National Academies Press: OpenBook

Protection of Transportation Infrastructure from Cyber Attacks: A Primer (2016)

Chapter: Chapter 4 Transportation Operations Cyber Systems

Suggested Citation:"Chapter 4 Transportation Operations Cyber Systems." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23516.


Chapter 4 Transportation Operations Cyber Systems

Introduction

Along with other sectors of the nation’s critical infrastructure, over the past three decades the surface transportation sector has gradually added various operations technologies that augment – and in many cases interoperate with – existing back-office enterprise data systems and newer customer-focused internet applications. Some of these technologies, such as rail crossing signals, were adapted from earlier Industrial Control System (ICS) architectures; others, such as vehicle location and tracking, grew from other roots and are unique to transportation. Although the trend toward automating transportation control processes has been most pronounced in public transportation (i.e., transit) operations, recent initiatives in the highway operations arena highlight the challenges of maintaining adequate levels of cybersecurity in that area as well.

Although the scope of this Primer encompasses the activities involved in operating all components of the surface transportation infrastructure, the differences between the technologies typically used in highway, public transportation and railroad operations are significant enough to treat them as largely distinct subdomains. Similarly, while such diverse issues as the threat space and attack surface; enterprise and information security architectures; personnel; facilities; supply chain relationships; organizational governance and culture; procurement and acquisition processes; organizational policies and procedures; and many of the organizational assumptions facing transit operators and their highway manager counterparts may be converging, significant differences still exist, and this Chapter discusses the cybersecurity associated with each modality separately. This Chapter introduces general concepts associated with this amalgamation of industrial control technologies, enterprise data management systems and traffic management technologies.
The Chapter describes the essential differences between data-centric systems and control-centric ones, and provides a brief overview of the types of systems used in infrastructure operations and the potential cybersecurity issues associated with each. General and system-specific countermeasures are presented in the next Chapter. Finally, the Chapter discusses recent and ongoing national initiatives leading to standards and recommended practices.

Transportation Operations Cyber Systems

A single transportation agency may own, operate and use hundreds of automated systems supporting all aspects of its transportation infrastructure management business (i.e., planning, engineering, construction/maintenance, operations, and business management). This technology portfolio contains a unique and constantly changing set of proprietary (i.e., custom-built) plus commercial-off-the-shelf (COTS) software and hardware investments. Some agencies have recently made major investments in state-of-the-art upgrades or replacement systems; conversely, others still maintain technology assets (e.g., railroad crossing signals) that may be decades old. As a result, legacy systems in use today span more than four generations of computing architectures (i.e., mainframe, client/server, Web 1.0 to Web 4.0, and mobile) and at least two generations of control system architectures (i.e., analog and digital). Consequently, most of the systems used in transportation are poorly integrated, barely interoperable and in many cases technically incompatible, both within and across subsystems, systems and organizational boundaries. Each of these technical architectures presents different operational characteristics and technical security challenges. Of particular importance, the modern security manager should be aware that, for the most part, the legacy systems he or she inherits were not designed with cybersecurity in mind.

Legacy system governance (including security) models also encompass a wide spectrum of institutional oversight and control options, ranging from highly centralized state-level or enterprise-wide structures at one end to those permissive of fragmented user autonomy (i.e., anarchy) at the other extreme. A common governance pattern found in many agencies assigns responsibility for infrastructure control systems to the engineering operations group while assigning responsibility for general computing and information security to an IT bureau, usually located on the business management side of the organization. These two groups are far removed from each other in their respective chains of command, knowledge, skills and culture, often making communication and cooperation difficult. In many cases, governance alternatives to this status quo are strictly proscribed by a complex and unique set of Federal, State, local and agency-level regulations, policies and administrative procedures. Each of these governance approaches also results in different organizational and behavioral norms and leads to unique operational security challenges.
Until recently, most technology investment decisions were justified solely on the effectiveness or efficiency impacts of the investment on a transportation service, product or business process. Cybersecurity was treated as a system externality and was generally not included in cost/benefit analyses, user needs or technical requirements, although recent highly publicized cyber incidents compromising commercial and consumer privacy and financial information have begun to change this practice, particularly in the government, banking and retail sectors.

Over the past generation, the clear trend in the surface transportation industry has been to rely on third-party technology partners (e.g., external IT agencies, vendors, manufacturers, consultants and system integrators) more interested in achieving contract-based performance metrics and maintaining profit margins than in maintaining cybersecurity. Indeed, in many cases, adding “aftermarket” cybersecurity components such as anti-virus software may invalidate warranties, violate contractual provisions or negatively impact system performance. Consequently, the resulting transportation operations technology ecosystem itself places severe constraints on an individual agency’s ability to incorporate cybersecurity enhancements. In other words, the system customer may not be able to implement necessary and foundational technology-based cybersecurity enhancements, in spite of the best intentions.

These four aspects of transportation systems create the background against which the security manager must evaluate the best practice recommendations contained in this Primer:

1. Large, complex cyber asset bases.
2. Cumbersome and inflexible governance structures.
3. Incompatible mission requirements.
4. Security-agnostic technology ecosystem.

Two conclusions derived from this discussion offer essential cautions:

1. No “one-size-fits-all” cybersecurity program, technology or training exists or can ever be developed; each agency must determine, deploy and operate countermeasures unique to its local circumstances. These circumstances are continuously evolving, forcing the continual evaluation and evolution of effective cybersecurity measures.
2. Although this Primer contains guidance on a variety of possible countermeasures, many recommended practices may be unavailable or not implementable due to local regulatory, governance, commercial, technical or other resource constraints.

IT Systems used in Transportation Infrastructure Operations

Most Information Technology (IT) used in transportation operations focuses on customer-centric data processing and, as such, contains and communicates a wide variety of personally identifiable information (PII): sensitive information about agency customers and employees such as name, SSN, address, credit card, insurance and banking details, driver’s license data, digital ID photo and more. Examples in the highway domain include driver licensing and vehicle registration systems, electronic toll collection and other use-permitting applications; several transit systems also maintain PII, including fare sales and some rider alert systems. Other IT or enterprise data systems used in both highway and transit agencies include general business administration systems (e.g., financial systems including bidding, purchasing and supplies inventory systems, and Human Resource systems including payroll and banking subsystems), asset management systems including asset location, condition and inventories, and asset engineering data including sensitive data such as engineering plans and inspection data.
The primary emphasis of information security as it relates to IT is the protection of information assets (i.e., data plus all associated information infrastructure) from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide: (A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; (B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and (C) availability, which means ensuring timely and reliable access to and use of information. (44 USC, Sec 3542 (b)(1))

Transportation organizations, like many other public- and private-sector organizations, typically place a higher emphasis on the confidentiality and integrity of their IT systems and data resources, since the short-term disruption of data system availability at worst creates a delay in business operations and is not considered a threat to public or environmental health and safety. This assessment is generally made by the individual information system owner who, in most cases, is not the organization’s security officer. Moreover, this assessment is always made at the local level and is not determined through a uniform national consensus process or required by regulation.

Historically, loss of data confidentiality (i.e., cyber theft) was minimal (i.e., not reported or not known to the agency), largely due to the arcane, isolated nature of the technical architectures employed. The risk of cyber theft is increasing, however, as transportation data applications move to more open and accessible platforms and as the number of motivated and competent thieves increases. New Federal guidelines for the protection of PII, resulting from the increasing level of highly publicized PII cyber theft (e.g., the Chase bank, Home Depot, Federal OPM and Target store breaches of 2014 and 2015), may have a significant impact on these systems and their users in the near future.

Emerging security issues in transportation IT include:

• “Bring your own Device”
• Customer self-service internet applications
• Technical interdependencies

These issues are expected to affect ICS security as well, as integration of IT and ICS increases and hybrid ICS-IT systems emerge.

Industrial Control Systems used in Transportation Operations

At the same time that the transportation industry was building IT systems, it was also automating many aspects of traffic, transit and related infrastructure operations. Beginning with the simple electro-mechanical devices of the early 20th century, the industry has installed billions of dollars of technology to monitor and control vehicles; operate signs, signals, gates, bells and warning lights; surveil traffic; inspect infrastructure; collect fares and tolls; control HVAC, lighting and fire alarm systems; and install, operate and maintain other infrastructure devices, sensors and alarms. This combination of sensors, controllers, effectors and Human Machine Interfaces is collectively referred to as Industrial Control Systems (ICS). Over time the first generation of ICS devices was replaced by solid-state components, which are now increasingly both digital and network-connected.
“Smart” meters, “smart” signs, “smart” phones and other smart devices with embedded processors and network connectivity are the order of the day. Even as the underlying technical architectures of IT and ICS began to converge (and in many cases to be shared), the basic distinction between IT and ICS remains. Simply put, for the purposes of this Primer: IT systems manage data or information; ICS systems control the physical world. Stated another way, if the end result of a user interaction is to add, update or delete data in a permanent record, file or database, the underlying technology is IT. On the other hand, if the end result of an interaction is to control one or more physical entities based on real-time environmental variables, the technology is ICS-based. Highway-rail grade crossing automated warning systems are ICS-type technology: trains approaching at-grade crossings trip a train circuit, activating warning signals and crossing barriers and in some cases changing nearby traffic signals.

Of course, there are many hybrid systems which have both effects. For example, some Highway Road and Weather Systems (RWIS) not only activate warning signs and close access gates based on such variables as visibility but may also communicate status information to a traffic management center or to a 411 database. These systems may also generate and store persistent data for subsequent post-storm analysis and modeling. Another hybrid application uses smartphones as smart keys working with smart locks installed in vehicles and buildings. The table below illustrates common examples of ICS and IT technology used in surface transportation.

Table 2: Transportation Operations Systems

Historically, IT and ICS used separate and distinct architectures, hardware, software and communications components and protocols. Each technology was acquired and operated by different user groups with different backgrounds, training and missions. This organizational and technical “air-gap” strategy essentially allowed the two domains to exist independently without any cross-domain interdependence or impacts. However, over the past generation, ICS vendors/manufacturers began to incorporate IT protocols (e.g., Ethernet, IP, NTCIP), operating systems (OS) (e.g., MS Windows), and other low-cost, widely available technologies (e.g., processors, routers and storage devices), replacing older proprietary components. In addition, ICS systems used in transportation now routinely share enterprise IT solutions promoting network connectivity, data sharing and remote access capabilities. In extreme cases the same communication infrastructure carries voice traffic along with enterprise data and control system signals. Other enterprise capabilities such as data archiving may also be shared between IT and ICS.

This convergence and connectivity of IT and ICS technologies has now created a situation where:

• Newer ICS systems are beginning to converge with IT systems, inheriting their vulnerabilities as well as their capabilities;
• ICSs are no longer technically obscure and isolated from the “outside world”;
• Interconnecting IT and ICS networks may create unanticipated “pivot points” and cascading interdependencies that inadvertently increase the attack surface of both systems;
• Role/responsibility, knowledge/skill/training and other gaps/overlaps between the IT and ICS communities are emerging, creating cultural/procedural conflicts.

Unlike IT systems, where incidents typically result in disrupted business operations or loss of information, ICS may face the following incidents:

• Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation;
• Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life;
• Inaccurate information sent to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions, which could have various negative effects;
• ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects;
• Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment and imperil maintenance staff;
• Interference with the operation of safety systems, which could endanger human life. (NIST Special Pub 800-82, Revision 2, Draft 2015)

Differences between IT and ICS Cybersecurity

Not surprisingly, the differing characteristics and purposes of IT and ICS systems affect their cybersecurity priorities and requirements. As previously discussed, the three key concepts of information security are Confidentiality, Integrity, and Availability. For ICS, availability is considered extremely important, integrity is next in importance, and confidentiality is of low importance. In contrast, IT systems prioritize the confidentiality and integrity of information stored and transmitted via IT assets and treat system availability as the least important.
The following table summarizes the importance placed by IT versus ICS on each information security concept:

Table 3: IT vs. ICS Security Concept Value

The major risk impact for IT systems is generally experienced as delays to business operations, while the risk impacts for ICS systems are regulatory non-compliance, environmental impacts and loss of life or equipment. For ICS, field devices are a particular cybersecurity concern, as many of them are installed in publicly accessible locations with little or no physical protection from malicious actions, natural disasters, or the effects of exposure to the harsh roadside or roadway environment.

Another key factor differentiating ICS from enterprise IT systems is the real-time and time-sensitive performance and availability requirements of ICS. ICS requirements are more stringent than IT requirements, and for ICS availability is more important than data confidentiality, since disruptions endanger operations and can affect life safety or environmental quality. ICS must be operational and available 24/7. Therefore, many cybersecurity countermeasures may be infeasible to use with ICS systems. Also, ICS availability requirements may necessitate redundant systems and pre-deployment testing. These requirements also affect the type of access control that may be used. Because ICS systems are time-critical, authorized personnel must be able to access the systems in a timely manner, especially during emergencies. On the other hand, IT systems may tolerate some delay and therefore a higher level of access control may be acceptable. The following table provides a summary of other significant differences.

Table 4: Differences Between IT vs. ICS (Source: NIST SP-800-82 Rev 2 Draft, 2015)

Performance Requirements
  IT: Non-real-time. Response must be consistent. High throughput is demanded. High delay and jitter may be acceptable. Less critical emergency interaction. Tightly restricted access control can be implemented to the degree necessary for security.
  ICS: Real-time. Response is time-critical. Modest throughput is acceptable. High delay and/or jitter is not acceptable. Response to human and other emergency interaction is critical. Access to ICS should be strictly controlled, but should not hamper or interfere with human-machine interaction.

Availability (Reliability) Requirements
  IT: Responses such as rebooting are acceptable. Availability deficiencies can often be tolerated, depending on the system’s operational requirements.
  ICS: Responses such as rebooting may not be acceptable because of process availability requirements. Availability requirements may necessitate redundant systems. Outages must be planned and scheduled days/weeks in advance. High availability requires exhaustive pre-deployment testing.

Risk Management Requirements
  IT: Manage data. Data confidentiality and integrity is paramount. Fault tolerance is less important – momentary downtime is not a major risk. Major risk impact is delay of business operations.
  ICS: Control physical world. Human safety is paramount, followed by protection of the process. Fault tolerance is essential; even momentary downtime may not be acceptable. Major risk impacts are regulatory non-compliance, environmental impacts, loss of life, equipment, or production.

System Operation
  IT: Systems are designed for use with typical operating systems. Upgrades are straightforward with the availability of automated deployment tools.
  ICS: Differing and possibly proprietary operating systems, often without security capabilities built in. Software changes must be carefully made, usually by the component manufacturer, because of the specialized control algorithms and perhaps the modified hardware and software involved.

Resource Constraints
  IT: Systems are specified with enough resources to support the addition of third-party applications such as security solutions.
  ICS: Systems are designed to support the intended industrial process and may not have enough memory or computing resources to support the addition of security capabilities.

Communications
  IT: Standard communications protocols. Primarily wired networks with some localized wireless capabilities. Typical IT networking practices.
  ICS: Many proprietary and standard communication protocols. Several types of communications media used, including dedicated wire and wireless (radio and satellite). Networks are complex and sometimes require the expertise of control or signal engineers.

Change Management
  IT: Software changes are applied in a timely fashion in the presence of good security policy and procedures. The procedures are often automated.
  ICS: Software changes must be thoroughly tested and deployed incrementally throughout a system to ensure that the integrity of the control system is maintained. ICS outages often must be planned and scheduled days/weeks in advance. ICS may use OSs that are no longer supported.

Managed Support
  IT: Allow for diversified support styles.
  ICS: Service support is usually via a single vendor.

Component Lifetime
  IT: Lifetime on the order of 3-5 years.
  ICS: Lifetime on the order of 10-15 years.

Components Location
  IT: Components are usually local and easy to access.
  ICS: Components can be isolated, remote, and require extensive physical effort to gain access to them.

Similar to the language rift experienced by security and emergency management professionals, terminology shared by one group may not be well understood, or may be subtly redefined, by the other. Knowledge, skill and experience acquired working in one domain may be only marginally relevant in the other. CIOs of organizations housing both IT and ICS responsibilities need to be sensitive to the very real differences between them and tread cautiously when contemplating fusing their security structures in the expectation of economies of scale.

Unsurprisingly, since the characteristics of ICS and IT are so distinct, so too are their cybersecurity profiles. The following table outlines key differences between IT and ICS cybersecurity aspects.

Table 5: IT vs. ICS Cybersecurity Aspects (Source: APTA Recommended Practice, Part 2)

Antivirus and Mobile Code
  IT: Very common; easily deployed and updated.
  ICS: Can be very difficult due to impact on ICS; legacy systems cannot be fixed.

Patch Management
  IT: Easily defined; enterprise-wide, remote and automated.
  ICS: Very long runway to successful patch install; OEM-specific; may impact performance.

Technology Support Lifetime (Outsourcing)
  IT: 2-3 years; multiple vendors; ubiquitous upgrades.
  ICS: 10-20 years; same vendor.

Cybersecurity Testing and Audit (Methods)
  IT: Use modern methods.
  ICS: Testing has to be tuned to the system; modern methods inappropriate for ICS; fragile equipment breaks.

Asset Classification
  IT: Common practice and done annually; results drive cybersecurity expenditure.
  ICS: Only performed when obligated; critical asset protection associated with budget costs.

Incident Response and Forensics
  IT: Easily developed and deployed; some regulatory requirements; embedded in technology.
  ICS: Uncommon beyond system resumption activities; no forensics beyond event re-creation.

Physical and Environmental Security
  IT: Poor (office systems) to excellent (critical operations systems).
  ICS: Excellent (operations centers; guards; gates; guns).

Secure Systems Development
  IT: Integral part of development process.
  ICS: Usually not part of systems development.

Security Compliance
  IT: Limited regulatory oversight.
  ICS: Specific regulatory guidance (some sectors).

Highways Operational Systems

Beginning with the 1986 USDOT Intelligent Vehicle Highway System initiative, later recast in the 1991 ISTEA legislation as Intelligent Transportation Systems (ITS), the USDOT and its stakeholder partners in government and industry have aggressively pursued the deployment of “electronic and IT applications” to improve transportation safety, enhance mobility and promote environmental sustainability. Throughout the past 25 years, the ITS Joint Program Office, responsible for ITS research, standards, and technology transfer, has emphasized enterprise data and data interoperability as essential components of the national ITS architectural vision. The National ITS Architecture has included an information security dimension since 2012 (Version 7.0).

Although the national architecture and ITS technical standards make no distinction between deployed IT and ICS systems, applications or technologies, the transportation layer component of the architecture clearly identifies operations subsystems in each of the previously discussed categories (e.g., control systems, SCADA systems, communication systems, toll collection systems and other field-deployed systems). This blurring of IT and ICS is also reinforced in the National Architecture’s definitions of the over 100 service packages included in the physical subsystem architecture. Some equipment packages, such as On-Board Emergency Vehicle Barrier System Control, clearly satisfy the definition of ICS-based; others, such as the ITS Data Repository, are just as obviously IT-centric. The latest version of the ITS strategic plan and the National Architecture also includes priority support for autonomous and connected vehicle subsystems and communications and for the deployment of automation of all types, including embedded control and communication automation.

Figure 12: National ITS Architecture 7.1 - Transportation Layer. Source: USDOT ITS Joint Program Office

Figure 13: ITS Security Architecture. Source: USDOT ITS Joint Program Office

Moreover, since 2012 the National Architecture has included ITS (i.e., Infrastructure Operations) security areas intended to protect surface transportation infrastructures and also a cross-cutting security function focused on the protection of the IT and ICS components of the architecture. These foundational security services provide security requirements in four inter-related areas:

1. Information (i.e., Data) Security, encompassing the origin, transmission and destination of ITS information;
2. Operational (i.e., Physical) Security of information assets, focused on the protection of ITS assets from physical and environmental threats;
3. Personnel Security, emphasizing the need to protect ITS assets and data from accidental or malicious human activity; and
4. Security Management, covering the policy, procedural and administrative dimensions of ITS security while also monitoring and enforcing the processes defined in the Information, Operational and Personnel aspects.

The ITS Security Architecture also identifies potential security services, objectives and threats for each of the Architecture’s 15 major information flows and provides security considerations for each of the 22 ITS subsystems and 100-plus service packages. In part, this was in response to the emerging recognition that the ITS attack surface was much larger than it was at the inception of the program. Four specific dimensions of this issue have been identified as contributing sources of this expanding risk:

1. Use of insecure and aging control devices.
2. Widespread implementation of the National Transportation Communications for ITS Protocol (NTCIP) using open communication channels, with increasing reliance on wireless communications. NTCIP is a joint standard created by the AASHTO, ITE and NEMA organizations. The NTCIP protocol has very little encryption capability because it was assumed that the devices using this protocol would be on a secured network.
3. Integration of multiple agency systems using shared telecommunications networks.
4. Location of much of the distributed ITS field equipment in unsecured public areas.

Traffic Management Centers

TMCs use ITS technologies to manage traffic, address incidents, provide travel and incident data and information, and communicate with the region’s transportation agencies, media, and other relevant stakeholders.
TMCs contain a computer network, application servers, data servers, and wireless peripherals. Field equipment such as sensors transmits information and data back to the TMC for analysis and dissemination. TMCs also control and manage traffic signals to enhance the efficiency of traffic flows. Dynamic message signs help disseminate analyzed information and provide guidance to travelers.

Possible threat agents include terrorists and nation states, organized crime, “hacktivists,” disgruntled employees, and anyone who desires to tamper with and post messages on dynamic message signs. Common attack surfaces include the following (Fok, February 2015):

• Poorly configured field network devices;
• Malware delivered using email or a compromised website;
• Malware walked in by a user either inadvertently or deliberately;
• Compromised partner networks;
• Poorly configured external firewall, switches, or agency webpages;
• Compromised user credentials; and

• Unauthorized physical entry.

In addition, the physical design of the TMC and TMC policies (such as allowing public tours) can facilitate breaches. This primer and Ed Fok’s 2015 ITE article (cited previously) provide recommendations on how to counter these cyber threats. These recommendations include the use of encryption, an intrusion detection system and a “honeypot” to attract and trap attackers, monitoring all data traffic including traffic from partner agencies and reviewing trusted partner connection policies, and separating the ATIS/511 server from the internal network by moving it to a DMZ.

Transit Operational Systems

Advanced control and communications technologies have made transit systems safer, more efficient and customer-oriented. For instance, Automated Train Protection constantly monitors the system for potential crashes and prevents them by halting the movement of a train. At the same time, if these technologies are compromised or tampered with, the consequences to life and property may be severe. These control and communications systems are crucial to the smooth and safe functioning of transit systems. A breach in ICS security can expose the transit system to severe consequences. Any delay in information flows, as well as false information sent to system operators, can disrupt normal operations and the functioning of safety systems. Unauthorized changes to commands, ICS software, configuration settings, or alarm thresholds may cause derailments or crashes. (NIST 2011; APTA Recommended Practice, Part 1 and Part 2)

According to APTA’s Protection Philosophy for rail transit systems, the most critical systems to protect are those that involve the highest risk to life and property, such as the control and communication systems that let the train or train operator start, control the speed of, or stop the train.
(page 10, APTA Recommended Practice, Part 2) Cybersecurity’s role is to ensure that systems, including crossings, cannot be duped and do not fall under the control of unauthorized persons, and to reduce the chance of human error. In addition, rail safety systems prevent trains from veering off their prescribed paths or crashing into other trains, vehicles, workers, or pedestrians. Cybersecurity must protect the safety and reliability of systems to ensure smooth and continued operations. The key aspects of protection include prevention, tamper detection, and auditability. Auditability is the “who, what, where, when, and how” pertaining to cyber incidents. (page 10, APTA Recommended Practice, Part 2)

Another key protection concept is the separation of zones and, where possible, avoiding or otherwise securing connections between systems across zones. Adding to the challenge is the fact that train control and communications systems must often co-exist with legacy systems. Older systems were not intended to be connected to multiple other systems or the internet, and did not anticipate cyber threats. In addition, digital communications have been replacing old analog communications and offer greater standardization and efficiency. At the same time, additional vulnerabilities have been created. Complicating matters is the longevity of many of the systems.

This section presents certain Transit Operational Systems, including Control and Communications Systems. Readers are cautioned that the information provided is of a general nature and may not apply to all installations. Moreover, there are certainly other aspects of these systems important to cybersecurity but not discussed in the Primer.

Rail Transit Systems

Rail transit systems are complex, cover large distances, integrate many systems, and have control and communications systems located in different areas of the agency: in wayside bungalows, stations, road crossings, signal towers, tunnels, maintenance yards, power stations, refueling depots, equipment storage yards/parking lots, storage depots, local control rooms and operations control rooms. In addition, rail transit systems are publicly accessible, carry large numbers of passengers and accommodate them in stations, and must do so safely.

There are two types of equipment: legacy systems and advanced technology. Legacy systems are standalone systems that are usually isolated from other systems and are not accessible from external sources or devices. These older systems may require different cybersecurity countermeasures than more modern ones and in some cases may not require any additional security. Advanced technology systems, however, are connected to other systems and may be accessible remotely. These systems require cybersecurity measures as well as physical and administrative security. (APTA Recommended Practice, Part 1)

The key components of a rail transit system are:

• Transportation: Rail(s) that guide the train-set, including switches to change track/guide and devices built into the track/guide (e.g., to ensure wheel placement).
• Control signaling system: Signals (if present), road crossings and speed controls.
• Communications: Between and among operating trains, crews, station attendants, police and the operations center.
• Stations: Below ground, at grade, or above ground.
  A system may be a mix of these station types.
• Notification methods: Signs, electronic signs, public address (PA) systems, horns and other types of displays.
• Train-sets: which may have separate locomotives; these may be powered by different methods.
• Traction power systems: For electrified railways.

More specifically, a transit rail system may include the following systems:

• access control systems
• advertising
• closed-circuit television (CCTV)
• control and communication
• credit card processing
• detection systems for environmental threats (CO, CO2, poisons)
• emergency communications

• emergency notification
• emergency ventilation systems
• fare sales/collection
• fire detection/alarms/fire suppression
• grade crossings
• lighting
• passenger information systems
• people-moving systems (elevators, escalators, people movers)
• police dispatch
• pumping systems
• signals and train control
• ticketing systems
• traction power
• vertical lift devices (elevators, escalators)
• vital communication-based train control (CBTC), automatic train protection (ATP) and signaling

Train Control and SCADA Systems

Train control systems provide real-time monitoring of train movements and can also provide automatic train protection (ATP), automatic train operation (ATO), automatic train regulation (ATR), and automatic train supervision (ATS). ATP, a wayside and/or on-board system, automatically applies emergency brakes if a signal is missed. ATO is an on-board system which supports driverless or driver-assist train operations. ATR is an off-board system which works with ATO to support safe and efficient train movements. ATS provides advanced train control, typically including advanced automatic routing and train regulation.

The Rail Safety Improvement Act of 2008 directed the installation of Positive Train Control (PTC) by the end of 2015, although severe resistance from the industry will delay this date for some time. This legislation was introduced in response to a Metrolink train collision on Sept. 12, 2008, in which the Metrolink train went through a red signal and crashed into a freight train, killing 25 and injuring 135. PTC is a Communications-Based Train Control (CBTC) technology which automatically protects against train-to-train collisions, excessive train speeds and derailments, and improper movements such as incursions through work zones. As shown in the figure below (Figure 14), the communications network is the core of the PTC system.
PTC systems provide varying degrees of functionality, train control, and automation, and use differing system architectures and wayside systems. If a PTC/CBTC system is compromised, life safety may be affected due to the possibility of derailments and train-to-train collisions.

SCADA systems may or may not be included in train control systems. SCADA systems remotely control and monitor field equipment and systems, including control of traction power, control of emergency ventilation systems, and monitoring of drainage pumps and equipment alarms.
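The APTA protection aspects described above (prevention, tamper detection, and auditability of the who, what, where, when and how) applied to the alarm thresholds and setpoints such a SCADA system holds, as an added example that is not code from the primer or from APTA. The key, roles, trusted interfaces, engineering envelopes and device names are constructed placeholders; changes arriving over a modem path are refused, and an edit that bypasses the change procedure is caught by the HMAC baseline.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed demo secret held only at the control center; a real deployment
# keeps it in a key store or HSM and never on the field device itself.
BASELINE_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical authorization matrix: which role may change which device class.
AUTHORIZED_ROLES = {
    "traction_power": {"power_engineer"},
    "ventilation": {"facilities_engineer"},
    "signals": {"signal_engineer"},
}
# Hypothetical interfaces a change may arrive on; modem/internet paths are absent.
TRUSTED_PATHS = {"control_center_hmi", "local_maintenance_port"}
# Hypothetical engineering envelopes; values outside them are refused outright.
ENVELOPES = {
    "overcurrent_trip_A": (1000, 3000),
    "high_temp_alarm_C": (40, 80),
    "max_speed_kmh": (20, 100),
}

def seal(config: dict) -> str:
    """HMAC-SHA256 tag over a canonical (key-sorted) encoding of the config."""
    blob = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(BASELINE_KEY, blob, hashlib.sha256).hexdigest()

@dataclass
class AuditEntry:
    """The who, what, where, when and how of one change attempt."""
    who: str
    what: str      # device.parameter: old -> new
    where: str
    when: float    # epoch seconds
    how: str       # interface the change arrived on
    accepted: bool
    reason: str

class SealedConfig:
    def __init__(self, baseline: dict):
        self.config = json.loads(json.dumps(baseline))  # private deep copy
        self.tag = seal(self.config)
        self.audit: list[AuditEntry] = []

    def verify(self) -> bool:
        """Tamper check: the live configuration must still match its tag."""
        return hmac.compare_digest(seal(self.config), self.tag)

    def _authorize(self, role, device, param, value, how):
        if not self.verify():
            return False, "baseline tag mismatch: configuration already tampered"
        if how not in TRUSTED_PATHS:
            return False, f"untrusted interface {how}"
        if role not in AUTHORIZED_ROLES.get(self.config[device]["class"], set()):
            return False, f"role {role} not authorized for {device}"
        lo, hi = ENVELOPES[param]
        if not lo <= value <= hi:
            return False, f"{param}={value} outside engineering envelope {lo}-{hi}"
        return True, "ok"

    def change(self, who, role, device, param, value, where, how) -> bool:
        """Apply a change only if authorized; always write an audit entry."""
        what = f"{device}.{param}: {self.config[device].get(param)} -> {value}"
        ok, reason = self._authorize(role, device, param, value, how)
        if ok:
            self.config[device][param] = value
            self.tag = seal(self.config)  # re-seal after an accepted change
        self.audit.append(AuditEntry(who, what, where, time.time(), how, ok, reason))
        return ok

# Constructed baseline for three field devices (not real agency data).
DEMO_BASELINE = {
    "TPSS-07": {"class": "traction_power", "overcurrent_trip_A": 2400},
    "FAN-12": {"class": "ventilation", "high_temp_alarm_C": 60},
    "ZONE-3": {"class": "signals", "max_speed_kmh": 70},
}

def demo() -> dict:
    """Walk through accepted, refused and tampered changes; return a summary."""
    store = SealedConfig(DEMO_BASELINE)
    results = [
        # authorized role, trusted path, plausible value: accepted
        store.change("alice", "power_engineer", "TPSS-07", "overcurrent_trip_A", 2500, "Substation 7", "control_center_hmi"),
        # authorized role but an implausible speed limit: refused
        store.change("bob", "signal_engineer", "ZONE-3", "max_speed_kmh", 150, "Bungalow 3", "control_center_hmi"),
        # plausible value but arriving over a modem: refused
        store.change("carol", "facilities_engineer", "FAN-12", "high_temp_alarm_C", 65, "Station 12", "remote_modem"),
    ]
    intact_before = store.verify()
    # Simulate an edit that bypassed change(): an alarm threshold silently raised.
    store.config["FAN-12"]["high_temp_alarm_C"] = 200
    intact_after = store.verify()
    # Every later change is refused until the tampered baseline is investigated.
    results.append(store.change("alice", "power_engineer", "TPSS-07", "overcurrent_trip_A", 2450, "Substation 7", "control_center_hmi"))
    return {"accepted": results, "intact_before": intact_before, "intact_after": intact_after, "audit": store.audit}
```

Running `demo()` yields one accepted change and three refusals, each with its reason in the audit trail, and `verify()` flips to False the moment the threshold is edited outside the audited path.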

Typically, central office (control center) equipment offers supervision, monitoring and dispatch functions; train controllers manage train movement and schedules; and field equipment supplies logic controls. The main components of a rail control center include the following:

• the head-end equipment, including the primary and backup control center;
• the field or slave equipment;
• the transmission media between the head-end and slave equipment;
• the system networks connecting the head-end components together; and
• the system networks connecting the field components together.

Any necessary connections from train control systems to external devices should incorporate the APTA Recommended Practices. Any internet connections require heightened security measures. Also, field devices can be more vulnerable to attack; once an attacker gains access to a field device, they may be able to access the central SCADA system due to the trusted nature of the connection.

Figure 14: Metrolink’s Positive Train Control. Source: http://www.metrolinktrains.com/agency/page/title/ptc; accessed July 2015

Cyber threats and threat vectors apply to Train Control and SCADA systems. Even though some cyber threats do not intend to harm passengers or transit infrastructure, their tools may still infect train control and SCADA systems and inflict considerable physical as well as system damage. Furthermore, vulnerabilities in these systems can facilitate threat vectors in carrying out their missions.

Communication Systems

Examples of communications systems include CCTV, radio, intercom, public address, security, and copper and fiber optic data transmission systems. They may or may not be connected to other systems.

Surface radio systems allow surface communications with maintenance and other non-revenue vehicles. Surface vehicle radio systems allow communications between vehicle operators and the control center. Subway radios allow communications with vehicles and personnel below ground. Emergency services radio systems can reach below-ground areas through retransmission via transit agency equipment or another system. Phone service includes emergency, maintenance and administrative phones, and passenger assistance intercoms at stations, waysides, and yards. Electronic passenger information displays at station platforms transmit messages from the control center to passengers. Public address systems can also provide real-time train and system information.

Security Control and Detection Systems

Transit facilities require monitoring to restrict physical access to the system. Technologies used for intrusion/access control include CCTV, perimeter detection, and card access. Closed-circuit television (CCTV) systems are used for surveillance, deterrence and detection purposes. They may be connected with physical intrusion detection and intercom systems and may allow recordings. Since CCTV systems are now digital and enable wireless uploads to computers and servers, cybersecurity needs to be incorporated into the system design. For additional information, see APTA Recommended Practice Selecting Cameras, Recording Systems, High-Speed Networks and Trainlines for CCTV Systems.

Other threat monitoring/detection systems that alarm when a specific threat/condition is detected include Fire Detection, Elevating Devices Monitoring, Tunnel Drainage Monitoring, Gas and Pathogen Monitoring, and Seismic Monitoring. Underground stations have emergency management panels which integrate alarms, phone, PA, elevator/escalator, ventilation and other controls and systems.

Data Transmission

Data transmission may occur through physical or wireless methods.
Physical methods include fiber optic networks, copper networks, and leased lines. A fiber optic network has higher bandwidth than a copper network and is used for transmission between the control center and passenger stations, electrical substations, and other transit facilities. Copper networks are used for short-run Local Area Network (LAN) transmissions. Leased lines are used for Wide Area Network (WAN) data and voice transmissions. Wireless communication-based systems include Communications-Based Train Control, positive train control, SCADA and local monitoring and control. Wireless may not be appropriate for time-critical applications. In any case, the use of multiple technologies rather than a single technology is advisable.

Fare Collection Systems

Fare collection systems are used not only for revenue collection purposes but for ridership counts as well. These systems can include the following equipment and technologies: fare boxes, automated passenger counters, fare validators, entry/exit gates, handicapped-accessible gates, emergency gates, GPS, radio systems, ticket vending machines, ticket office machines, and parking machines. Theft of service and selling spoofed fare media are often the intent of hackers. Also, vending machines accept credit cards and debit cards, making them attractive targets for criminals. Recently, skimming devices were discovered in MTA LIRR and NYCT vending machines.

Vehicle Monitoring Systems for Surface Systems

Vehicle monitoring systems include automatic vehicle monitoring (AVM) for surface systems such as buses and streetcars. Note that vehicle monitoring systems for rail transit are included in train control systems.

Automatic Vehicle Location (AVL) System

AVL systems are used in fixed route and demand response transit systems in conjunction with Computer-Aided Dispatch (CAD) systems to locate and more efficiently manage transit bus and demand response vehicle fleets. The primary elements of the AVL system include an on-board computer, GPS, and mobile data communications.

Train Control Systems (TCS)

Train control systems were described earlier.

Traction Power Control

The SCADA system provides traction power control, which monitors and controls electrical substation equipment at electrical substations and along the rapid transit ROW. Newer systems are PLC-based.

Ventilation Control

The SCADA system also provides ventilation control, which monitors and operates fans, dampers, and doors. These systems can be controlled from a central control center or from individual stations. Newer systems are PLC-based.
Fully Integrated Systems

A fully integrated system will perform the remote monitoring, control, and data collection functions using a common client/server architecture which is connected to various devices, including field equipment. While these systems have benefits, security issues can arise with these systems as they are interconnected and serve many users.

System Boundaries and Interfaces

All system boundaries and interfaces to other systems should be identified, catalogued, and secured. These include local ports for direct connection, internet connections, intranet and extranet connections, and modem-based connections.

Surface Transportation Cybersecurity Issues

In spite of staggering amounts of time, money and effort being spent on cybersecurity initiatives across the industry, some issues are considered to be intractable and persistent.

• Resilience – In this context, resilience refers to the ability of a system to operate adequately when stressed by unexpected or invalid inputs, subsystem failures or extreme environmental conditions.
• Privacy – The ability of a system to protect sensitive information from unauthorized access by humans or machines.
• Malicious Attacks – The ability to deter and recover from internal vulnerability exploits even in “air-gapped” systems.
• Intrusion Detection – The ability of a system to monitor its internal baseline “normal” operating parameters and issue an alert when deviations are detected.

Indeed, as increasingly complex combinations of computation, networking and process, interconnected with an array of feedback loops connecting humans and machines, begin to resemble “living” organisms and ecosystems, new models of cybersecurity are beginning to emerge. Concepts borrowed from human physiology, such as active and passive immune functions, are being researched with the intent to replace already impotent strategies such as “defense-in-depth.” The addition of tens of millions of connected vehicles and their “smart slab” enabled owners will only accelerate the need for more subtle solutions.

Emerging Trends in Transportation Control Technologies

1. Connected Vehicle program
2. Machine to Machine (M2M)
3. Transportation Management Centers (TMCs)
4. Big Data and Preventive Maintenance
5. “Bring Your Own Device” (BYOD)

Connected Vehicle Program

USDOT’s Connected Vehicle research program addresses key transportation challenges (vehicle crashes, congestion, and pollution) through the following technology areas.

Safety
• Vehicle-to-Vehicle (V2V)
• Vehicle-to-Infrastructure (V2I)

Mobility

• Dynamic Mobility Applications

Environment
• AERIS
• Road Weather Applications

Fifty billion connected vehicles are anticipated to be on the road within a decade. Accompanying these vehicles will be Machine to Machine (M2M) devices sending and receiving data through wireless solutions. Auto makers, fleet managers, and DOTs are working towards the centralized control of systems with the connected vehicles; however, the many peripheral, aftermarket devices and software not within this centralized control have introduced potential vulnerabilities as they access various elements of the connected vehicles. A 2015 Wired magazine article, Hackers Remotely Kill Jeep on Highway, described a demonstration, with the driver’s consent, of taking remote control of a Jeep Cherokee, causing unexpected dashboard activity and the vehicle to slow to a crawl on a busy interstate highway. While this incident was planned, it serves to illustrate the vulnerability of vehicles to cyber attacks.

I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold. Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass. (http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ accessed July 28, 2015)

Security and privacy are key policy issues being considered and addressed in the program. Security challenges include message validity, security entity, network security, security operations business models, and equipment and system certification processes. Privacy issues include the ability of users to opt out of tracking applications and activities.
A common framework for Connected Vehicle technologies and interfaces is under development and will include Enterprise, Functional, Physical, and Communications views. Various applications have been developed or are under development. Pilot tests have also been completed or are underway. (Robert Sheehan, Connected Vehicle Research Program Presentation, ITSJPO, USDOT)

Safety. The Connected Vehicle safety program is expected to prevent or mitigate as much as 80% of crashes caused by unimpaired drivers through the implementation of Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) safety applications. V2V applications include Forward Collision Warning, Blind Spot/Lane Change Warning, Do Not Pass Warning, Left Turn Assist, and Intersection Movement Assist. V2I applications include Curve Speed Warning, Red Light Violation Warning, Stop Sign Gap Assist, and Transit Pedestrian Warning. (Robert Sheehan, Connected Vehicle Research Program Presentation, ITSJPO, USDOT)

At the same time, this program may exponentially increase the number of vehicles accessible to hackers and bad actors through the implementation of Dedicated Short Range Communications (DSRC) between vehicles, between vehicles and the roadway, between vehicles and traffic signals and other infrastructure, and between vehicles and pedestrians and obstacles. A key security feature which will be included in the program is the Security Credential Management System (SCMS), currently under development. The system will ensure the integrity of V2V and V2I applications and the anonymity of data emanating from vehicles and traffic signals. As shown in the accompanying figure, the SCMS will be focused on security and privacy by design and will include on-board security elements and security of interactions between on-board elements and the SCMS. (RITA/USDOT, Security Credential Management System Design, April 2013; Drew Van Duren, FHWA Presentation Slides on Cybersecurity TRB: Connected Vehicles Security, Oct. 2014)

Figure 15: Security Credential Management System (SCMS) Functionality. Source: Van Duren, FHWA, Presentation Slides on Cybersecurity TRB: Connected Vehicles Security, Oct. 2014

Mobility. The Mobility program includes applications such as the Multimodal Intelligent Traffic Signal System; Intelligent Network Flow Optimization; Response, Emergency Staging and Communications, Uniform Management, and Evacuation; and the Enable Advanced Traveler Information Systems. Road user mobility concerns include integrity, availability, and privacy/anonymity of data, including payment data. These concerns will likely increase as more and more road users utilize mobility services and applications. Appropriate policies and user authentication methods can mitigate these issues. Public transportation, freight carriers, taxis, and emergency responders use fleet management systems, automated vehicle location (AVL) and computer-aided dispatch (CAD) technologies to track and manage buses, trucks, and other fleets.

Environment. The Environment program contains AERIS applications such as Eco-Integrated Corridor Management and Eco-Traveler Information, and road weather applications. While these may be less attractive targets to potential hackers, any vulnerability in these applications may potentially lead to the compromise of safety-critical systems.

Machine to Machine M2M (Internet of Things). White-hat security tests of intelligent vehicles and their electronic components have proven that they are indeed vulnerable to hackers; however, as the required effort was high, only sophisticated hackers will be able to launch successful attacks. (ITSA Connected Vehicle Assessment Report (2012-2014)) At the same time, aftermarket mobile applications are proliferating, making mobile security an increased concern for transportation providers. Examples of these applications include location-based mapping and navigation software and real-time traffic incident alerting applications for drivers, and real-time next-bus arrival information and transit delay alerting applications for transit customers. These applications may have lax security measures, especially when storing user location and other user-associated data. The ITSA report notes that while documented vulnerabilities have increased and mobile devices are subject to theft, operating systems for mobile devices are more secure than those using legacy systems. M2M is used to deliver these technology applications and offers numerous benefits to drivers, such as automated diagnostics of safety systems and driver alerts regarding necessary engine maintenance. When the manufacturer offers M2M, testing for safety and cybersecurity issues is typically performed.
However, aftermarket devices and applications used by the traveling public, while providing significant benefits and convenience, use open platforms and have specific security vulnerabilities as well. As noted in the ITSA Connected Vehicle Assessment report (2012-2014), most vulnerabilities arise from design flaws and bugs in software, and the best long-term countermeasure is quality software and the actions (requirements definition, reduction in system complexity) that lead to such software. Also, they use wireless communications that may be attacked from a long distance from the network. In addition, bugs in wireless systems cannot easily be eliminated. Additional issues include authentication, telecommunications carrier “insider” threats, and denial of service. Connections with ATIS/511 traveler information servers can provide a way for hackers to penetrate the TMC’s network.

Connected Vehicles Technology System Types

The three technology system types for connected vehicles are:

• Operational Technology (OT)
• Information Technology (IT)
• Networking and Communications

Operational Technology (OT) is product- or system-oriented and includes automotive electronics and traffic management systems. OT systems are usually safety- and operations-critical systems, and therefore availability and integrity are paramount. While legacy OT was isolated, next generation OT is not. Next generation OT makes use of “Internet of Things” applications. The “Internet of Things” links objects and formerly unconnected systems to the internet using standardized protocols and architectures; this standardization, in turn, makes it easier for hackers to access next generation OT systems. (ITSA Connected Vehicle Assessment – Cybersecurity and Dependable Transportation, Connected Vehicle Technology Scan Series, 2012-2014)

IT

IT risk stems primarily from third-party software used by the traveling public. In addition, sub-optimal software design, security measures and patch management are also key cybersecurity issues for IT. IT attack vector categories include unauthorized access, malicious code, reconnaissance, and networking-based service attacks.

Networking and Communications Systems

Networking and communications vulnerabilities include security protocols, authentication of communication partners, telecommunications threats, and denial of service. Wireless networks used for transmission of connected vehicle and traffic data are vulnerable to attack from miles away. Also, telecommunications infrastructure vulnerabilities are difficult to address and have tended to remain unaddressed for years after they are discovered. Telecommunications insiders also pose a threat as they have access to subscriber information. The 2014 NHTSA Cybersecurity Best Practices report makes the observation that the telecommunications industry supplies the wireless services used for ITS and other automotive services, and that the telecommunications industry, along with the internet, has at the same time facilitated hackers as well. The USDOT, in conjunction with the public and private sectors, is developing DSRC communications standards, interface standards for other media, and information exchange standards.
NHTSA sponsored research into cybersecurity best practices applicable to automotive cybersecurity by reviewing and analyzing industry practices of IT and telecommunications, NIST, industrial control and energy, aviation, financial payments, and medical devices. The report also presents an Information Security Lifecycle consisting of the Assessment, Design, Operation, and Implementation Phases. The research was conducted by the VOLPE Center. Big Data and Preventive Maintenance Big Data and Preventive Maintenance: ITS produces large amounts of data or “Big Data” – there are many positive uses for this data including the creation of predictive algorithms to determine future congestion and traffic patterns, and likely incident locations. There are also predictive maintenance applications based on data which will be generated through the Connected Vehicle program. Weaknesses in data storage policies and practices can expose

80 individual financial data and location-based data to hackers. Also, compromised data can result in no or incorrect maintenance alerts being issued to drivers and vehicle owners. Bring Your Own Devices (BYOD) The Bring Your Own Devices practice of TMC employees and contractors can introduce vulnerabilities into the TMC environment. BYOD use wireless networks that are prone to hacking. Hence, BYOD policies and procedures should be established and enforced. Transportation Roadmap for Cybersecurity In August of 2012, the U.S. Department of Homeland Security’s (DHS’s) National Cybersecurity Division (NCSD), Control Systems Security Program (CSSP) released The Roadmap to Secure Control Systems in the Transportation Sector (Transportation Roadmap, a voluntary framework for improving the cybersecurity across all transportation modes). The Transportation Roadmap is intended to act as a template for action for individual organizations and provides a series of activities and benchmarks used “to identify the cybersecurity features currently in place and to determine the next activities for consideration to improve cybersecurity performance.” The Roadmap proposes four national cybersecurity goals with corresponding end states and consistent with the National Policy Guidance extant in 2012. Each goal is supported by multiple objectives, milestones and metrics to be accomplished over three timeframes encompassing a 10- year planning horizon. As new or modified Policy Guidance becomes available, and as significant accomplishments occur, DHS, DOT and other key stakeholders will need to revisit and revise the Roadmap. Two years after the release of the US Transportation Roadmap, the SECUR-ED Urban Transportation – European Demonstration (SECUR-ED) released an international version of the Cybersecurity Roadmap for Public Transportation Operators (PTO’s). 
Although the primary audience for this document was European transit agencies, the document provides much information of use to US operators. Topics included address: • How cybersecurity fits in the overall risk management strategy of a PTO; • A comprehensive framework of assets, architectures and technologies used by a PTO taking into account the different types of transport operated by PTO’s as well as the cases where the transport operator is not the infrastructure owner; • A set of security standards and regulations that may be applicable to a PTO; • How cybersecurity will impact PTO organizations; • A set of baseline security requirements for future procurement; • An implementation approach and first affordable security measures; • Further directions towards standardization and eventually regulation.

TRB's Protection of Transportation Infrastructure from Cyber Attacks: A Primer provides transportation organizations with reference materials concerning cybersecurity concepts, guidelines, definitions, and standards. The primer is a joint product of two TRB Cooperative Research Programs, and is categorized as Transit Cooperative Research Program (TCRP) Web-Only Document 67 and National Cooperative Highway Research Program (NCHRP) Web-Only Document 221.

The Primer delivers strategic, management, and planning information associated with cybersecurity and its applicability to transit and state DOT operations. It includes definitions and rationales that describe the principles and practices that enable effective cybersecurity risk management. The primer provides transportation managers and employees with greater context and information regarding the principles of information technology and operations systems security planning and procedures.

The report is supplemented with an Executive Briefing for use as a 20-minute presentation to senior executives on security practices for transit and DOT cyber and industrial control systems. A PowerPoint summary of the project is also available.