Date post: 19-Aug-2018
How to Avoid Repeating History in ITS Security
February 2016

Authors:
Michael Bertram, Atkins, 3570 Carmel Mountain Rd., Suite 300, San Diego, California 92130, 858-514-1015, [email protected]
Chris Waters, SC3, 11320 Random Hills Rd., Suite 525, Fairfax, VA 22030, 703-880-2333, [email protected]

Introduction

Intelligent transportation systems (ITS) need security. Although the media focuses on vehicle attacks such as the recent Chrysler/Jeep and Tesla vulnerabilities (1, 2), only some people realize the breadth of the infrastructure threat. Many product vendors and technical experts are paying attention to the security of individual products. This is a good start. However, our industry is clearly not yet mature on security matters. We may repeat errors made in information security on networks, servers and smartphones. Technologists must learn the lessons of recent years, in which organizations such as Target, Saudi Aramco and the US Office of Personnel Management (OPM) suffered abuse of trusted access leading to financial theft (3), massive data deletion (4) and sensitive information theft (5), respectively. Security is a systemic concern that involves not only what is seen (i.e., the product of concern such as a ‘smart’ vehicle), but also what is not seen: the people, processes and technology that permeate organizations.

This article describes mistakes made in cyber security’s brief history and offers guidance to those who deploy and protect ITS infrastructure on how to avoid repeating them.


Atkins Version 1.0 | November 16 2016 3

Background

Connected and autonomous vehicles offer great advantages over current vehicles but also pose risks to people and property. One terrorism analyst wrote on the threat of autonomous vehicles being used as improvised explosive devices (IEDs) (6). The Department of Homeland Security is leading efforts to secure government vehicles from many threats (7). In the Chrysler/Jeep attack (8), the attackers could search through lists of Internet-connected vehicles, then exploit them one at a time or rapidly through a proposed worm. Similar attacks are coming on ITS infrastructure, which will impact many people, their ability to use the transportation system and their vehicles, whether connected, autonomous or current human-driven vehicles.

Vehicle security is a high priority because the combination of the basic physics of a moving object and a hacker with malicious intent is a dangerous one. With the growth of vehicle-to-infrastructure (V2I) communications, there is some chance that an infrastructure attack may cause injuries or fatalities, though probably less chance than a direct vehicle attack. Infrastructure threats must still be faced. A cyber attack may be over in seconds or minutes, before an incident response team of people can react. Some ITS experts understand this threat but others seem unaware. Infrastructure threats are not only local to one piece of equipment. They affect the whole network of interconnected vehicles and infrastructure equipment.

What is the Threat?

Hackers exploit a weak area in a network. Once inside the network, they seek out where they can have the largest impact for their motives (money, malice, competitive advantage, etc.). Penetration of one piece of ITS equipment is a notable threat but the ability to affect more than that equipment is much more significant, as demonstrated by a group of researchers studying a networked traffic signal system (9). Just as the threat to an individual user of information theft from a home computer or mobile device is small relative to the threats faced by large organizations, the threat to one vehicle or piece of equipment is small compared to the threats to a network’s key points. In some cases, ITS infrastructure is only an intermediate stop on the way to penetrating sensitive networks to which the infrastructure is connected (10).

Consider large data sources such as a repository in a public agency or a company that aggregates data. While state and local DOTs and motor vehicle departments likely realize this threat, private sector companies with access to sensitive data must recognize the risk of someone exploiting their access as one that will grow. From the huge number of security compromises in recent years, this paper focuses on three analogies that apply to the ITS world.

Abuse of Trusted Access

Target was compromised by hackers who broke into its point-of-sale (POS) terminals. The hackers took advantage of a third party who provided Target with heating and cooling services and had credentials to Target's POS terminals (11). Since then, many merchants including multiple grocery stores, hotel chains and home improvement stores have experienced POS compromises. ITS scenarios exist where the compromise of a third party's equipment can lead to compromise of the intended target. Imagine the following:

Scenario I

1. The attacker finds a piece of ITS equipment (e.g., a roadside control box, a traffic light or street camera attached to a wireless radio) which he suspects has network connectivity to a traffic management center (TMC). From the TMC’s viewpoint, the equipment is made by a third party.

2. The attacker exploits the third party equipment directly or exploits the equipment maker to find a way into the equipment.

3. The next stop for the attacker is the TMC. While a TMC probably has strong protections (firewalls, anti-malware, etc.) for desktops and servers directly connected to the Internet, the attacker circumvents this protection by using the equipment's connection to the TMC network, whether via the public Internet, an intranet or other private network.

Figure 1: Penetrating a Traffic Management Center

Scenario II

1. A vendor contracted to supply an ITS application system to a transportation agency or toll provider delivers and installs the pre-configured servers into the agency’s back office. Unbeknownst to the vendor, the servers had been attacked and compromised before delivery. This is not merely a theoretical attack (12). The vendor did not have a robust and comprehensive information security program and was not able to detect the compromise.

2. Although the servers are installed into a unique security zone, the firewall rules are weakly implemented (inbound port filtering only). No IDS (intrusion detection system) protection or security logging is implemented for the new system by the agency because it was not a “critical” system.

3. The compromised system now communicates with the attackers' command and control (C&C) network and the attackers now have a foothold to further exploit the agency’s data center, putting critical systems at significant risk.


Figure 2: Penetrating a transportation agency or toll provider

Scenario II is close to the Target exploitation where attackers penetrate a subcontractor or company who provides service to a TMC or equipment vendor. Another area of concern is the compromise of an administrator-level account. Nation-states are alleged to target such users (13).

The consequences of this type of compromise are large, ranging from financial theft in Target’s case to an ITS company having its intellectual property stolen by foreign nation-state actors. Such events can harm a company’s brand reputation and the ability to sell equipment overseas.

Data Deletion

This threat can entail data loss or denial of service. Consider the following example of a future widespread data deletion threat. Here, the “business” (e.g., a TMC) and its “customers” (e.g., vehicle drivers) both experience problems. The scenario unfolds as follows:

Scenario III

1. An attacker breaches infrastructure (say a traffic signal radio) and takes advantage of the radio’s connection to the TMC system.

2. The attacker places bogus traffic data on road #1 that leads most autonomous vehicles in a certain area to take road #2 because it is supposedly faster than road #1. This creates gridlock on road #2 and the roads that feed into it.

3. At this point, the attacker has some alternatives:

   a. While many traffic light systems have a failsafe to prevent green lights in all directions, the attacker with TMC access can make all lights in the area flash red in all directions. (Similar activity occurred in 2006 (14).) If the attacker’s target area is near a freeway, the attacker could turn all ramp meter lights red. This compounds the gridlock in the area.

   b. If the attacker dislikes option a, he could block all traffic data from being sent to vehicles. This further affects the gridlocked area because newly-departing autonomous vehicles might try traveling through what their mapping software says is the shortest route by mileage in the absence of traffic data. Vehicles heading for that area have no indication of the traffic problem.


Vehicle gridlock temporarily threatens the ability of police, fire and ambulance services to respond to a life emergency. It also creates skepticism toward the traffic data provider and the local TMC. The data provider may suffer financial damage through the loss of future clients.

You might think this scenario sounds bad, but there are worse ones. In the Saudi Aramco hack, 35,000 computers were partially wiped or had their hard drives destroyed. Imagine if all TMC computers that house traffic data software have their disks wiped by malicious code. Much like the scenario in reference (14), a disgruntled current or former employee with a grudge against an ITS company or a TMC presents a well-known risk of this activity (15). The effects of such an event would be far-reaching, lasting for days or weeks. If a disruptive attack against the ITS infrastructure is launched, the effects are potentially dangerous. This kind of attack has been demonstrated against SCADA systems and may also be used to “brick” SCADA or ITS components in a transportation system causing havoc on the Right of Way (16). Pointing the attack at consumers and the consumer systems used to connect to vehicles is not a far jump. A consumer device or computer could potentially be “bricked” causing much frustration to the user and device maker.

Sensitive Information Theft

This threat is present in ITS today. Thankfully, there has not been a compromise of the scale of the OPM compromise, which affects millions of Americans. But hackers have found vulnerabilities in traffic light systems (9, 17) and license plate readers (17, 18). Personally identifiable information (PII) from more than 2000 customers was stolen from a San Francisco-area transit system and posted online in 2011 (19).

ITS managers are concerned about the “Italian Job” scenario, from the 2003 movie “The Italian Job” where hackers take over a TMC and a set of traffic lights for criminal gain. A criminal motive is only one reason to attack ITS infrastructure. Others might do it for:

• Terrorism
• Warfare (nation-states practicing warfare tactics against vulnerable systems or actually executing them, which happened in the 2007 Russia-Estonia cyber war (20)) and
• Financial gain as referenced above (19).

How Do We Fix It?

Experts who work in more developed cyber security areas (e.g., industrial control security, server and endpoint security) realize cyber security is an arms race that will not be “won” at least for several decades. Corporate leaders are realizing the threat and are beginning to act by increasing resources, as shown in a 2015 PWC survey (21). The current state of cyber security is such that the offensive capabilities of certain dedicated, international adversaries make it impossible to prevent compromise and theft without disconnecting from the Internet. However, a robust cyber security program implements strong security practices to manage the risk of network compromise and data theft. By doing so, average adversaries will be unable to achieve compromise/theft and many sophisticated adversaries will give up or go elsewhere to easier targets.


We are not the first to propose ways to address security problems (22, 23). To address the specific threats and vulnerabilities described above in a systemic manner, here are ten actions to follow:

1. Start with the basics. The CIS Critical Security Controls (24) explain the basics. Let’s consider two controls briefly. Control 4 is about continuous monitoring and internal and external assessments of your systems and networks. Control 11 includes examining the default settings that expose your data to the general public. Hackers have a field day exploiting default passwords and credentials (25, 26). Addressing these basic steps would have prevented the exposure described in (17). Implementing patch/update management and changing weak or default passwords are the most basic things you can do to protect ITS hardware and software. Continuous monitoring or even a basic internal and external assessment will uncover your network’s weaknesses in these areas.

2. Know and manage your information-system related risks. ITS vendors and the agencies which deploy ITS systems must implement information security risk management programs to effectively secure their ITS solutions. However, a one-size-fits-all, checklist or component-focused approach that does not identify and manage the risks in an organization’s environment will not lead that organization to adopt the information security management practices that are most effective for it. Just as every corporate environment is unique and every organization must tailor its security to suit its business needs and risk appetite, ITS vendors and agencies must do the same. NIST (27) states that, through an effective information security risk management program, senior leaders can make informed and business-focused decisions that address their unique organizational risks.

3. Identify and defend your intellectual property (IP). ITS vendors must protect their IP or risk loss of it to hackers, less-ethical competitors and aggressive nation-states who share it with their domestic companies. IP includes databases, software, designs, diagrams, etc. Data-loss prevention software, careful use of administrative privileges and detailed understanding of your organization’s cloud data storage are key parts of this defense. Protect your data while it is in transit. Use drive encryption software. Do not become a victim of physical data theft as others have (28). Understand the threats and risks to your data and your IP!

4. Use independent validation paths for information. Keep humans in the loop! In Scenario III, independent validation of traffic data through cameras would allow traffic management personnel to see a conflict between the traffic data and the facts on the roads. Separate your ITS gear in network segments and with firewalls. Isolate data feeds from each other as the data travels within your network.

5. Use Defense in Depth. Target learned this lesson: do not trust all paths into and out of your equipment. Instead use defense in depth. Do not design your networks in a way that allows a compromise in one piece of equipment to exploit that trust to abuse other parts of the network. Use firewalls at your network management center to limit the functionality of fielded ITS equipment. Do not allow the equipment to make connections to arbitrary machines in the management center. Assume your ITS equipment is going to be hacked, whether by an outsider or malicious insider! Force an attacker to conduct a new exploit when trying to move through your network, rather than finding just one vulnerability and having access to everything.

6. Employ IDS/IPS. For organizations with PII or other sensitive data, intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be expensive but are necessary. Keep them up to date. Hire experienced personnel in your IT department or work with experienced contractors to operate them. While not a magic bullet, developments in machine learning will lead to IDS/IPS potentially being able to block cyber attacks described in this paper. To minimize the risk of a compromise described in Scenario I, set a TMC’s IDS/IPS to look for unusual connections from ITS equipment.

7. Deploy physical security measures. Do not place only a $5 lock on $10,000 worth of equipment that any person can walk up to on the roadside. Invest in high-tech locks, alarms, cameras and motion sensors that notify security personnel immediately of suspicious activity. Understand the physical security that your ITS equipment needs in the risk assessment that you do in action 2.

8. Protect wireless features. Wireless offers tremendous convenience and is the future of ITS. But wireless access allows hackers to threaten your network from a distance. Does your network have equipment that employs Wi-Fi Protected Access II (WPA2) with pre-shared encryption keys? If so, make them long enough and manage them securely. Are you using Wi-Fi Protected Setup (WPS)? If so, watch for well-known vulnerabilities (29, 30). This article does not aim to single out WPS specifically but uses it as an example of vulnerabilities in wireless usage.


9. Develop business continuity and disaster recovery plans. These are vital to a TMC or transportation system. While most ITS-related organizations have these plans on the shelf, review them regularly to address rapidly-changing networks and ITS equipment. Having an incident response plan that is written down and tested is a must so you can put it into use when a hacker strikes.

10. Participate in information sharing with private groups, law enforcement and computer emergency response teams. ITS organizations that are public agencies have an advantage here. But even a small vendor or firm can connect with an organization such as Infragard and the Multi-State Information Sharing & Analysis Center (MS-ISAC) and the industrial control systems (ICS) organizations such as the Cyber Emergency Response Team (ICS-CERT) or the ICS Joint Working Group (ICSJWG). Reference (22) offers a thorough review of the benefits of engagement with these organizations. Build a relationship with them and with local, state and federal law enforcement if you have the resources to do it. Information sharing will open the eyes of your leaders and executives to current threats and keep you apprised of new ones as they emerge.
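The checks that actions 5 and 6 call for, and that were absent in Scenario II where only inbound ports were filtered, can be written as an allowlist applied to flow records. The following is an added example, not code from the paper; the address plan, the allowed services, the flow-record format and the fan-out threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Hypothetical addressing plan and policy (assumptions for this example only).
FIELD = ipaddress.ip_network("10.20.0.0/16")        # roadside controllers, radios, cameras
VENDOR_ZONE = ipaddress.ip_network("10.50.8.0/24")  # vendor-delivered application servers
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # everything the agency owns

# Source zone -> the only (destination host, protocol, port) tuples it may reach.
POLICY = {
    FIELD: {("10.10.5.10", "tcp", 443), ("10.10.5.20", "udp", 514)},
    VENDOR_ZONE: {("10.10.7.30", "tcp", 5432), ("10.10.9.5", "tcp", 3128)},
}
FANOUT_LIMIT = 3  # distinct non-allowlisted internal hosts before a source counts as sweeping

# Constructed flow records: time,source,destination,destination port,protocol
SAMPLE_FLOWS = """\
2016-02-01T03:14:02Z,10.20.3.17,10.10.5.10,443,tcp
2016-02-01T03:14:05Z,10.20.3.17,10.10.5.20,514,udp
2016-02-01T03:15:40Z,10.20.3.17,10.10.1.21,445,tcp
2016-02-01T03:15:41Z,10.20.3.17,10.10.1.22,445,tcp
2016-02-01T03:15:42Z,10.20.3.17,10.10.1.23,3389,tcp
2016-02-01T03:20:00Z,10.50.8.12,10.10.7.30,5432,tcp
2016-02-01T03:21:10Z,10.50.8.12,203.0.113.77,443,tcp
2016-02-01T03:22:00Z,10.10.4.4,10.10.5.10,443,tcp
not,a,flow
"""


def parse_flows(text):
    """Return (flows, rejected_lines); malformed records are reported, not dropped."""
    flows, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ts, src, dst, port, proto = (p.strip() for p in line.split(","))
            flows.append({
                "ts": ts,
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "port": int(port),
                "proto": proto.lower(),
            })
        except ValueError:  # wrong field count, bad address or bad port
            rejected.append(line)
    return flows, rejected


def source_zone(addr):
    """Return the monitored zone that contains addr, or None."""
    for zone in POLICY:
        if addr in zone:
            return zone
    return None


def audit(flows):
    """Return (findings, sweeping_sources) for flows the policy does not allow."""
    findings = []
    touched = defaultdict(set)  # source -> non-allowlisted internal hosts it reached
    for f in flows:
        zone = source_zone(f["src"])
        if zone is None:
            continue  # not field gear or a vendor server; out of scope here
        if (str(f["dst"]), f["proto"], f["port"]) in POLICY[zone]:
            continue
        if f["dst"] in INTERNAL:
            kind = "lateral"  # equipment reaching an arbitrary internal machine
            touched[f["src"]].add(f["dst"])
        else:
            kind = "egress"   # outbound connection that inbound-only filtering misses
        findings.append({"kind": kind, "src": str(f["src"]), "dst": str(f["dst"]),
                         "port": f["port"], "ts": f["ts"]})
    sweeps = sorted(str(s) for s, hosts in touched.items() if len(hosts) >= FANOUT_LIMIT)
    return findings, sweeps


if __name__ == "__main__":
    parsed, bad = parse_flows(SAMPLE_FLOWS)
    alerts, sweeping = audit(parsed)
    for a in alerts:
        print(a["ts"], a["kind"], a["src"], "->", a["dst"], a["port"])
    print("sweeping sources:", sweeping, "| rejected records:", len(bad))
```

The same allowlist belongs in the firewall between the field network, the vendor zone and the management center; running it over flow logs as well shows when a rule has been loosened or bypassed.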

This article covers only a portion of security threats from more mature industries that are present or looming in ITS. Distributed denial of service (DDoS), source code compromise and tampering/modifications (31), vendor backdoors (32) and social engineering/phishing are topics for future discussion.

Security features are not free but the return on investment is now often worth the cost compared with a compromise. ITS security need not follow the same pattern of compromises and attacks that its predecessor cyber security fields have.

Acknowledgments

Thank you to Ed Fok, FHWA, and Carlos Ortiz, Advantec Consulting Engineers, Inc. for security discussions.


References


(1) Chris Valasek and Charlie Miller. “Who’s Behind the Wheel? Exposing the Vulnerabilities and Risks of High Tech Vehicles”. http://icitech.org/wp-content/uploads/2015/09/ICIT-Brief_Whos-Behind-the-Wheel_Car-Hacking2.pdf. Accessed November 2015.

(2) Gina Hall. “Tesla issues software patch to guard against vehicle hack”. http://www.bizjournals.com/sanjose/news/2015/08/07/tesla-issues-software-patch-to-guard-against.html. Accessed November 2015.

(3) Brian Krebs. “Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen”. http://krebsonsecurity.com/2014/01/target-names-emails-phone-numbers-on-up-to-70-million-customers-stolen/. Accessed November 2015.

(4) Jose Pagliery. “The inside story of the biggest hack in history”. http://money.cnn.com/2015/08/05/technology/aramco-hack/. Accessed November 2015.

(5) Wikipedia. “Office of Personnel Management data breach”. https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach. Accessed November 2015.

(6) Jeffrey W. Lewis. “A Smart Bomb in Every Garage? Driverless Cars and the Future of Terrorist Attacks”. http://www.start.umd.edu/news/smart-bomb-every-garage-driverless-cars-and-future-terrorist-attacks. Accessed November 2015.

(7) Annual Computer Security Applications Conference 2015. “DHS Programs: Cybersecurity for Government Vehicles”. https://www.acsac.org/2015/openconf/modules/request.php?module=oc_program&action=page.php&id=75. Accessed January 2016.

(8) Valasek and Miller, pages 47-49.

(9) Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman. “Green Lights Forever: Analyzing the Security of Traffic Infrastructure”. https://jhalderm.com/pub/papers/traffic-woot14.pdf. Accessed January 2016.

(10) Eric Worrall. “Chinese Govt accused of hacking Australian Bureau of Meteorology”. http://wattsupwiththat.com/2015/12/03/chinese-govt-accused-of-hacking-australian-bureau-meteorology/. Accessed January 2016.

(11) Brian Krebs. “Target Hackers Broke in Via HVAC Company”. http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/. Accessed November 2015.

(12) Rationally Paranoid. http://www.rationallyparanoid.com/articles/malware-in-commercial-products-list.html. Accessed January 2016.

(13) Sean Gallagher. “NSA hacker in residence dishes on how to “hunt” system admins”. http://arstechnica.com/security/2014/03/nsa-hacker-in-residence-dishes-on-how-to-hunt-system-admins/. Accessed November 2015.

(14) Shelby Grad. “Engineers who hacked into L.A. traffic signal computer, jamming streets, sentenced”. http://latimesblogs.latimes.com/lanow/2009/12/engineers-who-hacked-in-la-traffic-signal-computers-jamming-traffic-sentenced.html. Accessed November 2015.


(15) Teri Robinson. “Disgruntled former employee pleads guitly (sic) to power supplies co. hack”. http://www.scmagazine.com/disgruntled-former-employee-pleads-guitly-to-power-supplies-co-hack/article/402473/. Accessed November 2015.

(16) IT News. “Hackers gain ‘full control’ of critical SCADA systems”. http://www.itnews.com.au/news/hackers-gain-full-control-of-critical-scada-systems-369200. Accessed January 2015.

(17) Sumeet Bhatia, Aadil Hussaini, Snehal Navalakha and Mo Zhou. “MIS 510: Cyber Analytics Project”. http://media.wix.com/ugd/53e79d_ed7432145d234e7dbdfec5f3390ff555.pdf. Pages 10-12. Accessed November 2015.

(18) Kenneth Lipp. “License to Connive: Boston Still Tracks Vehicles, Lies About It, and Leaves Sensitive Resident Data Exposed Online”. https://digboston.com/license-to-connive-boston-still-tracks-vehicles-lies-about-it-and-leaves-sensitive-resident-data-exposed-online/. Accessed November 2015.

(19) Edward Fok. “An Introduction to Cybersecurity Issues in Modern Transportation Systems”. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.377.199&rep=rep1&type=pdf. Accessed November 2015.

(20) Wikipedia. “2007 cyberattacks on Estonia”. https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia. Accessed November 2015.

(21) Price Waterhouse Coopers. “PwC 2015 US CEO Survey”. http://www.pwc.com/us/en/ceo-survey/secure-assets.html. Accessed November 2015.

(22) Edward Fok. “Protecting ITS Networks”. http://www.its-ny.org/pdf/Spotlight.pdf. Accessed January 2016.

(23) Steven H. Bayless, Sean Murphy and Anthony Shaw. “Cybersecurity and Dependable Transportation: System Assurance, Operations and Reactive Defense for Next Generation Vehicles and Intelligent Highway Infrastructure”. http://www.itsa.org/knowledgecenter/technology-assessment/cyber-security-and-dependable-transportation/1660. Accessed January 2016.

(24) SANS. “CIS Critical Security Controls”. https://www.sans.org/critical-security-controls. Accessed November 2015.

(25) Kelly Jackson Higgins. “Researchers Out Default Passwords Packaged With ICS/SCADA Wares”. http://www.darkreading.com/endpoint/researchers-out-default-passwords-packaged-with-ics-scada-wares/d/d-id/1323755. Accessed January 2016.

(26) Traffic Technology Today. “’Godzilla Attack’ Prompts DMS Recommendations”. http://www.traffictechnologytoday.com/news.php?NewsID=59883. Accessed January 2016.

(27) NIST. “NIST Special Publication 800-37rev1; Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf. Accessed December 2015.

(28) Matthew J. Schwartz. “Stolen NASA Laptop Had Unencrypted Employee Data”. http://www.darkreading.com/attacks-and-breaches/stolen-nasa-laptop-had-unencrypted-employee-data/d/d-id/1107402. Accessed November 2015.


(29) Chris Hoffman. “Wi-FI Protected Setup (WPS) is Insecure: Here’s Why You Should Disable It”. http://www.howtogeek.com/176124/wi-fi-protected-setup-wps-is-insecure-heres-why-you-should-disable-it. Accessed November 2015.

(30) Wikipedia. “Wi-Fi Protected Setup: Vulnerabilities”. https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup#Vulnerabilities. Accessed November 2015.

(31) Roger Grimes. “Protect your source code before it’s too late”. http://www.infoworld.com/article/2610857/security/protect-your-source-code-before-it-s-too-late.html. Accessed November 2015.

(32) Kim Zetter. “New Discovery Around Juniper Backdoor Raises More Questions About the Company”. http://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raises-more-questions-about-the-company/. Accessed January 2016.


© Atkins Ltd except where stated otherwise. The Atkins logo, ‘Carbon Critical Design’ and the strapline ‘Plan Design Enable’ are trademarks of Atkins Ltd.

