Cybersecurity on the Information-Enabled Superhighway
By Joe Beckman, Lead Information Security Analyst, cyberTAP, Purdue University
Visions of the future of human transportation have existed as long as there have been people to envision it. Current visions of the future of our transportation include high-speed, subterranean tubes that accommodate passenger “pods”, as well as electric and driver-less cars, among others. Regardless of the direction our transportation systems ultimately take, we can be confident that transportation will be driven by the collection and transmission of electronic data by sensors and computer control of at least some aspects of transportation systems. We can also be confident that transportation systems will need to have the flexibility to change to meet yet unforeseen demands of travelers. In fact, information technology (IT) has been used in open road tolling, for directional switching of roadway lanes, and in control of traffic signals as the vehicle by which flexibility has been added to roadway infrastructure. In exchange for this flexibility, those responsible for the infrastructure now have the additional responsibility of managing the complexities of information systems, including the security of those systems. As a result, maintaining safe and secure roadways now requires consideration of the role played by IT systems and cybersecurity in: roadway and road system design, management, and in the training of those who maintain roads and road systems. Because the intersection of roadway and IT systems is well described as systems-of-systems (SoS), this article discusses cybersecurity considerations in roadway design, management, and the training of personnel in terms of SoS concepts.
Cybersecurity by Design
A fundamental challenge facing design at the intersection of information technology and roadway management is the asynchronous lifecycles of IT equipment and roadways. Roadways are designed to last for decades and may be used for a century or longer. The useful life of IT equipment is usually less than a decade. Advances in information technology, as well as the security of IT devices and their transmitted information, are important factors that limit the useful life of IT devices. But, like trying to predictions of the future state of transportation, predicting the future state of information technology and approaches to cybersecurity is a guessing game.
The challenge presented by asynchronous lifecycles of road and IT systems can be addressed by deciding on mutually agreed upon stop points at which the most current thinking in each domain will be designed in so that the whole of the SoS can be tested and implemented. Because roadway design already considers how a roadway must interact with other domains like storm water drainage and property rights, considering cybersecurity in roadway design can begin by adding IT and cybersecurity professionals to existing conversations. But, full integration of cybersecurity into the design process requires that cybersecurity considerations be allowed to move stop points for testing and implementation when appropriate. Full integration of cybersecurity into the design of the rail tram system in Lodz, Poland in could have eliminated technical (and possibly physical) vulnerabilities that caused twelve people to be injured when a teenager with a modified television remote control interfered with the rail switching system in 2008. As the use of information technology increases in roadway control systems, cybersecurity considerations in roadway design will have an increasing impact on the safety of travelers. Full integration of cybersecurity into the roadway design process will be required.
The Cybersecurity of Roadway Management
Managing roadways that utilize IT devices require expertise in information technology and cybersecurity, as well as more traditional roadway management expertise. In cases where critical information is gathered from devices on or around the roadway, or if IT-enabled control systems are in use on roadways, the function and security of these devices and their communications network must be properly configured and monitored. If highway networks are compromised, the ability of highway departments to maintain roadways is reduced and casualties may result. States, and increasingly, counties have dedicated IT departments, with which highway departments should partner to provide advice related to purchasing, configuring and monitor highway networks. IT and cybersecurity experts within IT departments should help highway department personnel better understand the impacts of different device purchase decisions and device configuration decisions, assist with connectivity among devices, and adapt cybersecurity frameworks and best practices to the environments in which roadways are run and maintained. If information technology and cybersecurity expertise are not available within the organization that owns and operates the roadways, roadway managers should contract for these services independent of expertise provided by device vendors prior to the design of IT-enabled road systems.
Training Roadway Managers and Maintenance
Even with considerable support from information technology and security experts in managing IT-enabled road systems, those tasked with performing roadway maintenance and management should be armed with a basic level of IT and cybersecurity knowledge. Without basic IT and cybersecurity knowledge through which to understand the risks to IT devices and networks, roadway maintenance personnel are not properly equipped to be aware of threats to these devices and networks in their work environments. Awareness of cybersecurity risks among those in the environment is critical to a strong cybersecurity posture. Defacements of highway message boards provide non-critical examples of the importance of cybersecurity knowledge in roadway maintenance. Application of basic cybersecurity authentication best practices may have prevented prior incidents in which malicious actors accessed and modified messages on roadway signs, had such controls been implemented. If cybersecurity best practices are not understood and followed in the field for more critical roadway information or control devices, the risk of casualties from such “hacks” increase. Therefore, road maintenance agencies that service IT-enabled roads and road systems should be trained in basic cybersecurity principles, as well as how these principles are implemented in devices that they need to maintain.
Training in cybersecurity principles for highway managers and maintenance personnel should both principles and practice, and be role-specific. Practical instruction focused on the security of devices in the field is necessary to fulfill whatever aspects of support or device maintenance roadway managers assign to maintenance personnel. Teaching maintenance personnel principles of cybersecurity hygiene provides the “why” as a complement to device-specific training. In some cases, teaching roadway maintenance workers basic cybersecurity principles may facilitate communication of previously undiscovered cybersecurity problems from those in the field to roadway designers and IT security personnel. This type of bi-directional communication about cybersecurity issues in fielded equipment is one marker of an environment that fosters a strong cybersecurity posture. Cybersecurity training for roadway managers should also include practical and theoretical components, but should build on training given to road maintenance personnel in way that facilitate communication of cybersecurity information between those with expertise in roadways and those with expertise in IT and cybersecurity.
Information technology is beginning to be integrated into roadways and road systems for information gathering and control functions. As both domains continue to advance, integration of IT and roadways is expected to grow. Traveler safety demands that those who own and maintain roadways and systems take new approaches to design, management, and the training of personnel. By embracing IT and cybersecurity in roadway management comprehensively throughout the roadway lifecycle, roadway stakeholders can create safer, more effective road systems for the traveling public.