Autonomous vehicles, along with smart highway infrastructure, will influence the design of future vehicles. These technologies promise to bring new benefits in mobility, safety and energy efficiency. But along with intelligent transportation systems (ITS) comes the need for cybersecurity and resiliency.
Essentially, ITS is an operational systems of various technologies that, when combined and managed, improve the operating capabilities of the overall transportation system. With drivers more connected than ever, will there be a greater susceptibility to hacking that might threaten people’s lives and safety?
ITS continues to evolve and introduce new technologies and capabilities, says Michael Bertram, senior ITS/tolls analyst, with Atkins (www.atkinsglobal.com). It also encompasses smartphone applications, roadside networks, toll collection kiosks, CCTV cameras, traffic management centers and more.
Atkins – one of the world’s leading design, engineering and project management consultancies – is at the forefront of smart highway infrastructure, working with federal, state and local government entities.
Systemic Concern
“Product vendors and technical experts are paying attention to the security of individual products, and that is a good start,” Bertram says. “However, security is a systemic concern involving what is seen, such as a ‘smart’ vehicle, and also what is not seen, as in people, processes and technology that permeate in and between organizations.”
Vehicle security and vehicle-to-infrastructure (V2I) communications are a high priority, he says, because the combination of the basic physics of a moving object and a hacker with malicious intent is a dangerous one.
Threats
“The source of and motivations for threats to ITS infrastructure vary greatly – from researchers looking to make a name for themselves to hackers motivated by greed, malice or politics, to nation states looking to create instability or an advantage during times of tension and uncertainty,” Bertram says.
He notes that once hackers gain access to a network, they seek out where they can have the largest impact for their motives. Penetration of one piece of ITS equipment is a notable threat, but the ability to affect more than a single piece of equipment is much more significant, and that has been demonstrated by researchers.
10-Step Fix
Bertram likens cybersecurity to an arms race.
“A robust cybersecurity program implements strong security practices to manage the risk of network compromise and data theft,” he says. “Average adversaries are unable to achieve their aims and many sophisticated adversaries will give up or go elsewhere to easier targets.”
Atkins’ Bertram collaborated with industry experts to develop a 10-step enterprise IT security control plan that can help vehicle manufacturers and governments work together to best address future security and safety threats.
1. Know your environment. Before building a comprehensive and holistic solution, organizations need to know what they have and its value, in order to prioritize available resources to protect critical infrastructure.
2. Start with the basics. Address basic steps, such as those in the Center for Internet Security (CIS) Critical Security Controls – a concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous.
3. Know and manage your information-system related risks. Entities which offer/use ITS systems must implement information security risk management programs to effectively secure their organization networks and ITS solutions.
4. Use independent validation paths for information. Keep humans in the loop. Independent validation of operational data allows staff to see conflicts between compromised system data and field conditions.
5. Develop defense-in-depth and incident response as core capabilities. Employ designs, plans and capabilities to respond to and manage security incidents which will occur from time-to-time.
“Assume an ITS device is going to be hacked – not if, but when – whether by an outsider or a malicious insider,” Bertram says. “Force an attacker to conduct a new exploit when trying to move through the network, rather than finding one vulnerability and having unfettered access to everything.”
6. Employ detection technology. For higher risk deployments, detection systems – such as intrusion detection systems (IDS) and intrusion prevention systems (IPS) – can be expensive but are necessary. These systems minimize the risk of a compromise due to an unknown vulnerability or method of attack.
7. Deploy physical security measures. Do not place only a $5 lock on $10,000 worth of equipment that anyone can walk up to on the roadside. Invest in high-tech locks, alarms, cameras and motion sensors that notify security/management personnel immediately of suspicious activity.
8. Protect wireless features. Wireless access offers tremendous convenience but also allows hackers to threaten a network from a distance. Ensure that strong encryption and access control is used.
9. Develop and maintain business continuity and disaster recovery plans. These are vital to assets and systems. Review them regularly to address rapidly-changing threats, networks and ITS equipment.
10. Participate in information sharing with private groups, law enforcement and computer emergency response teams.
About the Author
