Public transportation threat matrix evolves with geo-political climate

Dec. 13, 2019
New security challenges face transportation sectors on both the physical and cyber fronts

Over the past month, public transportation networks in three major metropolitan cities on three different continents were shut down because of political ideology. In Hong Kong, Barcelona, and Santiago, Chile, protesters all focused demonstrations - and sometimes violent attacks - against public train stations and networks. In some cases, violent individuals smashed glass panels, destroyed ticketing machines and wrecked turnstiles, forcing system operators to either close individual stations or sometimes entire lines, disrupting hundreds of thousands of passengers.

Public transportation networks are a popular target for a variety of hostile actors, from terrorists and criminal extortionists to cyber attackers and protest movements. The central role public transportation systems have in the functioning of major cities (and countries), and the very fact that they are “public” and therefore open to virtually anyone, make them obvious targets. Disrupting public transportation networks requires surprisingly little effort but allows even the smallest group of people (sometimes just individuals) to gain leverage on the governments or government-owned companies that are responsible for keeping transportation channels open.

Profiling the Threat

The attractiveness of attacking public transportation nodes for political gain is nothing new: transnational jihadist groups targeted public buses, subways, and trains in a series of mass-casualty attacks from 2004-2010 in Madrid, London, Mumbai and Moscow. Hundreds of attacks preceded those, including one of the deadliest post-World War II attacks in Europe: the 1980 train station bombing in Bologna, Italy, blamed on the neo-fascist Armed Revolutionary Nuclei, which killed more than 80 people. Terrorist actors continue to target public transportation networks: in 2017, an Islamic State-trained citizen of Kyrgyzstan blew himself up on a subway car in St. Petersburg, Russia, killing 14 people and himself. However, most recent terrorist attacks on public transportation have paled in comparison to the massive, multi-point attacks from the previous decade.

This is due to the shift in terrorism in the West away from a threat based on professional cadres to grassroots operatives, combined with security enhancements put in place following earlier attacks that make public transportation a harder target. An attack in 2017 - this time targeting New York’s metro system - involved the detonation of a shoddy pipe bomb in an underground passageway. That attack injured three people, but only the bomber was seriously injured. A few months earlier on the London Tube, a bucket filled with homemade triacetone triperoxide caught on fire but failed to detonate. Passengers were able to evacuate and the bomb squad to render the device safe.

Some individuals motivated by groups like the Islamic State (but not necessarily trained by them) have tried for spectacular attacks. European authorities coordinated to arrest a group of three earlier this year who were connected to two attempts to derail high-speed trains in Germany in late 2018. While the attacks had the potential to be catastrophic, they ultimately failed on technical execution - a sign of inexperience and a lack of training on the part of the attackers. The dissolution of the Islamic State in Iraq and Syria, thanks to sustained military pressure, and increased domestic police surveillance on returning fighters or Islamic State supporters in Western countries have so far been successful at preventing trained terrorists from carrying out sophisticated and highly lethal attacks on public transportation networks in recent years. The threat of grassroots Islamic State sympathizers or mentally disturbed individuals (the difference is blurry) using a knife to target people at random in a busy train station is still very real, but the damage is much lower compared to previous terrorist campaigns.

It is also important not to forget the threat of anarchist terrorism or localized politically motivated campaigns against public transportation systems – which occur mostly in Europe. Suspected anarchists set fire to a transformer along a high-speed rail line in Italy in July 2019, disrupting travel along the rail line for 24 hours. The attack coincided with a trial against anarchists for a previous attack, but also fit the profile of a long-running sabotage campaign targeting the development of a rail line between Italy and France. While such attacks are often disruptive, they rarely target human lives.

A New Wave of Protest Threats

The terrorist threat to public transportation remains quite active. Counter-terrorism officials and local law enforcement will surely face continued efforts to attack buses, subways, and trains over the coming months and years as supporters of the Islamic State, al-Qaeda, and other regional groups try to cause catastrophic damage and create massive death tolls in spectacular attacks.

But the biggest disruptive threat to public transportation networks in 2019 has been protest actions. As noted earlier, in the month of October alone, protest movements in three major cities caused serious disruptions to public transportation. In Hong Kong, protests ongoing since June have increasingly targeted the city’s Mass Transit Railway (MTR). Radical protesters have smashed up ticketing machines, destroyed turnstiles, and otherwise defaced individual stations with graffiti and other acts of vandalism. MTR authorities have been forced to close stations early and, during particularly intense protest actions over the weekend, suspend service along entire lines to allow for clean-up and maintenance crews to do their work. On Oct. 5, the MTR took the unprecedented move of closing their entire subway system - including the airport express line - amidst an especially angry response to the government’s use of a colonial-era emergency ordinance law to crack down on ongoing protests. Hong Kong’s MTR averaged well over four million passengers a day during 2018 and, while the shutdown was less disruptive on a Saturday, it’s no exaggeration to say that millions of people were affected by that day’s closure. Dozens of other more localized closures and abbreviated operating hours over the course of several months have affected millions - if not tens of millions - more riders.

On Oct. 14, massive protests in Barcelona erupted following the sentencing of political leaders of an attempted secessionist movement in Catalonia two years prior. A highly coordinated social media campaign organized protesters to target the city’s international airport, as well as roads and public transportation links to the airport. They were ultimately successful, forcing the airport to suspend flight operations and blocking public trains and buses from getting passengers to and from the airport.

And, on Oct. 20, protests over rising public transportation costs in Santiago, Chile grew from small and sporadic to a big, countrywide phenomenon. Innocuous fare-jumping protest actions by students metastasized into direct attacks by anarchists using Molotov cocktails on metro stations that caused major damage to ticketing machines and turnstiles, along the lines of what protesters were doing across the Pacific Ocean in Hong Kong. Damages shut down an entire line of the metro network that officials were still working to repair two weeks later. Unlike Hong Kong and Barcelona protests, which started over demands for more independence from central governments and spread to public transportation because it was a target of opportunity, the Santiago protests started over a public transportation issue (a $0.04 fare hike) and spread to massive demonstrations and rioting in pursuit of more fundamental political changes.

Amidst the current wave of protest movements across South America and the world, public transportation is too tempting a target for demonstrators to pass up. We expect more disruptive protest actions to come. Extinction Rebellion and other climate change-related groups have made it a point to disrupt major cities by targeting ground transportation infrastructure and airports; however, environmental activists recently faced backlash in London from the very public they were trying to win over when they caused delays to the Tube during evening rush hour. It was a reminder that protest movements that rely on popular support are limited in how disruptive they can be when targeting public transportation infrastructure.

The Future is More Anonymous

Another long-term trend that Stratfor is monitoring is the use of hostile network activity (cyber-attacks) to target public transportation infrastructure. Network attacks on public transportation have not been nearly as common as ransomware attacks on municipal governments or hospitals, but there are certainly precedents. In 2017, the homepage of the Regional Transit authority in Sacramento, California, was defaced after city officials chose not to pay a hacker who was threatening follow-on attacks if they weren’t paid $8,000. The hacker followed through on the threat, deleting files from Sacramento Regional Transit’s database. Ultimately, transport operations were not disrupted, but employees had to scramble and run things manually while technicians restored the automated systems. Other major attacks against public transportation networks in San Francisco (2016), Sweden (2017), and Denmark (2018) caused little to no service disruptions but did lead to lost revenue due to either disabled ticketing systems or lost employee productivity - not to mention repairs.

The motivation for cyber-attacks on public transportation networks is similarly diverse: hostile nation state-backed hackers certainly have an interest and capability to wreak havoc on transportation support services dependent upon external connectivity, but common criminals can also use the tactic in attempts to extort money from local governments and transport authorities. As we’ve seen in the rash of ransomware attacks on cash-strapped municipal governments, sometimes the ransom demand (typically in the 4-5 figure range) is much cheaper than the process of fixing the underlying problem. Public transportation authorities are often similarly situated and are under public pressure to restore services as quickly as possible, a dynamic that helps criminal hackers collect extortion payments.

Protest movements can rally individuals to target public transportation as a force multiplier, and adding network disruptions, or substituting physical protest for cyber protest actions, amplifies the disruption even further. In Chile, we have seen hackers who are either part of the protest movement or sympathetic to it target Chilean police databases and release personal information on officers, jeopardizing their personal security and undermining their authority to deal with the unrest. Given that particular protest movement’s grievances with public transportation, the cyber threat to Santiago’s public transportation networks is very high. The anonymous nature of cyber threats means that attacks don’t even need to be manufactured in-house by protest movements - they can pay criminals to carry out a Distributed Denial of Service attack or appeal to a foreign government that has something to gain by maintaining unrest. The U.S. State Department has already warned of signs of foreign online support for the Chilean protests, but Chile’s case certainly is not unique in this regard.

New Physical and Cyber Threats Shape Transportation Security’s Future

Public transportation infrastructure faces a diverse threat environment that ranges from attacks against individuals by mentally unstable actors to cyber threats from common criminals or state actors - or state actors posing as common criminals. In order to protect the integrity of public transportation services that billions of people rely on every day around the world, system operators must maintain vigilance against the old threats while adapting to an environment of newer threats.

First, they must understand the political leverage attackers of any motivation can gain by compromising public transportation infrastructure: its openness and criticality make it a soft yet highly impactful target for anybody seeking political or financial concessions. Second, physical security and cooperation with national and international law enforcement and intelligence communities are crucial to preventing transnational or domestic terrorist groups from coordinating another massive attack against public buses, subways, and trains. Third, public transport authorities must have plans in place for how to respond to protest movements that target their infrastructure - even when the underlying grievances have nothing to do with transportation infrastructure. Fourth, and finally, network security and employee digital hygiene are just as important to public transportation as they are to governments and international financial institutions. The fate of millions of commuters can literally hang in the balance of one negligent click on a link.

About the author: Ben West is a Senior Global Security Analyst with Stratfor ThreatLens, a leading geopolitical intelligence platform that brings global events into a valuable perspective. As a global security analyst, West studies trends in terrorism, crime and espionage around the world. Since first joining Stratfor in 2007, his work has been featured by media outlets such as The Guardian, The Wall Street Journal, Bloomberg and The Washington Post. West has extensive experience abroad, having studied and worked in Germany, the United Kingdom, China, and Italy. Throughout this time, he worked in the international political and commercial sectors. He earned his master’s from Johns Hopkins School of Advanced International Studies, focusing his research on terrorist and criminal financial networks, and received his bachelor’s in International Relations from Boston University. West currently lives in Ho Chi Minh City, Vietnam.