Advances in technology and connectivity are challenging the transportation community to improve cybersecurity.

Transportation systems for highways and arterials have advanced from a collection of independently operating devices to highly interconnected, far-reaching, and integrated systems. In congested urban environments, highly integrated and dynamic controls of the highway and arterial systems are required to provide basic and safe mobility services. These integrated systems require a reliable communications network that may span a broad geographical region.

The elements of these complex control systems have been designed for safety, ease of maintenance, and reliability. For example, the conflict monitor--which is found in all traffic signal controllers--is, in its most basic form, a simple analog electrical circuit designed to immediately turn all signal lights to flashing red when it detects electrical currents that could simultaneously energize conflicting green lights. Most control systems were not designed, however, to operate in the adversarial environment (with potential security threats) now faced by highway agencies that are leveraging the benefits of modern communications technologies.

The Intelligent Transportation Society of America, in its report titled Connected Vehicle Assessment: Cybersecurity and Dependable Transportation, estimates that by 2020 there may be more than a billion machine-to-machine devices in transportation (such as those found in intelligent transportation systems and advanced transportation management systems), and more than half of those will be road vehicles.

Transportation systems are not only becoming more connected, but also more dependent on communications and information technologies. These technological advances improve the efficiency and functionality of transportation systems, but they also increase potential vulnerabilities to transportation safety. In response, transportation agencies across the country are rising to the challenge to learn more about cybersecurity issues and develop and implement solid cybersecurity programs.

Security Through Obscurity

Historically, public agencies relied on “security through obscurity” as the guiding principle for security. A system might be vulnerable, but operators thought that if these weaknesses were not known, then persons with malicious intent were unlikely to find them. Agencies believed that the secrecy surrounding design and use was sufficient protection.

Prior to the digital revolution, this approach worked well because no one paid much attention to communications systems on the low-performance networks used by highway agencies. However, beginning in the late 1990s, many public agencies began switching to common commercial technologies such as Wi-Fi and Ethernet for field devices (traffic signals, roadside sensors, and dynamic message signs, among others) to communicate with central monitoring systems. These technologies enable agencies to use inexpensive, readily available equipment that is easy to use and maintain. However, this equipment also reduces any value from reliance on security through obscurity because the technologies are well known.

Hobbyists and car enthusiasts have shown interest in manipulating the transportation system for nearly 30 years. Today, some of these hobbyists are known as “hackers.” In general, hackers exhibit a strong sense of curiosity and enjoy investigating systems for the sheer challenge of the task. Their curiosity is similar to a mountain climber’s desire to be the first to overcome a challenge. An early example of this interest in the transportation realm occurred with the optical traffic signal priority system. Curious hackers reverse engineered these devices and published online the plans to build a vehicle emitter that could signal the infrastructure to change the traffic signal using components available in most electronics stores. Hackers’ interest in the transportation system has continued today to include transit cards, smart parking meters, dynamic message signs, and many other transportation field systems.

In 1997, the Federal Highway Administration’s Intelligent Transportation Systems Joint Program Office (now part of the Office of the Assistant Secretary for Research and Technology) produced Intelligent Transportation Systems (ITS) Information Security Analysis (FHWA-JPO-98-009). This report was an assessment of vulnerabilities in the early National ITS Architecture. However, the report was ahead of its time and did not receive widespread attention at the time of publication.

Risk in the 21st Century

FHWA’s interest in cybersecurity risk to transportation systems was rekindled in the first decade of the 21st century. The renewed interest began when a State department of transportation requested from FHWA established guidelines to secure transportation communication networks. Until this request, the only known cyber incidents related to transportation were directed against portable dynamic message signs. Changing a dynamic message sign to read “Zombies Ahead” instead of “Slow Down, Work Zone Ahead,” while embarrassing to the operating agency, does not pose an immediate threat to public safety. In fact, an argument could be made that the altered message may cause drivers to slow down more effectively than the original message.

The DOT’s request prompted FHWA to take a closer look at the transportation system from the perspective of a cyber attacker. After identifying the most serious weaknesses, FHWA launched an awareness campaign to inform State and local DOTs about the importance of securing their transportation systems. FHWA’s biggest challenge is to increase awareness in a way that reaches system operators without drawing attention to the vulnerability of the transportation system. The campaign began in 2011 with a webinar titled, “Who’s Minding Your Data? An Introduction to Cyber Security Issues in Transportation.” Additional and ongoing campaign efforts include consultations at Institute of Transportation Engineers’ events, presentations at the Transportation Research Board’s annual meetings, outreach to FHWA division offices, and various published articles and communications.

The transportation system is no longer immune to cyber-related risks, as evidenced by some recent security breaches. For example, vulnerabilities in the transportation system allowed hobbyists to unwittingly derail light rail trains. Hackers have also exploited other vulnerabilities, from electronic toll tags to traffic signal controllers. In addition, hackers/activists, or “hacktivists,” have taken advantage of system vulnerabilities to enhance the effectiveness of real-world protests through simultaneous cyber attacks. More specifically, hacktivists may launch cyber attacks by trying to shut down computer networks of targeted companies or industries in protest of actions they consider to be political or social injustices.

Transportation officials also seek to learn from the health care, financial services, and retail sectors that are facing a new breed of criminals who exploit identified vulnerabilities. Even though the vulnerabilities are shared openly, many asset owners fail to take the proper precautions and, therefore, their systems remain exposed to threats. A scan of the news in 2014 shows a number of major cybercrime incidents that took place because of failure to take action against known vulnerabilities. A prominent example was the cyber attack targeting one of the largest motion picture production and entertainment companies in the world. The cyber attack destroyed its systems, disrupted business operations, and compromised large quantities of proprietary information, as well as employees’ personally identifiable information and confidential communications.

The New Normal

In 2009, the ITS Joint Program Office announced efforts to research vehicle-to-vehicle and vehicle-to-infrastructure communications for safety. Technologies developed from the research have the potential to improve highway safety and mobility significantly. However, by 2011 the hacker community had picked up on the potential vulnerabilities of such technology. At an annual hacker event called DEFCON, after a presentation about hacking a car’s electronic control system, a presenter showed a news segment on the ITS Joint Program Office’s announcement to an audience of approximately 400 hackers. One of the first questions asked from the audience was, “Can we write a virus to go from car to car?” With this question, it was clear that the hackers’ interest was piqued.

This effectively ended the transportation system’s happenstance security through obscurity.

The final indicators that cyber risk is “the new normal” for transportation management were three major transportation cyber incidents in 2014. One of the incidents, involving wireless sensor vulnerabilities, captured the attention of the media, but was not a serious threat to transportation systems. The other two events were significant enough for FHWA to assist the infrastructure owners with analysis and then issue cyber incident advisories to agency partners. The technologies involved included a traffic signal controller and fixed dynamic message signs.

As of April 2015, FHWA had issued three cyber incident advisories, including the two in 2014, and a third issued in April 2012. “The recent uptick in major cybersecurity incidents in the transportation sector is really an eye-opener,” says Bob Arnold, director of transportation management with FHWA.

With trends continuing to move to more complex, networked transportation systems, transportation professionals must be aware of vulnerabilities and work to prepare the systems to mitigate risk as much as possible.

Cybersecurity Framework

In tandem with the uptick in cyber incidents, the Federal Government has developed a number of tools to help transportation agencies and infrastructure owners better protect their systems. One of these tools is a generic cybersecurity framework developed by the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce.

In February 2013, President Barack Obama issued an executive order, “Improving Critical Infrastructure Cybersecurity,” to enhance the cybersecurity and resiliency of infrastructure critical to national economic and security interests. The executive order directed NIST to create a voluntary cybersecurity framework for agencies and organizations to use to develop the capabilities to identify vulnerabilities, and mitigate and respond to cyber threats.

A diverse group of stakeholders and security professionals contributed to development of the framework, which NIST released on February12, 2014. The Framework for Improving Critical Infrastructure Cyber-security is available at www.nist.gov/cyberframework.

The cybersecurity framework provides businesses, owners of critical infrastructure, and transportation agencies with an extensive set of tools to develop best practices and industry standards to improve resilience to malicious and incidental disruptions. The framework can help stakeholder organizations assess and improve existing cybersecurity programs, or create new programs. The framework uses a methodical approach for improving an organization’s cybersecurity capability by identifying, assessing, and responding to risk. In addition, the tools help organizations better align their cybersecurity and resiliency program objectives with their strategic plans, identify priority areas for process improvement, and establish a plan to sustain and improve their cybersecurity programs.

The framework has three components: the core, framework profiles, and tiers. The core focuses on effectively managing cybersecurity risk and the ability to recover from an attack; in essence, it is the incidence response process. The framework profiles define the set of baseline activities an organization is currently using and the desired or target capabilities they would like to achieve. The tiers facilitate the gap analysis process, which leads to a tiered implementation for cybersecurity protection. The tiers provide a context for agencies to better understand their cybersecurity risk management practices and to rate them.

Using the cybersecurity framework, FHWA is creating a tool for State and local transportation agencies. The tool will be one part of the overall agency response to the emergent cyber resilience challenge. To develop the tool, FHWA will tailor the NIST framework for transportation agencies with help from industry and operating agencies. The tool, now in the early stages of planning, will include a structured cybersecurity assessment and development program for the transportation community of practice. Transportation agencies will be able to use the tailored framework as a self-assessment tool to evaluate their current practices and to identify where they can improve current cybersecurity activities and programs. The goal of the tool is to improve the overall protection and resilience of the Nation’s highway infrastructure.

FHWA’s Vision For Cybersecurity

Many infrastructure owners and operators already are challenged with operating and monitoring their transportation systems with limited resources, expertise, and funding. The new challenges in cybersecurity and resiliency impose additional demands on these resources. FHWA’s Office of Operations is striving to assist owners and operators with proactive methods to improve resiliency in the transportation system.

The Office of Operations is working to establish a formal process of monitoring, alerting, and advising owners and operators of the national transportation infrastructure through a single entity. Other organizations and processes cover some aspects of monitoring, alerting, or advising industrial control systems or information technology deployments. However, no single entity currently exists to achieve the following objectives under one entity for transportation owners and operators: (1)monitoring cybersecurity incidents on transportation infrastructures; (2)alerting owners, operators, and manufacturers of transportation infrastructures about a security breech or vulnerability; (3)advising on post-incident responses; (4)investigating potential system vulnerabilities; and (5)providing education and awareness training and information.

Monitoring. The monitoring component will provide transportation owners and operators with a secure method of notifying a single entity regarding events, incidents, or vulnerabilities without exposing the suspected activities to the public. The two primary reasons for maintaining a secure method of communication are to ensure the confidentiality of the owner or operator and to avoid exposing unresolved vulnerabilities.

The established entity also will monitor alerts from other sources, such as the U.S. Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team, which works to reduce risks across all critical infrastructure sectors. In addition, the entity will monitor the Center for Internet Security’s Multi-State Information Sharing and Analysis Center, which focuses on networking cyber threat prevention, protection, response, and recovery for the Nation’s State, local, tribal, and territorial governments.

Alerting. The alert component will concentrate on warning owners and operators, operating professionals, manufacturers, and FHWA division offices regarding transportation infrastructure vulnerabilities. The warning system will enable quick responses to ongoing investigations with initial remedial advice.

Advising. The advising component will bring together experts who can investigate the unresolved vulnerabilities through collaboration among the owner and operator, DHS and the Cyber Emergency Response Team, and the Multi-State Information Sharing and Analysis Center. The team of experts will develop specific advice and present the information to technical and nontechnical stakeholders.

Investigating. The investigation component will use a vulnerability assessment to identify, quantify, and prioritize the transportation infrastructure threat. Typically, an assessment is performed according to the following steps:

1. Cataloging assets and capabilities (resources) in a transportation system.
    
2. Assigning quantifiable value (or at least rank order) and importance to those resources.
    
3. Identifying the vulnerabilities or potential threats to each resource.
    
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.
    

Providing Education and Awareness. The education and awareness component will provide educational resources, as well as outreach and awareness, to owners, operators, and FHWA division offices on fundamental principles and best practices in cybersecurity for transportation systems. The transportation-focused tool that FHWA is creating based on the NIST framework will play a major role in education and improvement of awareness.

The tool will help to address the need to increase engagement across the Federal agencies, transportation communities, and private industries to support a common operating response to cyber attacks against critical transportation infrastructure. The education and awareness outreach component of the tool also will provide a platform for hosting forums that bring stakeholders together to share best practices in cybersecurity and their experiences with implementing the NIST cybersecurity framework. These functions will foster risk management and cybersecurity management communications among the internal and external transportation stakeholders.

Rising to the Challenge

Highly networked and connected infrastructure is a critical component of a modern highway transportation system. These systems can no longer rely on security through obscurity and maintaining a low profile, as they did historically. With today’s hacker community revealing myriad vulnerabilities in transportation systems, any pretense to the effectiveness of this old approach to security has evaporated. Transportation leaders and infrastructure owners and operators now understand the importance of protecting their systems from potential cyber risks.

FHWA, in collaboration with its institutional partners, has taken several initial steps to improve the cyber resiliency of transportation systems. The agency’s customization of a tool based on the NIST cybersecurity framework will help operating agencies respond to today’s cyber resiliency challenge. In addition, FHWA’s development of a formal process for monitoring and communicating cybersecurity issues through a single entity will improve the speed of response to incidents on a national scale.

“The transportation industry has a lot of ground to make up to address the current cybersecurity and resiliency challenges,” says Grant Zammit, operations technical service team leader with the FHWA Resource Center. “But we’ve benefitted from the hard lessons learned by other industries, which is helping to guide our field of practice to develop capabilities and rise to the challenge.”

The current cybersecurity challenges are just the beginning. Connectivity in the transportation system will increase to include new devices, operational partners, and connected services never imagined by the original designers of these systems. Connected vehicle technology is just one example of an increasingly connected future in transportation. Although the operational benefits of these technologies and services are significant, they will test the resilience of existing and planned systems.

FHWA and State and local agencies can best address these long-term challenges by making cybersecurity and resiliency an essential component of their operations and maintenance.

“This is the new reality that the transportation community is facing, and there is no magic bullet,” says Dennis Motiani, executive director of the National Operations Center of Excellence. “But it is our job to use the knowledge we have about our systems and the tools we are building to make the job of a hacker significantly more difficult.”

This article is a collaborative effort of the voluntary members of FHWA’s Transportation Cyber-security working group within the Office of Operations.

Edward Fok is a transportation technologies specialist at FHWA’s Resource Center. Fok is experienced in many facets of advanced transportation systems for both metropolitan and Federal governments. One of his current roles is FHWA’s lead on tackling transportation cyber resiliency challenges. He holds an M.S. in electrical engineering and a B.S. in mechanical engineering, and he is a licensed electrical engineer and transportation engineer.

Ray Murphy is an ITS specialist with more than 30 years in the transportation industry. As a member of FHWA’s Operations Team in the Resource Center, Murphy provides support for real-time data systems, cybersecurity, and road weather operations. Previously, he was an ITS project manager and field engineer with the Illinois Department of Transportation. Murphy served as an officer in the U.S. Navy Civil Engineers Corps and he holds a B.S. in electrical engineering from the Illinois Institute of Technology.

Ekaraj Phomsavath is an ITS engineer and currently oversees New Jersey’s transportation operations programs in the FHWA New Jersey Division Office. He has worked for FHWA for 10 years. Phomsavath’s primary responsibilities include ITS deployments, traffic incident management, traveler information, work zones, and national ITS initiatives. Phomsavath has a B.S. in computer science from the University of the District of Columbia.

Jonathan Walker has a major responsibility with the oversight of vehicle-to-infrastructure deployment on a national level with the FHWA Office of Transportation Management. Walker received an M.S. in engineering from Johns Hopkins University and a B.S. in electrical engineering from Howard University. He served 4 years in the U.S. Marine Corps as an electro-mechanical technician and is a licensed professional engineer in the District of Columbia, Maryland, and Virginia.

For more information, contact Edward Fok at 415–744–4848 or edward.fok@dot.gov.