Challenges in Transportation Cyber Security

1. Challenges in Transportation Cyber Security TRB Cyber Security Subcommittee Meeting January 23, 2012 Michael Dinning Director, Transportation Logistics and Security

2. Cyber Security is a Growing Concern in All Modes of Transportation • Increasing threats, potential vulnerabilities and risks • Without cyber security you can’t have safety or efficiency • Need an all hazards approach addressing safety, security and reliability to ensure resilience

3. Threats Are Increasing & Targeting Transportation Employee hacks signals ITS signage hacks common 14 year old derails trams Stuxnet virus attacked control systems Anonymous hacks myBART Researchers hacked autos

4. Growing Dependencies Could Increase Risk

5. Need a Complete Understanding of the Systems, Interdependencies & Importance Cyber-physical Control Systems Traffic Control & Operations Management Systems Safety Management Systems Traveler & Operator Services: 511, E-commerce, E-payment

6. Must Understand Dependencies on Critical Information Example: Fatal SpanAir Crash Cause: pilot error Failed to deploy flaps Warning disabled Related factor: Virus in management system Virus had slowed maintenance management system Data not entered Would have grounded plane

7. Understanding and Risk Mitigation Requires Collaboration Designers & manufacturers Equipment suppliers System integrators Expert consultants University & government researchers Testing organizations Users (airlines) Infrastructure operators Standards organizations Certifiers and regulators Example: Airborne Network Security 7

8. Developing Understanding of Risks: FAA Leads Collaboration on Airborne Network Security Manufacturing Airline Operations Airbus, Boeing, Bombardier, Astronautics, ARINC, CMC Electronics, Curtiss-Wright, General Electric, Panasonic, Rockwell-Collins, Thales American Airlines, British Airways, Delta Airlines, Lufthansa, United Airlines Airborne Network Equipment / Engineering Subject Matter Experts Research / Facilities Funding / Strategic Direction Security Simulator FAA, U.S. Air Force, Defense Information Systems Agency, Dept of Homeland Security (DHS), DOT Volpe Center, UK Center for Protection of National Infrastructure, UK Computer and Electronic Security Group Wichita State University, Louisiana Tech University Academia Government

9. Transit Vehicles are E-enabled RF Cellular Wi-Fi WiMAX DSRC Control Domain Vehicle Controls Vehicle Diagnostics Traffic Signal Priority Video Surveillance Duress Alarms Vehicle Immobilizers Operations Domain Automated Dispatching Vehicle Location Route/Schedule Status Passenger Counters Stop Annunciation Electronic Payments Infotainment Domain Customer use of Wi-Fi and WiMAX Real-time Travel Info & Trip Planning

10. We’re Demanding Connectivity and Increasing the Potential Attack Surface Satellite Cellular WiFi Radio DSRC Blue Tooth & RF Wireless Sensors CD & MP3 Mechanics’ Diagnostic Tools 10

11. Addressing All Hazards: NHTSA Developing Strategy for Reliability & Security • Benchmarking • Standards • Roadmap • Program plan 11

12. Roadmap: Strategy to Ensure Resilience Risk assessments Standards Design practices Certification Monitoring Aviationlawmonitor.com Goals: systems safety, security, reliability and resilience 12

13. DOT, DHS and TSA Collaboration DHS Control System Security Program: assisting asset owners • Vulnerability and risk assessments • Standards and best practices • Transportation Control System Security Roadmap TSA IA & Cyber Security Division & TSA Network Management • Outreach and training • Transportation Sector Plan

14. Cyber Security Resources and Tools • TSA Transportation Systems Sector Cyber Working Group • Newsletter, monthly meetings, summit, training, case studies • DHS Control System Security Program - Transportation • Assessments (i.e. CSET), information sharing, standards, training • Industry associations • APTA Control & Communications Security Working Group • AAR Rail Information Security Committee • SAE Automotive Systems Security Committee • RTCA SC216 Aeronautical System Security Committee • AAPA Security Committee • TRB Transportation Cyber Security Sub Committee • Information Sharing and Analysis Centers & Computer Emergency Response Teams • DOT Volpe Center Transportation Cyber Security Team/Lab

15. Actions for the Transportation Community • Make sure all programs address cyber security • Coordinate with safety and reliability initiatives to ensure resilience • Address entire the system life cycle • Collaborate with programs in other modes, agencies and sectors to leverage research and experience

16. Contact Information Mike Dinning Director, Transportation Logistics & Security US DOT Volpe Center, RVT-50 michael.dinning@dot.gov 617 494 2422

17. Discussion: Role of the Cyber Security Subcommittee • Focal point, catalyst & advocate in TRB • Resource for other committees • Clearinghouse for information • Guidance for TRB projects • Identify research needs & initiate new TRB projects • Other?