Being connected is part of our everyday lives. We expect to have connectivity whether we are on a train, on a cruise or while driving. While it may seem that connected vehicles are a relatively recent development, work on connected cars has been underway for almost two decades.
The US Department of Transportation (DOT) initiated a program in 2005 to develop and test a Vehicle Infrastructure Integration (VII) program Proof of Concept (POC) in support of a nationwide deployment decision. The US DOT and its private‐sector partner the VII Consortium (VIIC)—an organization that consisted of nine original equipment manufacturers (OEMs) and industry participants—executed the POC test. Many technological innovations were in play in the POC, but a key one was the 5.9GHz‐based Dedicated Short-Range Communications (DSRC) wireless communication technology (based on IEEE 802.11p) used for vehicle-to-vehicle and vehicle-to-infrastructure communications.
The US DOT engaged with my employer at the time, Booz Allen Hamilton, to design the national VII network architecture, act as system integrator, and implement the POC. I had the opportunity to lead the cybersecurity & privacy team for a couple of years.
The primary goals of the POC included demonstrating the technical performance and functionality of the VII architecture and associated concept and proving that safety, mobility, and commercial (private) applications could be effectively implemented. A critical requirement was the need for vehicular users to maintain their anonymity. We were also to test the susceptibility of the POC to intrusion (hackers). So, we applied many cybersecurity best practices throughout the lifecycle to ensure that the POC had a high level of security.
While the POC was successful, the rapid adoption of Wi-Fi eclipsed the DSRC technology used in the POC and DoT decided not to deploy VII technology. This conclusion of the VII program saddened me, especially after so much work had gone into making the POC successful. However, it’s an example of how quickly today’s transportation ecosystem is transforming.
Transportation systems are undergoing a transformation. An entirely new digital global transportation system is emerging. This digital transportation ecosystem will revolutionize commerce in ways that I never would have thought possible a mere decade ago – but we need to ensure these systems are resilient against bad actors.
What is Transportation System Sector?
The Transportation System Sector can be thought of as a complex “system of systems” at work within the U.S. to support the mobility of goods, services, and people. The current system of systems has two primary components: a system of modes (airports and air traffic control systems, seaways and ports, roadways, railways and mass transit, pipelines, space, and postal shipping) and a system of means (aircraft, maritime vessels, vehicles of all types, trains, and spacecraft).
In addition to maintaining the safety, reliability, and resiliency of the modes of travel, federal agencies, and local municipalities responsible for the management of these pathways of mobility also have significant responsibility for instituting governance to ensure the safe, reliable, and resilient function of the means by which mobility takes place.
The federal agencies responsible for this Sector in the U.S. are the Department of Homeland Security (DHS) and the Department of Transportation (DOT). DHS delegates its responsibilities to the Transportation Security Administration (TSA) and the United States Coast Guard (USCG). DOT, TSA, and the USCG jointly perform Sector management functions through a steering group and co-leadership of Government Coordinating Councils (GCCs). Close coordination among these partners ensures unified Federal representation for security partners.
Nationally, our systems of modes are operating primarily in an analog fashion, while the system of means is transitioning quickly into one that is digitized. The pace at which the means of digitized transportation are being developed and operated far outpace national governance, which can create security gaps.
Transportation modes that are undergoing transformation share common functionality attributes: the consummation of sophisticated software, hardware, and persistent digital connectedness. These features are exposed and prone to manipulation by threat actors’ malicious intent. We must take note that these bad actors exist, will certainly exploit vulnerabilities, and will be highly disruptive.
Subsector Cyber Risks
The Transportation Sector has multiple subsectors made up of the various modes and means of transportation. Major, widespread cybersecurity incidents in any of these subsectors could cause significant harm to the national and economic security of the nation.
Rail systems are increasingly recognized as vulnerable critical infrastructure worldwide, resulting in regulatory pressures on industry.
In July 2021, a non-state group caused chaos in Iran by hacking into train station display systems across the country and showing travelers false information. The hacked screens also urged citizens to call a number that was reportedly the number of the Supreme Leader.
In January and February of 2022, a “group of Belarusian politically motivated hackers” attacked and successfully disrupted Belarusian railways. The group reportedly intended to make a statement with the latter attack about the use of those railways for Russian military strategy in the February invasion of Ukraine. These hackers apparently deleted some systems, encrypted others, made it “impossible to buy tickets,” and stopped trains in Minsk, Orsha, and Osipovichi by compromising routing and switching devices.
In combining railways with Internet of Things (IoT) solutions, the U.S. rail system becomes vulnerable to cyber threats, with potential harm ranging from mischief like what occurred in Iran, or to loss of life and serious economic damage.
On December 1, 2021, the TSA release two Security Directives (SDs) focused on both passenger and freight rail systems known as 1580-2021-01 “Enhancing Rail Cybersecurity” and SD 1582-2021-01 “Enhancing Public Transportation and Passenger Railroad Cybersecurity.” These SDs apply to all freight railroad carriers and Public Transportation/Passenger Rail (PTPR) system owners and operators of a passenger railroad or rail transit system.
On October 18, 2022, the TSA rolled out a third SD titled Enhancing Rail Cybersecurity – SD 1580/82-2022-01 that extends cybersecurity requirements to achieve critical cybersecurity outcomes. According to the TSA, this new SD focuses on performance-based measures and “will further enhance cybersecurity preparedness and resilience for the nation’s railroad operations.”
These directives present a fundamental shift in how safety and security are viewed in the rail industry and how the Biden Administration is revisiting and reassessing their rail cybersecurity policies. TSA’s security directive joins Europe’s NIS Directive and APAC’s rail-specific frameworks in Australia, Singapore, and India.
Occurrences of ransomware inside the aviation supply chain are up 600% in just one year—an indicator of escalating cybersecurity risks the industry is facing.
“There are increasing interfaces to the airframe both in regulated and unregulated portions of the aircraft,” Boeing’s Chief Security Officer Richard Puckett said on a panel at Aviation Week’s recent MRO Americas Conference. “We have to begin to account for the extended ecosystem of connectivity ... Increasing requests for sensors on almost every working part of the aircraft makes it more efficient but it also makes it more vulnerable because anything that sends or receives a signal can be hacked. Anybody who says differently isn’t really paying attention.”
The largest cybersecurity threat may be the supporting aviation ecosystem, rather than the airframe itself. For some airlines with contracts that are a decade old or more, stipulations on cybersecurity may not exist.
“There’s a lot of things around the world that are motivating folks to attack the aviation industry,” Aviation-ISAC CEO Jeffrey Troy said on the conference panel. “We have to be concerned about that. We’ve even seen ‘hacktivists,’ people who essentially do some type of cyber activity with the sense of supporting a particular political agenda.”
In October 2022, the TSA announced plans to issue new cybersecurity requirements for critical aviation systems after several U.S. airport websites were hit with apparently coordinated denial-of-service attacks. On 7 March, TSA issued an emergency Security Directive for airports and aircraft operators.
TSA’s new emergency SD is designed to strengthen cybersecurity resiliency by focusing on performance-based measurements along the same lines as the SD announced in October 2022 for passenger and freight railroad carriers. TSA-regulated airport and aircraft operators must develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure. They must also proactively assess the effectiveness of these measures, including:
- Develop network segmentation policies and controls to ensure that OT and IT systems can continue to operate if either has been compromised;
- Create access control measures to secure and prevent unauthorized access to critical cyber systems;
- Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.
TSA will continue to roll out prescriptive, mandatory security rules rather than relying on incident reporting requirements and voluntary adoption of security measures.
As pipeline owners/operators begin integrating IT and OT systems into their ICS (industrial control system) environment to further improve safety, enable efficiencies, and/or increase automation, these environments increasingly become more vulnerable to new and evolving cyber threats.
The DarkSide ransomware group’s compromise of the Colonial Pipeline networks heighted awareness of impact cyber risks can have to our pipeline operators. Apart from this incident, there have been other ransomware attacks that have demonstrated the necessity of ensuring that critical infrastructure owners/operators are proactively deploying cyber risk management measures.
In July 2022, after the 2021 Colonial Pipeline ransomware attack, the TSA issued revised cybersecurity requirements for U.S. pipeline operators with a focus on performance-based measures to achieve critical cybersecurity outcomes.
Maritime Transportation System (MTS)
This vital subsector of transportation has infrastructure that supports tens of thousands of container ships, oil and gas carriers, chemical tankers, tugs and barges, cruise ships, ferries, and other vessels that drive a large portion of the U.S. economy and global trade. Operators rely on technologies and ICSs to navigate, communicate, and control various aspects of maritime operations. The subsector is a highly distributed and composed of subsystems — ships, ports, shipping lines, shipbuilders, cargo handlers, traffic controllers, and many more — each of which represents a network of systems on its own.
Cyberattacks against the MTS ecosystem have intensified alongside the growing interconnectedness of the industry. Examples of MTS cyberattacks include NotPetya, James Fisher, MSC, ARA, DNV, and Port of Lisbon. To date, the damage from cyberattacks against ports and shipping companies has been localized and contained. While the attacks are significant, none has had cascading effects across other sectors of the global economy.
The impact of cybersecurity attacks on this subsector has long been recognized. Below are some of the legislation and guidance that’s been enacted:
- Maritime Transportation Security Act of 2002 (MTSA) was amended to include cybersecurity requirements;
- National Maritime Cybersecurity Plan (2020) provides a roadmap for U.S. government departments and agencies to work with the private sector to manage and reduce cyber risk;
- USCG Cyber Strategic Outlook (2021) is a culmination of the USCG’s efforts to develop a prevention and response framework; and
- USCG Maritime Cybersecurity Assessment and Annex Guide (2023) provides additional guidance beyond the 2020 version that could be useful not only for assessing the cybersecurity risks of MTSA-regulated facilities but also for continuing to monitor improvements in existing security measures at U.S. ports.
In March, the Cyberspace Solarium Commission (CSC) published Full Steam Ahead Enhancing Maritime Cybersecurity noting that more needs to be done. While the CSC believes that the latest updates from the USCG signals a positive step toward better securing the MTS, they also see a pressing need for the USCG to mature and expand their programs. Fortunately, the USCG is making efforts to build external cybersecurity partnerships, especially with CISA, and that should help.
As I alluded to in my opening, there’s a long history and body of knowledge associated with cybersecurity and privacy for connected vehicles. In fact, too much to try and summarize in this blog.
Rob Aragao and I had an opportunity to speak with Ikjot Saini in a Reimagining Cyber podcast episode entitled “Connected Vehicles and the Cyber Equivalent of Seatbelts and Airbags”. I encourage you to listen to the episode. Saini is an Assistant Professor at the University of Windsor in Windsor, Ontario and is an expert in connected and autonomous vehicles and vehicle security.
Saini observed that the automotive industry houses an intricate and delicate ecosystem with many industry-specific details and nuances, particularly regarding cybersecurity and privacy, that need to be considered.
The rise and popularity of autonomous vehicles (AVs) have brought about a myriad of additional cybersecurity challenges beyond those in connected vehicles. With regards to AVs, Saini recommended asking:
- Are you making decisions based on the data?
- Who is feeding the data?
- How are you creating these algorithms?
“If you think a little bit futuristic…you start seeing more problems. If they are not addressed today when we are not having that kind of autonomy, then I think it's a huge gap that we would have, and we would never be able to fill that up.”
Saini observed that one way to prevent this gap from happening is to implement standards and regulations regarding automotive security. Standards and regulations should be granular, down to the specific electric components of the vehicles. Though she admits that the industry is still figuring out what exactly that means.
The Infrastructure Investment and Jobs Act (IIJA) has released funding for cyber resilience, with an allocation of US $2.5 billion in grant funding to state, local, and tribal governments to fuel infrastructure. Grant recipients must ensure that their plans address cybersecurity and privacy considerations to use the funds. The funding grants are largely expected to nudge transportation agencies to ensure that cybersecurity principles are baked into every stage of the modernization process, from strategy and design to implementation and operations.
The Cybersecurity and Infrastructure Security Agency (CISA) issued guidelines calling for asset owners and operators within the transportation industry to implement the cybersecurity framework created by the National Institute of Standards and Technology (NIST).
The TSA SDs cited above (and more coming) align with the Biden administration’s National Cybersecurity Strategy to shore up essential infrastructure against cyberattacks and shift to mandatory minimum requirements.
The USCG is also taking steps to secure the MTS, but more work is needed. Hopefully, Congress will also take up the recommendation on MTS cybersecurity made by the Cyberspace Solarium Commission.
The principle of cyber resiliency is to prepare for when, not if, an attack will occur, with the awareness and admission that some attacks will be successful. There is a growing need to make the transportation industry resilient and ready for the future.
Like other critical infrastructure sectors, there’s a push for each subsector within the Transportation Sector to make their operations a less-lucrative target – reducing risk and raising costs for would-be attackers. The risk of attack against transport agencies will certainly continue, and passenger safety is of the utmost importance. The actions by TSA, USCG and CISA are helping to raise awareness, impose new minimums requirements, and lower the chances of harm. However, individual transport organizations have responsibility to prioritize protecting their systems and traveler safety from cyberattacks.
OpenText Cybersecurity brings the expertise of one of the world's largest security portfolios to help our customers navigate the changing cyber threats impacting the Transportation Sector by building in cyber resilience.
Join our Security Community | What is Cyber Resilience? | What is Cybersecurity? | Reimagining Cyber Podcast