Article on potential attackers, common cyber-attack processes, and potential points of TMC vulnerability offers TMC managers and operators strategies to prepare for and respond to incidents.
In response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity, the U.S. Department of Transportation (USDOT) developed a Cyber Security Action Team to implement the Department’s Incident Response Capability Program. The team leveraged U.S. transportation system security threat and vulnerability assessments and research conducted by the Federal Highway Administration (FHWA) staff and offered insights in a series of articles on transportation security that began in the July 2013 ITE Journal and includes this article.
All networks can be breached and exploited, given enough time and resources. A TMC can make cyber-attacks harder by taking a "Defense in Depth" approach and interrupting as many of the attacker's steps as possible. The mitigation methods described below are based on Information Technology (IT) and e-commerce industry lessons learned, where losses frequently result in immediate and extensive economic losses with legal repercussions.
- Assess risk: Resources include the Industrial Control Systems Cyber Emergency Response Team's Cyber Security Evaluation Tool (CSET).
- Include TMC staff and staff from other departments in social engineering risk evaluation, and train TMC management and staff to identify and defend against social engineering.
- Implement network segmentation, proper firewall deployment, and best practices in edge device communication.
- Each agency should develop an IT and Information Security policy, which TMC operators should understand and follow.
- Each agency should have a visitor policy commensurate with the perceived risk of the transportation system, to prevent potential attackers from creating a new attack surface or breaching an "air gapped" network. A high-risk TMC could take additional steps, such as eliminating physical features that could hide a rogue device or designating a visitor-only area.
Disrupting Scans and Network Mapping:
- Implement an Intrusion Detection System (IDS) on the TMC internal network to detect abnormal behaviors from field devices and other network components.
- Consider using a honeypot to help trap intruders on the TMC's internal network and collect attack information for potential future prosecution against the attackers.
- Encrypt communication on the control network to make it more difficult for the attacker to understand the control system.
- Consult with the agency's legal department or Chief Information Security Officer (CISO) on legal repercussions, should an attacker illegally break encryption used on government systems.
- Breaking encryption may indicate Group 2 or 3 threat agent involvement.
Limiting the Effects of Exploitation and Locking the Gate:
- Realize an attack is happening: Maintain TMC operator and IT support team vigilance.
- Execute an existing and understood response plan.
- Monitor TMC data traffic between trusted partners to prevent operational partners from becoming a source of unprotected backdoor attacks into the TMC network.
- Limit data connections and connection types into the internal TMC network to those required to maintain TMC operations.
- Conduct and protect frequent backups of critical applications and databases.
- For systems such as traffic signal control, keep parameters on the local controller current to allow local control to take over if the TMC is compromised.
Defending Against DOS Attacks:
- Stop an attack at the Internet Service Provider (ISP) connection: DOS attacks typically come from the Internet.
- Most DOS attacks will target the ATIS/511 server. Consider moving the server into the network's Demilitarized Zone (DMZ), keeping it separated from the internal network with a backend firewall to prevent an attack on this server from affecting core function.
- Know Your Vulnerability: Use the CSET tool to understand the TMC's current vulnerabilities, and institute continuous evaluation and monitoring of the configuration and health of the TMC's IT infrastructure. If possible, review vulnerabilities when planning a new TMC.
- Understand Your Risk: TMC operators within a jurisdiction encompassing a national security facility may want to reach out to the facility to determine whether the TMC's risk exposures are elevated. TMC owners should determine the damage potential from a breach, considering potential immediacy and breadth of disruption and TMC complexity.
Have a Plan:
- Protecting a TMC's IT infrastructure deserves the same planning as addressing operational issues. Planning will take time and help from the IT support group.
- Planning resources include The Roadmap to Secure Control Systems in the Transportation Sector, which was created to help agencies develop and sustain a plan, and resources from the IT industry.
- Include in the plan a procedure for managing vulnerabilities discovered by "white hat hackers." Hackers could report a vulnerability to the TMC and claim credit for discovery after you fix it, disclose the vulnerability widely and immediately, or sell it to a Group 2 or 3 threat agent.
- Ensure the TMC and IT teams know how to execute the plan.