Transportation Cyber Security
Edward Fok
Federal Highway Administration – Resource Center
Operations Technical Service Team
August 13, 2015
• Age of the Dinosaurs – IR Signal Preemption Systems
• Age of the Dodo – Ethernet switches on broadband cable modem
• 2008 – West Coast Toll tag vulnerability discovered
• 2009 – Portable DMS Hack instruction online
• 2010 – Hardcoded backdoor in field hardened Ethernet switch
• 2010 – Unlimited Smart Parking Meters
• 2011 – T3 Webinar on Cyber Security
• 2011 – Transit system targeted by Hacktivist & PII released
• 2012 – Transit depot and transit vehicle control vulnerability discovered
• 2012 – Contactless Transit pass vulnerability discovered
• 2012 – Licensed public safety radio spectrum (4.9GHz)
• 2012 – Train ticketing Kiosk and control system (Foreign)
• 2012 – TRB Cyber Security Sub-committee formed
• 2013 – Perception of privacy breach (East Coast Toll Tag hacked)
• 2013 – ITE Journal article on Transportation Cyber Security
• 2014 – Cellular connected Center to Field Network
• 2014 – Wireless sensor interconnect
• 2014 – Vendor specific traffic signal features
• 2014 – Creation of FHWA Cyber Security Working Group
• 2015 – ITE Article on Traffic Management Center Cyber Security Issues
OMG HACKERS ARE EVERYWHERE!!!!
It’s Hopeless!
What are we trying to protect
• Safe surface operation
• Efficient surface mobility
• Reliable and trusted information to the public
EDGE DEVICES
Hacking the World’s Traffic Control System
Payment Card
Christchurch transport card
• Kiwicon7 – November, 2013
• http://youtu.be/gB3EcBp34Xc
MARTA Breeze Card – December 27, 2013
• https://www.myfoxatlanta.com
MiFare Ultralight cards continue to be a problem
Hacking Crowd Sourced Traffic Data
March 12, 2013 Blackhat EU – Messing with Google and Waze traffic information (bh-eu-13-floating-car-data-jeske-wp.pdf)
NSA Playbook
• Use radio waves to hack air gapped computer
• Hack computer using a fake wireless connection
• USB thumb drives to open a wireless connection
CONNECTING EDGE DEVICES – TO EVERYONE ELSE…
Field Networks
Wired – Copper, Fiber Optics
Wireless
• Leased – Cellular
• Owned – APCO P25, 4.9GHz, DSRC
Topology
SUN_HACKER
Dynamic Message Sign Hack
Multiple States – at least 4 confirmed. There could be others
Attack took place over a 72 hour period (maximum)
Twitter Handle: SUN_HACKER
• Claimed credit on both DMS sign and on Twitter
• Twitter account originated from the Middle East
• User name is an experienced Group 1 attacker
Automated Attack Tool may be involved
First publicized foreign hack into domestic transportation system
Green Lights Forever
Graduate school class project partnered with Public Agency
Published in USENIX Technical Proceeding – this is a penetration test
• Exploited vulnerabilities with Center to Field systems
• Demonstrated remote control of signal controller
• Unable to produce “Bruce Willis” or “The Italian Job” effect – specifically confirmed effectiveness of Conflict Monitor
Mass media did not read the paper – the world did not end
PSA – ABOUT THEM PASSWORD…
PIN numbers

PIN length     PSWD          %
5 (9.21%)      12345         22.80%
               11111         4.48%
               55555         1.77%
6 (17.78%)     123456        11.68%
               123123        1.37%
               111111        1.30%
7 (7.28%)      1234567       3.44%
               7777777       1.72%
               1111111       0.64%
8 (11.26%)     12345678      11.83%
               11111111      1.33%
               88888888      0.96%
9 (2.95%)      123456789     35.26%
               987654321     3.66%
               123123123     1.59%
10 (1.52%)     1234567890    20.43%
               0123456789    2.32%
               0987654321    2.27%

http://www.datagenetics.com/blog/september32012/
Source: Trustwave 2013 Global Security Report
Back office/traffic management center… The chewy center of the whole network…
[Diagram: Transportation Management Center network. Labels: General Office, Office Administrative Network, Internal Network, Contractor, Wireless Peripherals, Smartphones/PMP/USB Drives, USB Charging Cable, Application Servers, Backup, Storage Array, ATIS/511, Data Servers, DMS Sign, Traffic Signals, The Internet]
[Diagram: Transportation Management Center network with numbered callouts 1 to 4 and added labels DMZ, Intrusion Detection System, Encrypted Connection, Data Diode. Other labels: General Office, Office Administrative Network, Internal Network, Contractor, Wireless Peripherals, Peripherals, Application Servers, Backup, Storage Array, ATIS/511, Data Servers, DMS Sign, Traffic Signals, The Internet]
So you engineered a “Perfect System”
Social Engineering
• Hacking the human
• Example – DEFCON 21 Social Engineering Capture The Flag:
  • Physical Logistics
  • Contractor information
  • Staff schedules
  • IT Equipment and software inventory
  • Helped to circumvent security to visit rogue website.
  • Obtained name of real company executive
  • All of this in about 10 minutes…
Evil…
The Future…
Connected Vehicles
“Look Mom No Hands” – hacker…
Where to Get HELP!

Multi-State Information Sharing & Analysis Center (MS-ISAC)
http://msisac.cisecurity.org

Computer Emergency Response Team (CERT)
http://www.cert.org
• Document: Roadmap to Secure Control Systems in the Transportation Sector
• Very good source on Insider Threat and Prevention

Microsoft Technet

ISO/IEC 27000

Information Security Forum “Standard of Good Practice”

Industrial Control System-CERT Self Assessment
http://ics-cert.us-cert.gov/Assessments

National Institute of Standards and Technology
http://csrc.nist.gov/index.html

SANS Institute
http://www.sans.org
http://ics.sans.org

National Vulnerability Database
http://nvd.nist.gov

AntiVirus
http://av-comparatives.org/
EICAR virus scanner tester
2015 and still going strong!