Untangling the OTS cyber attack
The press release went out at 8:03 a.m. yesterday morning.
"The City and County of Honolulu Department of Transportation Services (DTS) is investigating a massive shut down of online servers at Oahu Transit Services (OTS), operator of the City’s TheBus and TheHandi-Van, due to a possible cyber-attack. All OTS networks are affected."
Fortunately, TheBus was largely unaffected. Honolulu's extensive city bus network logs more than 62 million rides per year. (And that's a low number, compared to a high of 77 million in 2009.)
What was affected was TheHandi-Van, a public transit service for persons with disabilities who are unable to use TheBus. OTS staff were unable to access the day's reservations, requiring clients to call to reschedule pickups.
According to OTS spokesperson Travis Ota, TheHandi-Van sees roughly 2,500 trips on an average day. Usually, these are multiple trips for the same person (roundtrips), so the disruption could affect roughly 1,000 riders a day.
The "massive shut down" also affected both sales and use of the relatively new HOLO transit pass system. And as of this writing, the TheBus website is still down.
"OTS servers are separate from the city servers, and all other city operations remain the same," the release noted.
Still, "a possible cyber-attack" sounded serious.
Civic services in the crosshairs
A few years ago, most of the headlines surrounding computer hacks and data breaches focused on large companies, and mostly technology firms. But cybercriminals quickly broadened their scope and went after other sectors, notably the already sensitive healthcare industry.
(I've written about privacy and cybersecurity for the Paubox blog, and the vast majority of pieces were about cyberattacks on hospitals and health plans.)
More troubling were attacks on regional infrastructure. The Colonial Pipeline hack over the summer was just the most frightening example. Now, money didn't seem like the only plausible motive, as disrupting public services could easily be political in nature.
The transportation sector was certainly not immune. As a part of a city's critical infrastructure, the impact of an attack is incredibly broad. What's worse, the transportation sector overall has fallen behind in cybersecurity, with only 60 percent of agencies prepared with a cyber attack response plan.
New York has been hit, as has Atlanta and San Francisco. So has Toronto. In fact, just two months ago, TheRide -- the similarly named service of the Ann Arbor Area Transportation Authority -- was hit by a similar attack.
Could OTS, TheBus, and TheHandiVan have been specifically targeted? It's a possibility.
Defining a cyber attack
For most of the day, the only details we had came from the original release from OTS. "A massive shut down of online servers" due to "a possible cyber-attack." Not surprisingly, many online commenters joked that someone in the office had just "pushed the wrong button."
The second press release out of OTS was titled succinctly: "Oahu Transit Services hit with a cyber-attack."
The attack "caused a mass disabling of online servers to both administrative and operating access related to TheBus and TheHandi-Van," and the city and agency are "working with the Federal Bureau of Investigations (FBI), the Secret Service, and the Honolulu Police Department (HPD) to gather evidence."
Still, what sort of attack? The phrase "cyber attack" conjures images of shrouded figures crouched over glowing computers, stabbing at and burrowing into a victim's computer. It sounds like a concerted, deliberate effort to overcome defenses and pillage data through a hole in a high-tech border wall.
The reality is much more mundane.
Most cyber attacks come in the form of ransomware -- malicious computer programs that basically rounds up every program and piece of data on a machine and locks it up in such a way that no one can access it.
And how do these data encryption gremlins gain access to an organization? Nine times out of ten, an employee clicks a link or opens an attachment they shouldn't have, and activates the ransomware from the inside.
Is that what happened here?
No details provided
Photo courtesy Oahu Transit Services.
The second press release, which was sent out after 3:30 p.m., helpfully announced a press conference where OTS would provide more information... at 4:00 p.m.
Fortunately, the local media were able to scramble, and lobbed a few questions at OTS head Roger Morton.
"This morning we had an incident with an Oahu Transit Services contractor," Morton opened, already suggesting a possible scapegoat. "Multiple servers at the OTS administrative offices stopped operating, shut down."
In the mean time, he said, they're operating on a manual request and dispatch system, "taking us back to the 1970s time frame."
How did it happen?
"We don't know exactly how it happened, and the matter is being investigated by specialists from the various law enforcement agencies," he replied. "I'm reluctant to characterize it in any way because it may impact the ongoing investigation."
Was this a ransomware attack? (Good question, Mark Ladao of the Star-Advertiser.)
"It has the trappings of a ransom attack, but we have not been able to fully investigate that," Morton said. "We do not have any specific demand for money, but it has the trappings of a ransom demand, that's certainly a possibility."
It's not clear what Morton means by "the trappings" of a ransomware attack, but that would explain "a massive shut down." The lack of a ransom demand is odd, but not unheard of.
"We are trying to rebuild servers to take care of our critical systems right now, we're doing that with some backed up data," Morton explained. "For the next day or so we will be relying on our improvised systems."
The biggest question with any cyber attack is whether sensitive information was accessed by the hackers. And since the affected systems are now knotted up in a ball of cold, hard math, it's impossible to know for sure.
"We will be updating you regularly or immediately when more information becomes available," an OTS spokesperson added. "Definitely tomorrow there will be touch points where we have status on our network availability and we will take that opportunity as soon as we're aware to reach out and have a press release or a press conference."
I think it's very unlikely a culprit will be identified. It's very likely OTS will have to rebuild, rather than recover, the affected systems.
And it's still possible that someone on the inside "pushed the wrong button."
Image by Seksan Mongkhonkhamsao/Getty Images.