National Academies Press: OpenBook

Protection of Transportation Infrastructure from Cyber Attacks: A Primer (2016)

Chapter: Chapter 1 Top Myths of Transportation Cybersecurity

Suggested Citation:"Chapter 1 Top Myths of Transportation Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2016. Protection of Transportation Infrastructure from Cyber Attacks: A Primer. Washington, DC: The National Academies Press. doi: 10.17226/23520.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Chapter 1 Top Myths of Transportation Cybersecurity

If common myths about cybersecurity and transportation systems are understood and misunderstandings are dispelled, then transportation agencies can more efficiently and effectively improve the cybersecurity and resilience of critical transportation infrastructure.

1. “Nobody wants to attack us.” Other sectors are more likely targets for cyber-incidents than transportation; it won’t happen in transportation.

Transportation systems are vulnerable to the same and/or similar cyber risks as other industries that use industrial control networks and information systems to accomplish their core business functions. Cyber-incidents have occurred in transportation systems and reported instances are growing. In 2013 the security camera apparatus in the Israeli Carmel Tunnels was affected, shutting down the toll road over two days and causing major traffic congestion and disruption. Eleven percent of control system incidents reported to Industrial Control Systems (ICS)-CERT in 2012 were in the transportation sector, a number that has been growing over time.

Cybersecurity incidents are not always intentional attacks on specific systems such as the 2011 BART website assault by the hacker advocacy group “Anonymous” to protest the transit agency’s temporary shutdown of underground cell phone service. Because cyber-intruders want to use unsuspecting systems to attack others or to send bulk email, they conduct network searches to find vulnerable systems and identify any useful resources on the networks found. These “probes” can have significant consequences due to inherent vulnerabilities in control systems within transportation systems.

In addition, cybercrime is expanding. Modern cybercrime operations are sophisticated, well-funded, and capable of causing major disruption to organizations. Cybercriminals usually have clear business objectives: they know what information they are seeking and they plan to profit from it. Transportation systems are attractive to cybercriminals. Smart parking meters were first hacked in 2009. Transit fare cards have been an ongoing target since then.

Some incidents may not have been recognized as “hacking” and so are not thought of as a cybersecurity issue. In 2006 a disgruntled employee hacked into a traffic control computer in Los Angeles and shut down signals at key points, causing delays for four days. Equipment failures or even maintenance procedures can cause unexpected incidents such as a loss of traffic management capabilities or signaling systems.

Because of the increasing dependence on connected systems and networks with inherent vulnerabilities (control systems, fare/payment systems, wireless systems, mobile and smart devices), expanding opportunities for cyber incidents (positive train control, ITS, V2V, V2I), and the unique challenges from connectivity of safety-critical control systems such as those found in vehicles and in highway Advanced Traffic Management Systems, cyber risks are significant and growing in transportation.

2. “It can’t happen to us”. Our systems are “air gapped” or “firewalled”.

In the past, transportation systems were closed proprietary systems that were protected by “air gaps” and “security by obscurity” with limited cyber vulnerabilities. The 2008 derailment of a Polish Tram by a 14-year-old boy using a TV Remote Control unit to manipulate the transit system switches demonstrated that even then an “air gap” was not enough.

Today, the proprietary applications have migrated to open protocols, inheriting vulnerabilities along the way. Remote sites and stand-alone systems are accessed through wireless and public or private networks. For example, remote access for support and maintenance personnel or maintenance laptops connected directly to control systems, bypassing firewalls and policy rules, is not uncommon. Often, the system owner has no knowledge of the systems being used for maintenance, or the personnel using the systems in these ways. Systems are integrated, and shared or joint-use enterprise systems with linkages to transportation network systems for management and financial reporting (and sometimes e-commerce) open up “closed” systems. Although systems are closed, there may be open connections that are not discovered as systems become integrated.

Assuming that the firewall is correctly configured (rules complexity and the specifics of the control systems in place have to be taken into account), a firewall cannot protect against insiders, filter the content of encrypted connections, or protect against connections that do not go through it. In today’s environment of sophisticated hacker tools and easily available shared techniques that are constantly evolving, firewalls are not enough. Adversaries are developing new methods for embedding malware in networks, remaining undetected for long periods, and stealing data or disrupting critical systems.

3. “It’s all about IT”. Most of the cybersecurity investment will be in technology.

Having technology in place to provide cybersecurity is only one part of effective cybersecurity. People and processes are just as important as technology in improving cybersecurity. Agency personnel need to be aware users of the systems in place: aware of the risks to the systems and to themselves. People are vulnerable to manipulation and social engineering that results in providing confidential information through phishing emails or conversations with strangers. People need to be aware of security policies and procedures that have been put in place. Management must actively support the cybersecurity program in a visible manner. A process tied to the security strategy with policies and procedures to support strategy is critical to establish an agency-wide culture of security.

APTA Recommended Practices Securing Control and Communications Systems in Rail Transit Environment, Part 2 recognize the importance of a cybersecurity culture in the agency. Just as transit agencies have created a safety-centric culture—saving lives and reducing accidents and accident severity—they need to foster and create a cybersecurity culture. This requires an awareness program; a training program; an assessment of cybersecurity threats; a reduction of the attack surface (the number of places and ways someone can attack transit systems); a cybersecurity program that addresses: threats, mitigations, the software/firmware update process, monitoring and detection methodologies; and the ability to be audited to check for compliance via logs and change-management systems.

4. “It’s possible to eliminate all vulnerabilities in systems”. Cybersecurity incidents can be completely prevented.

The DHS National Cybersecurity Division Common Vulnerabilities and Exposures (CVE) list has more than 50,000 recorded vulnerabilities, with more added hourly. There are 86,000 new pieces of malware reported each day. The odds are high that your transportation systems have already been infiltrated. According to a recent Cisco Security Report, all of the organizations Cisco examined during 2013 showed evidence of suspicious traffic, evidence that these networks have been penetrated. Due to the complexity of today’s transportation systems and human fallibility, perfect security is impossible to achieve. A more effective strategy is to assume that a cybersecurity incident will happen and focus on mitigating the consequences.

5. “Cybersecurity incidents will not impact operations.”

A 2005 Report by the National Institute for Advanced Transportation Technology that assessed the security of transportation control networks (Assessing the Security and Survivability of Transportation Control Networks, P. Oman, 2005) found that control center and dispatch communications, equipment for access, safety and monitoring, and real-time actuators regulating transportation flow (e.g., bridges, tunnels, rail crossings, arterial routes, etc.) were at risk. Especially vulnerable were in-the-field devices used to monitor and regulate traffic flows in large urban environments. Since that time some improvements in security have been made but operational systems are still vulnerable.

Stuxnet, discovered in June 2010, was the first known instance of cyber sabotage to real world operational systems as opposed to disruption of IT systems.
Different from anything seen before, the cyber worm targeted control systems with the intention to reprogram control system components in a manner that would sabotage operations, hiding the changes from programmers or users.

6. “Control system cybersecurity can be handled the same as IT cybersecurity.”

Adding cybersecurity components to transportation control systems requires personnel that understand security components and also the control systems and the operational environments that they control. Securing access to and control of the network is generally the responsibility of information technology (IT) personnel. Control systems are usually the responsibility of the engineering and operations personnel. There are differences between IT systems and control systems that need to be recognized. NIST Special Publication 800-82 Guide to Industrial Control Systems Security (2011) summarizes some of the differences:

Although some characteristics are similar, ICS also have characteristics that differ from traditional information processing systems. Many of these differences stem from the fact that logic executing in ICS has a direct effect on the physical world. Some of these characteristics include significant risk to the health and safety of human lives and serious damage to the environment, as well as serious financial issues such as production losses, negative impact to a nation’s economy, and compromise of proprietary information. ICS have unique performance and reliability requirements and often use operating systems and applications that may be considered unconventional to typical IT personnel. Furthermore, the goals of safety and efficiency sometimes conflict with security in the design and operation of control systems. Special precautions must be taken when introducing security to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS environment.

7. “Security is a problem that needs to be solved only once.”

Control systems and field devices require active configuration and maintenance. Not only must the systems and devices be secured, their ongoing management and maintenance need to be secured as well, and must be capable of managing changes and adapting to new vulnerabilities or the emergence of new threats. There are approaches to reduce the cybersecurity risks and mitigate the impacts of incidents. In an ever-changing security landscape, cybersecurity must be a continual process with evaluation and monitoring as key components to identify and manage changes to systems and environments.


TRB's Protection of Transportation Infrastructure from Cyber Attacks: A Primer provides transportation organizations with reference materials concerning cybersecurity concepts, guidelines, definitions, and standards. The primer is a joint product of two TRB Cooperative Research Programs, and is categorized as Transit Cooperative Research Program (TCRP) Web-Only Document 67 and National Cooperative Highway Research Program (NCHRP) Web-Only Document 221.

The Primer delivers strategic, management, and planning information associated with cybersecurity and its applicability to transit and state DOT operations. It includes definitions and rationales that describe the principles and practices that enable effective cybersecurity risk management. The primer provides transportation managers and employees with greater context and information regarding the principles of information technology and operations systems security planning and procedures.

The report is supplemented with an Executive Briefing for use as a 20-minute presentation to senior executives on security practices for transit and DOT cyber and industrial control systems. A PowerPoint summary of the project is also available.
