Root cause analysis revealed several vulnerabilities related to a newly created, Internet-accessible virtual server that was connected directly into the CDOT network, ran with administrative privileges, and did not have OIT security controls in place. This server was compromised within two days of creation and was under SamSam ransomware attack one day later. Containment, eradication, and recovery of services required approximately four weeks.
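The combination the root cause analysis describes (Internet exposure, a direct path into the internal network, administrative privileges, and no security controls) is easy to catch with an inventory check before or shortly after a server is built. The following Python script is an added example, not code from the report or from CDOT/OIT: it scores virtual servers against that risk profile and ranks the findings. The required-control names, the record fields, and the sample hosts are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Controls every server must have before it is allowed on the network.
# These names are assumptions for this example, not OIT's actual control list.
REQUIRED_CONTROLS: Set[str] = {"edr", "patching", "central_logging", "mfa_remote_access"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class VirtualServer:
    name: str
    created: datetime
    internet_accessible: bool          # reachable from the Internet (public IP / NAT rule)
    direct_internal_network: bool      # attached to the internal network with no DMZ in between
    admin_privileges: bool             # runs services or accounts with administrative rights
    security_controls: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    server: str
    severity: str
    days_since_creation: int
    reasons: List[str]


def assess(server: VirtualServer, now: datetime) -> Optional[Finding]:
    """Return a Finding if the server matches the risk profile, else None."""
    reasons: List[str] = []
    missing = REQUIRED_CONTROLS - server.security_controls

    if server.internet_accessible and server.direct_internal_network:
        reasons.append("Internet-facing and attached directly to the internal network (no DMZ)")
    if server.internet_accessible and server.admin_privileges:
        reasons.append("Internet-facing and running with administrative privileges")
    if missing:
        reasons.append("missing required controls: " + ", ".join(sorted(missing)))
    if not reasons:
        return None

    # Exposure plus a path inward plus a gap in controls or privileges is the
    # combination the root cause analysis describes, so it ranks highest.
    if server.internet_accessible and server.direct_internal_network and (missing or server.admin_privileges):
        severity = "critical"
    elif server.internet_accessible:
        severity = "high"
    else:
        severity = "medium"

    return Finding(server.name, severity, (now - server.created).days, reasons)


def assess_inventory(servers: List[VirtualServer], now: datetime) -> List[Finding]:
    """Assess every server and return the findings, worst first."""
    findings = [f for f in (assess(s, now) for s in servers) if f is not None]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.server))


# Constructed sample inventory (not real CDOT hosts); the date is arbitrary.
NOW = datetime(2024, 1, 10)
SAMPLE_INVENTORY = [
    VirtualServer("web-vm-01", NOW - timedelta(days=1), True, True, True, set()),
    VirtualServer("intranet-app-02", NOW - timedelta(days=400), False, True, False, set(REQUIRED_CONTROLS)),
    VirtualServer("vpn-gw-03", NOW - timedelta(days=90), True, False, False, set(REQUIRED_CONTROLS)),
    VirtualServer("file-srv-04", NOW - timedelta(days=30), False, True, True, {"edr", "patching", "central_logging"}),
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY, NOW):
        print(f"[{f.severity.upper()}] {f.server} (created {f.days_since_creation} day(s) ago)")
        for r in f.reasons:
            print("   -", r)
```

Run against the sample inventory, the one-day-old Internet-facing host with no controls is reported as critical with all three reasons, while the properly segmented and instrumented VPN gateway produces no finding. Feeding the check with data from the virtualization platform's API on a schedule turns it into the kind of control that would have flagged the server in the report during its two-day window before compromise.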
Though CDOT operations were degraded, CDOT continued to execute its core mission to provide a multimodal transportation system for Colorado. This success may be attributed to a sound Continuity of Operations Plan that allowed CDOT to continue to operate and an OIT response that brought in the right people at the right time to contain and eradicate the threat. The creation of the UCG provided a clear direction and control structure that unified and focused the efforts of the numerous government agencies and private contractors involved. Though the State effectively responded to and recovered from this incident without paying the ransom, the threat to the State and its networks remains.