Cyber Security Issues Surrounding Transportation Systems

Since early 2013, a renewed focus has been put on the efforts of foreign actors to penetrate our transportation sector through sophisticated and well thought out cybersecurity attacks. Russia, China, North Korea, and Iran are the primary offenders and have made numerous attempts to cause havoc with our transportation management systems. It’s clearer now more than ever that the new battlefield will be fought in cyberspace. With no treaties or rules of engagement, it is imperative that the government and its people know the risks posed by cyber security breaches. Throughout my research, I found three articles that discuss vulnerabilities to our transportation management centers, ideas on how to mitigate cyber-attacks and thoughts on where to begin modernizing our transportation systems.

The first article reviewed concentrates on cybersecurity challenges facing our Transportation Management Centers (TMC). Written by Edward Fok, this article gives an in-depth overview of the cybersecurity risks to the transportation system with an emphasis on targeting transportation management centers. Fok begins section one by describing three groups he calls “threat agents.” The first group described is anyone with cybersecurity technical knowledge. Group 2 outlines anyone attached to organized crime rings, individuals who use another alias, and hackers that use programs like ransomware. Finally, Group 3 focuses on terrorists, which he states usually have significantly more resources than Groups 1 and 2.

In the second section, Fok lays out three steps a cyber attacker will take once they have successfully penetrated our transportation management center.  Step 1 Fok describes as network breaching and calls this an “attack surface.” He explains the reason attackers can complete this step is sometimes but not limited to poorly configured network devices, the opening of malware while on TMC systems, compromised associated systems, outdated firewall, bad authorizations or certificates, and unsanctioned physical access. Step 2 he calls scanning and mapping and describes this as where attackers begin to try to exploit software or organizations by targeting critical components. The example he uses is, if the TMC is attached to outside organizations such as government contractors or other agencies, scanning and mapping could potently expose them to attacks. He goes on by expressing that overlaying companies need to have strong cybersecurity measures in place not only through collaboratively but an individual. In the final step Fok, titles exploitation and egress and clarifies that this is when intruders become attackers and Steps 1 and 2 become a means for the attackers now to accomplish their mission.     

In section three Fok describes ways to address cybersecurity threats toward TMC’s with lessons learned from information technology and e-commerce industries. Understanding that there is no full proof method to defend against these threats Fok outlines potential ways to protect TCM systems better. The first way he mentions is to mitigate risks. He states that using tools like, “Cyber Security Evaluation Tool” will allow for a comprehensive analysis of your cybersecurity systems. Additionally, he believes that cybersecurity information training should be given to TCM operators to greater emphasize ways to protect against security threats. Finally, he believes that limiting outside entities would lessen the opportunity of attackers to create an attack surface or air-gapped networks. Fok further outlines that by reducing unnecessary external traffic, you can reduce the risk of rogue devices to being hidden or stashed in visitor areas.

I think Fok gave compelling examples in ways cybersecurity threats can occur. The main take away from this article to me was the significance everyday people play in the threat. One thing I feel Fok should have mentioned is the increased risk of cyber threats concerning Bluetooth technology. I have seen it firsthand that foreign agents from Russia and China have developed ways to not only track our Bluetooth signal but hack them and use them as listening posts. The ability for this to happen further emphasizes the need for increased training opportunities and the renewed focus on areas we can provide greater resources within our transportation infrastructure. It’s just not enough to prevent or reduce external traffic as Fok describes. The more important piece in my view is that it’s essential for employees to understand the role they play in avoiding direct attacks on our transportation management centers.

The second article reviewed is a piece that concentrates on cyber threats facing autonomous and connected vehicles. I feel this article is important because as autonomous advancements continue to become more and more prevalent supply chains will seek ways to reduce costs. One way I believe they will do this is by increasing dependence on autonomous motor carriers. This article helps illustrate the need for advanced cybersecurity measures due to an increase of networked computing devices, and connectivity requirements. Additionally, this article will help outline vulnerabilities associated with autonomous systems and provides insight to supply chain managers on areas to combat threats as this technology becomes more readily available.   

Beginning in section two the authors review cybersecurity vulnerabilities and ways to mitigate threats from CAVs, human aspect threats, and connecting infrastructure. Throughout the review, the authors present several weaknesses within CAVs ranging from low-level sensors, like light detection and ranging to vehicle control modules such as engine control units. According to the authors, lack of human procedural competence is believed to cause an increased cyber risk. In their eyes, there are several characteristics to blame for these risks such as privacy, and behavioral aspects. The authors expand on their believe that connecting infrastructure is going to play a huge role in how vehicles communicate with other cars, the drivers, and potentially the road. Existing technologies such as Bluetooth, and our dependence on radio, and cellular connections will provide multiple entry point for denial of service attacks. They also believe that manufacturers play a significant role in potential threats because of their use of hardware and software capable of being penetrated through denial of service attacks. The reason for this they say is that manufacturers continue this practice is because of how functional current supply chains are with regards to manufacturing capabilities.

In sections three and four the authors provide a table displaying a list of knowledge gaps they acknowledged throughout the literature review and potential impacts of cyber threats unless adequately addressed. The authors conclude by reestablishing their beliefs that vulnerabilities surrounding this technology are apparent and expressing the need to be proactive researching mitigation techniques.

I would first like to point out this article provided a vast, in-depth analysis of potential security risks to autonomous systems. I realize that this does not directly relate to transportation management now, but it will in the near future. The reason I say that is because most CAV projects are still in their infancy and there just isn’t yet a real focus on cyber security. The central theme of this article, however, was that these technologies are advancing at a rapid rate. Companies like Uber, Volvo, and Amazon are all testing autonomous systems to deliver cargo or provide individual transportation. The problem outlined is that there is substantial evidence that compromises can occur, and we lack reliable wide-ranging mitigation techniques. Additionally, it is my opinion that regulations are needed for foreign manufacturers supplying hardware or software to companies developing these systems within our country. The problem is that manufacturers are reluctant to change precedent regarding where they buy their goods. To them, there’s just too many risks to revenue or time delays. Without regulation imported hardware/software has the potential to be compromised. Furthermore, there are issues with personal identification information (PII) requirements once these systems become online. There is no concrete guidance on what PII if any will be required for the driver to operate these vehicles and lack of research outlining how operators will be able to detect cyber-attacks.

The third and final article reviewed was written by Econolite, Vice President, Gary Duncan and discussed concepts on how to stop cybercriminals at the traffic management system gates. Duncan begins by acknowledging the transportation industry’s technological revolution in intersection control has left systems vulnerable to hackers. He believes that after numerous well planned and thought out cyber-attacks that relying strictly on traffic management systems might not be enough to stop these attacks.

In the body of the article Duncan concedes that the transportation industry has a problem even if hackers have not yet compromised traffic management systems. Sighting the Sony Pictures cyber-attack and similar high-profile data-breaches to companies like Target and Home Depot, Duncan feels as though more and more hackers are becoming relentless in their quest to find vulnerabilities within our systems. Continuing Duncan expresses that he thinks the time is now to begin updating the National Transportation Communications for Intelligent Transportation System (ITS) Protocol (NTCIP) standards adopted in 1997. 

Duncan goes on describing what NTCIP overall responsibility is and expresses that, “no longer is component level security enough.” Additionally, he admits that NTCIP current standards have significant vulnerabilities hackers can access. Ability to access those systems would allow for hazardous deviations to databases and the ability to manipulate traffic movements and clearance timings. That has the potential to cause not only gridlock but cataphoric damage to personnel in worst-case scenario. Furthermore, Duncan closes by imploring his colleagues in ITS to assist him in exploratory cybersecurity threats within the traffic management system.

After reviewing this article, I concur with Duncan that there is a substantial need to address our NTCIP standards. Since 1997, there have been ground breaking advancements surrounding transportation systems. The responsibility for upgrading these systems doesn’t rest solely on the private sector but should be a collaboration with government entities like the State and Highway Transpiration Officials and the Department of Transportation. As more cities become “smart cities” two-way communication between autonomous vehicles and traffic signals will need to be free from cyber threats and the public must feel at ease. Failure to address these concerns will only delay transportation and supply chain advancements holding us stagnant as other countries modernize their infrastructure. 

In conclusion, I feel as though Fok missed an opportunity to address internal security concerns. The ability to access Bluetooth leaves transportation management centers with the responsibility to eliminate or at least limit its use within the workplace. I would further push those management centers to offer annual or semi-annual training to employees. Training on phishing, and malware tactics can ensure transportation management systems are safe from bad actors. Also, limiting employee access to certain sights and outlining the responsibilities employees share against cyber threats would help decrease the potential of an attack. Additionally, increased regulations or even screening of imported hardware and software would reduce the likelihood of foreign entities having a window into our autonomous networks. Setting strict PII guidelines will also reduce the resolve of hackers to perform data breaches. Furthermore, I agree with Duncan that there is pressing need to modernize NTCIP. As I mentioned earlier without upgrading theses system, it ensures vulnerabilities to autonomous carriers leading to an inability for transportation managers to safely modernize.

References

• Fok, E. (2015, February) Cyber Security Challenges: Protecting Your Transportation Management Center. Institute of Transportation Engineers. ITE Journal, 85(2), 32-36. 
• Parkinson, S., Ward, P., Wilson, K., Miller, J. (2017, November) Cyber Threats Facing Autonomous and Connected Vehicles: Future Challenges. IEEE Transactions on Intelligent Transportation Systems. ITE Journal, 18(2), 2898-2915.
• Duncan G., (2015, April) Stopping Cyber Criminals at the Traffic Management System Gates. Institute of Transportation Engineers. ITE Journal, 85(4), 11.