Accelerating Security for Intelligent Transportation Systems: A New Trend Micro Report

Connected cars and autonomous vehicles are getting all the headlines these days, especially when it comes to cybersecurity concerns. But that’s only half of the story. An under-reported but hugely important piece of the puzzle relates to the Intelligent Transportation Systems (ITS) needed to create truly smart cities. Governments around the world, including the US, are already investing in these systems – and cyber attacks on them are already beginning to make the news.

Make no mistake, the stakes are as high as they come, with cyber attacks having the potential to cause serious traffic accidents, economically damaging traffic jams, and major financial losses for businesses and governments. That’s why Trend Micro is launching a new in-depth report, Cyberattacks Against Intelligent Transportation Systems, which assesses future threats to ITS.

By sharing our knowledge, we hope ITS stakeholders can better plan ahead to fortify these systems from attack and keep us all that bit safer on the roads.

What’s an ITS?

It might not surprise you to learn that a typical ITS involves a highly complex ecosystem of advanced and emerging technologies. To focus our efforts, we narrowed it down to six main categories:

  • Vehicles: connected and autonomous
  • Roadway reporting: cameras and sensors like bus lane cameras that send real-time data back to control centers, with the goal of making high-volume traffic movement more efficient
  • Traffic flow controls: monitor traffic and roadway conditions in real-time to improve traffic flows, such as railway crossings or emergency services vehicles
  • Payment apps/systems: kiosk payment machines, e-ticket apps, and RFID transponder toll systems designed to regulate traffic density and generate revenue for businesses and municipalities
  • Management apps/systems: control all aspects of the ITS from the nerve center
  • Communications apps/systems: facilitate exchange of information between ITS components

The cyber threat to these systems is very real. Nation states, cybercriminals, hacktivists, cyber-terrorists, malicious insiders, and even unscrupulous operators all have their motives, whether it’s making money, causing chaos and disruption, or stealing sensitive IP. We should also add natural disasters here: adverse weather can often do just as much damage as a committed hacker.

Ransomware attacks, covert data theft, DDoS, and broader information warfare are all very real risks. Roadside message boards have been hacked to display joking or subversive messages; surveillance cameras have been infected with ransomware; emergency sirens have been set off en masse; even internet-connected drive-through car washers have been hijacked to physically attack vehicles and their occupants.

Driving change

The bad news continues: ITS can be attacked physically, wirelessly or over the network. Vehicular Ad hoc Networks (VANETs) – which are comprised of smart vehicles and Roadside Units (RSU) – are particularly at risk for their use of unreliable wireless communications technology. The impact of attacks could be serious, especially when vehicles depend on VANET data for making critical driving decisions.

To provide more concrete insight into ITS cyber-threats, we assigned cyber-attack vectors across the six ITS applications and systems highlighted earlier, applying the industry-standard DREAD threat model to calculate risk.

Over half (54%) of all threats we modelled were rated High Risk and 40% Medium Risk, with network attacks accounting for the majority (71%) of High Risk attacks.

That should ring alarm bells among all ITS stakeholders. So, what happens next? Although it’s challenging to protect the entire ecosystem against cyber-attacks, there are broad best practice measures outlined in the report, which will go a long way to making these systems more resilient. These include:

  • Network segmentation
  • Firewalls/UTM gateways
  • Anti-malware
  • Anti-phishing solutions
  • Breach detection systems
  • Encryption
  • Patch management
  • Vulnerability scanning
  • Shodan scanning

For a more detailed look at the ITS threat landscape and concrete advice for security professionals and policy decision-makers, take a look at the full report: Cyberattacks Against Intelligent Transportation Systems. If we start thinking about cybersecurity today, we can ensure the roads of tomorrow are a safer place for all of us.

Please add your thoughts in the comments below or follow me on Twitter: @WilliamMalikTM.