Enhancing cyber-security in public transportation

As our societies become better connected, so too does our transport, bringing about potential cyber-risks that have only recently begun to be exposed. Here, members of the University of South Florida’s ‘Enhancing Cybersecurity in Public Transportation’ project team explain what operators can do to keep their cyber-physical systems as safe as possible in a world where the pace of innovation refuses to slow.

The development of transportation technologies has recently exploded, having grown from isolated devices to large, interconnected networks of devices. While these developments can bring significant overall benefits, such as increasing safety and ridership, they have also introduced security concerns that had previously been limited to classical computer and information systems.

Public transportation vehicles are perhaps the most-exposed component of transit infrastructure – they carry a large number of individuals that are continuously entering and exiting the vehicles and contain an increasing number of different technologies, including wirelessly connected systems like on-board Wi-Fi, that can be leveraged as potential attack vectors.

Transit agencies are also deploying an increasing number of technologies outside of the vehicle, including mobile apps for collecting fares and providing real-time arrival information, automatic vehicle location devices, and traffic signal priority transmitters and receivers.

This rapid growth, especially in the area of connected and autonomous vehicles, has made the transportation industry a potentially attractive target for attackers seeking to cause costly, widespread damage.

The status quo

Unfortunately, the complexity and vulnerability of transportation technologies may be underappreciated by agency executives and employees. Based on a survey of Florida transit agencies we recently conducted, 11 agencies stated that they and their vendors had not been affected by cyber-security issues, and two agencies didn’t know if they had been affected by cyber-security issues. Those who were concerned with cyber-security-related problems perceived employee training, awareness and funding as primary obstacles to improving cyber-security in transportation systems. Given the rapid development of transit technologies, it seems the complexity of these systems has outpaced the development of training programmes.

However, community awareness of cyber-security appears to be growing – especially for connected and autonomous vehicles. A steady stream of research projects and initiatives is being funded by federal and state organisations seeking to improve the state of cyber-security. New and existing vendors are beginning to offer security-oriented products. Security in transportation was considered a ‘hot topic’ at the Transportation Research Board’s 98th annual meeting. In addition, the Florida Department of Transportation has sponsored workshops and working groups to improve cyber-security for public transportation, in part by opening communication channels between transit professionals and computer-security researchers.

Potential threats to transportation systems

Unlike traditional IT systems, transportation technologies must directly interact with the physical world. Technologies such as traffic signal priority and autonomous vehicles must monitor for infrastructure and moving objects and take physical action based on that monitoring. Attacks on these devices may have costly effects, for example traffic jams, service outages or equipment damage – they could even result in physical injury.

These cyber-physical systems are often not designed with security in mind; many are installed and configured with disabled or default security features. For example, many traffic cabinet controllers have password authentication disabled, granting any user with physical or remote access full control of the controller. Misconfigured systems are a common problem both in cyber-physical systems and classic IT systems; in 2017, the Open Web Application Security Project (OWASP) rated misconfiguration as the sixth most dangerous vulnerability. If quantified, it seems likely that misconfiguration would also be in the top 10 vulnerabilities for transportation systems.

Another unique problem commonly seen in cyber-physical systems is the expected lifetime of hardware and software. In IT systems, software and hardware are updated frequently, while cyber-physical systems may be using the same hardware and software for 10 years or more, often from specialised manufacturers. Service and support for these devices may become difficult or impossible to access, for example if a manufacturer goes out of business. If vendors have moved on to new products, then the older devices may not receive regular security updates. The long lifetime of this technology also means threats may quickly become widespread when discovered. Systems are increasingly supporting remote updates, which eases update management and makes more frequent updates practical where they might otherwise be a logistical nightmare. However, these remote update systems may introduce new remote attack vectors, potentially giving attackers the ability to apply malicious updates.

Transit agencies must not only be prepared for the unique threats present in cyber-physical systems but also for common threats already seen in classic IT systems. Ransomware is one such threat that has been well publicised. Ransomware is a type of malware that is designed to encrypt a computer system and demand a ransom to unencrypt it. Ransomware attacks can be quite costly and are difficult to recover from without the proper preparations. Transportation agencies have already been affected by ransomware; the SamSam ransomware attack on the Colorado Department of Transportation is estimated to have caused over $1 million in damages. Agencies are encouraged to review their backup practices in order to ease the recovery process in the case of a ransomware attack.

Inside a CUTR traffic cabinet donated by the City of Tampa

Agency systems may also be susceptible to attackers seeking to gain access to private consumer information. In October 2018, our research team discovered a vulnerability in a Florida mobile fare payment application that allowed attackers to access rider information. The application did not correctly validate the pairing of session and user data, allowing unauthorised access to the user’s name, phone number, license plate number, parking location, and the last four digits of the used credit card number. The vulnerability was patched by the vendor within four weeks of being discovered. Because the app was a white-labelled solution and shared the same back-end server system with other regions, up to 40 organisations may have been affected by this vulnerability.
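The class of flaw described above, a back end that accepts any valid session without checking that it belongs to the rider whose record is requested, is shown below next to the corrected check. This is an added illustration and not the vendor's or the research team's code; the rider IDs, tokens, record fields and function names are all constructed for the example.

```python
import hmac

# Constructed sample data: two riders and one active session per rider.
RIDERS = {
    "r-1001": {"name": "Rider A", "plate": "SAMPLE1", "card_last4": "0000"},
    "r-1002": {"name": "Rider B", "plate": "SAMPLE2", "card_last4": "1111"},
}
SESSIONS = {"tok-aaa": "r-1001", "tok-bbb": "r-1002"}  # token -> owning rider


class Forbidden(Exception):
    """Raised when a request is not authorised for the requested record."""


def _session_owner(token):
    # Look up which rider a session token belongs to (constant-time compare).
    for stored, rider_id in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return rider_id
    raise Forbidden("invalid session")


def get_profile_unpaired(token, rider_id):
    """Flawed: confirms the session exists, but never checks whose it is."""
    _session_owner(token)
    return RIDERS[rider_id]


def get_profile_paired(token, rider_id):
    """Hardened: the session must belong to the rider being requested."""
    owner = _session_owner(token)
    if owner != rider_id or owner not in RIDERS:
        raise Forbidden("session does not match requested rider")
    return RIDERS[owner]


def is_denied(handler, token, rider_id):
    """Return True if the handler refuses the request."""
    try:
        handler(token, rider_id)
        return False
    except Forbidden:
        return True
```

On a shared, white-labelled back end the same pairing check has to hold for every tenant, so it belongs in the common request path rather than in each region's front end.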

Working towards more secure public transportation

The first step in working towards more secure public transportation should be increasing agency awareness and employee training. By increasing the discussion of cyber-security in the public transportation community, vendors will be encouraged to consider cyber-security during the design process. Federal and state organisations should consider developing new requirements to guide transit agency policy and communicate with agencies about the challenges they face.

Agencies should be sure to use security features that are currently provided by their vendors – a disabled or unused feature provides no protection. If a particular security feature is disabled or otherwise unused, agencies should monitor those devices for malicious activity. Agency employees should also voice any security or usability concerns to their vendors and to researchers, who may be able to design more flexible and robust systems to better suit the needs of agencies.

In addition, agencies should ensure their employees are trained to recognise suspicious activity. Phishing emails, for example, have been used recently to distribute ransomware, further increasing the danger of clicking a rogue link or opening a malicious attachment. As phishing emails continue to be an issue, many researchers have developed free and interactive training for identifying them. Agencies should have a clear process for employees to follow when phishing emails are discovered.

Agencies should also be sure to understand their vendors’ stances on security-related incidents and should ask the following questions before entering into contracts:

  • What’s the plan for handling breaches?
  • How will the agency be informed of potential breaches?
  • Will the agency be charged for managing vulnerabilities?
  • How will customers be informed of breaches?
  • Does the vendor conduct independent audits?

These recommendations will help agencies begin to consider cyber-security as a part of their normal work activities, not only when considering the deployment of new technology. However, there is still much work to do; new technologies such as mobile fare payment applications need to be analysed for unique vulnerabilities, new training programmes need to be designed, and the communication between agencies, vendors, and researchers needs to be improved. 

Biographies 

Sean Barbeau is the Principal Mobile Software Architect for R&D at the Center for Urban Transportation Research at the University of South Florida. His research focuses on intelligent traveller information systems (including security and privacy concerns), location-aware mobile apps, open multimodal data and open-source software.

Jay Ligatti is a Professor at the University of South Florida. His research focuses on software security and programming languages, including authentication, code-injection attacks and defenses, policy composition, type systems, security models, and provable security.

Maxat Alibayev is a Master’s student from the College of Computer Science and Engineering at the University of South Florida. He is a graduate research assistant for the Enhancing Cybersecurity in Public Transportation project.

Kevin Dennis is a Ph.D. student at the University of South Florida and a graduate research assistant for Enhancing Cybersecurity in Public Transportation. His research interests are in the area of computer security, with a recent focus on security in public transportation systems.
