Navigating the Road to Secure Intelligent Transportation Systems
Balancing Innovation with Protection in Connected Transportation
In my experience planning and implementing intelligent transportation systems (ITS), I quickly learned about the critical importance of cybersecurity in relation to Information Technology (IT) systems at the government level, particularly within municipalities. Initially, in the planning and development stages of our systems, we didn't give cybersecurity the attention it deserved. However, our IT experts quickly educated us and emphasized the significance of cybersecurity, highlighting standards, such as the Open Worldwide Application Security Project (OWASP), as a vital tool for independent third-party product assessments.
Imagine this scenario: you've just acquired a new traffic camera or a central system to manage your traffic signals. How can you be confident that this system is secure and can withstand potential threats from malicious actors like hackers, who could harm your infrastructure? Approximately five years ago, many of the vendors we worked with seemed less educated about the need for proactive cybersecurity practices.
This was especially pertinent as several municipalities in Ontario, in the region near to where I worked, suffered significant security breaches, resulting in multi-million-dollar damages and ransomware attacks. These incidents could have been avoided or mitigated with better security practices. Consequently, we collaborated with our procurement team to incorporate specific language into our Request for Tender (RFT) documentation to hold vendors accountable for independent third-party assessments of their hardware and firmware.
Initially, some vendors hesitated and did not appear to take that RFT requirement as strict. However, it soon became clear that we needed to enforce this requirement in cases where non-compliance was not being taken lightly. This expectation was communicated to bidders both during the procurement process and upon the tender's closure.
A typical process would likely involve engaging with vendors shortly after the tender closed and before the contract award to confirm their compliance with the requirements, as with any tender process. We evaluated their willingness to comply with the security requirements as outlined in the tender documents and specifications. Subsequently, we provided them with a security assessment form questionnaire to help identify potential risks to the owner agency and any known issues, especially related to security vulnerabilities. We also requested that vendors share any existing third-party verifications and assessments of their products. If they had not previously undergone a third-party assessment or had not done so recently, we would ensure that an assessment was undertaken and provided to us for review.
There are numerous reputable, independent third-party companies that offer assessments to municipalities and vendors, providing a risk profile of hardware and firmware within their infrastructure environments. These assessments help the owners and IT professionals to enhance security measures and mitigate potential risks. Reports from these third-party assessors categorize risks as low, medium, high, or critical based on set criteria, aiding owners in understanding the vendor's plan for improving their products.
However, identifying risks is just the beginning. For instance, in one specific incident, a critical vulnerability emerged in December 2021 (Apache Log4j vulnerability) that necessitated immediate contact with various product vendors to address the issue, seeking mitigation plans or patches as appropriate.
Even the process of upgrading firmware can be complex, as these versions are regularly updated with bug fixes and new features, akin to a game of "whack-a-mole" where one issue is resolved and a new feature added can inadvertently create other new issues. This isn't necessarily the fault of independent assessors or vendors but is the result of continuous product development and improvement in an ever-evolving technological landscape.
As an owner responsible for public safety, there's a duty of care to ensure that implemented products are kept up to date at a reasonable pace. One criticism from my experience is that the process tends to be slow. By the time approved firmware is ready for implementation, a new version is often available, posing challenges in maintaining up-to-date products without reckless and frequent updates.
Implementing new firmware across an entire city's field devices is not as simple as updating a personal laptop or a home network in a few minutes, particularly with potentially hundreds or even thousands of devices. This can be a substantial process lasting months that requires planning, roll-out, and cost.
It is also important to look at the systems as a whole, meaning undertaking holistic assessment practices that consider the entire transportation system's functionality, rather than focusing solely on individual hardware and firmware components. This approach provides insight into the overall health and risk of the entire system. System diagrams, best practices, and operational procedures can be developed to mitigate known risks and limit access to appropriate personnel who require such access to perform their daily tasks.
In May 2023, Transport Canada issued a Road Infrastructure Cyber Security Self-Assessment Tool to help road authorities better understand and enhance the resiliency of their systems against potential cyber threats. The tool provides a method to determine your current cyber security posture and determine your next steps.
While the cybersecurity assessment process remains challenging and somewhat slow, it's vital to strike a balance between adopting new features that benefit municipalities and the public and being diligent about risk management. Malicious actors, like hackers, can exploit network vulnerabilities, resulting in significant harm and costs. This area will remain crucial as we delve deeper into connected vehicle infrastructure and, eventually, as automated vehicles become more commonplace across our transportation systems.
What have your experiences been with cybersecurity practices - owner, vendor, IT? Do you have any success stories or cautionary tales about risk management and due diligence?