Transportation Cybersecurity: Changes and Developments Over the Last Decade
Transportation systems must be resilient to deliver safe and efficient infrastructure. Security is a component of resilience. In the last decade, the transportation professions have tackled the challenge of the modern cybersecurity landscape. As modern transportation infrastructure increasingly relies on cyber physical components to maximize available physical infrastructure, the path taken over the past 10 years has improved the resilience and security of the transportation system. Emerging technologies in automation and machine intelligence offer an opportunity to continue improving safety and mobility on available physical infrastructure.
“The threat to roadway cybersecurity comes from malicious attack, operational errors, and lack of system reliability,” says FHWA Director of Field Service—North Bob Arnold. “A multiprong approach to combat this must include operator awareness, developing best practices, and advisory capabilities. If done well, the public will never know it’s been successful; that should be the goal.”
In the past, our most frequent cyber incidents were pranksters changing construction zone traffic signs. Today, we face risk from criminal organizations who are targeting nonfinancial organizations with ransomware. We have seen studies—and fortunately these are only studies—predicting the potential for massive disruption in urban areas by bad actors just targeting strategic locations in the transportation system. Security researchers have also demonstrated that poor organizational practices have enabled vulnerabilities that could lead to an immediate threat to travelers’ safety on the roadway. The surface transportation systems are also in the crosshairs of nation-state cyber threat actors. While there have not been any known attacks against our transportation system by a foreign nation, we are certain attackers affiliated with nation-state actors have been taking a very close look at our connected field devices.
Since the last article on this topic in 2015, new technologies have helped both infrastructure owner operators and cyber threat actors. Systems using machine learning and artificial intelligence (AI) offer significant advances in detection and decision support systems. AI systems can be trained to perform tedious tasks—such as system log reviews—to improve the frequency and accuracy of abnormality detection. Attackers have demonstrated the use of AI systems—trained with software code—to automatically generate new malware code. This effectively lowers the technical skills needed to conduct certain types of cyberattacks, making possible a larger volume of varied and sophisticated malware systems that defenders need to protect themselves against. Generative adversarial networks can be used for high-quality audio generation that cybercriminals have used to commit scams. (For more information on generative adversarial networks, visit: https://www.govinfo.gov/content/pkg/USCODE-2022-title15/pdf/USCODE-2022-title15-chap117-sec9204.pdf.) The same tools will be invaluable for use in social engineering attacks, and attacks that target personnel and staff, instead of cyber systems.
Improved Collaborations
Over time, FHWA has seen improved collaboration between transportation operations and information technology departments in more agencies. We have seen the early benefits of this collaboration from incident responses in San Francisco, CA, and Texas. In both cases, the information technology (IT) department protected the transportation system during a cyberattack, limiting the disruption to operationally critical systems to a minimum while halting the greater cyberattack and returning the system to normal function. In the past decade, FHWA has consistently messaged its desire to see agencies develop close collaboration between transportation operations and their IT support teams. The two examples highlight close teamwork between transportation operations staff and IT specialists. This involves transportation operations staff helping IT specialists familiarize themselves with how critical operational technologies are different from common enterprise technologies. Additionally, IT specialists can recommend processes and information technology tools that are compatible with the capabilities of the operational technology systems.
“Across State, local, territorial, and Tribal transportation (SLTT) agencies, there is a notable shift in agency mindset from a presumption of trust to a presumption of no trust resulting from the FHWA’s operations cybersecurity working group efforts to raise ITS cybersecurity awareness,” says Marisa C. Ramon, a private research institute senior research engineer. “For several years, the group has produced detailed documents and tools that aid SLTTs in taking actions now that increase their cyber readiness, inform their cyber response and management strategies, and raise operations staff cybersecurity awareness.”
FHWA has always focused on reducing vulnerabilities of the transportation systems to attacks and speeding up information dissemination when security incidents involved multiple agencies, such as those involving SUN_HACKER, an attacker who hacked numerous changeable message signs in 2014, and NotPetya, a fast-spreading ransomware. As an agency focused on surface transportation operations, FHWA does not have the ability to monitor threats or sustain support 24 hours a day, 365 days a year.
In 2018, legislation created the Cybersecurity and Infrastructure Security Agency (CISA). CISA addresses a critical gap that exists in the early warning of threats against the Nation’s transportation infrastructure and has the staff to support round-the-clock operation. CISA has access to information that can offer advanced warning of impending threats—obtained through classified national technical means—that FHWA cannot openly share with its public sector colleagues. To remedy this, FHWA is collaborating with CISA by sharing our transportation domain expertise to help their specialists assess risk and identify mitigation steps that FHWA can share with its public sector colleagues. The FHWA Office of Intelligence, Security and Emergency Response manages the collaboration between CISA and FHWA.
Created in 2014, the FHWA operations cybersecurity working group continues to support FHWA leadership in developing information and identifying best practices to help State and local transportation agencies improve their transportation cybersecurity capabilities. Some FHWA division offices are developing cybersecurity incident reporting guidance in their stewardship agreements with State department of transportation partners. For example, the New Jersey Department of Transportation, as part of its emergency reporting procedures covered under FHWA Order 5181, will be reporting cyber incidents that could affect their operations.
FHWA Resources
Educating operating staff on the importance of cybersecurity is an ongoing challenge at the operating agency level, especially for smaller transportation operators with limited resources. The National Highway Institute now has an online course to introduce new transportation staff to the challenges of securing transportation systems. The course is based on an instructor-led workshop the operations cybersecurity working group delivered in person to State and local agency colleagues in the past. By providing this material in an online, self-paced course, FHWA can improve access to relevant information in a timely manner to those new to the subject of cybersecurity and transportation at other agencies.
FHWA is developing a self-paced wargaming exercise where agencies can test their knowledge and procedures on how to respond to a cybersecurity incident. The wargame is designed for a small agency or an individual to take part in without an external party serving as the referee. While this wargame will not be as comprehensive or resource intensive as large-scale cybersecurity exercises, it plays an important role in helping smaller agencies test their own cybersecurity capability and procedures.
FHWA currently has a set of cyber incident communication recommendations available for agencies to use as a guide to develop internal policies on how to respond and communicate with their internal and external partners. The recommendations were developed in response to the 2014 “SUN_HACKER” incident where it was a sheer stroke of luck that FHWA identified that the threat actor operated across multiple State lines. Since publication of the incident, FHWA has seen improved cooperation between IT departments and transportation operations agencies in many localities. These recommendations are still useful in helping operating agencies connect with their IT partners to support each other efficiently during a cybersecurity incident.
Tools to Improve Awareness
To help agencies improve awareness of the vulnerabilities within their transportation management systems, FHWA created a penetration testing guide for operating agencies to test their transportation operational technology networks and systems for vulnerabilities. FHWA also produced a document to help traffic management center operators apply commonly accepted best practices to improve security within the management center. While these recommendations already exist within common IT best practices, this guidance helps the transportation operators better understand how those IT best practices apply to them. In many instances, having basic understanding of threats and vulnerabilities will help transportation engineers and managers have more productive discussions with their agencies’ IT administration to develop better policies and procedures.
FHWA continues to update transportation-focused standards to address long-standing vulnerabilities within partner agencies that threat actors can exploit. Most notably, FHWA is creating a transportation-specific profile for the National Institute of Standards and Technology (NIST) cybersecurity framework that agencies of all sizes can use to improve their organizational cybersecurity preparedness. FHWA is also developing numerous tools that will help smaller agencies improve their understanding of the cybersecurity challenge. To expedite assistance to smaller agencies, FHWA created example procurement specifications for devices that those agencies purchase. These specifications, published in January 2024, make cybersecurity features an essential, required element for the devices during the acquisitions process. These changes also help device manufacturers and vendors that address cybersecurity concerns sell their products. These device manufacturers and vendors had told FHWA that it is difficult for them to compete in a market that favors the lowest-cost but technically feasible option. By providing security guidelines to the smaller agencies, FHWA helps to level the playing field for manufacturers and vendors who sell to smaller agencies while also improving cybersecurity throughout the public sector. The specifications document, Procurement Language, Cybersecurity, Apps, Intelligent Transportation System, ITS, is available at https://rosap.ntl.bts.gov/view/dot/73792.
Field personnel also need help securing these increasingly sophisticated and complex field devices, such as advanced traffic controllers and roadside units, to make them safe and secure from potential threats and vulnerabilities. As a result, FHWA is developing a functional prototype application for transportation device manufacturers. This application will keep sensitive security and intellectual property information private and make the devices current with the best security practices recognized by the original manufacturers.
This functional prototype application is also intended to address the need for field personnel access to vendor-specific security settings. The application will demonstrate to field personnel the usefulness of such information and show manufacturers both the potential customer needs of such an application and how layers of security built into it help protect intellectual property. All developmental information will be available to any equipment manufacturer who wants to build their own version based on this functional prototype application. It is hoped that this approach will shorten the time to adoption and deployment of this type of application.
The National Transportation Communication for Intelligent Transportation Systems (ITS) Protocol (NTCIP) was created in 1996 to enable interoperability between components and devices within a closed and private transportation communication network. Today, many of these closed and private networks have added open connections to support modern operation and maintenance. Due to the open connections and increased risk from cyber threat actors, the original standards are no longer adequate. FHWA and the ITS Joint Program Office (JPO) funded development of NTCIP 9014 to help guide the individual NTCIP working groups in determining the best ways to update their products and meet the current security challenges.
A similar effort is also underway to reduce the vulnerability of the advanced transportation controller to cyber threats.
“The Advanced Transportation Controller (ATC) Cybersecurity Project began in late 2021 and is supported by the USDOT [United States Department of Transportation]. It is supported by the Institute of Transportation Engineers (ITE), the American Association of State Highway Transportation Officials (AASHTO), and the National Electrical Manufacturers Association (NEMA). The project’s primary purpose is to identify and address cybersecurity needs in the ATC family of standards made up of the ATC 5201 Controller Standard, the ATC 5401 Application Programming Interface (API) Standard, and the ATC 5301 Cabinet Standard,” says Ralph Boaz, president of a private consulting firm. “Collectively, these standards represent the latest national standards for transportation field cabinet systems (TFCSs). Most of the issues addressed in the ATC Cybersecurity Project will also apply to other ITS standards and specifications. The primary goal of the project is the development of a cybersecurity standard.”
The update to the ATC standard was identified after the Transportation Research Board’s (TRB) National Cooperative Highway Research Program 3-127 project uncovered critical vulnerabilities. The update applies a system engineering process, taking in the known threats and controller functions, and determining how the specifications could be modified to reduce the number of vulnerabilities that could disrupt ATC operations.
Challenges Ahead
“When I started working with FHWA and the ITS JPO on cybersecurity in 2017, the awareness of cybersecurity issues in the operational technologies deployed by transportation agencies was at best mixed,” says Raymond Resendes, senior cybersecurity advisor for Research, Development and Technology at the USDOT Volpe National Transportation Systems Center. “Today, when I engage with SLTT leadership and staff at TRB, AASHTO and other venues, I see the operations cybersecurity working group efforts have helped achieve widespread understanding of the importance of cybersecurity in transportation agencies’ ability to achieve their mission.”
Developing a cybersecurity aware workforce in transportation will continue to be an important goal for DOT. Public agencies will always have financial and human resource constraints and will frequently prioritize safety and mobility over other goals. The workforce developed with improved cybersecurity awareness can help transportation professionals at the State, local, Tribal and territory level to correctly identify their security needs and goals and allocate resources appropriately. Many of the resources developed so far and cited previously are aimed at elevating the capabilities of these transportation workforces.
Software continues to be a powerful tool to deliver transportation services but still represents a major challenge to infrastructure resiliency and security. Increased sophistication of software tools will present challenges for troubleshooting, configuration, and life cycle management for many contractors and agencies. The addition of modern data-intensive neural-network and machine-learning-assisted transportation tools further increases both the reward and the challenges to responsible contractors and public agencies. Use of such tools by cyber threat actors also increases the risk from attacks to the transportation system. Software written by machine learning systems can increase the technical ability of cyber threat actor groups as cited earlier. A challenge in this area is how consultants and public agencies can use modern machine learning systems to improve operating codes and use managed system configuration and life cycle to negate advantages to the threat actors.
Increasing connectivity between transportation users (vehicles, vulnerable road users, and other innovative modes such as micromobility devices) and traditional infrastructure (such as traffic signal systems) can further improve safety and mobility but also present new challenges. The data exchange between these disparate connected systems assumes some fundamental building blocks that have been around but were never critical to operations. Building blocks such as common precision time references, and reliable and consistent performance of precision satellite-based navigation systems such as the Global Positioning System, are increasingly critical for transportation safety and mobility. While operations of these systems are beyond the ability of surface transportation system owners and operators, they are susceptible to reliability and security risks. Independent owner operators will need to understand the status and health of these systems so they can better determine what connected services can be delivered reliably to meet their expected safety and mobility performance.
Next Steps
Taming the cybersecurity risks to and within transportation systems resembles a cross-country marathon rather than a sprint, and it requires methodical planning designed for long-term results, proactive and focused on the future, and not merely stop-gap measures meant for reactive events. FHWA’s ultimate vision, however, is a transportation system that stands resilient against cyberattacks. The three following goals have emerged from that vision:
- Increasing State and local agencies’ senior leadership understanding as to why cybersecurity is important and their roles and responsibilities in its development.
- Improving FHWA, State and local staff’s cybersecurity knowledge, skills, and abilities, so they can establish protocols to defend, respond to, and recover from cyberattacks.
- Enabling stakeholders to identify, mitigate, and report cyber threats and vulnerabilities.
To achieve these goals, FHWA must maintain a consistent level of effort to develop the workforce and maintain tools to meet an ever-changing environment. FHWA must continue to cultivate a culture that supports transportation cybersecurity and increases capabilities within FHWA and among State and local stakeholders. FHWA will continue to work with its existing partners, such as NIST, the Institute of Transportation Engineers, ITS America, and SAE International, while looking for new partners, such as CISA. These partnerships bring valuable insights that will lead to the formation of national standards and policies for reducing future cyber threat vulnerabilities in the transportation system.
For more perspective on FHWA’s challenges in cybersecurity—over the last decade—and a look back at FHWA’s goals for transportation cybersecurity in 2015, visit the September/October 2015 issue of Public Roads: https://highways.dot.gov/public-roads/septemberoctober-2015/taming-cyber-risks.
For more information about CISA, visit: https://www.cisa.gov/.
Edward Fok helps agencies deploy technologies to solve mobility problems and watch for emerging challenges and opportunities for FHWA. Ed holds multiple engineering licenses and degrees from the University of California and University of Southern California.
Robert Sheehan is a program manager for Architecture, Standards, and Cybersecurity with ITS JPO. Bob led the development of the AI for the ITS Program.
John Harding leads a team that advances the safe and effective integration of emerging technologies such as connected and automated vehicles into the U.S. roadway system for FHWA.
For more information, see https://www.its.dot.gov/research_areas/cybersecurity/ or contact ITS_CybersecurityResearch@usdot.onmicrosoft.com.