Transport security – should we worry?

My blog this month focusses on a completely different aspect of operations; that of security and information. At a meeting of the Parliamentary Advisory Council on Transport Safety (PACTS) held in January this year, members were briefed on automotive cyber security. Whilst this focussed on cars, as they are early adopters of on-board technologies, it can also be relevant to buses and coaches as more and more data is received and transmitted to and from vehicles. This may either be data from the vehicle or to and from passengers.

What sort of items are we talking about that were vulnerable to attack?  Items such as tyre pressure monitoring, vehicle diagnostic port, infotainment systems and telematics just to name a few. Were these theoretical or actual threats? In these cases they were actual attacks on systems, one of these was the widely reported Jeep system where hackers were able to access on board vehicle systems and take over safety critical systems such as engine control and braking etc., this attack led to jeeps being recalled for rectification in order to break the link between the infotainment system and the safety critical systems.

A key problem identified was that the vehicle manufacturers expected the data/systems service providers to provide the security protection and the providers expected the manufacturers to do this so, it never got done and the vulnerability existed. What are the implications for vehicle operators? In the short-term there is a definite vulnerability and operators should be talking to both the vehicle manufacturers and their data system providers and asking what protection is built into their electronic systems to defend the operator. They should also issue written guarantees that the systems are both resilient and data security compliant.

Are we really bothered though? Wi-fi on buses is now becoming standard and we are all used to sending GPS data on vehicle location etc. back to base but, what if someone wants to disrupt our operations or to use our vehicles as a road block to cause chaos in the city or even to stop a bus on the highway to allow an attack to go ahead against passengers, fanciful? Well what about the lone wolf attack on a train in Germany a short time ago, no-one foresaw that happening but it did so we must be thinking about the wider aspects of security on a day-to-day basis.

So where do we go from here, my thought is that we need to look at data security and its security as an industry and not just as one or two operators in isolation and we need to do this both across the UK, Europe and the wider world as this is a worldwide problem for all of us. Could this be a case that Intelligent Transport could lead on, should we hold a conference on cyber security or security in general?

Taking an even wider view of the potential problem how do we make sure that our passengers are not hacking our systems on our vehicles. We need to ensure that any wi-fi public access point is a separate system to that we use for our data and that hardened firewalls are in place to prevent any unauthorised access. Do your systems ensure this? If not, why not?

Now what about the physical aspects of transport, how many of you are comfortable with the security of your bus stations, interchanges, depots and offices? We all rely on our police services and in some cases the security services to provide information as to security risks we might face but how many of us have looked at our offices to ensure that someone cannot just wander in and take control of our radio systems or control rooms, are we sure that all of our people can be trusted. If you work at an airport staff are required to have a security clearance but how many of you check the backgrounds of the support staff such as cleaners etc.? It might sound like overkill but in today’s world there is a threat around every corner and we need to help minimise that threat.

I am going to leave it there but we would be interested in your views on this thorny subject…