Skip to main content

SPP Students Evaluate DC Metro Cyber Risks

Back to All News
WMATA cyber photo

In 2018 alone, ridership on the Washington Metropolitan Area Transit Authority (WMATA) rail system totaled around 174 million trips, with the rail and bus system having served a population of four million passengers. What would happen if a cyber attack brought that rail system down? Could buses scale up to meet the demand, or would our economy grind to a halt as thousands of employees struggle to make it to work? Two students sought to find out how close this scenario is to becoming a reality.

This spring, Cody O’Brien ‘20 and Tyler Ziegler '19 MPP '20, in conjunction with the office of Congressman Anthony Brown (D-Md.), conducted research evaluating the cyber risks to train and metro rail infrastructure in the Washington D.C. metro area, as well as potential railcar supply chain vulnerabilities. 

“Municipal transit operators need to understand how their systems could be exploited and ultimately shut down by hostile actors,” said Ziegler. “In today’s world, this is easier than ever due to the fact that subways systems rely so heavily on unsecured industrial control systems that assume a majority of a subway system’s overall operations.”

With the critical role public transportation plays in society, many rely on the metro for travel to work or to school, for recreation or for errands. Residents sometimes make determinations on where to live based on the quality of public transportation options or proximity to Metro stops, according to Ziegler. For a city such as Washington, D.C. to operate a robust public transportation system in peak condition is essential to maintaining consumer trust. For Ziegler and O’Brien, this meant looking holistically at the state of national transportation infrastructure.

Ziegler looked at the Federal Transit Administration’s Buy America program and how it has affected transportation infrastructure, as well as the ongoing efforts to regulate the use and procurement of Internet of Things/ Industrial Internet of Things (IoT/IIoT) devices in federal contracts. He found that the Buy America requirements artificially increase the price of infrastructure products while not actually providing much protection to American workers.

“Frankly, it has actually ended up being detrimental to the rail manufacturing market overall,” said Ziegler. “While I understand that Buy America is popular with voters, it is not terribly prudent public policy.”

O’Brien conducted interviews with cybersecurity experts and completed a literature review of both risk management practices used in U.S. critical infrastructure and best practices used by critical infrastructure software vendors before performing a cyber risk assessment for Congressman Brown’s office. 

“One of the biggest challenges to the government in securing the nation’s critical infrastructure is the fact that roughly 85% of the assets reside in private hands,” said O’Brien. 

The students noted that those assets have a heavy reliance on unsecured IoT/IIoT devices. While any transportation system in any city can be a target of a cyber attack, the WMATA in particular travels near nationally critical buildings such as the White House, Capitol Hill, and Ronald Reagan National Airport, and services a population that works within those buildings. This is part of the reason why Congressman Brown worked with the students in the first place.

“This is an issue which impacts both our national security and the safety of our communities in the Washington D.C region. Safe, reliable infrastructure that is resistant to cyberattacks from bad actors is essential to keeping our residents moving and ensuring the important work of the nation’s capital continues to benefit Americans across the country,” said Congressman Brown. “My staff and I appreciate Cody and Tyler’s research and recommendations, and look forward to continuing this productive partnership with the University of Maryland.”

The project gave the two students first-hand experience in answering a research question for a policy client. By completing a cybersecurity risk analysis of rail infrastructure for Congressman Brown’s office, Ziegler and O’Brien began to understand how policy can affect a very technical field while developing the skills necessary to thrive in that field.

“The policy world can be messy, fast moving, and we’re often dealing with imperfect information,” said O’Brien. “When operating in such an environment, it’s important to be able to rely on experts and translate complex ideas as succinctly as possible for the leader or policymaker. I think this project was the quintessential exercise of that idea.”

For Media Inquiries:
Devin Entrikin
Communications Manager, CISSM
For More from the School of Public Policy:
Sign up for SPP News