CVs Dramatically Expand ITS Threat Surface - Part 2
September 24, 2019

Steve Johnson

The implementation of connected vehicles has increased exponentially the possibility of unauthorized access to both ITS and IT networks. Agencies and related organizations that are deploying connected vehicle (CV) infrastructure face a multitude of new vulnerabilities. Here's HNTB's take on where those threats lie and how transportation agencies can begin addressing them.

Start with CVs Dramatically Expand ITS Threat Surface - Part 1

Security Standards Still in Development

It may be a while before we have national standards for CV cybersecurity. The only standard currently in place for CV is IEEE1609.2: The Standard for Wireless Access in Vehicular Environments — Security Services for Applications and Management Messages. SAE International has set standards for formatting and communications but has not addressed encryption, certification or validation. A large consortium made up of consultants, device manufacturers, original equipment manufacturers (OEMs) and others is working to develop a consensus on access security certificates for CV devices. This is currently coordinated by the US DOT, but we anticipate it will eventually evolve into an industry-managed national model funded through subscriptions based on the number of enrolled devices.

Cybersecurity Workforce

Exacerbating the threat to agencies deploying CV technology is the dearth of cybersecurity talent in the transportation sector. A large western DOT fell victim to ransomware and other prominent invasions have highlighted this vulnerability as well. HNTB has begun working with several DOTs to develop more robust cyber postures and is participating in U.S. DOT's professional capacity building program to jump-start the training aspect. But some agencies have been forced to partner with cybersecurity experts from other industries as there are few specifically focused on the transportation sector. More training and education solutions are needed to develop cybersecurity skillsets within the existing transportation workforce.

What Agencies Can Do in the Meantime

To get started on managing the risks surrounding your CV projects, we recommend using the Cybersecurity Framework (CSF), published by the National Institute of Standards and Technology. It helps you understand the threat surface, inventory your assets and assign a risk level to their loss — quantitatively and qualitatively. This exercise won't tell you how to solve those issues, but it will help you see the gaps you need to fill.

We also suggest joining an information sharing and analysis center (ISAC) network that allows members to share vulnerabilities and attack information to help one another learn and plan for similar possibilities.

ITS America and the Transportation Research Board are working on programs similar to an ISAC. Until one of those is available, you might want to join the Auto ISAC Community, which is the closest to the transportation sector. Auto ISAC also publishes the Automotive Cybersecurity Best Practices Guide, which is a great starting point.

Threats are real. Education and preparedness are vital. Ultimately, every transportation agency involved in ITS would be wise to learn more, assess potential weaknesses and take advantage of available cybersecurity expertise. Connected and automated vehicles will revolutionize transportation and improve safety and mobility for all, but we should be proactive in leveraging the experience of other sectors and national resources in ensuring cybersecurity.

Steve Johnson, CISSP, CVP, is Associate VP, Connected Vehicle Program Manager, at HNTB Corporation