Cybersecurity and the Transportation Space

SUZANNE LIGHTMAN
SENIOR ADVISOR, INFORMATION SECURITY
NIST


Jun 25, 2020


Elements

Why Consider Cybersecurity?

The Risk Environment
◦ Places to Begin
◦ Progression of Attacks

Cybersecurity and Safety

Privacy

What Is the Industry Doing?

Beyond the Vehicle

Is There Help Available?

Questions?


Why Consider Cybersecurity?

“Most…devices that lack security by design simply pass the security responsibility to the consumer, thus, treating the customers as techno-crash test dummies.”

― James Scott, Senior Fellow, Institute for Critical Infrastructure Technology


The Risk Environment

Human stupidity is finite, but human maliciousness appears to be infinite


The Risk Environment Cont.

Large attack surface


The Risk Environment Cont.

Cybersecurity risks change constantly
◦ New vulnerabilities are uncovered
◦ New ways to exploit those vulnerabilities are developed


The Risk Environment Cont.

You can’t just make the vehicle and wave bye-bye
◦ Increased use of electronics to allow ADAS means more exposure
◦ Everything cyber needs updates!!!!!


Progression of Attacks

Proof of Concept by Sophisticated Adversary

Code Developed to Automate Attack

Everyone Can Use Attack


Where Do I Start Looking?

“I” in the metaphorical sense


Where Do I Start Looking?

Communication Channels
◦ You have to start with a way in
◦ Every channel is a way in and they all have to be considered
◦ It’s not what you think the channel is for, it’s what others can make it do


Where Do I Start Looking Cont.

Places where people interact with the vehicle
◦ People are easy to fool
◦ The worst attacks often depend on people being the weak link
  ◦ Target hack was traced to phishing
  ◦ Sony
  ◦ Thyssen-Krupp
◦ NEVER depend on people


Where Do I Start Looking Cont.

Where You Depend on Others


Cybersecurity and Safety

They are complementary
◦ They are NOT the same
◦ Cybersecurity can help protect safety measures
◦ Cybersecurity can also inhibit safety measures

Misunderstanding safety and understanding cybersecurity (or vice versa) can get you into a lot of trouble!


Cybersecurity and Safety Cont.

A cybersecurity issue can lead to a safety issue
◦ Exfiltration of proprietary data
  ◦ Might not be a problem for safety immediately
  ◦ Until they figure out how to leverage the information
◦ Malware is an example
  ◦ Depending on how it manifests
    ◦ Botnets – can affect safety communications by hogging bandwidth
    ◦ Ransomware – could affect operations in an unsafe manner


Privacy

Yes, I know you don’t want to hear about it

But you are going to have to

Because of
◦ Government regulation
◦ Problems with Data Sharing
  ◦ The Equifax issue
◦ People disabling safety features because of perceived (or real) privacy threats
  ◦ V2V
  ◦ Black boxes


What Is the Industry Doing?

The vehicle manufacturing industry is very concerned
◦ They have liability
◦ It is part of the safety culture

Actions
◦ SAE – SDO – J3061 guidance on cybersecurity
◦ JWG – ISO/SAE – 21434 – standard on developing and maintaining cybersecurity in vehicles


Beyond the Vehicle

Everyone always wants to talk about autonomous vehicles


But What About the Infrastructure?

True autonomous vehicles will need infrastructure…

And that infrastructure will depend on cybersecurity


Rising Interest in Infrastructure

As autonomous vehicles come closer to reality, interest in infrastructure hacks rises.

Attack against SF light rail system

Researchers use ghost messages to cause traffic jam

Researchers able to trick “smart” traffic lights


Issues to Consider for Infrastructure Owners

1. Lack of knowledge

2. Lack of resources

3. Lack of awareness


Ok, Now You Are Scared

What can I do? Who will save us?


Is There Help Available?

NIST (well, duh)
◦ NISTIR 8062 Privacy Engineering
  ◦ Places privacy in a risk management framework
  ◦ So you can think of business objectives and risks
  ◦ Introduces privacy objectives that can be used in evaluating systems
    ◦ Predictability
    ◦ Manageability
    ◦ Disassociability
◦ NIST Cybersecurity Framework
  ◦ Provides a common language to discuss cybersecurity from executive to technical
  ◦ Helps everyone understand where you are and where you want to be
  ◦ Can be used to transfer expertise


Is There Help Available? Continued

◦ States with Experience
  ◦ Michigan
  ◦ California
  ◦ Wyoming
◦ Cities with experience
  ◦ Tampa
  ◦ New York City
  ◦ Los Angeles


Is There Help Available? Continued

SAE has several committees on cybersecurity
◦ The electrical systems committee
  ◦ Shares latest news and information
  ◦ Good place to keep up to date
◦ The cybersecurity committee
  ◦ SAE side of the JWG

UNECE has a working group that is looking at concerns from a regulatory perspective (very EU focused)


Questions?