BACKGROUND
Over the past several years, our society has become more “networked,” with traditionally isolated control systems connecting to business networks and with each other. Government agency websites and databases have been hacked, and corporate secrets have been compromised. Further, cyber attacks on infrastructure control systems also have the proven potential to cause physical consequences similar to those usually associated with more traditional attacks (such as bombs or equipment sabotage). Transportation is not immune from these changes, and there is the very real possibility that infrastructure such as Traffic Management Centers, signal control systems, and rail control systems may be manipulated via their cyber components (directly or indirectly) to cause crashes, kill and injure the traveling public, and destroy critical systems. The protection of “infostructure” is especially important for transit agencies entrusted by the public to provide safe transportation services. Many transit agencies have been deploying or planning to deploy Transit Intelligent Transportation Systems (ITS) technologies such as Automatic Train Control (ATC) systems for rail transit. Indeed, signal systems are essential for the safe functioning of bus, heavy rail, light rail, and commuter rail systems. As these systems become more “intelligent” through the use of computers and networks, they also grow in complexity and vulnerability. While physical attacks are more likely to be carried out by terrorists or hostile foreign nation-states, cyber attacks may also be carried out by a wide array of adversaries, from teenage hackers and protest groups to organized crime syndicates as well as terrorists. Research is needed to identify effective practices to protect transportation systems from cyber incidents and attacks on signaling and control systems as well as enterprise data systems.
OBJECTIVE
The objective of this research is to develop (1) a primer and (2) a briefing for transportation system owners and operators explaining the nature of cyber events and their operational and safety impacts. These products should contain a list of effective practices that can be used to protect transportation systems from cyber events and to mitigate damage should an attack or breach occur. The types of cyber events to be considered include cyber incidents and attacks on transit and traffic control/command centers, electronic security/surveillance systems, signal systems, control systems [such as Supervisory Control and Data Acquisition (SCADA)], and electronic signage; database breaches; phishing; and intranet and website breaches. This research is being coordinated through panel liaisons with (1) APTA standards working groups on (a) industrial control systems and (b) enterprise cyber security as well as (2) work at the Volpe National Transportation Systems Center and work by DHS/TSA.
TASKS
PHASE I
(1). Based on a review of literature and current practice, identify, for North American transit systems, how decisions are made to implement (1) cyber security to protect industrial control systems such as signals and communications systems; (2) cyber security for data systems including parking, fare payments, payroll, and public information systems; (3) data connections between Centralized Traffic Control (CTC), SCADA, and data systems; and (4) data connections with other systems. (2). Based on a review of literature and current practice, identify, for North American highway/traffic agencies, how decisions are made to implement (1) cyber security to protect industrial control systems such as signals and communications systems; (2) cyber security for data systems including parking, fare and toll payments, payroll, and public information systems; (3) data connections between Traffic Monitoring and Management Systems, SCADA, and data systems; and (4) data connections with other systems such as draw bridges.(3). Conduct a survey of current and past practices as well as “lessons observed” regarding industrial control systems and cyber security among relevant state and local agencies (e.g., local, state, and regional agencies with emergency management and response responsibilities; transit managers; and state transportation agency personnel). Do they know how their mission-critical networks are configured? What are their “worst case” concerns? What are their plans, what have they tested, and what do they have budgeted for training? How are they preparing for Positive Train Control? (4). Prepare draft briefing materials (including a set of slides and handouts) suitable for a 20-minute briefing to senior executives on current effective security practices for transit and DOT cyber and industrial control systems, including (but not limited to) identifying gaps and opportunities for improved practices. Identify real or perceived programmatic, organizational, administrative, and regulatory hurdles that limit effective planning and response for transit and DOT cyber and industrial control systems incidents. (5). Prepare a detailed Phase II work plan. At a minimum, it should (1) identify proposed case studies of effective security practices for transit and DOT cyber and industrial control systems, and (2) provide a detailed outline for the primer. (6). Prepare an interim report documenting the results of Tasks 1 through 5.
PHASE II
(7). Execute the approved Phase II work plan to develop (1) detailed case studies of effective security practices for transit and DOT cyber and industrial control systems; (2) refined Task 4 briefing materials for transportation system owners and operators explaining the nature of cyber events and their operational and safety impacts; and (3) a primer that will serve as the cyber counterpart to Security 101: A Physical Security Primer for Transportation Agencies. The latter two products should contain a list of effective practices that can be used to protect transportation systems from cyber events and to mitigate damage should an attack or breach occur. (8). Develop and deliver 2 in-person pilot briefings to senior executives on current effective security practices for (1) transit and (2) state DOT cyber and industrial control systems. Refine the briefings and deliver 2 webinars, 1 for transit and 1 for state DOTs. (9). Prepare final deliverables, including (1) a final report documenting the entire research effort, including (a) a project implementation plan (updated from the project proposal and identifying potential follow-on research), (b) an executive summary of the project, (c) detailed case studies, (d) appendices (e.g., a white paper for consideration under the APTA Security Standards Program); (2) updated Task 8 briefing materials for transportation system owners and operators explaining the nature of cyber events and their operational and safety impacts, including (but not limited to) identifying gaps and opportunities for improved practices; and (3) a primer that will serve as the cyber counterpart to Security 101: A Physical Security Primer for Transportation Agencies. The latter two products should contain a list of effective practices that can be used to protect transportation systems from cyber events and to mitigate damage should an attack or breach occur.
-
-
