Lock combination

April 8, 2016

Keeping ITS secure requires a multi-tier approach

Many a traffic engineer is familiar with fiddling with the door lock on a traffic controller cabinet.

Not too long ago, that was the only security task in maintaining traffic systems for technicians in the field. Security controls for these kinds of traffic management systems, in particular for older legacy technologies, typically focused on the simple necessity of reducing the risk of physical tampering, destruction or theft of the equipment.

Those simpler times have passed. There have been several documented attacks on public transit and road operators, such as the hacking of websites and in-the-field traffic control devices. These have been limited primarily to hacks of roadside dynamic message signs (DMS), where there is likely very little impact on public safety. There is greater concern, however, that as the sophistication of attacks grows, the costs of securing and, ultimately, deploying intelligent transportation systems (ITS) will grow disproportionately and potentially choke innovation.

Feeling insecure

Transportation is not only becoming more connected, but also more and more dependent on very complex computing systems and software. Current automotive electronics and advanced traffic management systems (ATMS) and their component field devices (e.g. traffic signals, ramp meters, roadside sensors and dynamic message signs) include a large number of computing hosts, electronic microcontrollers and application software. Traffic control devices such as detectors, traffic signals, ramp meters and dynamic message signs are often connected to traffic management centers (TMCs) to support remote management and monitoring.

The security and threat environment is beginning to shift around ITS as they become connected and more familiar to a wider world. Traffic engineers now must worry about devices in the traffic cabinet being hacked remotely through a TMC. Where the attack surface of a traffic signal was once the door of the controller cabinet, now it is any number of entry points—from a USB drive to a serial port to a cellular router.

Furthermore, the “Internet of Things” services model is finding a market foothold in traffic management, with data at risk. Some new devices such as camera-based detectors are managed directly from the cloud (known as virtual TMC functions, which provide cloud-based remote diagnostics, management and reporting tools on the web), centralizing and scaling services across multiple road operators. Cloud-based virtual TMCs centralize sensitive data and processes, which lowers the cost of providing services to each additional road operator. However, such centralization risks creating a larger, more visible and more valuable target for a cyber attack.

Although it is tempting to fault greater connectivity for all of our security ills, the real culprit is often poorly designed or poorly implemented host and application security. The root of most technological innovation, and the source of most of our vulnerability, is the software found in applications and devices. The demand for more software functionality has outstripped the capacity of engineers to design systems with any degree of assurance that the software will be reliable or secure. If software were not so buggy, and access controls not so poorly designed and easy to circumvent, then hackers scanning for vulnerable connected systems would find pickings far less lucrative and abundant.

Industrial equipment is often not designed with security as a clear requirement. For example, most traffic controllers use commercially available real-time operating systems (RTOS) to allocate green lights to varying directions of traffic. One common RTOS in traffic controllers is VxWorks. The default build settings for some versions of VxWorks left a “debug” port open for testing purposes. This port was meant to be disabled for operational environments but was often left enabled. As a result, a hacker could access the debug port without a password, allowing him or her to alter traffic-control parameters. This vulnerability was easily fixed by changing the system configuration to close the port, and vendors addressed the issue in a software patch. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) marked it as a vulnerability in 2010.

In the parlance of traffic engineering, an open port is the cyber equivalent of leaving the traffic controller cabinet door not just unlocked, but wide open. Poorly designed access controls have been discovered in experimental vulnerability analysis of vehicle systems too. The famous white-hat hack of Jeep vehicles with the UConnect Telematics unit in 2015 was the equivalent of leaving the door ajar and the keys in the ignition. Researchers discovered that the wireless Internet service provider did not block traffic/ports between devices on its network—and they were able to scan and identify remotely more than 2,000 vehicles. 

Insecurity is not just the result of connectivity, and there are always a large number of contributing factors to the emergence of any successful attack. In the case of the Jeep hack, security researchers Chris Miller and Charlie Valasek were able to reverse-engineer the systems in the vehicle to find vulnerabilities in the telematics unit that let them access the controller area network and key systems such as braking. The Jeep vulnerability suggested a worm could be created to scan for vulnerable vehicles, deliver a malicious payload through a telematics unit and compromise control systems. However, they would not have been able to exploit these vulnerabilities if they had not found an attack vector that allowed remote exploitation through the cellular carrier that acted as the Internet service provider. (Fiat Chrysler subsequently issued a recall and developed and distributed a patch to its telematics system, and the wireless service provider blocked ports to remove the vulnerability in 2015.)

Defense in depth

The core challenge in cybersecurity is to establish trust. Trust means confidence that software is reliable and free from potential security vulnerabilities, and that it can establish connections with other entities (TMCs, traffic signals, emergency vehicles, etc.) that will not compromise its critical resources or functions. Software vulnerabilities are dangers to which countermeasures must be applied; alternatively, “patches” must be developed, tested, distributed and installed—a costly, complex and burdensome process for government and industry. The process is so burdensome, in fact, that many public agencies likely defer investment in new technologies to avoid the downside risk of a cyber attack.

However, a reasonable level of security is attainable. Security in intelligent transportation requires sensible planning and implementation of a “defense-in-depth” strategy. Defense-in-depth is a three-fold approach employing “constructive,” “operational” and “reactive” strategies. Over the long term, the combination of strategies can create a robust defense in which the overall security achieved is greater than the sum of its parts.

Constructive strategies, while difficult, are the most effective. Constructive strategy relies on better software design. It requires a lifecycle approach to software development that seeks to reduce the likelihood of vulnerabilities being introduced in the product development phase, before systems are deployed to end users. However, most road operators have little control over the design and development of the products they use, and therefore must rely on manufacturers to do their constructive part. Consumers over time may demand more secure products, and manufacturers of traffic management systems may respond in the marketplace by providing a level of security assurance and services as part of their offerings. This would be a shift from the fix-it-yourself “buyer beware” security assurance model that is so problematic for expertise- and resource-challenged road agencies.

There is some additional hope. New traffic management technologies will not treat security as an afterthought. A “security-by-design” approach is currently being taken with the development of vehicle-to-external (V2X) cooperative crash avoidance and mobility applications as part of the U.S. DOT’s connected vehicle research program. V2X cooperative crash avoidance and mobility applications utilize dedicated short-range communications. V2X communications will greatly increase the scope and reliability of future crash avoidance and driving automation systems in the next generation of smart cars and smart roads. The National Highway Traffic Safety Administration and the Federal Highway Administration intend to issue a manual of guidance on V2X communications in the next several years.

Until the security of the current crop of traffic control products and services catches up, road operators must rely overwhelmingly on “operational” strategies focusing on continual remediation. This means patching vulnerabilities quickly and implementing and maintaining strong authentication and access controls. Operational strategies also may mean scaling back ambitions: proactively shrinking a system’s total attack surface by reducing the exposure of a critical element, or making an executive decision not to offer a particular service in the first place.

Less of a risk

So what can be done? Risk must be reduced to an acceptable level, but for a lot of agencies it is hard to know where that line is. Security is not, after all, about achieving a complete (and unrealistic) state of unassailability, but rather about mitigating important risks to a system at a reasonable cost (both in money and in lost opportunities). It is hard to know which risks are important and can be mitigated at a reasonable cost. Most risks you must live with because they are outside of your control or integral to your mission, but you can plan and implement countermeasures. Operational strategies for the most part focus on common vulnerabilities such as unmaintained software, missing or misconfigured firewalls, weak encryption and weak authentication. Some risks are structural and cannot be proactively prevented (e.g. a denial-of-service attack), so contingencies must be established to deal with such scenarios.

Defense-in-depth also requires mitigation, not just remediation. Some risks can only be detected and mitigated after compromise (e.g. zero-day attacks and advanced persistent threats). Reactive strategies assume the inevitability of compromise and instead seek to actively outsmart and shut out attacking adversaries through real-time operational intelligence and state-of-the-art analytics. This is often a challenge, because it requires great expertise and lots of data analysis that can be applied to pull out attackers’ tracks from the noise of millions of daily connections and processes. Only the most sophisticated agencies can implement reactive capabilities.

Connecting roadway infrastructure has tremendous benefits in making our transportation system resilient. Sensors that monitor bridge integrity, cameras that spot crash incidents, traffic signals that dynamically react to waves of traffic—all these systems boost the performance of our infrastructure. Road agencies must learn not only how to implement these new technologies, but must be disciplined about risk management and security. The private sector needs to bake security into its products, but also provide services and expertise to ensure road operators’ missions are not endangered. With some forethought and investment in security, the benefits of new technology in transportation are still achievable now. R&B

About The Author: Bayless is vice president of technology and markets for ITS America, Washington, D.C.