Introduction
Today's "cyber" transportation systems consist of a convergence of operating control systems and information technology networks that are blended together to enable the delivery of mission-critical services to the travelling public, shippers, and other users. This convergence has created a unique set of expanding opportunities for the transportation industry to deliver top-quality services; but simultaneously a new downside risk vector has evolved that threatens the functionality of transportation systems and the people who have come to rely upon them.
In the past, transportation systems were closed proprietary systems. Protected by "air gaps" and "security by obscurity," they had very limited cyber vulnerabilities compared to IT networks and systems. Over time there has been a shift from isolated systems to more connected systems. Proprietary applications have migrated to open protocols, inheriting vulnerabilities along the way. Remote sites and stand-alone systems are accessed through wireless and public or private networks. Formerly "closed" systems are integrated and shared, or there are in-place joint-use systems for the enterprise with linkages to transportation network systems.
In addition to customary concerns about the physical security of transportation systems, information and control system security has now been brought to the forefront. Indeed, the risk of harm associated with the movement of people and goods, including the potential for significant loss of life to the public, intolerable financial burden or bankruptcy, or long-term damage to business reputation, has grown substantially through an increased reliance by transportation operators upon sophisticated interconnected information networks and technologies that are used to control and influence the performance of transportation's critical infrastructure. The "cyber" threat vector is now becoming known.
Well-publicized incidents in finance and banking, and perhaps most frequently in the retail sector, have elevated public awareness of the potential for serious injury, mostly financial injury, through the intentional exploitation or disruption of information networks. However, the added dimensions of cyber risk now associated with operating control systems, which go well beyond financial concerns, are not as well understood. And transportation industry leaders, because of the nature of their services, must take accountability for downside cyber risk and prioritize their thinking to increase preparedness and reduce cyber vulnerabilities.
Transportation, energy, water, and banking all represent a combination of public and private interdependent systems that are exploitable by intentional cyber-attacks or susceptible to accidental compromise. There is an immediate need for the responsible managers and operators in these industries to engage in risk assessments and planning for the security of cyber control systems.
All transportation systems today rely on both physical and cyber systems to support mission-critical services. And these physical and cyber aspects of transportation are converging at an accelerating pace.
Sidebar: Average Cost of Cyber Incidents in U.S. Average cost of cybercrime: $12.7 million. Average cost of data breach: $3.5 million, based on an average cost of $145/record. Transportation industry cost per record is $121/record. Source: 2014 Cost of Data Breach Study: Global Analysis, Ponemon study.
Fortunately, neither the occurrence of accidents nor the exploitation of transportation industry cyber assets has resulted in the types of events that grab national headlines. However, the ease of compromise of transportation systems is becoming more and more evident. And the likelihood of new or more significant events is increasing along with the cost of cyber incidents and cyber-crime:
• In 2006, two employees hacked into the traffic control computer in Los Angeles as part of a labor dispute and demonstrated how easily a major city could become gridlocked. Choosing locations they knew would cause significant backups, e.g. close to freeway entrances and major destinations such as airports, the engineers caused major traffic congestion that took four days to completely resolve. Although no reported accidents or injuries were associated with the incident, the full impact was significant, with delays, the potential inability of emergency vehicles to get to their destinations, and loss of economic productivity as people were stuck in their cars.
• In 2008, a Polish teenager proved that even proprietary closed systems are vulnerable by using a modified TV remote to control the track switches of the tram system. The resulting derailment fortunately did not cause any loss of life, but 12 passengers were injured in the incident.
• In 2009, a computer crash in Maryland showed that unintentional and accidental events can have serious consequences. The crash caused the loss of traffic signal controls and power failures in the system, resulting in significant delays for thousands of commuters.
• In 2009, the smart parking meter hack introduced transportation agencies to the new world of cybercrime, where incidents are now being planned and targeted so as to acquire significant profits. The impact for the transportation agency can now include significant revenue loss along with reputational and mission-related consequences.
• In 2011, the politically active hacker group Anonymous took aim at transportation to protest a transit agency's policies. The group defaced the BART public information website to make their presence known and collected agency customers' personally identifiable information from the agency's data systems to be used as a weapon to obtain concessions from BART. Anonymous threatened to release the customer information.
• In recent years, dynamic message signs have been a frequent target for hackers, who change them to display humorous and sometimes obscene messages. Fortunately, none of these incidents resulted in more than mischief. The more serious potential consequences, such as traffic accidents, did not occur. In 2014, the stakes were raised when multiple signs in different locations were changed at the same time by a hacker, demonstrating the ability to do more serious damage. FHWA and US Computer Emergency Response Team (CERT) quickly worked to understand the incident and contain the risk in the future.
A good working definition of cybersecurity for transportation is one put forth by ISA/IEC-62443 (formerly ISA-99), a baseline security standard for industrial control systems (ICS). It defines cybersecurity more broadly as "electronic security" whose compromise could result in any or all of the following situations:
• Endangerment of public or employee safety
• Loss of public confidence
• Violation of regulatory requirements
• Loss of proprietary or confidential information
• Economic loss
• Impact on national security
As previously mentioned, unintentional incidents should be of equal concern to transportation leaders. From the standpoint of consequence or end result, it usually matters not whether a harm was deliberately caused. And typically, structural network failures and human errors have the potential to occur more frequently than intentional cyber-attacks.
The objective of this Cybersecurity Guide is to identify effective practices that can be used to protect transportation systems from cyber events and to mitigate damage should an incident or breach occur. There is a rich body of cybersecurity guidance and resources from an IT perspective that has developed over the past 40 or so years. There is a growing body of cybersecurity guidance and resources developing today for control system cybersecurity. The Guide will highlight cybersecurity practices and countermeasures that are "best practices" from both these perspectives.
The Guide is designed for all surface transportation - both transit and highway - agencies and is intended to cover all transportation systems - industrial control, transportation control, communications and enterprise data systems. However, a special focus has been placed on systems associated with the control of transportation infrastructure assets. This approach is a recognition that viewing cybersecurity from an IT perspective alone is proving to be both short-sighted and of limited effectiveness.
Because technology is rapidly evolving, cybersecurity involves addressing a rapidly changing set of vulnerabilities and risks.
Today, transportation agencies are wrestling with approaches to handle the use of mobile, tablet and other small hand-held devices in their systems. The ramifications of driverless and other connected vehicles are currently being explored. The Internet of Things is already here and changing every day. The Guide was developed with a forward-looking eye towards the risk-related exposures appearing on the landscape for the industry. Forward-looking cybersecurity guidance and resources must also include a focus upon the interface and inclusion of critical infrastructure operating systems with other facilitative information technology processes and systems.
In summary, the Cybersecurity Guide aims for implementable goals: to increase awareness of cybersecurity in transportation agencies; to support an operational, as opposed to a technical, approach to cybersecurity; to identify those situations where the greatest cyber risk lies; and to provide transportation-specific approaches to monitoring, responding to and mitigating cyber threats.