
                        Cybersecurity for traffic and transportation systems: What can we learn from NERC CIP and IMO?

                        Written by Mission Secure


                        From traffic operations centers and Advanced Traffic Management Systems (ATMS) to field signal cabinets and traffic control devices, transportation systems use digital and automated components to manage physical processes: the flow and control of traffic, vehicles, and pedestrians. These components present numerous vectors for cyber attack, against both the signaling systems and the networks and control systems that manage them. Developments such as intelligent transportation systems and autonomous vehicles exponentially magnify the threat landscape for the controlled, safe, and reliable operation of transportation systems.

                        Given the expanding opportunity for adversaries to inflict significant disruption, confusion, or damage, cybersecurity attacks directed at roadways and transportation networks will only intensify in both frequency and magnitude.

                        How do localities and governments secure transportation systems from cyber threats, and how do existing regulations and standards support or impede those efforts? Securing cyber-physical systems is a challenge not unique to the transportation industry, but one being dealt with throughout various sectors and governments at large. By analyzing multi-national, industry-specific regulations and standards, we can gain insights into the best strategy for building cybersecurity into transportation systems and ensuring their safe, controlled, and reliable operation.

                        In the United States, work has been undertaken by the American Public Transportation Association (APTA), National Highway Traffic Safety Administration (NHTSA), Transportation Research Board (TRB), the Transportation Systems Cybersecurity Framework (TSCF) partnership, and Department of Homeland Security on cybersecurity for transportation or specific parts of the transportation ecosystem (e.g., airports or public transit).

                        Cybersecurity efforts in other sectors, such as the maritime industry’s IMO cybersecurity standards or NERC CIP standards for power generation, transmission, and distribution, can provide additional data points on what works and what doesn’t in moving industry-wide cybersecurity efforts forward.

                        Lessons Learned: NERC CIP

                        The North American Electric Reliability Corporation Critical Infrastructure Protection standards (NERC CIP) represent a regulatory application with enforcement via external audits and fines through a governing body. Having existed for more than 15 years, NERC CIP also provides a lengthy history through which we can analyze successes as well as deficiencies.

                        Compliance is not security; reliability is the goal

                        One of the significant lessons learned from NERC CIP is that compliance with cybersecurity standards does not necessarily equate to stronger cybersecurity. In the earlier days of NERC CIP, many organizations focused their efforts on simply "checking the box" in the simplest way possible. Recent updates to the standards have attempted to move organizations towards consideration of real-world system security and reliability needs rather than just compliance.

                        The need to future-proof

                        Of particular interest to the transportation industry, the lack of future-proofing cybersecurity measures within NERC CIP is also a key lesson learned. Similar to the transportation and smart city industries, the power industry is also seeing a proliferation of new devices from microgrids and smart meters to the smart grid. These new technologies, while beneficial in many ways, expand the attack surface for adversaries and are not yet fully addressed by NERC CIP standards. Moreover, current practices do not embed cybersecurity within new devices or technologies, further amplifying the problem.

                        Lessons Learned: IMO Cyber Risk Management

                        International Maritime Organization (IMO) Resolution MSC.428(98) “encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems.” The IMO cyber risk management standards represent a new effort to address cybersecurity within the shipping industry, and to treat cybersecurity as a fundamental aspect of safety. Compared to the relatively mature NERC CIP, the IMO effort is in its very early stages, as organizations and the industry grapple with compliance by the first enforcement date without precedent on which to rely.

                        Lacking urgency

                        One of the common criticisms of the IMO cyber risk management approach is the lack of urgency given the maritime industry’s economic importance, the current state of cybersecurity within the industry, and today’s threat landscape. The maritime industry has a very low level of cybersecurity and of sophistication in cyber awareness, and the current IMO standards have little power to motivate operators to take meaningful action.

                        A heterogeneous industry with complicated challenges

                        Another criticism of the IMO standards is their failure to address the heterogeneity and complexity of the maritime industry. Realities of maritime operations, such as the frequency of crew changes and a heavy reliance on third-party service providers, make it difficult for operators to provide cybersecurity training and management in the same way as organizations in other industries.

                        The unpredictable life cycle of maritime assets is another key cybersecurity challenge. Maritime assets are typically designed with an operational life expectancy of over 25 years, may be repurposed several times, and represent highly dissimilar environments across the sector. Cybersecurity initiatives should address these industry-specific factors, rather than attempting to apply a broad set of requirements that may not be entirely applicable or relevant.

                        Resources, enforcement, and effectiveness

                        In addition to addressing the challenges mentioned above, an effective maritime cybersecurity program will require a long-term commitment and investment in resources, money, and time. In a price-competitive industry, resources and thin profit margins are always a concern and may present obstacles to adopting new technology. These concerns, paired with the current IMO regulations’ lack of enforceability, have greatly reduced the effectiveness of the initiative.

                        Best practices for securing surface transportation systems

                        NERC CIP and the IMO standards arguably exist on different ends of the spectrum regarding their approaches, nature, and stages. Comparing the two and their lessons learned provides several insights into how to build stronger cybersecurity into the transportation sector.

                        Cybersecurity and safety go hand-in-hand

                        In aligning cybersecurity and safety, the IMO cyber risk management regulations attempt to set up a robust framework through which to deal with various cyber risks as one would with safety risks. This method gives organizations greater control, the ability to address threats proactively (versus reactively), and the ability to evolve with new and emerging threats.

                        The transportation sector should also address cyber risk with the same mindset as safety. Cyber risk is an ongoing, evolving threat with just as dire consequences and potential viability repercussions as safety incidents. Moreover, in aligning the two risks, organizations may more easily address cybersecurity challenges such as creating a cybersecurity culture, increasing awareness, and deploying cyber risk training. In many ways, cybersecurity is the ‘safety’ of the 21st century.

                        Cyber resiliency is the goal. Protect where the impact matters most.

                        Resources, costs, heterogeneous systems and environments, inadequate protections, uncovered endpoints, and managing new or unknown cyber risks were all lessons learned or criticisms of NERC CIP and the IMO standards. Similar to the cybersecurity-safety alignment, a shift in perspective could enhance cyber risk protections today while overcoming these challenges; cyber resiliency should be the goal, and to that end, protections need to be installed where the impact matters, or hurts, the most.

                        Cyber visibility and protection need to focus on assets most critical to operations, typically those in the lower levels of the Purdue Reference Model. This “bottoms up” approach is a crucial paradigm shift from, but complementary to, traditional cybersecurity, which typically evolves from the corporate IT network down to the OT or control system levels, deploying barriers to keep adversaries at bay. Moreover, a “bottoms up” approach assumes that a determined adversary will get into a protected network, and, in that event, operator control and cyber resiliency of mission-critical assets is the last line of defense.

                        In leveraging a “bottoms up” approach, the transportation industry can prioritize resources, costs, and investments towards the assets critical to operational resiliency and control. Likewise, heterogeneous systems and environments can be simplified by focusing on the lower assets controlling physical processes. Managing new or unknown cyber risks can also be addressed by focusing on cyber and operational resiliency, knowing the processes at the lowest levels of an operation are being monitored and protected. Lastly, a “bottoms up” approach combined with traditional corporate IT cybersecurity will further expand coverage and limit the number of inadequacies in the cyber protections in place.

                        Conclusion

                        Various governmental bodies and industries continue to grapple with securing cyber-physical systems. With both digital and kinetic impacts, it is clear what is at stake for the transportation industry. Faced with mounting cyber threats and significant potential implications from a cyber attack, it is not a matter of if an attack will occur, but when. It’s a situation that can no longer be ignored, requiring an aggressive approach to remediate existing risks and protect the future of transportation.

                        With the promise of autonomous vehicles and more sophisticated smart cities, the implications for securing the assets where the impact matters most are clear. Therefore, while securing corporate IT networks and middle-tier enterprise systems, the transportation industry should take particular interest in establishing visibility, protection, and resiliency for the critical systems on which the industry relies for safe operations.

                        By leveraging the work and lessons learned from other multinational sector regulations, the transportation industry can make strides in its own regulatory or voluntary standards to ensure the safe, controlled, and reliable operation of traffic systems everywhere. 

                        Mission Secure is already working with many organizations at the federal, state, and local level to create the future of traffic and transportation cybersecurity. To learn more about how we can help your organization, explore our solutions for smart cities and transportation systems, or schedule a consultation today.

                         
