The transportation systems for highways and arterials in the U.S. have advanced from a collection of independently operating devices to highly interconnected, far-reaching and integrated systems.
These integrated systems require a reliable communication network that spans a broad geographical region.
Transportation systems are not only becoming more connected, but also more dependent on communications and information technologies. In addition, recently, our society has become more “networked,” with traditionally isolated control systems connecting both to business networks and with each other.
Transportation is not immune from these changes, and there is the very real possibility that infrastructure such as traffic management centers, tunnels, bridges, signal-control systems and rail-control systems may be manipulated via their cyber components (directly or indirectly) to cause crashes, kill and injure the traveling public, and destroy critical systems. Cyber attacks on infrastructure control systems also have the proven potential to cause physical consequences similar to those usually associated with more traditional attacks (such as bombs or equipment sabotage).
More of a threat
Cyber threats represent a near- and long-term challenge because of rapidly growing digitization and networking of operational and business systems used in transportation. However, there is uncertainty about the capabilities and intent of adversaries to damage or disrupt transportation using cyber means.
Consequently, many owners and operators are unsure of their risk level and the type and extent of countermeasures they may need. Cyber-based control systems are networked wirelessly to remote sensors and operational components. These systems are often connected to the Internet and could be accessed through publicly available intrusion software. It is conceivable that terrorists could exploit the possibilities of conducting a cyber attack against critical transportation control systems.
Cyber threats are evolving and growing more frequent; however, terrorism-related cyber attacks have not been directed at U.S. transportation systems thus far. Nevertheless, cyber threats to transportation are a growing security concern due to:
- The dependence of transportation on cyber systems for operations, access control, communications, positioning, navigation and tracking;
- The rapid expansion of applications remotely accessing sensitive systems; and
- The increasing sophistication of adversaries.
The Transportation Security Administration (TSA) strives to maintain high cybersecurity standards and encourages transportation providers to incorporate cybersecurity best practices including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The National Strategy for Transportation Security includes the following:
A comprehensive delineation of prevention, response and recovery responsibilities and issues regarding threatened and executed acts of terrorism within the U.S. and threatened and executed acts of terrorism outside the U.S. to the extent such acts affect U.S. transportation systems.
A prioritization of research and development objectives that support transportation security needs, giving a higher priority to research and development directed toward protecting vital transportation assets. Transportation security research and development projects shall be based, to the extent practicable, on such prioritization.
The cybersecurity section of this document addresses risk management of the cyber risks posed by terrorists. Cyber vulnerabilities within transportation industries vary greatly in scope and consequence. Although the threat of a terrorist-related cyber attack causing significant loss to the function of transportation systems is low, there is potential for exploitation of cyber vulnerabilities in unanticipated ways with unforeseen consequences. Insiders who combine advanced technological understanding with traditional espionage/terrorist skills have a significantly increased asymmetric capability to cause physical damage through cyber means.
The path forward to secure transportation systems from cyber attacks will require broad-based commitments to improve cybersecurity awareness and the use of best security practices by individuals, industries and government agencies. Sector partners should work together to refine assessments of the cyber threats and vulnerabilities, and to assure timely sharing of cyber-threat information with owners and operators. The partners should continue to implement the Transportation Systems Sector’s Cybersecurity Strategy and support initiatives based on implementation of the NIST Cybersecurity Framework.
For the possibility of an uptick in cyber incidents, the federal government has developed a number of tools to help transportation agencies and infrastructure owners better protect their systems. One of these tools is a generic cybersecurity framework developed by NIST at the U.S. Department of Commerce. A diverse group of stakeholders and security professionals contributed to the development of the framework, which NIST released on Feb. 12, 2014. The Framework for Improving Critical Infrastructure Cyber-securities is available at www.nist.gov/cyberframework.
The cybersecurity framework provides businesses, owners of critical infrastructure, and transportation agencies with an extensive set of tools to develop best practices and industry standards to improve resilience to malicious and incidental disruptions.
The framework can help stakeholder organizations assess and improve existing cybersecurity programs, or create new programs. The framework uses a methodical approach for improving an organization’s cybersecurity capability by identifying, assessing and responding to risk. In addition, the tools help organizations better align their cybersecurity and resiliency program objectives with their strategic plans, identify priority areas for process improvement, and establish a plan to sustain and improve their cybersecurity programs.
The framework has three components: the core, framework profiles and tiers. The core focuses on effectively managing cybersecurity risk and the ability to recover from an attack; in essence, it is the incidence-response process. The framework profiles define the set of baseline activities an organization is currently using and the desired or target capabilities they would like to achieve. The tiers facilitate the gap analysis process, which leads to a tiered implementation for cybersecurity protection. The tiers provide a context for agencies to better understand their cybersecurity risk-management practices and to rate them.
Using the cybersecurity framework, the Federal Highway Administation (FHWA) is creating a tool for state and local transportation agencies. The tool will be one part of the overall agency response to the emergent cyber resilience challenge. To develop the tool, the FHWA will tailor the NIST framework for transportation agencies with help from industry and operating agencies. The tool, now in the early stages of planning, will include a structured cybersecurity assessment and development program for the transportation community of practice. Transportation agencies will be able to use the tailored framework as a self-assessment tool to evaluate their current practices and to identify where they can improve current cybersecurity activities and programs. The goal of the tool is to improve the overall protection and resilience of the nation’s highway infrastructure.
There needs to be more
Research is needed to identify effective practices to protect transportation systems from cyber incidents and attacks on signaling and control systems as well as enterprise data systems.
Government and industry security partners annually identify transportation security needs that cannot be met due to a lack of capabilities. Several partnership mechanisms allow capability gaps to be identified for consideration by the joint Transportation R&D Working Group. The R&D Working Group proposes prioritized R&D projects for consideration by the U.S. DOT and Department of Homeland Security (DHS) Science and Technology Directorate.
The skill sets, knowledge, technology and management practices that comprise a robust all-hazards security (including cyber) and emergency management program are still being defined by DOTs. In this environment, research plays an essential role in helping agencies create effective programs. On topics ranging from how to design blast-resistant structures to supporting emergency traffic operations, research gives DOTs access to technical reports that describe state-of-the-art knowledge; manuals and guidebooks that help them implement new organizational structures and procedures; and briefing papers that can help senior managers and leadership understand emerging issues. In short, research is one of the building blocks for any DOT’s hazards security and emergency-management program.
Since Sept. 11, 2001, 188 security, emergency-management and infrastructure protection-related planning and implementation projects have been initiated through programs managed by the Transportation Research Board. One-hundred-forty-seven of these projects have been completed, 20 projects are in progress and 21 projects have contracts pending or are currently in development. The report includes information on security-related research that is formally coordinated between the Transit Cooperative Research Program and National Cooperative Highway Research Program.
The FHWA Office of Operations is working to establish a formal process of monitoring, alerting and advising owners and operators of the national transportation infrastructure through a single entity. Other organizations and processes cover some aspects of monitoring, alerting or advising industrial control systems or information technology deployments. However, no single entity currently exists to achieve the following objectives under one entity for transportation owners and operators: (1) monitoring cybersecurity incidents on transportation infrastructures; (2) alerting owners, operators and manufacturers of transportation infrastructures about a security breech or vulnerability; (3) advising on post-incident responses; (4) investigating potential system vulnerabilities; and (5) providing education and awareness training and information.
The transportation-focused tool that the FHWA is creating will help to address the need to increase engagement across federal agencies, transportation communities and private industries to support a common operating response to cyber attacks against critical transportation infrastructure. The education and awareness outreach component of the tool also will provide a platform for hosting forums that bring stakeholders together to share best practices in cybersecurity and their experiences with implementing the NIST cybersecurity framework. These functions will foster risk management and cybersecurity management communications among the internal and external transportation stakeholders.
The FHWA, in collaboration with its institutional partners, needs to take several initial steps to improve the cyber resiliency of transportation systems. The agency’s customization of a tool based on the NIST cybersecurity framework will help operating agencies respond to today’s cyber resiliency challenge. In addition, the FHWA’s development of a formal process for monitoring and communicating cybersecurity issues through a single entity may improve the speed of response to incidents on a national scale.
The FHWA, along with state and local agencies, can best address these long-term challenges by making cybersecurity and resiliency an essential component of operations and maintenance.
In the future, to understand our vulnerability from a cybersecurity perspective and how it can be addressed, a series of issues needs to be researched, foremost of which is how decisions are made to implement cybersecurity to protect industrial control systems such as signals and communications systems; for data systems including parking, fare payments, payroll and public information systems; data connections between Centralized Traffic Control (CTC), SCADA and data systems; and data connections with other systems.
Research into detecting malicious attacks can guarantee continuity of operations and ultimately reconfigure and restore full functionality through use of formal methods related to critical infrastructure.
To avoid costly failures due to a cyber attack and simultaneously provide 21st-century infrastructure, an electronic “nervous system” can collect and analyze sensor data to enable better decision-making. This research may help to provide sensor data-driven awareness of the usage and condition of infrastructure (both for components and the entire network), and proactive, intelligent decision support and control of these systems over their lifetime.
Transportation is on the verge of a technology-fueled renaissance. Smart traffic lights will be used to make intersections safer, vehicles will coordinate to reduce congestion and automatic surface monitoring will lead to well-maintained roads. Sensors and actuators within vehicles will assist the driver by performing continuous around-the-vehicle sensing; looking ahead, communication and notification of unsafe/unsecure conditions is needed, as is intervention when necessary.
A survey of current and past practices as well as lessons learned regarding industrial control systems and cybersecurity among relevant state and local agencies (e.g., local, state and regional agencies with emergency management and response responsibilities, transit managers and state transportation agency personnel) is greatly advised. Do they know how their mission-critical networks are configured? What are their worst-case concerns? What are their plans, what have they tested and what do they have budgeted for training? How are they preparing for positive train control?
Identifying gaps and opportunities for improved practices such as real or perceived programmatic, organizational, administrative and regulatory hurdles that limit effective planning and response for transit and DOT cyber and industrial-control system incidents should be addressed, in addition to identifying proposed case studies of effective security practices for transit and DOT cyber and industrial-control systems.
Development of a primer to serve as the cyber counterpart to Security 101: A Physical Security Primer for Transportation Agencies would likewise be a good idea. The primer should contain a list of effective practices that can be used to protect transportation systems from cyber events and to mitigate damage should an attack or breach occur.
Cyber education and literacy are not the only means for addressing the human aspects of cybersecurity. Cyber-literate users may still reject cybersecurity tools (such as multi-factor authentication) due to the level of effort imposed by their use. In order to increase their acceptance and adoption, research needs to be conducted in social, behavioral, and economic sciences to enhance and document the efficiency of cybersecurity tools, especially their ease of use.
A more diverse workforce in terms of race, gender, ethnic group, age, personality, cognitive style, education, background and others can provide a richer set of perspectives and innovative solutions to problems. Research is needed to find ways to make cybersecurity a more attractive career option for many people and introduce greater diversity into recruiting and retention practices, promote greater awareness, and motivate young people to seek cybersecurity careers.
Expanding the diversity of expertise beyond technology with engender a deeper understanding of the human facets of cyber threats and secure cyber systems in the cybersecurity research community. To accelerate progress, the skills of traditional cybersecurity researchers should be augmented with expertise from social, behavioral and economic disciplines. Multi-disciplinary research should be promoted by funding agencies and by research institutions.
Supporting privacy in conjunction with improved security is becoming a hot burning issue of late, notably because of lawsuits by the federal government against Apple. Security and privacy are not inherently at odds with each other, but some security controls have privacy implications. Research needs to be started to encourage developers of new cybersecurity controls to evaluate and document any implications for privacy and confidentiality in terms of infrastructure.
To manage risk, organizations should understand the likelihood that an event will occur, so they can anticipate the resulting impact and determine an acceptable level of risk tolerance. While risk management practices offer significant value, the return on investment has historically been influenced by complex and decentralized risk governance, uncertainty in risk assessment techniques and inaccurate cost estimation. The authority, responsibility and decision-making power for information risk management are often distributed, resulting in a delayed, fragmentary or uncoordinated response to risks. The lifecycle costs of security solutions are often underappreciated with respect to operations and management costs, especially for weak solutions. Advances in risk management are needed to integrate cost-modeling techniques that incorporate human factors, such as required expertise and ongoing training, and risk models that incorporate information about the known and projected vulnerabilities. In the long term, it is necessary to better inform risk management by integrating modeling, simulation and exercises into its practice.
Transportation officials also need to learn from the health care, financial services and retail sectors that are facing a new breed of criminals who exploit identified vulnerabilities. Even though the vulnerabilities are shared openly, many asset owners fail to take the proper precautions and, therefore, their systems remain exposed to threats. R&B