Last month we released a research paper that delved into what sort of threats could possibly plague the fully automated, online-integrated transportation system of tomorrow. The research paper, titled “Cyberattacks Against Intelligent Transportation Systems,” includes our dissection of and observations on the multi-layered system that would soon be changing how we work, travel, and do business on a global scale. It also contains our findings on what security issues and incidents could arise from the integration and operation of such a system. Securing the physical and cyber infrastructure of an ITS is a huge undertaking for all stakeholders. What would it take to secure and protect such a massive system against cyber threats, especially for those who are or will be responsible for one (i.e., a Chief Information Security Officer [CISO])? The first step is to know what the threats are and which ITS components are high risk.
In our research paper, we enumerated three broad types of attacks that threaten an ITS: network attacks, wireless attacks, and physical attacks. Having rated various threats against ITS using the industry-standard DREAD (Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability) threat model, we concluded that network attacks pose the most serious threat to ITS, followed by wireless attacks and then physical attacks.
It’s not hard to see why this is the case. An ITS is made up of multiple systems that are not only online but are also composed of interconnected, IoT-capable devices. It stands to reason that network-based attacks could cause the most harm. Aside from causing operations downtime in an ITS due to a targeted disruption of service of the system’s devices, attacks on the network could also lead to information theft/data breaches, both of which can affect revenue. Many (if not all) potential attackers of systems similar to ITS such as nation states, criminal gangs, hacktivists, and terrorists are known for leveraging network-based attacks against their targets, making the threat of network attacks against ITS inevitable, not just possible.
The key to successfully securing an ITS infrastructure is to focus heavily on network security. By doing so, stakeholders can mitigate the worst attacks that can be launched against an ITS through the network vector as well as defend against the other threats that can use the other two vectors.
But how should those in charge of ensuring an ITS’s security go about this process? What kind of defense strategies should they employ and what security technologies should they procure for their overall defense plan?
Securing Transportation Networks
Defense strategies for ITS should be formulated with one key principle in mind: No defense is impregnable and it is safer to assume compromise and take countermeasures. As such, an ITS defense system and team should be able to do the following:
A defense system with these capabilities ensures not only protection that is quick to react and mitigate ongoing attacks but also one that evolves with the threats. It should also incorporate the following security technologies as a mandatory minimum:
These already-available security technologies have been proven to help protect against cyberattacks and could have defended against the real-world attacks against ITS that we’ve seen wreaked upon ITS components (e.g., hacked signboards and public utilities infected with ransomware). For example, the WannaCry ransomware that recently infected computerized transportation systems could have been detected and blocked by anti-malware solutions. Virtual patch management could also have resolved the SMB vulnerability (MS017-010) that the WannaCry variant uses to propagate as well as infect systems.
Protection Through Collaboration and Cooperation
In addition to setting up proven security technologies, CISOs and decision-makers in charge of developing and maintaining ITS infrastructure should consider working with the myriad government and public and private institutions and organizations — which will either benefit from a secure ITS or contribute to its construction and maintenance, or both — in securing the ITS itself. The widest net should be cast: from manufacturers, national authorities, police agencies and insurance companies, to political organizations and, most importantly, the primary users of the ITS itself, the drivers.
Such involvement and collaboration will enable the development of useful legislation and technology that will aid in the future infrastructure’s security. The soon-to-be-implemented General Data Protection Regulation (GDPR) is a good example of a security-centric legislation and policy, one that will no doubt benefit future ITS infrastructure with its focus on state-of-the-art technology and data protection. The International Organization for Standardization (ISO) has a technical committee (TC 204) tackling standardization of ITS technology pertaining to information, communication, and control systems — with organizations and experts in Europe, the US, and Asia taking part. In terms of security, one of the standardization efforts is WG (Working Group) 1’s development of guidelines for protecting privacy in the development of ITS standards and systems (TR 12859). WG 5 also has data security-focused work items which aim to create security frameworks for electronic fee collection (EFC) systems (TS 19299). No doubt more will be created in the future as more ITS technology gets developed and rolled out into production.
With all of this, protecting an ITS must seem like a herculean task. But an essential and interconnected infrastructure system such as an ITS warrants it. If we start thinking about cybersecurity as early as now, then we can ensure that we reap all the benefits of the roads of tomorrow — convenience, safety, and revenue.For a more detailed look at the ITS threat landscape and comprehensive advice for security professionals, policy- and decision-makers, and CISOs, read our full report: “Cyberattacks Against Intelligent Transportation Systems.”
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.