National Academies Press: OpenBook
« Previous: Chapter 3 Security Countermeasures
Page 98
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 98
Page 99
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 99
Page 100
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 100
Page 101
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 101
Page 102
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 102
Page 103
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 103
Page 104
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 104
Page 105
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 105
Page 106
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 106
Page 107
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 107
Page 108
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 108
Page 109
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 109
Page 110
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 110
Page 111
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 111
Page 112
Suggested Citation:"Chapter 4 Cybersecurity." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 112

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

98 Chapter 4 Cybersecurity Over the past 40 years there has been a never-ending, escalating competition between developers and users of systems that employ cyber technology and those who seek to do harm. Each generation of cybersecurity solutions is countered by ever-more sophisticated threats; each potential threat spawns additional layers of defense. This Darwinian struggle takes place around the clock and around the globe, involving many thousands of adversaries targeting millions of cyber-components. During much of this time, transportation system owners and operators were relatively insulated from this arena. Vehicles were “dumb,” roads were even dumber and save for the occasional embarrassment over roadside message signs being hacked, neither transportation engineers nor the traveling public were aware of or concerned with the need for cybersecurity, particularly as it related to the operations of the transportation highway and transit infrastructure. The emergence of Intelligent Transportation Systems (ITS) did little to change things: transit vehicles got smarter, the first generation of digital roadside devices and systems were stand- alone solutions with advisory responsibility only (e.g., variable message signs, road weather systems) and the few technologies that had safety ramifications such as traffic signal controllers remained isolated and difficult to access. Minimal attack exposures coupled with negligible consequences to human safety translated to low risk. Indeed, during most of this time, there were very few (reported) cybersecurity breaches involving transportation system operations, reinforcing the sector’s complacency. Today’s “cyber” transportation systems consist of a convergence of operating control systems and information technology networks that are blended together to enable the delivery of mission critical services to the travelling public, shippers, and other users. In the past, transportation systems were closed proprietary systems. Protected by “air gaps” and “security by obscurity” they had very limited cyber vulnerabilities compared to IT networks and systems. Over time there has been a shift from isolated systems to more connected systems. Proprietary applications have migrated to open protocols, inheriting vulnerabilities along the way. Remote sites and stand-alone systems are accessed through wireless and public or private networks. Control system components and networks are now accessible from anywhere and are increasingly connected to enterprise data, customer satisfaction and entertainment networks. Analog controls are being replaced by networked digital counterparts, allowing remote monitoring and control of signals, signs, bridges, tunnels and vehicles – public and private. Although core functionality has greatly increased due to this new connectivity, so also has the exposure to multiple threats coming from local and distant sources. Well publicized incidents in finance and banking, and perhaps most frequently the retail sector have elevated public awareness of the potential for serious injury, mostly financial injury, through the intentional exploitation or disruption of information networks. Fortunately neither the occurrence of accidents nor the exploitation of transportation industry cyber assets has resulted in the types of events that grab national headlines. However the ease of compromise of transportation systems is becoming more and more evident. And the likelihood of new or more significant events is increasing along with the cost of cyber incidents and cyber-crime:  In 2006, an employee hacked into the traffic control computer in Los Angeles as part of a labor dispute and demonstrated how easily a major city could become gridlocked. Choosing locations they knew would cause significant backups, e.g. close to freeway entrances and major destinations such as airports, the engineers caused major traffic congestion that took four days to completely resolve. Although no reported accidents or injuries were associated with the incident, the full impact was significant with delays and potential inabilities of emergency

99 vehicles to get to their destinations and loss of economic productivity as people were stuck in their cars.  In 2008, a Polish teenager proved that even proprietary closed systems are vulnerable by using a modified a TV remote to control the track switches of the Tram system. The resulting derailment fortunately did not cause any loss of life, but 12 passengers were injured in the incident.  In 2009, a computer crash in Maryland showed that unintentional and accidental events can have serious consequences. The crash caused the loss of traffic signal controls and power failures in the system, resulting in significant delays for thousands of commuters.  In 2009, the hack of smart parking meter introduced transportation agencies to the new world of cybercrime, where incidents are now being planned and targeted so as to acquire significant profits. The impact for the transportation agency can now include significant revenue loss along reputational and mission-related consequences.  In 2011, the politically active hacker group, Anonymous, took aim at transportation to protest a transit agency’s policies. The group defaced the BART public information website to make their presence known and collected agency customer’s personally identifiable information from the agency’s data systems to use to be used as a weapon to obtain concessions from BART. Anonymous threatened to release the customer information. A No Justice No BART demonstration, protesting the shooting of a homeless man by transit police, took place at the same time as the attack by Anonymous on BART. This was a joint or hybrid action conducted by different groups; a physical demonstration intended to disrupt rail transit service and the cyber- attacks reinforced one another to magnify the impact.  In recent years, dynamic message signs have been a frequent target for hackers, changing them to display humorous and sometimes obscene messages. Fortunately none of these incidents resulted in more than mischief. The potential for more serious consequences such as traffic accidents did not occur. In 2014, the stakes were raised when multiple signs in different locations were changed at the same time by a hacker, demonstrating the ability to do more serious damage. FHWA and US Computer Emergency Response Team (CERT) quickly worked to understand the incident and contain the risk in the future.   In November 2016, San Francisco Municipal Transportation Authority (SFMTA) experienced a ransomware attack that encrypted SFMTA’s information systems. The impact on physical control systems was minimized because SFMTA used a segmentation approach to separate operational control and communications systems from other IT systems and disconnected their fare gates and ticket vending machines systems from the network.  Due to a ransomware cyber-attack “Petya” AP Moller-Maersk, one of the largest container shipping lines, found IT systems down across multiple sites and business units across the world in June 2017. The Petya ransomware locked down systems and irrecoverably wiped data from infected machines, unlike typical ransomware. The company handles around 25% of all containers shipped on the key Asia-Europe route. The breakdown affected all business units at Maersk, including container shipping, port and tug boat operations, oil and gas production, drilling services, and oil tankers. Maersk estimates the finanical impact of the incident to up to $300m in lost revenues. The same ramsonware attack affected computer servers across Europe and in India impacting banks, oil companies. A previous ransomware attack, “WannaCry” in May 2017 infected Britain’s National Health Service (NHS), the Spanish phone company Telefónica and German state railways.

100 The relatively few numbers of catastrophic incidents in transportation to date has resulted in a false sense of security within the transportation sector. Recent research estimated that on the physical security side as many as 75% of security breaches go unreported. In terms of cyber much less is known about prospective breach percentages, but there is little reason to believe that the numbers are any better for cyber incidents. What is known is that the ease of compromise of transportation cyber systems is becoming more and more evident, and the likelihood of new or more significant events is increasing along with the per event costs of cyber incidents and cyber-crime. A good working definition of cybersecurity for transportation is one put forth by ISA/IEC-62443 (formerly ISA-99), a baseline security standard for industrial control systems (ICS). It defines cybersecurity more broadly as “electronic security” whose compromise could result in any or all of the following situations: • Endangerment of public or employee safety • Loss of public confidence • Violation of regulatory requirements • Loss of proprietary or confidential information • Economic loss • Impact on national security Unintentional incidents should be of equal concern to transportation leaders. From the standpoint of consequence or end result it usually matters not whether harm was deliberately caused. As one cybersecurity expert put it, “Unintentional impact doesn't mean insignificant impact." And typically structural network failures and human errors have the potential to occur more frequently than intentional cyber-attacks. There is a rich body of cybersecurity guidance and resources from an IT perspective that has developed over the past 40 or so years. There is now growing body of cybersecurity guidance and resources developing today for control system cybersecurity. Myths of Cybersecurity When common myths about cybersecurity and transportation systems are understood and misunderstandings are dispelled, transportation agencies can more efficiently and effectively improve the cybersecurity and resilience of critical transportation infrastructure. 1. “Nobody wants to attack us.” Other sectors are more likely targets for cyber-incidents than transportation, it won’t happen in transportation. Transportation systems are vulnerable to the same and/or similar cyber risks as other industries that use industrial control networks and information systems to accomplish their core business functions. Cyber- incidents have occurred in transportation systems and reported instances are growing. In 2013 the security camera apparatus in the Israeli Carmel Tunnels was affected, shutting down the toll road over two days causing major traffic congestion and disruption. Eleven percent of control system incidents reported to Industrial Control Systems (ICS)-CERT in 2012 were in the transportation sector, a number that has been growing over time. Cybersecurity incidents are not always intentional attacks on specific systems such as the 2011 BART website assault by the hacker advocacy group “Anonymous” to protest the transit agency’s temporary shutdown of underground cell phone service. Because cyber-intruders want to use unsuspecting systems to attack others or to send bulk email, they conduct network searches to find vulnerable systems and

101 identify any useful resources on the networks found. These “probes” can have significant consequences due to inherent vulnerabilities in control systems within transportation systems. In addition, cybercrime is expanding. Modern cybercrime operations are sophisticated, well-funded, and capable of causing major disruption to organizations. Cybercriminals usually have clear business objectives - they know what information they are seeking and they plan to profit from it. Transportation systems are attractive to cybercriminals. Smart parking meters were first hacked in 2009. Transit fare cards have been an ongoing target since then. Some incidents may not have been recognized as “hacking” and so are not thought of as a cybersecurity issue. In 2006 a disgruntled employee hacked into a traffic control computer in Los Angeles and shut down signals at key points causing delays for four days. Equipment failures or even maintenance procedures can cause unexpected incidents such as a loss of traffic management capabilities or signaling systems. Because of the increasing dependence on connected systems and networks with inherent vulnerabilities (control systems, fare/payment systems, wireless systems, mobile and smart devices), expanding opportunities for cyber incidents (positive train control, ITS, V2V, V2I), and the unique challenges from connectivity of safety-critical control systems such as those found in vehicles and in highway Advanced Traffic Management Systems, cyber risks are significant and growing in transportation. 2. “It can’t happen to us”. Our systems are “air gapped” or “firewalled”. In the past, transportation systems were closed proprietary systems that were protected by “air gaps” and “security by obscurity” with limited cyber vulnerabilities. The 2008 derailment of a Polish Tram by a 14-year-old boy using a TV Remote Control unit to manipulate the transit system switches demonstrated that even then an “air gap” was not enough. Today, the proprietary applications have migrated to open protocols, inheriting vulnerabilities along the way. Remote sites and stand-alone systems are accessed through wireless and public or private networks. For example, remote access for support and maintenance personnel or maintenance laptops connected directly to control systems, bypassing firewalls and policy rules, is not uncommon. Often, the system owner has no knowledge of the systems being used for maintenance, or the personnel using the systems in these ways. Systems are integrated and shared or joint-use enterprise systems with linkages to transportation network systems for management and financial reporting (and sometimes e-commerce) open up “closed” systems. Although systems are closed, there may be open connections that are not discovered as systems become integrated. Assuming that the firewall is correctly configured (rules complexity and the specifics of the control systems in place have to be taken into account), a firewall cannot protect against insiders, filter the content of encrypted connections, or protect against connections that do not go through it. In today’s environment of sophisticated hacker tools and easily available shared techniques that are constantly evolving, firewalls are not enough. Adversaries are developing new methods for embedding malware in networks, remaining undetected for long periods, and stealing data or disrupting critical systems. 3. “It’s all about IT”. Most of the cybersecurity investment will be in technology. Having technology in place to provide cybersecurity is only one part of effective cybersecurity. People and processes are just as important as technology in improving cybersecurity. Agency personnel need to be aware users of the systems in place: aware of the risks to the systems and to themselves. People are vulnerable to manipulation and social engineering that results in providing confidential information through phishing emails or conversations with strangers. People need to be aware of security policies and procedures that have been put in place. Management must actively support the cybersecurity program in

102 a visible manner. A process tied to the security strategy with policies and procedures to support strategy is critical to establish an agency-wide culture of security. APTA Recommended Practices Securing Control and Communications Systems in Rail Transit Environment, Part 2 recognize the importance of a cybersecurity culture in the agency. Just as transit agencies have created a safety-centric culture—saving lives and reducing accidents and accident severity—they need to foster and create a cybersecurity culture. This requires an awareness program; a training program; an assessment of cybersecurity threats; a reduction of the attack surface (the number of places and ways someone can attack transit systems); a cybersecurity program that addresses: threats, mitigations, the software/firmware update process, monitoring and detection methodologies; and the ability to be audited to check for compliance via logs and change-management systems. 4. “It’s possible to eliminate all vulnerabilities in systems”. Cybersecurity incidents can be completely prevented. The DHS National Cybersecurity Division Common Vulnerabilities and Exposures (CVE) list has more than 50,000 recorded vulnerabilities -- with more added hourly. There are 86,000 new pieces of malware reported each day. The odds are high that your transportation systems have already been infiltrated. According to a recent Cisco Security Report, all of the organizations Cisco examined during 2013 showed evidence of suspicious traffic, evidence that these networks have been penetrated. Due to the complexity of today’s transportation systems and human fallibility, perfect security is impossible to achieve. A more effective strategy is to assume that a cybersecurity incident will happen and focus on mitigating the consequences. 5. “Cybersecurity incidents will not impact operations.” A 2005 Report by the National Institute for Advanced Transportation Technology that assessed the security of transportation control networks (Assessing the Security and Survivability of Transportation Control Networks, P. Oman, 2005) found that control center and dispatch communications, equipment for access, safety and monitoring, and real-time actuators regulating transportation flow (e.g., bridges, tunnels, rail crossings, arterial routes, etc.) were at risk. Especially vulnerable were in-the-field devices used to monitor and regulate traffic flows in large urban environments. Since that time some improvements in security have been made but operational systems are still vulnerable. Stuxnet, discovered in June 2010, was the first known instance of cyber sabotage to real world operational systems as opposed to disruption of IT systems. Different from anything seen before, the cyber worm targeted control systems with the intention to reprogram control system components in a manner that would sabotage operations, hiding the changes from programmers or users. 6. “Control system cybersecurity can be handled the same as IT cybersecurity.” Adding cybersecurity components to transportation control systems requires personnel that understand security components and also the controls systems and the operational environments that they control. Securing access to and control of the network is generally the responsibility of information technology (IT) personnel. Control systems are usually the responsibility of the engineering and operations personnel. There are differences between IT systems and control systems that need to be recognized. NIST Special Publication 800‐82 Guide to Industrial Control Systems Security (2011) summarizes some of the differences:

103 Although some characteristics are similar, ICS also have characteristics that differ from traditional information processing systems. Many of these differences stem from the fact that logic executing in ICS has a direct effect on the physical world. Some of these characteristics include significant risk to the health and safety of human lives and serious damage to the environment, as well as serious financial issues such as production losses, negative impact to a nation’s economy, and compromise of proprietary information. ICS have unique performance and reliability requirements and often use operating systems and applications that may be considered unconventional to typical IT personnel. Furthermore, the goals of safety and efficiency sometimes conflict with security in the design and operation of control systems. Special precautions must be taken when introducing security to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS environment. 7. “Security is a problem that needs to be solved only once.” Control systems and field devices require active configuration and maintenance. Not only must the systems and devices be secured, their ongoing management and maintenance need to be secured as well, and must be capable of managing changes and adapting to new vulnerabilities or the emergence of new threats. There are approaches to reduce the cybersecurity risks and mitigate the impacts of incidents. In an ever-changing security landscape, cybersecurity must be a continual process with evaluation and monitoring as key components to identify and manage changes to systems and environments.   Cyber-Physical Systems Cybersecurity cannot be easily separated from physical security. Inadequate physical security can put cyber assets in jeopardy. Physical damage can compromise cyber assets. Evidence of intrusion into physical assets, especially control system cabinets, devices or terminals, communications devices or networks, is an indicator for a suspected cyber breach. Along with more obvious damage or telltale evidence of intrusion and unreconciled door and/or cabinet alarms, inexplicable loss or behavior of communications links or behavior of control system devices could be indications of physical security breaches. Policies and practices for responding to physical security breaches need to also address cybersecurity, and incorporate considerations that a cyber-related incident may have also occurred. ICS Cybersecurity Response to Physical Breaches of Unmanned Critical Infrastructure Sites (SANS Analyst Whitepaper, ICS-CERT, 2014) provides recommendations for responses to physical breaches with potential cybersecurity impacts. SANS/ICS CERT recommends a three level cyber response approach after conducting a physical examination of the location for anything that appears to be missing or out of place. The three levels are: 1. Initial physical examination to assess physical connections, evidence of tampering, alarm status/indicators and unfamiliar or new hardware or media (e.g. USB devices, wireless cards, access points or any other cover hardware devices used to compromise cyber systems). 2. Systems and configuration checks to identify forensic evidence of intrusions such as new user accounts, hidden files, unauthorized configuration changes, and unusual network activity. 3. Detailed examination of files system and binaries, if necessary, to confirm files are clean and uncorrupted, proper configuration of network devices, and no evidence of unauthorized firmware updates. Each level in the response approach requires more technical and operational expertise and closer

104 coordination between the cybersecurity experts and the operational engineers. Along with the skills and of hardware and software installation for the potentially impacted control systems, the appropriate vendors and consultants may need to be involved with the in-house technicians. Procurement Language Guidance for Vendor Contracts Technology systems are often purchased from vendor and not always developed in-house Transportation IT systems and applications are many times maintained by outside vendors and suppliers. Cybersecurity needs to include vendor relationships to secure critical technology systems. This will include physical security of vendor hosted and maintained systems as well. The U.S. Department of Homeland Security (DHS) worked with industry cybersecurity and control system subject matter experts and the U.S. Department of Energy (DOE) to produce Cybersecurity Procurement Language for Control Systems, published in 2009. The document summarizes security principles that should be considered when designing and procuring control systems products and services (software, systems, maintenance, and networks), and provides examples of procurement language text mapped directly to vulnerabilities of control systems to incorporate into procurement specifications. Created in a process that brought together leading control system security experts, purchasers, integrators, and technology providers and vendors across many industry sectors (e.g., electricity, natural gas, petroleum and oil, water, transportation, and chemical), the guidance was designed to assist both system owners and integrators in establishing sufficient control systems security controls within contract relationships to ensure an acceptable level of risk. The NIST Framework for Improving Critical Infrastructure Cybersecurity, in identifying a common language to address and manage cybersecurity risk, provides a language that may be leveraged in the procurement process – it can be used as a tool to help communicate cybersecurity requirements in the procurement process. The energy sector cybersecurity working group (ESCSWG) - a public-private partnership consisting of asset owners, operators, and government agencies – using the 2009 DHS documents as a foundation developed a baseline cybersecurity procurement language guidance document, Cybersecurity Procurement Language for Energy Delivery System (2014), guided by the NIST Framework. Although it was tailored to the specific needs of the energy sector, the suggested procurement language has relevance for all sectors including transportation. The 2014 energy sector provides baseline cybersecurity procurement language for individual components (e.g., programmable logic controllers, digital relays, or remote terminal units) and individual systems (e.g., a SCADA system, EMS, or DCS). It also “differentiates the cybersecurity- based procurement language that is common to the procurement of individual components and systems from language that is only applicable to individual components or systems. Furthermore, this document differentiates language that is applicable to specific technologies (e.g., Transmission Control Protocol/Internet Protocol [TCP/IP] communication between systems or components, and remote access capabilities)”. There is a section that provides general cybersecurity considerations that apply to many types of products

105 being procured grouped into the following topic areas: • Software and Services • Access Control • Account Management • Session Management • Authentication/Password Policy and Management • Logging and Auditing • Communication Restrictions • Malware Detection and Protection • Reliability and Adherence to Standards A number of procurement language elements presented request summary documentation or verification from the Supplier. For example: The Supplier shall provide summary documentation of procured product’s security features and security-focused instructions on product maintenance, support, and reconfiguration of default settings. Another example: The Supplier shall provide a method to restrict communication traffic between different network security zones. The Supplier shall provide documentation on any method or equipment used to restrict communication traffic. Additional sections provide language to consider when acquiring intrusion detection systems, focused on physical security considerations and wireless technologies, and on cryptographic technology. As noted in both of the resources cited above, the procurement language presented in the documents is not all-inclusive. Depending on the product and services required by the transportation agency, additional cybersecurity-based procurement language beyond what has been identified in these documents may be necessary.  As the cybersecurity landscape continues to evolve, new threats, technologies, techniques, practices, and requirements may need to be considered during the procurement process. The procurement language will need to evolve to meet the challenges of this changing landscape. Other organizations such as AASHTO may be developing guidance in the future on how to address cybersecurity in procurements. Federal government information technology (IT) contracts must include requirements and clauses that address the cybersecurity and privacy controls that are specified in a number of publicly available guidance documents, standards, and laws. This includes the Federal Information Security Modernization Act (FISMA), the special publications and standards posted at the computer security website maintained by the National Institute of Standards and Technology (NIST), cybersecurity guidance publicly distributed via memoranda issued by the Office of Management and Budget (OMB), OMB Circular A-130, and various other related cybersecurity and privacy guidance. It should be noted that both the DHS and the ESCWG documents focus on the cybersecurity of control systems and do not address cybersecurity-based procurement language for IT. Recommendations for IT cybersecurity procurement are included in the NIST 800 series of publications and other standards and guidance documents. In 2017, the Department of Defense has produced guidance for contractors to implement the security requirements of NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. The guidance “Safeguarding Covered Defense

106 Information and Cyber Incident Reporting” is provided for DoD acquisition personnel and outlines how a contractor can use a system security plan to documents the security requirements with examples. The Guidance can be found online at https://www.acq.osd.mil/dpap/policy/policyvault/USA003939-17-DPAP.pdf Surface Transportation Cybersecurity Issues In spite of staggering amounts of time, money and effort being spent on cybersecurity initiatives across the industry, some issues are considered to be intractable and persistent.  Resilience – In this context, resilience refers to the ability of a system to operate adequately when stressed by unexpected or invalid inputs, subsystem failures or extreme environmental conditions.  Privacy - The ability of a system to protect sensitive information from unauthorized access by humans or machines.  Malicious Attacks – the ability to deter and recover from internal vulnerability exploits even in “air-gapped” systems.  Intrusion Detection – The ability of a system to monitor its internal baseline “normal” operating parameters and issue an alert when deviations are detected. Indeed, as increasingly complex combinations of computation, networking and process, interconnected with an array of feedback loops, connecting humans and machines begin to resemble “living” organisms and ecosystems, new models of cybersecurity are beginning to emerge. Concepts borrowed from human physiology such as active and passive immune functions are being researched with the intent to replace already impotent strategies such as “defense-in-depth.” The addition of tens of millions of connected vehicles and their “smart slab” enabled owners will only accelerate the need for more subtle solutions. Emerging Trends in Transportation Control Technologies The section addresses some of the emerging trends in transportation controls technologies that have potential impact on transportation cybersecurity. Connected Vehicle Program USDOT’s Connected Vehicle research program addresses key transportation challenges – vehicle crashes, congestion, and pollution through the following technology areas. Safety  Vehicle-to-Vehicle (V2V)  Vehicle-to-Infrastructure (V2I) Mobility  Dynamic Mobility Applications Environment  AERIS  Road Weather Applications Fifty billion connected vehicles are anticipated to be on the road within a decade. Accompanying these vehicles will be Machine to Machine (M2M) devices sending and receiving data through wireless solutions. Auto makers, fleet managers, and DOTs are working towards the centralized control of systems with the connected vehicles; however, the many peripheral, aftermarket devices and software not within this

107 centralized control has introduced potential vulnerabilities as they access various elements of the connected vehicles. As early as 2013, concerns have been raised about the potential for hackers to gain access to smart electric vehicle charging stations, not only obtaining login information and payments, but also the ability to access utility systems that run the chargers or shut down the networks themselves. A 2015 Wired magazine article, Hackers Remotely Kill Jeep on Highway, described a demonstration, with the driver’s consent, of taking remote control of a Jeep Cherokee, causing unexpected dashboard activity and the vehicle to slow to a crawl on a busy interstate highway. While this incident was planned, it serves to illustrate the vulnerability of vehicles to cyber-attacks.  I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold. Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in- seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee- lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass. (http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/) Security and privacy are key policy issues being considered and addressed in the program. Security challenges include message validity, security entity, network security, security operations business models, and equipment and system certification processes. Privacy issues include the ability of users to opt out of tracking applications and activities. A common framework for Connected Vehicle technologies and interfaces is under development and will include Enterprise, Functional, Physical, and Communications views. Various applications have been developed or are under development. Pilot tests have also been completed or are underway. (Robert Sheehan, Connected Vehicle Research Program Presentation, ITSJPO, USDOT) Safety. The Connected Vehicle’s safety program is expected to prevent or mitigate as much as 80% of crashes caused by unimpaired drivers through the implementation of Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) safety applications. V2V applications include Forward Collision Warning, Blind Spot/Lane Change Warning, Do Not Pass Warning, Left Turn Assist, and Intersection Movement Assist. V2I applications include Curve Speed Warning, Red Light Violation Warning, Stop Sign Gap Assist, and Transit Pedestrian Warning. (Robert Sheehan, Connected Vehicle Research Program Presentation, ITSJPO, USDOT) At the same time, this program may exponentially increase the number of vehicles accessible by hackers and bad actors through the implementation of Dedicated Short Range Communications (DSRC) between vehicles, between vehicles and the roadway, between vehicles and traffic signals and other infrastructure, and between vehicles and pedestrians and obstacles. A key security feature which will be included in the program is the Security Credential Management System (SCMS) currently under development. The system will ensure the integrity of V2V and V2I applications and anonymity of data emanating from vehicles and traffic signals. As shown in Figure 50, the SCMS will be focused on security and privacy by design and will include on-board security elements and security of interactions between on-board elements and the SCMS. (RITA/USDOT, Security Credential Management System Design, April 2013; Drew Van Duren, FHWA Presentation Slides on Cybersecurity TRB: Connected Vehicles Security, October 2014)

108   Figure 50: Security Credential Management System (SCMS) Functionality. Source: Van Duren, FHWA, Presentation Slides on  Cybersecurity TRB: Connected Vehicles Security, October 2014  Mobility. The Mobility program includes applications such as the Multimodal Intelligent Traffic Signal System; Intelligent Network Flow Optimization; Response, Emergency Staging and Communications, Uniform Management, and Evacuation; and the Enable Advanced Traveler Information Systems. Road user mobility concerns include integrity, availability, and privacy/anonymity of data including payment data. These concerns will likely increase as more and more road users utilize mobility services and applications. Appropriate policies and user authentication methods can mitigate these issues. The public transportation, freight carriers, taxis, and emergency responders use fleet management systems, automated vehicle location (AVL) and computer-aided dispatch (CAD) technologies to track and manage buses, trucks, and other fleets. Environment. The Environment program contains AERIS applications such as Eco- Integrated Corridor Management and Eco-Traveler Information and road weather applications. While these may be less attractive targets to potential hackers, any vulnerability in these applications may potentially lead to the compromising of safety critical systems. Machine to Machine M2M (Internet of Things). White-hat security tests of intelligent vehicles and their electronic components have proven that they are indeed vulnerable to hackers; however, as the required effort was high only sophisticated hackers will be able to launch successful attacks. (ITSA Connected Vehicle Assessment Report 2012-2014) At the same time, aftermarket mobile applications are proliferating, making mobile security an increased concern for transportation providers. Examples of these applications include location-based mapping and navigation software and real-time traffic incident alerting applications for drivers, and real-time next-bus arrival information and transit delay alerting applications for transit customers. These applications may have lax security measures especially when storing user location and other user-associated data. The ITSA report notes that while documented vulnerabilities have increased and mobile devices are subject to theft, operating systems for mobile devices are more secure than those using legacy systems.

109 M2M is used to deliver these technology applications and offer numerous benefits to drivers such as automated diagnostics of safety systems and driver alerts regarding necessary engine maintenance. When the manufacturer offers M2M, testing for safety and cybersecurity issues is typically performed. However, aftermarket devices and applications used by the traveling public provide them with significant benefits and convenience but use open platforms and have specific security vulnerabilities as well. As noted in the ITSA Connected Vehicle Assessment Report (2012-2014), most vulnerabilities arise from design flaws and bugs in software and the best long-term countermeasure is quality software and the actions (requirements definitions, reduction in system complexity) that lead to such software. Also, they use wireless communications that may be attacked from a long distance from the network. In addition, bugs in wireless systems cannot easily be eliminated. Additional issues include authentication, telecommunications carrier “insider” threats, and denial of service. Connections with ATIS/511 traveler information servers can provide a way for hackers to penetrate the TMC’s network. Connected Vehicles Technology System Types The three technology system types for connected vehicles include:  Operation Technology (OT)  Information Technology (IT)  Networking and Communications Operational Technology (OT) is product- or system-oriented and includes automotive electronics and traffic management systems. OT systems are usually safety and operational critical systems and therefore availability and integrity are paramount. While legacy OT was isolated, next generation OT is not. Next generation OT makes use of “Internet of Things” applications. “Internet of Things” link objects and formerly unconnected systems to the internet using standardized protocols and architectures; this standardization, in turn, makes it easier for hackers to access the next generation OT systems. (ITSA Connected Vehicle Assessment – Cybersecurity and Dependable Transportation, Connected Vehicle Technology Scan Series, 2012-2014) Information Technology (IT)   IT risk stems primarily from third-party software used by the traveling public. In addition, sub- optimal software design, security measures and patch management are also key cybersecurity issues for IT. IT attack vector categories include unauthorized access, malicious code, and reconnaissance and networking- based service attacks. Networking and Communications Systems Networking and communications vulnerabilities include security protocols, authentication of communication partners, telecommunications threats, and denial of service. Wireless networks used for transmission of connected vehicle and traffic data are vulnerable to attack from miles away. Also, telecommunications infrastructure vulnerabilities are difficult to address and have tended to remain unaddressed for years after they are discovered. Telecommunications insiders also pose a threat as they have access to subscriber information. The 2014 NHTSA Cybersecurity Best Practices report makes the observation that the telecommunications industry supply the wireless services used for ITS and other automotive services, and that the telecommunications industry along with the internet have, at the same time, facilitated hackers as well. The USDOT in conjunction with the public and private sectors is developing DSRC communications

110 standards, interface standards for other media, and information exchange standards. NHTSA sponsored research into cybersecurity best practices applicable to automotive cybersecurity by reviewing and analyzing industry practices of IT and telecommunications, NIST, industrial control and energy, aviation, financial payments, and medical devices. The report also presents an Information Security Lifecycle consisting of the Assessment, Design, Operation, and Implementation Phases. The research was conducted by the VOLPE Center. Big Data and Preventive Maintenance Big Data and Preventive Maintenance: ITS produces large amounts of data or “Big Data” – there are many positive uses for this data including the creation of predictive algorithms to determine future congestion and traffic patterns, and likely incident locations. There are also predictive maintenance applications based on data which will be generated through the Connected Vehicle program. Weaknesses in data storage policies and practices can expose individual financial data and location-based data to hackers. Also, compromised data can result in no or incorrect maintenance alerts being issued to drivers and vehicle owners. Bring Your Own Devices (BYOD) The Bring Your Own Devices practice of TMC employees and contractors can introduce vulnerabilities into the TMC environment. BYOD use wireless networks that are prone to hacking. Hence, BYOD policies and procedures should be established and enforced. Transportation Roadmap for Cybersecurity In August of 2012, the U.S. Department of Homeland Security’s (DHS’s) National Cybersecurity Division (NCSD), Control Systems Security Program (CSSP) released The Roadmap to Secure Control Systems in the Transportation Sector (Transportation Roadmap, a voluntary framework for improving the cybersecurity across all transportation modes). The Transportation Roadmap is intended to act as a template for action for individual organizations and provides a series of activities and benchmarks used “to identify the cybersecurity features currently in place and to determine the next activities for consideration to improve cybersecurity performance.” The Roadmap proposes four national cybersecurity goals with corresponding end states and consistent with the National Policy Guidance extant in 2012. Each goal is supported by multiple objectives, milestones and metrics to be accomplished over three timeframes encompassing a 10- year planning horizon. As new or modified Policy Guidance becomes available, and as significant accomplishments occur, DHS, DOT and other key stakeholders will need to revisit and revise the Roadmap. Two years after the release of the US Transportation Roadmap, the SECUR-ED Urban Transportation – European Demonstration (SECUR-ED) released an international version of the Cybersecurity Roadmap for Public Transportation Operators (PTO’s). Although the primary audience for this document was European transit agencies, the document provides much information of use to US operators. Topics included address:  How cybersecurity fits in the overall risk management strategy of a PTO;  A comprehensive framework of assets, architectures and technologies used by a PTO taking into account the different types of transport operated by PTO’s as well as the cases where the transport operator is not the infrastructure owner;

111  A set of security standards and regulations that may be applicable to a PTO;  How cybersecurity will impact PTO organizations;  A set of baseline security requirements for future procurement;  An implementation approach and first affordable security measures;  Further directions towards standardization and eventually regulation. Cyber Resilience Cybersecurity approaches must be adaptable to emerging threats in a constantly evolving world. Vulnerabilities are evolving and new risks are growing by the hour. Maintaining situational awareness of cyber threats – both intentional and unintentional – is important. However, complete protection against cyber incidents is not achievable. Perfect security is not possible and incidents will happen. Cyber resilience is the ability to identify, prevent, detect and respond to cyber incidents and recover while minimizing service impact, customer harm, reputational damage and financial loss. Establishing strategies to support resilience— plan for it, isolate it, contain its damage and recover from it gracefully—is a more effective approach. Cyber resilience includes the capabilities summarized in the Table 14. Table 14: Cyber Resilience Capabilities  Capability Definition Cybersecurity Activities Anticipate Maintaining a state of informed preparedness - understanding of potential threats and existing vulnerabilities - in order to forestall compromises of mission/business functions from adversary attacks  threat identification and analysis  systemic vulnerability assessment  contingency planning  training and exercises Withstand Continuing essential mission/business functions despite successful execution of an attack by an adversary  continuous scanning and monitoring  indications and warnings  intrusion detection and prevention Recover Restoring mission/business functions to the maximum extent possible subsequent to successful execution of an attack by an adversary  impact analysis  incident response plans  recovery plans Evolve Changing missions/business functions and/or the supporting cyber capabilities, so as to minimize adverse impacts from actual or predicted adversary attacks  After-action forensics  post-incident analysis  adaptive cybersecurity adoption Source: Adapted from Cyber Resiliency Engineering Framework (MITRE, 2011) and Maturity Model for Cyber Operations (Booz| Allen Hamilton, 2011). DHS Cyber Resilience Review The Cyber Resilience Review (CRR) is a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR captures an understanding and qualitative measurement of an organization’s operational resilience and its ability to manage operational risks to critical services and their associated assets. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices. Resource guides were developed to help organizations implement practices identified as considerations for improvement in a CRR report. The guides were developed for organizations that have participated in a

112 CRR, but are useful to any organization interested in implementing or maturing operational resilience capabilities for critical cyber dependent services. The CRR Resource Guides include  Asset Management  Controls Management  Configuration and Change Management  Vulnerability Management  Incident Management  Service Continuity Management  Risk Management  External Dependencies Management  Training and Awareness  Situational Awareness The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals.    

Next: Chapter 5 Workforce Planning and Training/Exercises »
Security 101: A Physical and Cybersecurity Primer for Transportation Agencies Get This Book
×
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Since 2009, when NCHRP's last Security 101 report was released, there have been significant advances in transportation security approaches, including new strategies, programs, and ways of doing business that have increased the security of transportation systems as well as ensured their resiliency.

Hazards and threats to the system have also continued to evolve since 2009. While the incidence of large-scale terrorist attacks has remained small, transportation agencies are at increasingly greater risk from system-disrupting events due to natural causes, unintentional human intervention, and intentional criminal acts, such as active-shooter incidents. Cyber risks also are increasing, and can impact not only data, but the control systems - like tunnel-ventilation systems - operated by transportation agencies.

This update, a pre-publication draft of NCHRP Research Report 930: Security 101: A Physical and Cybersecurity Primer for Transportation Agencies, provides valuable information about current and accepted practices associated with both physical and cyber security and its applicability to surface transportation.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!