- We expect U.S. transportation infrastructure enterprises will be targeted more frequently for cyberattacks given their role as providers of critical infrastructure for the movement of people and goods. Overall, we view risks as moderate, although there are lower-probability, high-impact risks within the sector.
- Across the transportation subsectors, particularly for ports, mass transit operators, and airports that have federal cyber oversight and regulation, management teams have implemented cyber security policies and procedures to mitigate long-term credit risk, supported by ample liquidity to buffer a disruption in operations.
- S&P Global Ratings evaluates cyber risks for transportation providers within our management and governance assessment and they are viewed as a component of governance within our environmental, social, and governance credit factors.
- To date, cyberattacks affecting transportation infrastructure providers have typically been short in duration with minimal lasting effects on operations and key financial metrics; consequently, we have not seen any longer-term effect on entity creditworthiness within the sector yet.
As cyberattacks increase in sophistication and frequency, U.S. transportation infrastructure operators--including airports, mass transit, toll roads, ports, and parking issuers--continue to embed cyber security into their comprehensive risk-mitigation strategies. We believe most U.S. transportation issuers' cyber preparedness will support credit fundamentals and prevent significant financial, operational, or reputational fallout that can result from an attack. Exposure to cyberattacks, malware, ransomware, and other security breaches are significant risks for transportation providers; however, given the complex operating model and the role of federal oversight for some operators, we do not view cyberattacks as a critical risk for long-term operations and credit quality. In our view, well-managed operators are taking steps to mitigate their exposure to event risk stemming from cyberattacks. Although the inability to fully restore operations in a timely manner after a cyberattack could affect several rating factors, we believe most cyberattacks among transportation providers will likely be short in duration with minimal lasting effects on operations and key financial metrics. To date, no negative rating actions have been associated with a cyberattack on U.S. transportation infrastructure enterprises.
Geopolitical Events Can Lead To Increased Cyber Risk For Transportation Providers
The use of cyberattacks as an instrument to impair an entity or disrupt operations due to geopolitical tensions poses unique risks to public finance issuers, particularly for transportation issuers given their role as providers of critical infrastructure. The FBI listed cyber as one of its top risks to the nation in 2020 and we've seen cyberattacks become an embedded part of hybrid warfare (see "Cyber Threat Brief: How Worried Should We Be About Cyber Attacks On Ukraine?" published Feb. 22, 2022, on RatingsDirect). For a politically motivated or state-sponsored cyber criminal, targeting critical infrastructure providers creates a scenario where risks to the attacker are potentially low and rewards for disruption can be high. In the past, municipal institutions were much more insulated from risks posed by geopolitical conflicts. Today, technological innovation and the efficiencies it creates for municipal institutions have transformed how business is conducted. However, the reliance on technology as a benchmark of critical municipal infrastructure means that institutions can now be targeted in ways that were not possible in the past. We expect cyberattacks on transportation providers will increase in frequency, as evidenced by very visible recent high-profile attacks on major port facilities, airports, and mass transit agencies.
Proactive Management Teams And Governance Policies Are Key To Good Cyber Hygiene
Within our "Global Not-For-Profit Transportation Infrastructure Enterprises" criteria), we evaluate cyber security preparedness for transportation issuers through the risk management and financial management subcategory within our management and governance assessment. If we view a transportation operator as lacking sufficient risk-management policies and practices, it can weaken our view of the issuer's overall management and governance assessment, often resulting in a lower rating than that on otherwise comparable peers with stronger policies. As cyberattacks increase in sophistication and frequency, we observe strong and extremely strong management teams embedding cybersecurity into their comprehensive risk-mitigation strategies. Along with the management and governance assessment, we view risk management and mitigation as a component of governance within our environmental, social, and governance (ESG) credit factors (See "ESG Brief: Cyber Risk Management In U.S. Public Finance", June 28, 2021).
A telling sign that transportation providers are taking cyber preparedness seriously is the elevation or creation of new positions within senior management to address cyber risk, such as a chief information officer or chief information security officer. Our analysis of management's cyber hygiene pertains to policies and procedures that can be used to prepare for, respond to, and recover from potential cyber threats to mitigate financial and operational risk. In addition, we evaluate the sufficiency of an issuer's liquidity position, including cyber insurance policies, to recover from a disruption in cash flow after a cyber incident. Although cyber insurance may mitigate risk, we note that premiums continue to rise due to the increased frequency and severity of cyberattacks and greater systemic vulnerabilities. For additional information, see "Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market", July 26, 2022.
Overall, we believe management teams are rising to the challenge of thwarting potential cyber intrusion by adopting policies and practices to assure that if cyberattacks occur, there are clear mitigation strategies in place that allow operations to continue without debilitating effects.
What We're Watching
Our approach to understanding cyber risk exposure focuses on the tenets of "prepare, respond, recover," which include understanding the degree of access controls that are in place, system redundancies, and monitoring processes. Monitoring systems that support early detection are one of the most important strategies to reduce the potential impact of an attack. There have been cyber breaches within the public finance sector that have not been uncovered for weeks, which can result in exponentially worse outcomes. If a cyber incident occurs, it is important to understand the response and recovery plans, including whether the provider and its assets can continue to function off-network and independently; and whether safeguards are in place to respond to a worst-case scenario.
Issuer disclosure is extremely important in determining not only the potential risks but also the mitigation measures. These could include drafting response plans for a potential cyber security attack and ensuring those plans are updated and tested regularly with walkthroughs and full-scale exercises.
S&P Global Ratings' assessment of a transportation provider's strategy to prepare for, respond to, and recover from a cyberattack uses principles similar to those set out in the National Institute of Standards & Technology (NIST) framework and by the Center for Internet Security, among others (chart 3). In our view, the emphasis on prevention, response, and recovery is a key element of an effective cyber security strategy.
Although there isn't a single standard for cyber preparedness, industry associations and federal agencies have provided guidance, recommendations, and tools for transportation providers to assess their cyber resilience. In lieu of a single standard, we look to the issuer to demonstrate how it incorporates best practices into its information technology (IT) systems, assets, risk assessments, and employee training.
We will continue to track cyber resiliency in the transportation sector as well as whether a federal standard will be set, which we believe would help the industry because it would set a minimum floor for cyber resilience and provide guidance for smaller providers that might not have the sophistication or budget to implement sufficient planning. Even where there is no direct federal oversight, various states and insurance providers are moving to require that basic cybersecurity measures are in place. Among transportation providers, we note federal regulation, oversight, and support within a few asset classes for cyber risk.
Third-Party Vendor Risk Must Be Addressed
Innovation and emerging digital technologies are continuously reshaping an interconnected world. The way in which transportation providers conduct their day-to-day operations has changed significantly as they become increasingly dependent on technology. The gradual transition to remote services and work began before the COVID-19 pandemic, but prioritization and demand for third-party digital infrastructure accelerated during the pandemic and it will likely remain a key business need.
The deployment of third-party technologies and associated spending increased at a frenetic pace over the past five years. Although S&P Global Ratings believes outsourcing and procurement of third-party managed services will continue and offers substantial benefits, including cost savings and improved service delivery, it can also introduce new vulnerabilities to cyberattacks if risks are not properly mitigated.
We believe the digitalization in operations and IT services can increase risks of cyberattacks for transportation providers if proper vendor risk management is not in place. This could include payment collections such as EZ-Pass for toll roads or software providers for airports. As a result, integration of third-party vendor risks into a comprehensive cyber-defense strategy is an important aspect for transportation providers to help reduce the frequency and mitigate the effects of cyberattacks. For additional information, see "Cyber Risk In A New Era: Are Third-Party Vendors Unwitting Cyber Trojan Horses For U.S. Public Finance?," Oct. 25, 2021.
U.S. Transportation Cybersecurity Case Studies
A key takeaway from our analysis of U.S. transportation providers is that good cyber hygiene generally lessens the likelihood of a credit rating impact from a cyberattack, as illustrated by the following case studies.
New York Metropolitan Transit Authority (MTA). In April 2021, the MTA reported that hackers with suspected ties to China gained access to certain computer systems, but did not make any changes to operations, compromise any accounts, or collect any employee or customer information; nor did they gain access to systems that control train cars. Although the attack did not disrupt operations or affect financial metrics, it exposes vulnerabilities in the largest transportation provider in the U.S. However, the MTA was successful in quickly identifying the attack and aggressively responding to mitigate longer-term credit risk.
U.S. airports denial-of-service (DOS) cyberattack. On Oct. 10, 2022, at least 14 airport websites were affected by a DOS cyberattack attributed to pro-Russian hackers, although this resulted in no disruption to airport operations or access to information. The cyberattacks claimed by Killnet affected the websites for Los Angeles International Airport, Chicago O'Hare International Airport, and Hartsfield-Jackson International Airport, among others. The attack made airports' public-facing websites inaccessible to the public; however, no internal airport systems were compromised, nor were operations disrupted.
Port of Houston. The Port of Houston was targeted in an attempted cyberattack by nation-state hackers in August 2021 but successfully defended itself following its facilities security plan, as guided under the Maritime Transportation Security Act. Hackers exploited a previously unknown vulnerability in password-management software to break into one of the port's web servers, although the breach was detected about 90 minutes after the initial hack. No operational data or systems were affected.
S&P Global Ratings continues to assess cyber risks in the transportation sector as part of its regular surveillance, as well as in response to reported incidents. Issuers should be prepared to discuss this topic in their annual surveillance meetings with analysts, or shortly after any significant data breach, including threat identification and response and other risk-mitigation steps that they have in place and are currently following.
This report does not constitute a rating action.
|Primary Credit Analyst:||Scott Shad, Centennial (1) 303-721-4941;|
|Secondary Contacts:||Tiffany Tribbitt, New York + 1 (212) 438 8218;|
|Geoffrey E Buswick, Boston + 1 (617) 530 8311;|
|Kurt E Forsgren, Boston + 1 (617) 530 8308;|
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.