Most citizens who use modes of mass transportation every day, be it commuter trains, light rail subways or buses understand the potential physical risk posed by a random act of terrorism. Deadly transportation attacks from 1995 through 2016 involving trains, subways and buses have claimed the lives of close to 400 commuters worldwide. From Sarin gas attacks in Tokyo to suicide bombers aboard subways and buses in Moscow, London and Brussels, the attacks have been infrequent yet deadly.
Last week in New York City, a man with a crude homemade bomb strapped to his belly had it explode as he was leaving the Port Authority Bus Terminal subway station. Luckily there were only five injured, including the suspect. Certainly, the threat of physical mayhem grabs the headlines, and rightly so. But as the interdependence of present and future modes of transportation hinge on network systems and digital frameworks, the risk of catastrophic physical and financial events triggered by cyber attacks have emerged as a major threat.
Survey Sez
“Risks to critical transportation infrastructure include natural disasters as well as manmade physical and cyber threats. Man-made threats include terrorism, vandalism, theft, technological failures, and accidents. Cyber threats to the Sector are of concern because of the growing reliance on cyber-based control, navigation, tracking, positioning, and communications systems, as well as the ease with which malicious actors can exploit cyber systems serving transportation. Terrorist attacks, whether physical or cyber, can significantly disrupt vital transportation services and cause long-term sociological and economic consequences,' says a recent IBM X-Force security research report entitled, “Security Trends in the Transportation Industry.”
Back in 2013, the American Public Transportation Association (APTA) released its “Cybersecurity Considerations for Public Transit’’ stating the dependence on and seamless integration of technology into everyday activities and operations has exposed and brought to the forefront the critical need to address cybersecurity. APTA understands the real cyber threats against transit infrastructure and agencies across the nation.
Securing mass public transportation became a priority with the past administration as it teamed with DHS, TSA and the Department of Transportation to help APTA identify key elements of vulnerability and potential mitigation that addressed the management, operational and technical aspects of protecting federal information and information systems. They included:
- Standards, policies and procedures: Transit agencies should develop, formalize and document thorough standards, policies and procedures in protecting against cyber threats and improving resilience to such incidents.
- Information system technology and infrastructure: Transit agencies should ensure the capability, maintenance, serviceability and interoperability of the organization’s ICT infrastructure. Transit agencies should implement a thorough system development life cycle (SDLC) process that integrates risk management into the process.
- Awareness, training and education: Transit agencies should focus on developing a general culture of awareness on cybersecurity. Further, transit agencies should identify specific individuals necessary to receive further training and education as part of their professional development and career progression, to enhance the organization’s internal capabilities against cyber threats.
- Information security risk management integration: Transit agencies should integrate information security into the organization’s risk management strategy from the very top to align with the organization’s strategy, mission and goals. Integrating information security into the risk management process will ensure proper identification and allocation of essential resources in enhancing the organization’s ability to mitigate increase resiliency against cyber attacks
For Stan Engelbrecht, the Director of Cyber Security Practice at D3 Security, a developer of incident response and case management solutions, addressing the present threats and being cognizant of evolving technologies that are driving social transportation habits are important to staying ahead of the chaos.
Planes, Trains, and Automobiles
“You really have to break it down into two different areas. You have the older forms of public transportation; the SCADA systems for rail transportation and subways as well. Then you have the new wave of transportation like the autonomous vehicles and semi-autonomous vehicles that are internet connected,” says Engelbrecht. ”So when it comes to the transportation industry, it needs to be looked at in these two separate veins. That’s a lot of autonomous cars that are driving people around. So, in essence, you have two totally disparate transportation modes we need to be concerned about and create appropriate strategies to address them.”
The high-profile concern remains traditional modes of mass transit like trains and buses. Yet he points to the fact that Uber will buy up to 24,000 XC90 SUVs from Volvo to form a fleet of driverless vehicles to be delivered between 2019 and 2021 that could drastically change the transportation landscape. The base vehicles feature core autonomous driving technologies that will enable Uber to add its own automation features as well.
Jeff Miller, head of auto alliances at Uber said in a statement to Bloomberg News recently, “This new agreement puts us on a path towards mass-produced self-driving vehicles at scale.”
Engelbrecht admits the potential cybersecurity issues could be staggering for Uber as they roll out their planned autonomous taxi fleet, but he remains focused on today’s real-life risk scenarios for what he considers the biggest target for cyber-attack – commuter and light rail.
“Let’s take a look at public rail. I use it every day in Vancouver whether it is the main rail station for the commuter trains or the SkyTrain system, which are both centralized systems that rely on SCADA systems,” says Engelbrecht, who adds that the SkyTrain is the oldest and one of the longest automated driverless light rapid transit systems in the world.
The Expo and Millennium SkyTrain Lines connect downtown Vancouver with the cities of Burnaby, New Westminster and Surrey. The Canada Line connects downtown Vancouver to the Vancouver International Airport (YVR) and the city of Richmond.
“SkyTrain, in particular, was constructed for the World Expo here in 1986, so we’re talking essentially eight years before the internet went public. This system was never designed with security in mind. Looking at these types of systems that employ PCL and RTUs that get used are human-built devices that ultimately have flaws,” he explains. “Siemens released a vulnerability report regarding their PLCs in July of this year describing some of the vulnerabilities and the breakdowns in relation to things like potential Denial of Service (DoS) attacks on things like the S7400 Programmable Logic Chip.”
Engelbrecht says it is most interesting to see the list of verticals today that are using that particular chip: automotive, mechanical equipment manufacturers, warehousing facilities, steel industry, power generation, paper mills and wood producers, pharmaceuticals, the chemical industry and the food and beverage industry.
“They are pretty much ubiquitous. So if you look at a Denial of Service (DoS) attack on a train system, it could be vulnerable from the smallest chip, which could result in denying personnel the ability to control the train itself. Our SkyTrain system here is mostly semi-autonomous, so if the controllers get locked out of the navigation system you better hope they have a fail-safe, which I imagine they do,” he says, hinting that rail security doesn’t share that fact with the general public. “If you don’t have a way to shut your trains down you are at the mercy of someone who has the controls and if they are a terrorist organization, there is the potential for a lot of damage and loss of life in these public transportation systems.”
Cyber Attacks on Track
The APTA report also stated that cyber attacks may exploit and target specific system layers within the transit agency, including but not limited to the following:
- Operational systems: These systems integrate supervisory control and data acquisition (SCADA), original equipment manufacturer (OEM) and other critical component technologies responsible for the control, movement and monitoring of transportation equipment and services (i.e., train, track and signal control). Often such systems are interrelated to multimodal systems such as buses, ferries and metro modes.
- Enterprise information systems: This describes the transit agency’s information system, which consists of integrated layers of the operating system, applications system and business system. Holistically, enterprise information systems encompass the entire range of internal and external information exchange and management.
- Subscribed systems: These consist of “managed” systems outside the transportation agency. Such systems may include Internet service providers (ISPs), hosted networks, the agency website, data storage, cloud services, etc.
The IBM X-Force report highlighted the techniques adopted by attackers and noted that DoS attacks and malicious attachments and links accounted for over 44 percent of the attacks targeting organization in the mass transportation sector between March 1, 2015, and May 15, 2016. The research said the practice of extortion is very common using the threat of DoS attacks and to a lesser extent ransomware.
Engelbrecht agrees with the findings, stressing that DoS attacks aren’t the most sophisticated of attacks but perhaps the most high profile. He says that a lot of juvenile hackers or amateur hackers trying to make a reputation gravitate to DoS attacks in the hopes they will make enough of a name for themselves to be afforded entry into some of the Dark Web sections of the net.
“Oftentimes, before a hacker is allowed into this world, he needs to prove his abilities and a DoS attack is very public and visual in nature. It can put them on the map,” he relates, citing one such attack that occurred in Dallas this past spring when the city’s emergency warning systems were breached as a hacker took control of the frequency and transmitted the tones that turned on all 156 sirens across the city. The sirens were first heard at about 11:45 p.m. and sounded on and off intermittently for almost two hours. The city has spent more than $100,000 to upgrade the system’s security since. “This was not an attack on a train or a bus, but it demonstrates these DoS attacks are the easiest and most prevalent and will continue to happen. The incident in Dallas was a juvenile hacker out of the U.K. that turned on the fire alarms. It was a pretty unsophisticated attack and was a Denial of Service attack of sorts, but this is the kind of event we will probably see more of in the public transportation space because it is so potentially disruptive.”
Targets That Attract
The bottom line in any attack still remains motivation. If terrorists can carry out a combined cyber-attack where they can gain financial reward and create physical mayhem at the same time then that is a win-win. Cybercriminals are going to go after the most attractive targets.
“So getting back to the 27,000 autonomous Uber cars, they are going to be housing a lot of valuable data; they are going to be interconnected to the central systems providing a potential gateway to hack into data that houses people’s credit card information and loyalty accounts. Those are really attractive targets especially if they can be accessed remotely through these types of systems,” Engelbrecht explains. “This is an entirely different attack vector. Once you start deploying these types of remote systems like autonomous cars into the mix the attack surface grows as do the vulnerabilities.”
But as Engelbrecht speculates on the risks to the Uber autonomous fleet and what some people are still viewing as science fiction, he is extremely adamant regarding the ubiquitous train and its known susceptibilities.
“Personally I think rail systems are the most vulnerable. While there have been some fairly public reports of intrusions to onboard systems on airlines, they are stepping up and taking these threats seriously and putting safeguards in place,” he says. “Rail systems are an entirely different story. You are dealing with a lot older technology, so my guess is that within the next two or three years you’re going to see a major U.S. rail system targeted. The next most attractive target will be autonomous vehicle fleets -- whether they are buses, trams or autos. It won’t be so much for creating mayhem like with the train system, but more for financial gain given the type of proprietary information that will be stored in the systems.”
About the Author:
Steve Lasky is the Editorial Director of SouthComm Security Media, which includes print publications Security Technology Executive, Security Dealer & Integrator, Locksmith Ledger Int’l and the world’s top security web portal SecurityInfoWatch.com. He is a 30-year veteran of the security industry and a 26-year member of ASIS. He can be contacted at [email protected]