The Department of Homeland Security identifies 16 sectors of Critical Infrastructure in the United States. These areas “are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
The sector that will be highlighted in this article is the Transportation Systems Sector. This sector is extensive; it includes aviation, maritime, highway and motor carriers, passenger and freight rail, pipelines, postal services, and more.
Not only is it essential to ensure these transportation systems function the way they should, but it is also imperative to protect them.
A Need For Standards
In a race to become more efficient, technology has been integrated quickly with things that previously had no stake in that area. Transportation is undoubtedly one of these areas. The problem is, efficiency does not equal security. It can if there is careful planning and forethought. However, new implementations can likely create attack surfaces we have never seen before. This quote captures it well: “technologies are providing new communication channels that can be exploited. What was once a playground has become a Disneyland for attackers with several software-driven systems that can be hacked.”
The transportation landscape needs to account for these changes by adopting industry-wide security standards. It may be too broad to make a standard that covers all vehicles generally. Although, there is still value in a standard that has general guidelines for all vehicles and groups. CISA currently has the Transportation Systems Sector Cybersecurity Framework Implementation Guide as a framework matching that definition.
A practical method would be to create standards for different kinds of vehicle types. These standards can be more specific and account for unique technologies that may not be shared among vehicles.
Current Standards With A Big Impact
ISO/SAE 21434 – This standard drills down on the life cycle of road vehicles. The different areas covered by this standard include risk assessment methods, cybersecurity management, continuous cybersecurity activities, and more. New features added into a road vehicle made the creation of this standard critical.
UNECE WP.29 regulation R155 for CSMS – This regulation is an essential piece of a secure connected world. It identifies 69 potential attack routes for 7 types of threats and vulnerabilities in vehicles. Fortunately, it doesn’t end there with 23 mitigation recommendations that can help steer us away from the potential risk.
Attacks in this domain are becoming more complex; these standards will help educate manufacturers and consumers. With more education and action, we can avoid attacks like the one in West Yorkshire. A group of car thieves used a key cloning device to steal the key fob information from a Mitsubishi Outlander, ultimately the car itself. The kicker is that they disguised the cloning device like an old Gameboy not to draw any suspicion and throw off the police. The cloned key fob looked normal to the car, and they were granted access to the vehicle as if they had the keys. This allowed them to steal over $245,000 worth of cars before they were apprehended.
While efforts are made to address these problems, there is still a significant gap in creating guidance for all areas of Transportation relative to cybersecurity.
More specific standards would likely produce more effective adoption of cyber hygiene practices and mitigation of growing threats to vehicles.