Challenges in Transportation Cyber Security

TRB Cyber Security Subcommittee Meeting
January 23, 2012
Michael Dinning
Director, Transportation Logistics and Security
Cyber Security is a Growing Concern in All Modes of Transportation
• Increasing threats, potential vulnerabilities and risks
• Without cyber security you can’t have safety or efficiency
• Need an all hazards approach addressing safety, security and reliability to ensure resilience
Threats Are Increasing & Targeting Transportation
• Employee hacks signals
• Researchers hacked autos
• ITS signage hacks common
• Anonymous hacks myBART
• 14-year-old derails trams
• Stuxnet virus attacked control systems
Growing Dependencies Could Increase Risk
Need a Complete Understanding of the Systems, Interdependencies & Importance
Cyber-physical Control Systems
Safety Management Systems
Traffic Control & Operations Management Systems
Traveler & Operator Services: 511, E-commerce, E-payment
Must Understand Dependencies on Critical Information
Example: Fatal Spanair Crash
• Cause: pilot error
– Failed to deploy flaps
– Warning disabled
• Related factor: Virus in management system
– Virus had slowed maintenance management system
– Data not entered
– Would have grounded plane
Understanding and Risk Mitigation Requires Collaboration
Example: Airborne Network Security
• Designers & manufacturers
• Equipment suppliers
• System integrators
• Expert consultants
• University & government researchers
• Testing organizations
• Users (airlines)
• Infrastructure operators
• Standards organizations
• Certifiers and regulators
Developing Understanding of Risks: FAA Leads Collaboration on Airborne Network Security
Airborne Network Security Simulator
• Manufacturing: Airbus, Boeing, Bombardier, Astronautics, ARINC, CMC Electronics, Curtiss-Wright, General Electric, Panasonic, Rockwell-Collins, Thales
• Airline Operations: American Airlines, British Airways, Delta Airlines, Lufthansa, United Airlines
• Government: FAA, U.S. Air Force, Defense Information Systems Agency, Dept of Homeland Security (DHS), DOT Volpe Center, UK Center for Protection of National Infrastructure, UK Computer and Electronic Security Group
• Academia: Wichita State University, Louisiana Tech University
Diagram labels: Equipment / Engineering; Subject Matter Experts; Research / Facilities; Funding / Strategic Direction
Transit Vehicles are E-enabled
RF Cellular Wi-Fi WiMAX DSRC
Control Domain
Operations Domain
Vehicle Controls
Automated Dispatching
Vehicle Diagnostics
Vehicle Location
Traffic Signal Priority
Route/Schedule Status
Video Surveillance
Passenger Counters
Duress Alarms
Stop Annunciation
Vehicle Immobilizers
Electronic Payments
Infotainment Domain
Customer use of Wi-Fi and WiMAX
Real-time Travel Info & Trip Planning
We’re Demanding Connectivity and Increasing the Potential Attack Surface
• Satellite
• Cellular
• WiFi
• Radio
• DSRC
• Bluetooth & RF
• CD & MP3
• Wireless Sensors
• Mechanics’ Diagnostic Tools
Addressing All Hazards: NHTSA Developing Strategy for Reliability & Security
• Benchmarking
• Standards
• Roadmap
• Program plan
Roadmap: Strategy to Ensure Resilience
Risk assessments
Standards
Design practices
Certification
Monitoring
Aviationlawmonitor.com
Goals: systems safety, security, reliability and resilience
DOT, DHS and TSA Collaboration
DHS Control System Security Program: assisting asset owners
• Vulnerability and risk assessments
• Standards and best practices
• Transportation Control System Security Roadmap
TSA IA & Cyber Security Division & TSA Network Management
• Outreach and training
• Transportation Sector Plan
Cyber Security Resources and Tools
• TSA Transportation Systems Sector Cyber Working Group
– Newsletter, monthly meetings, summit, training, case studies
• DHS Control System Security Program - Transportation
– Assessments (i.e. CSET), information sharing, standards, training
• Industry associations
– APTA Control & Communications Security Working Group
– AAR Rail Information Security Committee
– SAE Automotive Systems Security Committee
– RTCA SC216 Aeronautical System Security Committee
– AAPA Security Committee
• TRB Transportation Cyber Security Subcommittee
• Information Sharing and Analysis Centers & Computer Emergency Response Teams
• DOT Volpe Center Transportation Cyber Security Team/Lab
Actions for the Transportation Community
• Make sure all programs address cyber security
• Coordinate with safety and reliability initiatives to ensure resilience
• Address the entire system life cycle
• Collaborate with programs in other modes, agencies and sectors to leverage research and experience
Contact Information
Mike Dinning
Director, Transportation Logistics & Security
US DOT Volpe Center, RVT-50
michael.dinning@dot.gov
617 494 2422
Discussion: Role of the Cyber Security Subcommittee
• Focal point, catalyst & advocate in TRB
• Resource for other committees
• Clearinghouse for information
• Guidance for TRB projects
• Identify research needs & initiate new TRB projects
• Other?