National Academies Press: OpenBook
« Previous: Chapter 3 - Security Countermeasures
Page 88
Suggested Citation:"Chapter 4 - Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 88
Page 89
Suggested Citation:"Chapter 4 - Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 89
Page 90
Suggested Citation:"Chapter 4 - Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 90
Page 91
Suggested Citation:"Chapter 4 - Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 91
Page 92
Suggested Citation:"Chapter 4 - Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 92
Page 93
Suggested Citation:"Chapter 4 - Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 93
Page 94
Suggested Citation:"Chapter 4 - Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 94
Page 95
Suggested Citation:"Chapter 4 - Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 95
Page 96
Suggested Citation:"Chapter 4 - Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 96
Page 97
Suggested Citation:"Chapter 4 - Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 97
Page 98
Suggested Citation:"Chapter 4 - Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 98
Page 99
Suggested Citation:"Chapter 4 - Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 99
Page 100
Suggested Citation:"Chapter 4 - Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 100
Page 101
Suggested Citation:"Chapter 4 - Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2020. Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 101

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

88 C H A P T E R 4 The past 40 years have seen an escalating competition between developers and users of systems that employ cyber technology and those who seek to do harm. Each generation of cyber- security solutions is countered by ever-more sophisticated threats; each potential threat spawns additional layers of defense. This Darwinian struggle takes place around the clock and around the globe, involving many thousands of adversaries targeting millions of cyber components. During much of this time, transportation system owners and operators were relatively insu- lated from this arena. Vehicles were “dumb,” roads were even dumber, and save for the occasional embarrassment over roadside message signs being hacked, neither transportation engineers nor the traveling public was aware of or concerned with the need for cybersecurity, particularly as it related to the operations of the transportation highway and transit infrastructure. The emergence of ITS did little to change things: transit vehicles got smarter, the first genera- tion of digital roadside devices and systems were stand-alone solutions with advisory responsi- bility only (e.g., variable message signs, road weather systems), and the few technologies that had safety ramifications, such as traffic signal controllers, remained isolated and difficult to access. Minimal attack exposures coupled with negligible consequences to human safety translated to low risk. Indeed, during most of this time, there were very few (reported) cybersecurity breaches involving transportation system operations, reinforcing the sector’s complacency. Today’s “cyber” transportation systems consist of a convergence of operating control systems and information technology networks that are blended together to enable the delivery of mis- sion-critical services to the traveling public, shippers, and other users. In the past, transporta- tion systems were closed proprietary systems. Protected by air gaps and “security by obscurity” they had limited cyber vulnerabilities compared to IT networks and systems. Over time there has been a shift from isolated systems to more connected systems. Proprietary applications have migrated to open protocols, inheriting vulnerabilities along the way. Remote sites and stand- alone systems are accessed through wireless and public or private networks. Control system components and networks are now accessible from anywhere and are increasingly connected to enterprise data, customer satisfaction, and entertainment networks. Analog controls are being replaced by networked digital counterparts, allowing remote monitoring and control of signals, signs, bridges, tunnels, and vehicles—public and private. Although core functionality has greatly increased due to this new connectivity, so also has the exposure to multiple threats coming from local and distant sources. Well-publicized incidents in finance and banking, and perhaps most frequently, the retail sector have elevated public awareness of the potential for serious, mostly financial injury, through the intentional exploitation or disruption of information networks. Fortunately, neither the occurrence of accidents nor the exploitation of transportation industry cyber assets has resulted in the types of events that grab national headlines. However, the ease of compromise Cybersecurity

Cybersecurity 89 of transportation systems is becoming more and more evident, and the likelihood of new or more significant events is increasing along with the cost of cyber incidents and cybercrime. • In 2006, employees hacked into the traffic control computer in Los Angeles as part of a labor dispute and demonstrated how easily a major city could become gridlocked. Choosing loca- tions they knew would cause significant backups, e.g., close to freeway entrances and major destinations such as airports, engineers caused major traffic congestion that took 4 days to resolve completely. Although no reported accidents or injuries were associated with the inci- dent, the full impact was significant, with delays and potential inabilities of emergency vehicles to get to their destinations, and loss of economic productivity as people were stuck in their cars. • In 2008, a Polish teenager proved that even proprietary closed systems are vulnerable by using a modified TV remote to control the track switches of the tram system. The resulting derail- ment did not cause any loss of life, but 12 passengers were injured in the incident. • In 2009, a computer crash in Maryland showed that unintentional and accidental events can have serious consequences. The crash caused the loss of traffic signal controls and power fail- ures in the system, resulting in significant delays for thousands of commuters. • In 2009, the hack of smart parking meters introduced transportation agencies to the new world of cybercrime, where incidents are now being planned and targeted to acquire signifi- cant profits. The impact for the transportation agency can now include significant revenue loss along with reputational and mission-related consequences. • In 2011, the politically active hacker group Anonymous took aim at transportation to protest a transit agency’s policies. The group defaced California’s Bay Area Rapid Transit (BART) public information website to make their presence known and collected agency customers’ personally identifiable information to use as a weapon to obtain concessions from BART. Anonymous threatened to release the customer information. A No Justice No BART demon- stration, protesting the shooting of a homeless man by transit police, took place at the same time as the attack by Anonymous. This was a joint or hybrid action conducted by different groups; a physical demonstration intended to disrupt rail transit service and the cyberattacks reinforced one another to magnify the impact. • In recent years, dynamic message signs have been a frequent target for hackers, who change the signs to display humorous and sometimes obscene messages. None of these incidents has resulted in more than mischief. Potential serious consequences, such as traffic accidents, have not occurred. In 2014, the stakes were raised when multiple signs in different locations were changed at the same time by a hacker, demonstrating the ability to do more serious damage. FHWA and the U.S. Computer Emergency Readiness Team (CERT) quickly worked to under- stand the incident and contain the future risk. • In November 2016, San Francisco Municipal Transportation Agency (SFMTA) experienced a ransomware attack that encrypted SFMTA’s information systems. The impact on physical control systems was minimized because SFMTA used a segmentation approach to separate operational control and communications systems from other IT systems, and disconnected their fare gates and ticket vending machines systems from the network. • Due to a June 2017 cyberattack using the ransomware Petya, AP Moller-Maersk, one of the world’s largest container shipping lines, found IT systems down across multiple sites and business units across the world. Unlike typical ransomware, Petya locked down systems and irrecoverably wiped data from infected machines. Maersk handles around 25% of all con- tainers shipped on the key Asia-Europe route. The breakdown affected all business units at Maersk, including container shipping, port and tug boat operations, oil and gas production, drilling services, and oil tankers. Maersk estimated the financial impact of the incident as up to $300 million in lost revenues. The same ransomware attack affected computer servers across Europe and in India, impacting banks and oil companies. A May 2017 attack using Wanna- Cry ransomware infected Britain’s National Health Service, the Spanish phone company Telefónica, and German state railways.

90 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies The relatively few numbers of catastrophic incidents in transportation reported to date has resulted in a false sense of security within the sector. Recent research estimated that on the physi- cal security side, as many as 75% of security breaches go unreported. In terms of cyberattacks, much less is known about prospective breach percentages, but there is little reason to believe that the numbers are more accurate for cyber incidents. What is known is that the ease of com- promise of transportation cybersystems is becoming increasingly evident, and the likelihood of new or more significant events is increasing along with the per event costs of cyber incidents and cybercrime. A good working definition of cybersecurity for transportation is one put forth by ISA/ IEC-62443 (formerly ISA-99), a baseline ICS security standard (International Society of Automation/International Electrotechnical Commission 2017). It defines cybersecurity more broadly as “electronic security,” whose compromise could result in any or all of the following situations: • Endangerment of public or employee safety; • Loss of public confidence; • Violation of regulatory requirements; • Loss of proprietary or confidential information; • Economic loss; and • Impact on national security. Unintentional incidents should be of equal concern to transportation leaders. From the standpoint of consequence or end result, it usually does not matter whether harm was caused deliberately. As one cybersecurity expert put it, “Unintentional impact doesn’t mean insignifi- cant impact.” And typically, structural network failures and human errors have the potential to occur more frequently than intentional cyberattacks. A rich body of cybersecurity guidance and resources from an IT perspective has developed over the past 40 or so years. There is now a growing body of cybersecurity guidance and resources developing for control system cybersecurity. Myths of Cybersecurity When common myths about cybersecurity and transportation systems are understood and misunderstandings are dispelled, transportation agencies can more efficiently and effectively improve the cybersecurity and resilience of critical transportation infrastructure. Myth 1: “Nobody wants to attack us.” Other sectors are more likely targets for cyber incidents than transportation, it won’t happen in transportation. Transportation systems are vulnerable to the same or similar cyber risks as other industries that use industrial control networks and information systems to accomplish their core business functions. Cyber incidents have occurred in transportation systems, and reported instances are growing. In 2013 the security camera apparatus in Haifa, Israel’s Carmel Tunnels was affected, shutting down the toll road over 2 days and causing major traffic congestion and disruption. Eleven percent of control system incidents reported to Industrial Control Systems (ICS)-CERT in 2012 were in the transportation sector, a number that has been growing over time. Cybersecurity incidents are not always intentional attacks on specific systems, such as the 2011 BART website assault by the group Anonymous to protest the transit agency’s temporary shutdown of underground cell phone service. Because cyber intruders want to use unsuspecting systems to attack others or to send bulk email, they conduct network searches to find vulner- able systems and identify any useful resources. These probes can have significant consequences

Cybersecurity 91 due to inherent vulnerabilities in control systems within transportation systems. In addition, cybercrime is expanding. Modern cybercrime operations are sophisticated, well funded, and capable of causing major disruption to organizations. Cybercriminals usually have clear busi- ness objectives—they know what information they are seeking, and they plan to profit from it. Transportation systems are attractive to cybercriminals. Smart parking meters were first hacked in 2009. Transit farecards have been an ongoing target since then. Some incidents may not have been recognized as hacking, and so are not thought of as a cybersecurity issue. In 2006, when disgruntled employees shut down signals at key points of the Los Angeles network and caused delays for 4 days, that was not seen primarily as a cybersecurity issue. Equipment failures or even maintenance procedures can cause unexpected incidents such as a loss of traffic management capabilities or signaling systems. Because of the increasing dependence on connected systems and networks with inherent vul- nerabilities, such as control systems, fare/payment systems, wireless systems, mobile and smart devices; expanding opportunities for cyber incidents, such as positive train control, ITS, vehicle- to-vehicle (V2V), and vehicle-to-infrastructure (V2I); and the unique challenges from connectivity of safety-critical control systems, such as those found in vehicles and in highway Advanced Traffic Management Systems, cyber risks are significant and growing in transportation. Myth 2: “It can’t happen to us.” Our systems are air gapped or firewalled. In the past, transportation systems were closed proprietary systems that were protected by air gaps and “security by obscurity” with limited cyber vulnerabilities. The 2008 derailment of a Polish tram by a 14-year-old boy using a TV remote control to manipulate the transit system switches demonstrated that even then an air gap was not enough. Today, the proprietary applications have migrated to open protocols, inheriting vulnerabilities along the way. Remote sites and stand-alone systems are accessed through wireless and public or private networks. For exam- ple, remote access for support and maintenance personnel or maintenance laptops connected directly to control systems, bypassing firewalls and policy rules, is not uncommon. Often, the system owner has no knowledge of the systems being used for maintenance or the personnel using the systems in these ways. Systems that are integrated and shared or joint-use enterprise systems with linkages to transportation network systems for management and financial report- ing (and sometimes e-commerce), open up “closed” systems. Although systems are closed, there may be open connections that are not discovered as systems become integrated. Assuming that the firewall is correctly configured (rules complexity and the specifics of the control systems in place have to be taken into account), a firewall cannot protect against insiders, filter the content of encrypted connections, or protect against connections that do not go through it. In today’s environment of sophisticated hacker tools and easily available shared techniques that are constantly evolving, firewalls are not enough. Adversaries are developing new methods for embedding malware in networks, remaining undetected for long periods and stealing data or disrupting critical systems. Myth 3: “It’s all about IT.” Most of the cybersecurity investment will be in technology. Having appropriate technology in place is only one part of effective cybersecurity. People and processes are just as important as technology in improving cybersecurity. Agency personnel need to be aware users of the systems in place—aware of the risks to the systems and to them- selves. People are vulnerable to manipulation and social engineering that results in providing confidential information through phishing emails or conversations with strangers. People need to be aware of security policies and procedures that have been put in place. Management must actively support the cybersecurity program in a visible manner. A process tied to the security strategy with policies and procedures to support strategy is critical to establishing an agency- wide culture of security. APTA Recommended Practice: Securing Control and Communications

92 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Systems in Rail Transit Environments, Part 2, recognizes the importance of a cybersecurity culture in the agency (APTA 2019): Just as transit agencies have created a safety-centric culture—saving lives and reducing accidents and accident severity—they need to foster and create a cybersecurity culture. This requires an awareness pro- gram; a training program; an assessment of cybersecurity threats; a reduction of the attack surface (the number of places and ways someone can attack transit systems); a cybersecurity program that addresses: threats, mitigations, the software/firmware update process, monitoring and detection methodologies; and the ability to be audited to check for compliance via logs and change-management systems. Myth 4: “It’s possible to eliminate all vulnerabilities in systems.” Cybersecurity incidents can be completely prevented. The DHS National Cybersecurity Division Common Vulnerabilities and Exposures (CVE) list has more than 50,000 recorded vulnerabilities, with more added hourly (DHS n.d.a). There are 86,000 new pieces of malware reported each day. The odds are high that your transportation systems have already been infiltrated. According to a 2014 security report, all of the organizations Cisco examined during 2013 showed evidence of suspicious traffic, evidence that these networks have been penetrated (Cisco 2014). Due to the complexity of today’s transportation systems and human fallibility, perfect security is impossible to achieve. A more effective strategy is to assume that a cybersecurity incident will happen and focus on mitigating the consequences. Myth 5: “Cybersecurity incidents will not impact operations.” A 2005 report by the National Institute for Advanced Transportation Technology that assessed the security of transportation control networks found that control center and dispatch com- munications, equipment for access, safety and monitoring, and real-time actuators regulating transportation flow (e.g., bridges, tunnels, rail crossings, arterial routes) were at risk. Especially vulnerable were in-the-field devices used to monitor and regulate traffic flows in large urban environments. Since that time some improvements in security have been made, but operational systems are still vulnerable. Stuxnet, a malicious computer worm uncovered in June 2010, was the first known instance of cyber sabotage to real-world operational systems, as opposed to disruption of IT systems. Dif- ferent from anything seen before, the cyber worm targeted control systems with the intention of reprogramming control system components in a manner that would sabotage operations and hide the changes from programmers or users. Myth 6: “Control system cybersecurity can be handled the same as IT cybersecurity.” Adding cybersecurity components to transportation control systems requires personnel who understand security components and the control systems and operational environment they control. Securing access to and control of the network is generally the responsibility of IT personnel. Control systems are usually the responsibility of the engineering and operations personnel. There are differences between IT systems and control systems that need to be recognized. NIST Special Publication 800-82 Guide to Industrial Control Systems Security (2013b) summarizes some of the differences: Although some characteristics are similar, ICS also have characteristics that differ from traditional information processing systems. Many of these differences stem from the fact that logic executing in ICS has a direct effect on the physical world. Some of these characteristics include significant risk to the health and safety of human lives and serious damage to the environment, as well as serious financial is- sues such as production losses, negative impact to a nation’s economy, and compromise of proprietary information. ICS have unique performance and reliability requirements and often use operating systems and applications that may be considered unconventional to typical IT personnel. Furthermore, the goals of safety and efficiency sometimes conflict with security in the design and operation of control systems.

Cybersecurity 93 Special precautions must be taken when introducing security to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS environment. Myth 7: “Security is a problem that needs to be solved only once.” Control systems and field devices require active configuration and maintenance. Not only must the systems and devices be secured, their ongoing management and maintenance need to be secured as well, and must be capable of managing changes and adapting to new vulnerabili- ties or the emergence of new threats. There are approaches to reduce the cybersecurity risks and mitigate the impacts of incidents. In an ever-changing security landscape, cybersecurity must be a continual process with evaluation and monitoring as key components to identify and manage changes to systems and environments. Cyber-Physical Systems Cybersecurity cannot be easily separated from physical security. Inadequate physical security can put cyber assets in jeopardy. Physical damage can compromise cyber assets. Evidence of intrusion into physical assets, especially control system cabinets, devices, or terminals or com- munications devices or networks, is an indicator of a suspected cyber breach. Along with more obvious damage or telltale evidence of intrusion and unreconciled door and/or cabinet alarms, inexplicable loss or behavior of communications links or behavior of control system devices could be indications of physical security breaches. Policies and practices for responding to physi- cal security breaches need to address cybersecurity as well, and incorporate considerations that a cyber-related incident may have also occurred. ICS Cybersecurity Response to Physical Breaches of Unmanned Critical Infrastructure Sites (SANS Analyst Whitepaper, ICS-CERT) (2014) provides recommendations for responses to physical breaches with potential cybersecurity impacts. SANS/ICS-CERT recommends a three-level cyber response approach after conducting a physical examination of the location for anything that appears to be missing or out of place. The three levels are: 1. Initial physical examination to assess physical connections, evidence of tampering, alarm status/indicators, and unfamiliar or new hardware or media (e.g., USB devices, wireless cards, access points, or any other cover hardware devices used to compromise cyber systems). 2. Systems and configuration checks to identify forensic evidence of intrusions, such as new user accounts, hidden files, unauthorized configuration changes, and unusual network activity. 3. Detailed examination of files system and binaries, if necessary, to confirm files are clean and uncorrupted, proper configuration of network devices, and no evidence of unauthorized firmware updates. Each level in the response approach requires more technical and operational expertise and closer coordination between the cybersecurity experts and the operational engineers. Hardware and software installation for the potentially impacted control systems may be necessary, and appropriate vendors and consultants may need to be involved with the in-house technicians. Procurement Language Guidance for Vendor Contracts Technology systems are often purchased from vendors, not developed in-house. Transporta- tion IT systems and applications are often maintained by outside vendors and suppliers. Cyber- security must include vendor relationships to secure critical technology systems, including the physical security of vendor-hosted and -maintained systems.

94 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies The DHS worked with industry cybersecurity and control system subject matter experts and the DOE to produce Cybersecurity Procurement Language for Control Systems (DHS 2009). The report summarizes security principles that should be considered when designing and procur- ing products and services for control systems (software, systems, maintenance, and networks) and provides examples of procurement language mapped directly to vulnerabilities of control systems, to incorporate into procurement specifications. Created in a process that brought together leading control system security experts, purchasers, integrators, and technology pro- viders and vendors across many industry sectors (e.g., electricity, natural gas, petroleum and oil, water, transportation, and chemical), the guidance was designed to assist both system owners and integrators in establishing sufficient control systems security controls within contract rela- tionships to ensure an acceptable level of risk. The NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST 2014a) identi- fies a common language to address and manage cybersecurity risk. This may be leveraged as a tool to help communicate cybersecurity requirements in the procurement process. The Energy Sector Control Systems Working Group, a public-private partnership consisting of asset owners, operators, and government agencies, used the 2009 DHS report as a foundation for developing baseline guidance to cybersecurity procurement language, Cybersecurity Procure- ment Language for Energy Delivery Systems (2014). The document, guided by the NIST Frame- work, was tailored to the specific needs of the energy sector, but the suggested procurement language is relevant to all sectors, including transportation. The 2014 energy sector report provides cybersecurity procurement language for individual components (e.g., programmable logic controllers, digital relays, or remote terminal units) and individual systems (e.g., a SCADA system, EMS, or DCS). It also “differentiates the cybersecurity- based procurement language that is common to the procurement of individual compo- nents and systems from language that is only applicable to individual components or systems. Furthermore, this document differentiates language that is applicable to specific technologies (e.g., Transmission Control Protocol/Internet Protocol [TCP/IP] communication between systems or components, and remote access capabilities).” A section provides general cybersecurity considerations that apply to many types of procured products grouped into the following topic areas: • Software and services; • Access control; • Account management; • Session management; • Authentication/password policy and management; • Logging and auditing; • Communication restrictions; • Malware detection and protection; and • Reliability and adherence to standards. A number of procurement language elements presented request summary documentation or verification from the supplier. Examples include: The Supplier shall provide summary documentation of procured product’s security features and security-focused instructions on product maintenance, support, and reconfiguration of default settings. and The Supplier shall provide a method to restrict communication traffic between different network security zones. The Supplier shall provide documentation on any method or equipment used to restrict communication traffic.

Cybersecurity 95 Additional sections provide language to consider when acquiring intrusion detection systems, focused on physical security considerations and wireless technologies, and on cryptographic technology. The procurement language presented in these documents is not all-inclusive. Depending on the product and services required by the transportation agency, additional cybersecurity-based procurement language may be necessary. As the cybersecurity landscape continues to evolve, new threats, technologies, techniques, practices, and requirements may need to be considered during the procurement process. The procurement language will need to evolve to meet the challenges of this changing landscape. Other organizations, such as AASHTO, may develop guidance on how to address cybersecurity in procurements. Federal government IT contracts must include requirements and clauses that address the cybersecurity and privacy controls that are specified in a number of publicly available guidance documents, standards, and laws. These include the Federal Information Security Modernization Act; the special publications and standards posted at the computer security website maintained by NIST; cybersecurity guidance distributed by the Office of Management and Budget; and various other related cybersecurity and privacy guidance. Both the DHS and the energy sector working group documents focus on the cybersecurity of control systems and do not address cybersecurity-based procurement language for IT. Recommendations for IT cybersecurity procurement are included in the NIST 800 series of publications and other standards and guidance documents. In 2017, the U.S. Department of Defense produced guidance for contractors to implement the security requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST 2017). The guidance Safeguarding Covered Defense Information and Cyber Incident Reporting is provided for DOD acquisition personnel and outlines how a con- tractor can use a system security plan to document the security requirements with examples (DOD 2017). The guidance can be found online at https://www.acq.osd.mil/dpap/policy/ policyvault/USA003939-17-DPAP.pdf Surface Transportation Cybersecurity Issues In spite of staggering amounts of time, money, and effort being spent on cybersecurity initia- tives across the industry, some issues are considered to be intractable and persistent. • Resilience—In this context, resilience refers to the ability of a system to operate adequately when stressed by unexpected or invalid inputs, subsystem failures, or extreme environmental conditions. • Privacy—A system’s ability to protect sensitive information from unauthorized access by humans or machines. • Malicious attacks—The ability to deter and recover from internal vulnerability exploits, even in air-gapped systems. • Intrusion detection—A system’s ability to monitor its internal baseline “normal” operating parameters and issue an alert when deviations are detected. As increasingly complex combinations of computation, networking, and process inter- connected with an array of feedback loops, connecting humans and machines begin to resemble living organisms and ecosystems, and new models of cybersecurity are beginning to emerge. Concepts borrowed from human physiology, such as active and passive immune functions, are being researched with the intent to replace strategies such as defense-in-depth.

96 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies The addition of tens of millions of connected vehicles will only accelerate the need for more subtle solutions. Emerging Trends in Transportation Control Technologies Emerging trends in transportation control technologies have potential impact on transporta- tion cybersecurity. Connected Vehicle Program Fifty billion connected vehicles are anticipated to be on the road within a decade. Accom- panying these vehicles will be Machine to Machine (M2M) devices sending and receiving data through wireless solutions. U.S.DOT’s Connected Vehicle research program addresses key trans- portation challenges—vehicle crashes, congestion, and pollution—through the technology areas of safety—V2V and V2I; mobility—Dynamic Mobility Applications; and environment—AERIS and Road Weather Applications. Automakers, fleet managers, and DOTs are working toward the centralized control of systems within connected vehicles; however, the many peripheral, aftermarket devices and software not within this centralized control have introduced potential vulnerabilities as they access various elements of the connected vehicles. As early as 2013 concerns were raised about the potential for hackers to gain access to smart electric vehicle charging stations, obtaining not only log-in infor- mation and payments, but also the abilities to access the utility systems that run the chargers, or shut down the networks themselves. A Wired magazine article, Hackers Remotely Kill Jeep on Highway, described a demonstration, carried out with the driver’s consent, of taking remote control of a Jeep Cherokee, causing unex- pected dashboard activity and making the vehicle slow to a crawl on a busy Interstate highway (WIRED.com 2015). While this incident was planned, it serves to illustrate the vulnerability of vehicles to cyber attacks. I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold. Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass. (http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/) Security and privacy are key policy issues being considered and addressed in the connected vehicle program. Security challenges include message validity, security entity, network security, security operations business models, and equipment and system certification processes. Privacy issues include the ability of users to opt out of tracking applications and activities. A common framework for connected vehicle technologies and interfaces is under develop- ment and will include Enterprise, Functional, Physical, and Communications views. Various applications have been developed or are under development. Pilot tests have been completed or are under way (Sheehan 2014). Concerns include safety, mobility, environment, and M2M. Safety. The Connected Vehicle’s Safety program is expected to prevent or mitigate as much as 80% of crashes caused by unimpaired drivers through the implementation of Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) safety applications. V2V applications include for- ward collision warning, blind spot/lane change warning, do not pass warning, left turn assist, and intersection movement assist. V2I applications include curve speed warning, red light viola- tion warning, stop sign gap assist, and transit pedestrian warning (Sheehan 2014).

Cybersecurity 97 At the same time, this program may exponentially increase the number of vehicles accessible by hackers and bad actors through the implementation of dedicated short-range communica- tions (DSRC) between vehicles, between vehicles and the roadway, between vehicles and traffic signals and other infrastructure, and between vehicles and pedestrians and obstacles. A key security feature that will be included in the program is the security credential man- agement system (SCMS) currently under development. The system will ensure the integrity of V2V and V2I applications and anonymity of data emanating from vehicles and traffic signals. As shown in Figure 4-1, the SCMS will be focused on security and privacy by design and will include on-board security elements and security of interactions between on-board elements and the SCMS (RITA/U.S.DOT, Security Credential Management System Design, (U.S.DOT 2013); Drew Van Duren, FHWA Presentation Slides on Cybersecurity (2014)). Mobility. The Mobility program includes applications such as the Multimodal Intelligent Traffic Signal System; Intelligent Network Flow Optimization; Response, Emergency Staging, Communications, Uniform Management, and Evacuation; and the Enable Advanced Traveler Information Systems. Road user mobility concerns include integrity, availability, and privacy/ anonymity of data, including payment data. These concerns will likely increase as more road users utilize mobility services and applications. Appropriate policies and user authentication methods can mitigate these issues. Public transportation, freight carriers, taxis, and emergency Source: Van Duren 2014. Figure 4-1. SCMS functionality.

98 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies responders use fleet management systems, AVL, and computer-aided dispatch (CAD) technolo- gies to track and manage buses, trucks, and other fleets. Environment. The Environment program contains AERIS applications such as Eco-Integrated Corridor Management and Eco-Traveler Information and road weather applications. While these may be less attractive targets to potential hackers, any vulnerability in these applications may potentially lead to the compromising of safety-critical systems. Machine to Machine M2M (Internet of Things). White-hat security tests of intelligent vehicles and their electronic components have proven that they are indeed vulnerable to hackers; how- ever, as the required effort was high, only sophisticated hackers will be able to launch successful attacks (ITSA 2015). At the same time, aftermarket mobile applications are proliferating, making mobile security an increased concern for transportation providers. Examples of these applica- tions include location-based mapping and navigation software and real-time traffic incident alerting applications for drivers, and real-time next-bus arrival information and transit delay alerting applications for transit customers. These applications may have lax security measures, especially when storing user location and other user-associated data. The ITSA report notes that while documented vulnerabilities have increased and mobile devices are subject to theft, operat- ing systems for mobile devices are more secure than those using legacy systems. M2M is used to deliver these technology applications and offers numerous benefits to drivers, such as automated diagnostics of safety systems and driver alerts regarding engine maintenance. When the manufacturer offers M2M, testing for safety and cybersecurity issues is typically per- formed. Aftermarket devices and applications used by the traveling public provide significant benefits and convenience but use open platforms and have specific security vulnerabilities as well. As noted in the ITSA Connected Vehicle Assessment Report 2012–2014, most vulnerabilities arise from design flaws and bugs in software and the best long-term countermeasure is quality software and the actions (requirements definitions, reduction in system complexity) that lead to such software (ITSA 2015). Also, both aftermarket devices and manufacturer technology use wire- less communications that may be attacked from a long distance from the network. In addition, bugs in wireless systems cannot easily be eliminated. Additional issues include authentication, telecommunications carrier insider threats, and denial of service. Connections with ATIS/511 traveler information servers can provide a way for hackers to penetrate the TMC’s network. Connected Vehicles Technology System Types The three technology system types for connected vehicles are operation technology (OT), information technology (IT), and networking and communications. Operational technology is product- or system-oriented and includes automotive electronics and traffic management systems. OT systems are usually safety- and operational-critical systems, and therefore availability and integrity are paramount. While legacy OT was isolated, next- generation OT is not. Next-generation OT makes use of “Internet of Things” applications. “Internet of Things” links objects and formerly unconnected systems to the internet using standardized protocols and architectures; this standardization, in turn, makes it easier for hackers to access next-generation OT systems (ITSA 2015). Information technology risk stems primarily from third-party software used by the traveling public. Sub-optimal software design, security measures, and patch management are also key IT cybersecurity issues. IT attack-vector categories include unauthorized access, malicious code, and reconnaissance and networking-based service attacks. Networking and communications vulnerabilities include security protocols, authentication of communication partners, telecommunications threats, and denial of service.

Cybersecurity 99 Wireless networks used for transmission of connected vehicle and traffic data are vulnerable to attack from miles away. Telecommunications infrastructure vulnerabilities are difficult to address and have tended to remain unaddressed for years after they are discovered. Telecom- munications insiders also pose a threat, as they have access to subscriber information. The 2014 NHTSA Summary of Cybersecurity Best Practices report observes that the telecommunications industry supplies the wireless services used for ITS and other automotive services, and the tele- communications industry, along with the internet, have facilitated hackers. The U.S.DOT, in conjunction with the public and private sectors, is developing DSRC communications standards, interface standards for other media, and information exchange standards. NHTSA sponsored research into cybersecurity best practices applicable to auto- motive cybersecurity by reviewing and analyzing industry practices of IT and telecommu- nications, NIST, industrial control and energy, aviation, financial payments, and medical devices. The report also presents an Information Security Lifecycle consisting of the Assess- ment, Design, Operation, and Implementation Phases. The research was conducted by the Volpe Center. Big Data and Preventive Maintenance ITS produce large amounts of data, or “big data.” There are many positive uses for this data, including the creation of predictive algorithms to determine future congestion and traffic pat- terns, and likely incident locations. There are also predictive maintenance applications based on data that will be generated through the Connected Vehicle program. Weaknesses in data storage policies and practices can expose individual financial data and location-based data to hackers. Also, compromised data can result in no or incorrect maintenance alerts being issued to drivers and vehicle owners. Bring Your Own Device The Bring-Your-Own-Device practice of TMC employees and contractors can introduce vul- nerabilities into the environment. BYOD uses wireless networks that are prone to hacking, so BYOD policies and procedures should be established and enforced. Transportation Roadmap for Cybersecurity In 2012 the DHS National Cybersecurity Division’s Control Systems Security Program (CSSP) released the Roadmap to Secure Control Systems in the Transportation Sector, a voluntary frame- work for improving the cybersecurity across all transportation modes (DHS/NCSD/CSSP 2012). The roadmap is intended as an action template for individual organizations and provides a series of activities and benchmarks used “to identify the cybersecurity features currently in place and to determine the next activities for consideration to improve cybersecurity performance.” The roadmap proposes four national cybersecurity goals with corresponding end states and consistent with the National Policy Guidance extant in 2012. Each goal is supported by mul- tiple objectives, milestones, and metrics to be accomplished over three timeframes of a 10-year planning horizon. As new or modified policy guidance becomes available, and as significant accomplishments occur, DHS, U.S.DOT, and other key stakeholders will need to revisit and revise the Roadmap. Two years after the release of the U.S. transportation roadmap, the SECured URban Trans- portation—European Demonstration released an international version of the Cybersecurity Roadmap for Public Transportation Operators (PTOs) (SECUR-ED 2014). Although the primary

100 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies audience for this document was European transit agencies, the document provides much infor- mation of use to U.S. operators. Topics include: • How cybersecurity fits in the overall risk management strategy of a PTO; • A comprehensive framework of assets, architectures, and technologies used by a PTO, taking into account the different types of transport operated by PTOs as well as cases in which the transport operator is not the infrastructure owner; • A set of security standards and regulations that may be applicable to a PTO; • How cybersecurity will impact PTO organizations; • A set of baseline security requirements for future procurement; • An implementation approach and first affordable security measures; and • Further directions toward standardization and, eventually, regulation. Cyber Resilience Cybersecurity approaches must be adaptable to emerging threats in a constantly evolving world. Vulnerabilities are evolving, and new risks are growing by the hour. Maintaining situ- ational awareness of cyber threats, both intentional and unintentional, is important. However, complete protection against cyber incidents is not achievable. Perfect security is not possible, and incidents will happen. Cyber resilience is the ability to identify, prevent, detect, and respond to cyber incidents and recover while minimizing service impact, customer harm, reputational damage, and financial loss. Establishing strategies to support resilience—plan for it, isolate it, contain its damage, and recover from it gracefully—is a more effective approach (Table 4-1). DHS Cyber Resilience Review The Cyber Resilience Review (CRR) is a no-cost, voluntary, nontechnical assessment to evalu- ate an organization’s operational resilience and cybersecurity practices. The CRR captures an understanding and qualitative measurement of an organization’s operational resilience and abil- ity to manage operational risks to critical services and their associated assets. The CRR assesses enterprise programs and practices across a range of 10 domains, including risk management, incident management, service continuity, and others. The assessment is designed to measure Capability Definition Cybersecurity Activities Anticipate Maintaining a state of informed preparedness— understanding of potential threats and existing vulnerabilities—in order to forestall compromises of mission/business functions from adversary attacks Threat identification and analysis Systemic vulnerability assessment Contingency planning Training and exercises Withstand Continuing essential mission/business functions despite successful execution of an attack by an adversary Continuous scanning and monitoring Indications and warnings Intrusion detection and prevention Recover Restoring mission/business functions to the maximum extent possible subsequent to successful execution of an attack by an adversary Impact analysis Incident response plans Recovery plans Evolve Changing missions/business functions and/or the supporting cyber capabilities, so as to minimize adverse impacts from actual or predicted adversary attacks After-action forensics Post-incident analysis Adaptive cybersecurity adoption Source: Adapted from MITRE 2011 and Booz | Allen | Hamilton 2011. Table 4-1. Cyber resilience capabilities.

Cybersecurity 101 existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices. Resource guides were developed to help organizations implement practices identified as con- siderations for improvement in a CRR report. The guides were developed for organizations that have participated in a CRR, but are useful to any organization interested in implementing or maturing operational resilience capabilities for critical cyber-dependent services. Topics of the CRR resource guides include: • Asset management; • Controls management; • Configuration and change management; • Vulnerability management; • Incident management; • Service continuity management; • Risk management; • External dependencies management; • Training and awareness; and • Situational awareness. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals.

Next: Chapter 5 - Workforce Planning and Training/Exercises »
Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Get This Book
×
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Since 2009, when NCHRP's last Security 101 report was released, there have been significant advances in transportation security approaches, including new strategies, programs, and ways of doing business that have increased the security of transportation systems as well as ensured their resiliency.

Hazards and threats to the system have also continued to evolve since 2009. While the incidence of large-scale terrorist attacks has remained small, transportation agencies are at increasingly greater risk from system-disrupting events due to natural causes, unintentional human intervention, and intentional criminal acts, such as active-shooter incidents. Cyber risks also are increasing and can impact not only data, but the control systems—like tunnel-ventilation systems—operated by transportation agencies.>

The TRB National Cooperative Highway Research Program's NCHRP Research Report 930: Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies provides valuable information about current and accepted practices associated with both physical and cyber security and its applicability to surface transportation.

The report is accompanied by a PowerPoint for the project and NCHRP Web-Only Document 266: Developing a Physical and Cyber Security Primer for Transportation Agencies.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!