Security in Intelligent Transport Systems: Why India should prioritize ITS?
Intelligent transport systems (ITS) promise to enhance the lives of people by improving road safety, reducing traffic congestion, enhancing mobility of people and goods, and bettering the environment.
By Kiran Zachariah
A typical ITS consists of connected or autonomous vehicles, roadside units, traffic flow sensors, payment kiosks or apps (for parking, e-tickets, etc.), traffic management hubs and traffic information systems that are all connected to each other.
While investments in public and private transportation systems have grown reasonably well in the last decade, the investments in cybersecurity measures have not increased proportionately. With cybersecurity being grouped with the lowest of investment and resource allocation priorities, hackers and groups with questionable intent have found an avenue to exploit. The result – global and frequent attacks on smart transportation infrastructure.
Vehicles (cars, trucks, buses, etc.) are fundamental units of transportation. They are also the targets of multi-pronged cyber-attacks by hackers. What makes these diverse modes of transit so attractive to hackers? Widespread disruption, scope for ransom payment by authorities or affected people, or simply the ease of attack. It is a well-known fact that in the developed world, some of the most critical infrastructure runs on outdated and degraded operating systems with plenty of unpatched vulnerabilities. Hackers and hacktivist groups have known this for a while now.
Two years ago, around the Thanksgiving holidays, the citizens of San Francisco were treated to free rides on their metro, fondly called “Muni”, because of a ransomware attack. The attack was perpetrated by exploiting known vulnerabilities in Muni’s systems. The total ransom demanded was 100 bitcoins (about $73,000 at that time), arguably a smaller price to pay as compared to the losses from not collecting fares on a busy holiday weekend.
Security researchers Charlie Miller and Chris Valasek demonstrated a method to take complete control of a car from miles away. They were able to send commands to the car’s entertainment system, dashboard functions, steering, brakes and transmission from almost across the country.
An ITS, with its diverse interconnected components, offers a very large attack surface for cybersecurity threats. Today we see attacks from opportunistic hackers, script kiddies and hacktivists, but rest assured it is only a matter of time before we see nation states and terrorists exploiting these vulnerabilities. The impact of an ITS cyberattack could be devastating because of its proximity to human life.
ITS elements today exist in deployed, experimental and lab trial stages. Autonomous driving and drones promise a marked improvement in quality of life. Developing a security posture that protects the infrastructure but is not so restrictive that it prevents adoption of future innovations is a key criterion.
All ITS control centers should be augmented with a cybersecurity platform that is essentially agentless and capable of continuously monitoring network traffic for threats across all subsystems of the deployment. Each subsystem should be hardened and have its own agent-based monitoring capable of reporting threats back to the control centers. Scenario planning, with backup strategies for different types of attacks and response plans for each of those scenarios, must be documented and periodically rehearsed. A combination of vulnerability assessment, hardening, patching and monitoring, dictated either through standards or regulations, should be used before new subsystems or technologies are added into an ITS.
ITS is a part of a nation’s critical infrastructure. While laws and regulations exist for how it is used, protected and governed from a physical perspective, very few exist for its cyber dimension. There are arguments that can be made against regulation, chief among them being the stifling of innovation in a nascent industry; however, the risks from impact to human capital are too large for meaningful regulation or standards to be ignored.
The writer is VP- IoT Business Solutions, Subex.