to restore online services shut down by a ransomware attack — collaborating with other entities that have fallen victim on how to best fortify systems against the barrage of cyber assaults.
The city transportation services network intrusions and disruptions on Dec. 9 infiltrated online services for TheBus, TheHandi-Van, TheBus app and its Holo card system.
City information technology officials speculate the attack was the work of hackers affiliated with Russia but acknowledge the investigation into the incident by the FBI, Honolulu police and U.S. Secret Service is ongoing. A warning not to interfere while the hackers infiltrated OTS systems was allegedly connected to a Russian email address.
Separately last week, an apparent ransomware attack infiltrated and shut down the time-keeping services for employees at the Board of Water Supply and Emergency Medical Services — part of a nationwide offensive on public and private networks that could take weeks to fix.
Over the past year, scheduling, real-time location services, and operating systems for buses and paratransit services in five other municipal transportation entities have also come under attack.
“We don’t have any specific knowledge of targeted information, but are collaborating with other transit agencies and authorities who have experienced similar cyber-attacks in the past year,” Travis Ota, spokesman for the city Department of Transportation Services, in a statement to the Honolulu Star-Advertiser.
The city and OTS are working with the San Francisco Municipal Transportation Agency, New York Metropolitan Transportation Authority, Santa Clara Valley (Calif.) Transportation Authority, Dallas Area Rapid Transit and Ann Arbor (Mich.) Area Transportation Authority to understand the system disruption.
The Cyber Security Infrastructure and Security Agency determined that Chinese government cyber actors compromised New York’s MTA.
“The Transportation Systems Sector faces a multitude of cyber threats at the hands of criminals, hackers, insiders, and nation-state actors,” according to an October presentation by Benjamin Gilbert, CISA cybersecurity adviser, Region III. “Disruptive attacks, such as cyber physical manipulation, GPS spoofing and jamming, represent low-frequency — but potentially catastrophic threats — to the transportation industry.”
CISA scanned the systems of 33 U.S. transportation services looking for vulnerabilities and recommending security improvements:
>> 54.5% had “risky services” on internet-accessible hosts.
>> 48.5% of agencies ran “unsupported Windows operating systems” that no longer receive routine security updates, increasing exposure to vulnerabilities that can enable compromise, according to CISA.
>> 54.5% had email filtering controls that were bypassed by spear-phishing emails, “suggesting threat actors may have similar success when launching phishing attacks.”
On Friday, Oahu Transit Services restored the Holo card system services that allow users to prepay for rides with TheBus and TheHandi-Van. The Dec. 9 cyberattack disabled OTS’ administrative and operating systems that manage TheBus and TheHandi-Van.
The Holo card services are not connected to the OTS’ servers and “were halted out of an abundance of caution following the cyberattack.” Users are still required to tap their card against the reader to board TheBus.
As of Friday, real-time location services and transit applications remained offline. Some apps only display trip planning and arrivals based on scheduled times, according to a news release.
“Since the first day of the attack, OTS has worked around the clock to reinstall software on all affected servers and workstations to restore operations and ensure strict compliance with the most current and secure network configurations and settings,” said Ota. “We understand how important real-time, up-to-the-minute transit arrivals for TheBus and TheHandi-Van are for our passengers and are now focused on restoring those services which power HEA (Honolulu Estimated Arrivals), Google Maps, Transit App, DaBus, and EVA (Estimated Van Arrivals).”
Bus operators will allow riders to board provided they produce their Holo cards. If the onboard validator displays an “Out of Service” screen, riders must show a valid pass or demonstrate their Holo cards are funded sufficiently.
What the outage has cost over the past 12 days is tough to calculate.
“The HOLO system allows passengers to store monthly passes or to achieve day passes or monthly passes through an innovative fare capping program. Because of this capping program, it is difficult to determine the net revenue lost for the month of December until the end of the month. Cash fares were still required for passengers who did not have a HOLO card,” Ota said.
Those who rely on stored value in their account can still achieve the benefit of a monthly pass through the fare capping program. The capping program ensures no rider will pay more each month than a monthly pass would have cost them, Ota said.
“Card holders who rode during the system outage using stored value can still tap rides after the system was restored on Friday, to earn value towards their December monthly cap,” said Ota.
Most card users buy monthly passes, Ota said.
Retail locations for reloading and distributing Holo cards are back online. For up-to-date locations, visit holocard.net/where-to-obtain-load-a-card.