According to the U.S. DOT, ITS consists of the “operational systems of various technologies that, when combined and managed, improve the operating capabilities of the overall system.” ITS continues to evolve and introduce new technologies and capabilities, including smart and connected vehicles, but it also encompasses smartphone applications, roadside networks, toll collection kiosks, CCTV cameras and traffic management centers, to name a few examples.
Product vendors and technical experts are paying attention to the security of individual products. This is a good start, but our industry is clearly not yet mature on security matters, and ITS risks repeating errors made in other sectors. Technologists must learn the lessons of recent years, when organizations such as Target, Saudi Aramco and the US Office of Personnel Management (OPM) suffered abuse of trusted access leading to financial theft, massive data destruction and theft of sensitive personal information, respectively. Those were high-profile breaches, but the stakes for ITS are higher still: the safety of roadway users and their trust in the system. Users implicitly trust that retailers are at least attempting to address their security and privacy concerns holistically and with due care. Users also trust that their governments will ensure the safety and security of the roadway infrastructure they use every day.
Security is a systemic concern involving what is seen (the product of concern, such as a ‘smart’ vehicle) but also what is not seen: the people, processes and technology within and between organizations. Vehicle security is a high priority because the combination of a moving object's basic physics and an attacker with malicious intent is a dangerous one. With the growth of vehicle-to-infrastructure (V2I) communications, there is some chance that an infrastructure attack may cause injuries or fatalities, though probably less than a direct vehicle attack.
What is the threat?
The sources of threats to ITS infrastructure vary greatly, as do their motivations: researchers looking to make a name for themselves, hackers motivated by greed, malice or politics, and nation states looking to create instability or an advantage during times of tension and uncertainty. Once attackers gain a foothold on a network, they seek out where they can have the largest impact for their motives. Penetration of one piece of ITS equipment is a notable threat, but the ability to affect many pieces of equipment at once is far more significant, and researchers have demonstrated it.
How do we fix it?
Cyber security is an arms race. A robust cyber security program implements strong security practices to manage the risk of network compromise and data theft. Average adversaries are unable to achieve their aims and many sophisticated adversaries will give up or go elsewhere to easier targets. To address the specific threats and vulnerabilities in a systemic manner, here are ten enterprise IT security controls to consider:
1. Know your environment: The first step before building a comprehensive and holistic solution is for organizations to know what assets they have and what each is worth, in order to prioritize available resources toward protecting critical infrastructure.
2. Start with the basics. Address basic steps such as those found in the CIS Critical Security Controls. For example, continuous monitoring and basic internal and external assessments will uncover weaknesses in a network.
3. Know and manage your information-system related risks. Organizations that provide or operate ITS systems must implement information security risk management programs to effectively secure both their organizational networks and their ITS solutions.
4. Use independent validation paths for information. Keep humans in the loop! Independent validation of operational data allows staff to see conflicts between compromised system data and field conditions.
5. Develop defense-in-depth and incident response as core capabilities. Roadway managers already employ designs, plans and capabilities to respond to and manage physical roadway events (such as accidents or dangerous weather), knowing these occur from time to time; they must employ the same kind of designs, plans and capabilities for security incidents, which will also occur from time to time. Assume an ITS device is going to be hacked (not if, but when), whether by an outsider or a malicious insider. Segment the network so that an attacker who compromises one device must find and exploit a new vulnerability to move further, rather than gaining unfettered access to everything from a single foothold.
6. Employ detection technology. For higher risk deployments, intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be expensive but are necessary. Detection does not stop an unknown vulnerability or attack method from being used, but it shortens the time between a compromise and its discovery, and so limits what the attacker can do with it.
7. Deploy physical security measures. Do not place only a $5 lock on $10,000 worth of equipment that anyone can walk up to on the roadside. Invest in high-tech locks, alarms, cameras and motion sensors that notify security personnel immediately of suspicious activity.
8. Protect wireless features. Wireless access offers tremendous convenience, but it also allows attackers to threaten your network from a distance. Ensure that strong encryption and access control are used.
9. Develop and maintain business continuity and disaster recovery plans. These plans are vital to protecting customer assets and systems. Review them regularly to address rapidly changing threats, networks and ITS equipment.
10. Participate in information sharing with private groups, law enforcement and computer emergency response teams. Encourage communication with organizations such as InfraGard, the Multi-State Information Sharing & Analysis Center (MS-ISAC), and industrial control systems (ICS) organizations such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) or the ICS Joint Working Group (ICSJWG). The benefits of engagement and partnership with these organizations far outweigh the minimal resources and effort needed to get involved.
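Control 4 above calls for an independent validation path so that staff can see conflicts between what a system reports and what is actually happening in the field. The following Python is an added example, not code from the article or its authors: it cross-checks a signal controller's self-reported phase state against loop-detector counts that arrive over a separate channel. The two-phase intersection layout (NS and EW), the conflict table, the flow threshold and every report and reading are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical intersection: two through phases that must never be green together.
CONFLICTING_PHASES = [frozenset({"NS", "EW"})]


@dataclass
class ControllerReport:
    """What the signal controller claims over the management link."""
    ts: int
    green: frozenset  # phase names the controller says are green


@dataclass
class DetectorReading:
    """Independent loop-detector count for one approach over the same interval."""
    ts: int
    approach: str
    vehicles_passed: int


def check_interval(report, readings, min_flow=3):
    """Return alert strings for one interval; empty list means report and field agree."""
    alerts = []
    # Internal consistency: the controller itself reports conflicting greens.
    for pair in CONFLICTING_PHASES:
        if pair <= report.green:
            alerts.append(f"t={report.ts}: conflicting greens {sorted(pair)}")
    # External evidence: traffic flowing on an approach the controller reports as red
    # means the report is stale, wrong or spoofed. min_flow filters out red-light runners.
    seen = False
    for r in readings:
        if r.ts != report.ts:
            continue
        seen = True
        if r.approach not in report.green and r.vehicles_passed >= min_flow:
            alerts.append(
                f"t={report.ts}: {r.approach} reported red but "
                f"{r.vehicles_passed} vehicles passed"
            )
    # Loss of the independent channel is itself an alert: the report can no longer be verified.
    if not seen:
        alerts.append(f"t={report.ts}: no independent detector data; controller report unverified")
    return alerts


def cross_check(reports, readings, min_flow=3):
    """Run check_interval over a sequence of controller reports."""
    alerts = []
    for rep in reports:
        alerts.extend(check_interval(rep, readings, min_flow))
    return alerts


# Constructed sample: t=0 agrees, t=1 shows flow on a "red" approach,
# t=2 reports both phases green, t=3 has no detector data at all.
SAMPLE_REPORTS = [
    ControllerReport(0, frozenset({"NS"})),
    ControllerReport(1, frozenset({"NS"})),
    ControllerReport(2, frozenset({"NS", "EW"})),
    ControllerReport(3, frozenset({"EW"})),
]
SAMPLE_READINGS = [
    DetectorReading(0, "NS", 5), DetectorReading(0, "EW", 0),
    DetectorReading(1, "NS", 0), DetectorReading(1, "EW", 6),
    DetectorReading(2, "NS", 4), DetectorReading(2, "EW", 4),
]

if __name__ == "__main__":
    for alert in cross_check(SAMPLE_REPORTS, SAMPLE_READINGS):
        print(alert)
```

The point of the design is that the detector feed is trusted for validation only because it reaches the operator by a path the controller's management link does not share; if both ride the same cabinet uplink, an attacker who owns that link can make them agree.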
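Controls 5 and 6 above call for segmentation and for detecting movement across it. As an added example that is not part of the article, the following Python runs a few detection rules over constructed flow-log lines from a segmented ITS network: management traffic to field devices is expected only from a traffic management center (TMC) subnet, over an allow-listed set of ports, and never from one field device to another. The subnets, ports, log format, SNMP community strings and every log line are assumptions made for this example.

```python
import ipaddress
import re

# Assumed network layout for this example (not from the article).
TMC_MGMT = ipaddress.ip_network("10.20.5.0/24")       # TMC management hosts
FIELD_DEVICES = ipaddress.ip_network("10.50.0.0/16")   # roadside controllers and cabinets
ALLOWED_FIELD_PORTS = {161, 22}                        # SNMP and SSH only
DEFAULT_COMMUNITIES = {"public", "private"}            # vendor defaults that should be gone

# Constructed log format: one flow per line, with an SNMP decode when the sensor has one.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+)(?: snmp_pdu=(?P<pdu>\w+))?(?: community=(?P<comm>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["dport"] = int(ev["dport"])
    return ev


def evaluate(ev):
    """Return (severity, reason) findings for one parsed event."""
    findings = []
    if ev["dst"] not in FIELD_DEVICES:
        return findings  # only traffic into the field segment is in scope here
    if ev["src"] in FIELD_DEVICES:
        # Field devices have no business talking to each other: a classic lateral-movement sign.
        findings.append(("high", "field device initiating traffic to another field device"))
    elif ev["src"] not in TMC_MGMT:
        # Writes (SNMP SET) from outside the TMC are the worst case; reads are still suspicious.
        sev = "high" if ev["pdu"] == "SET" else "medium"
        findings.append((sev, f"{ev['pdu'] or 'traffic'} to field device from non-TMC source"))
    if ev["dport"] not in ALLOWED_FIELD_PORTS:
        findings.append(("medium", f"unexpected service port {ev['dport']} on field device"))
    if ev["comm"] in DEFAULT_COMMUNITIES:
        findings.append(("medium", f"default SNMP community '{ev['comm']}' in use"))
    return findings


def scan(lines):
    """Run the rules over an iterable of log lines; returns (ts, src, dst, severity, reason)."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for sev, reason in evaluate(ev):
            alerts.append((ev["ts"], str(ev["src"]), str(ev["dst"]), sev, reason))
    return alerts


# Constructed sample log: two benign TMC operations, then a SET from an office subnet
# using a default community, a telnet attempt, field-to-field traffic, and a junk line.
SAMPLE_LOG = """
2016-03-01T02:14:07Z src=10.20.5.17 dst=10.50.1.12 proto=udp dport=161 snmp_pdu=GET community=ro-ops
2016-03-01T02:14:09Z src=10.20.5.17 dst=10.50.1.12 proto=udp dport=161 snmp_pdu=SET community=rw-ops
2016-03-01T02:31:44Z src=10.60.3.4 dst=10.50.1.12 proto=udp dport=161 snmp_pdu=SET community=private
2016-03-01T02:33:10Z src=10.20.5.17 dst=10.50.1.12 proto=tcp dport=23
2016-03-01T02:40:55Z src=10.50.1.12 dst=10.50.2.40 proto=udp dport=161 snmp_pdu=SET community=rw-ops
this line is not a flow record
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(*alert)
```

Rules like these are only as good as the segmentation they assume: if field devices can reach each other or the TMC subnet directly, the "field-to-field" and "non-TMC source" conditions become noise rather than signal, which is why control 5 comes before control 6.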
For more information, download the Cyber Resilient Infrastructure Report or read my white paper "How to Avoid Repeating History in ITS Security" co-authored by Chris Waters, SC3.