7 February 2020

Cybersecurity for transportation

New York connections

Protecting critical connected infrastructure from cyberattacks is an important part of deploying intelligent transportation systems

In 2003 the Hollywood movie The Italian Job was released to the public. In this remake of the classic 1969 British heist flick, the protagonists hack the Los Angeles intersection control system to manipulate it for their own dishonest purposes. Traffic professionals of the time will remember the onslaught of questions from friends and family, all wanting to know the same thing: Is that possible? Of course it was mostly far fetched and impossible at the time, but fast forward to today, and the threat to infrastructure has moved from fantasy to reality, and the industry as a whole must come together to confront it. 

The exposure of critical infrastructure has increased as the Internet of Things era has begun. The connectivity of previously isolated/unconnected equipment has increased, but so has the risk that it can be compromised. 

Equipment that was previously locked down in embedded custom written microsystems now runs common operating systems and relies more heavily on commercially available or open-source software. Field equipment running the very popular Linux operating system is an example. Much of the equipment in the past was protected mostly through obscurity. It had minimal or no connection to the outside world and the risk of discovery by those who wished harm was low. Today the features wanted by operators increasingly require connections to the outside world, and thus comes the risk. 

Furthermore, the motivation of many hackers has changed. There used to be no discernible motive for someone to hack into uninteresting infrastructure. 

There was no profit to be had. But with the emergence of ‘hacktivism’ (hacking carried out for geopolitical purposes) the attraction is the potential economic and psychological disruption.

2013: The year the executive order was issued in the USA to create the Cybersecurity Framework to protect critical infrastructure


Building protected systems 

In the USA the threat of foreign and domestic hacking has been front page news in recent years. In February 2013 a presidential executive order was issued to create a Cybersecurity Framework to protect critical infrastructure. That task was given to the National Institute of Standards and Technology (NIST). The executive order also directed government agencies with threat information to share unclassified information with the private sector companies affected. 

In May 2017 another presidential order was issued focusing on federal networks and again critical infrastructure. It reiterated the role of the United States’ Department of Homeland Security (DHS) in the shared national interest of cybersecurity and reinforced using the NIST Cybersecurity Framework as a resource. 

The USA is not alone in the realization that cybercrime poses a real threat to a country’s security, and even sovereignty. The European Union Agency for Network and Information Security (ENISA) is at the forefront of transportation security for its member states. 

One of the biggest challenges that researchers in this space point to as a hinderance to enacting cybersecurity best practices is the industry and operator’s lack of understanding of cyber risks, and the lack of focus and importance given to the topic. With this lack of focus comes a lack of funding priority in already stressed budgets. 

In addition to the lack of understanding of importance, there are technological challenges. One is that much transportation technology is old and upgrading is either not economically feasible or simply not possible given the original technology chosen and the era of the design. 

Finally, there is the human factor of operators and vendors not wanting to share information. To some, the disclosure of attempted or successful attacks on organizations and equipment could create embarrassment, loss of reputation and even reveal legal liability. This can stifle collaboration in the battle to protect this important sector.


12,460 - The number of traffic-signal controlled intersections in New York City


Collaborative effort 

One of the organizations in the USA that is working to increase collaboration between equipment and systems manufacturers is the National Electrical Manufacturers Association. NEMA is a privatesector, member-driven organization formed and organized into market sectors to increase collaboration between competitors for the benefit of standardization, safety and outreach. Earlier this year it released NEMA Standards Publication TS-8 – Cyber and Physical Security for Intelligent Transportation Systems. It is a best practices standard focusing on physical local access, communications and central system security. 

Now that the intersections are being connected to roadside equipment for the purpose of connected and autonomous vehicles, the stakes are being raised and the challenges discussed earlier are amplified. Communication between all components of a connected vehicle system must be secure as there would be major safety concerns if this system were compromised. The geometry and signal timing of the intersection and the speed, location and direction of moving vehicles and pedestrians must be trusted not only to be accurate, but also unaltered by outside threats. 


Protecting New York 

As an example of these efforts, the US Department of Transportation is currently running a Connected Vehicle Pilot Deployment Program. One of the largest of these pilots is in New York City and is deploying connected vehicle technology to a few hundred intersections communicating with a few thousand vehicles. Peek Traffic Corporation is working as part of the project, supplying the City of New York with field traffic controllers for its 12,460 communications enabled intersections, and is a vital partner in the cybersecurity effort. 

As part of the pilot deployment, the city’s central traffic management system sends configuration information to the Peek Traffic Controller through encrypted communication channels. The controller, in turn, generates SPaT (signal phase and timing) data to the RSU (roadside unit), again through encrypted means. The RSU then communicates bilaterally with the vehicles across an encrypted wireless DSRC (dedicated short-range communication) link, as well as back to the central network. 

This project is now a leading example of end-to-end security and it is hoped that it will serve as a model for future deployments. 

As the 21st century progresses, and is defined by technological gains, we are confronted with rapid change in this era of connectivity. This rapid change is not only evident by its effect on societies, business, government and social norms, but also by the risks that were not even thought of a few decades ago. Technology, properly managed, has huge potential for the future of mankind. Addressing cybersecurity in our infrastructure is just one more hurdle to overcome.

Expert advice

For more information about our products and services, please contact us.

Contact Us