Cyber Safety Risk, Part 2: Planes, Trains and Automobiles
What is the cyber safety risk for transport sectors and what should be done about them?
Last time I explored the emerging safety risk to transport from cyber security breaches. I set out why the risks hypothesised in Hollywood disaster movies may well emerge as genuine threats.
In this second post I’ll be taking a deep dive into what these challenges mean for the safety of transport and what is being done about it.
Transport Cyber - The risks of transformation
COVID has had a brutal impact on all modes of transport and each is now locked in competition for survival. This competition will intensify as the world recovers and people are freed from lockdown in 2021. Each sector also has to meet the challenge of reducing carbon emissions and improving air quality. In this atmosphere competition will drive greater interconnection of technology and digitisation of transport assets. But this risks creating more and more cyber vulnerabilities that hostile actors can exploit. All in all, the transport sector is in danger of exposing an unprotected underbelly that is ripe for attack.
Are train, plane and bus crashes a threat?
It is a terrible cliché to quote Sun Tzu at every opportunity. But here I go anyway…
The supreme art of war is to subdue the enemy without fighting.
The US government has concluded that the SolarWinds attack is a Russian state action. It’s fairly clear that Russia’s intent isn’t to immediately start a military confrontation but rather to gather information and to create the credible threat of a cyber attack for political advantage.
Nevertheless, no one is ruling out the possibility of a major infrastructure attack. US cyber defence policy has for many years been based around the prevention of a sudden offensive leading to a realignment of power - a Cyber Pearl Harbor. It is sometimes said that there are easier ways to cause a train or airline crash than through complex cyber attacks. But the perpetrators of ‘simple sabotage’ can usually be tracked down, whilst definitively proving who undertook a digital attack can be much more difficult. The downing of Malaysia Airlines flight MH17 over Ukraine in 2014 was also attributed to the Russian state (by the Dutch-led investigation into it). This accident was caused by a surface-to-air missile, not a hack of its control systems. But from Russia’s denials we might infer that some nation states are not overly concerned about such terrible outcomes, as long as there is a plausible degree of deniability for them.
Transport sectors need to take seriously the risk that terrorists or state actors might seek to cause major fatal incidents. They need to do this to prevent a sudden attack that might occur in extreme circumstances, but also to take away any political threat.
Automotive
The cyber challenge for the automotive sector has long been recognised and it has experienced a number of high profile breaches. At the start of 2020 hackers shut down the German car parts company Gedia in a ‘massive cyber attack.’ There has also been high profile analysis of cyber safety vulnerabilities, in particular the demonstration that hackers could remotely control a Jeep Cherokee’s control systems. There are known vulnerabilities in in-car entertainment and keyless entry systems. Remote software updates are a great cause for concern too. I spoke about these topics recently with my colleague Dr Simon Parkinson, the Director of the Centre for Cyber Security at the University of Huddersfield:
The majority of the vulnerabilities involve third-party products where the vulnerability has come through the supply chain. However, there is still significant concern around the security of the internal vehicle network used for essential communication. If anyone can gain access here, they are effectively in a network where everything is assumed to be trusted.
But despite these vulnerabilities and the challenges that might arise in what is a de-centralised and highly commercial environment, it appears that in many ways the automotive sector is leading the way in its response. Simon notes that:
There has been a shift in best-practice and legislation, which has resulted in cyber security becoming a core activity within vehicle manufacturers. This has resulted in security requirements which are now forming part of supply chain contractual obligations. Security is now ‘by design’ rather than reactive. This is a fundamental step and it will result in the reduction and removal of the easy vulnerabilities.
This provides a model for other transport sectors to follow, both to minimise risks and ultimately to stay in business.
Aviation
Unlike the automotive sector, there are a small number of vendors of commercial aircraft - essentially Boeing and Airbus - and the level of commercial competition is in practice very different. Given this, it seems that regulators are leading the conversation on cyber security.
In 2018 Cathay Pacific experienced the largest breach of data the sector had seen. Some breaches indicate a threat to operational technology (OT) as well as data loss. A Vietnamese hacker stole “a significant amount of data” from Perth airport in 2017, including building schematics and details of physical security at airport buildings.
In addition to on-board ‘fly-by-wire’ software systems for flight control, modern commercial airplanes use highly connected avionics systems and networks to share critical data with air traffic controllers, maintenance crews and other airplanes. This critical data includes information for positioning, navigation and weather conditions. The US Government Accountability Office (GAO) recently published a review of the FAA’s oversight of avionics cyber security issues. It concluded that:
…the increasing connections between airplanes and other systems, combined with the evolving cyber threat landscape, could lead to increasing risks for future flight safety.
Recommendations were made for a wholesale strengthening of the FAA’s avionics cybersecurity oversight program. It is interesting to note that the report seems to focus less on the deeper supply chain. Elsewhere this is being considered. In Europe, EASA has recently bolstered certification requirements.
Rail
High profile threats to date in the rail industry have involved ransomware. The WannaCry cyber attacks in 2017 caused significant disruption to Deutsche Bahn and the German railway network. Ransomware attacks can test assumptions about the independence of IT and OT, in particular where data from the train is transferred to the office or depot, or where software is written to go back on the train. Vulnerabilities are increasing as railways evolve to use fully computerised on-board signalling systems and new rolling stock is built around centralised computers networked to on-board control units.
The UK rail industry seems to be gradually awakening to the risks and is due to reissue its national strategy soon. I’ve been trying to play my part in raising awareness with an article in the Q4 2020 issue of Rail Review and by undertaking a joint podcast with the Office of Rail and Road’s Deputy Chief Inspector Paul Appleton, for Rail Technology Magazine.
OT cyber security is still emerging as a distinct field. Certification requirements across Europe are immature: there are currently no legally binding cyber security authorisation requirements. Although cyber causes of safety incidents should in principle be caught by safety regulations, there isn’t sufficient awareness yet to rigorously enforce this in the supply chain. It is notable that this legislative gap has been spotted in aviation - an indicator that rail legislation needs to catch up quickly.
So where do we go from here?
The NIS directive and its equivalents require that those operating and maintaining critical infrastructure understand vulnerabilities, monitor them and manage significant breaches. We’re seeing investment in threat monitoring technologies in key transport sectors like aviation and rail. This is all essential stuff, but as any good health and safety professional knows, prevention is better than cure. The race to computerise is challenging key principles of safe system architecture and assurance, and it’s pretty clear that we need a concerted push on ‘design for security.’ This should include:
Quickly evolving regulations and standards so that they bite in the supply chain.
Educating those buying assets to specify systems whose underlying architectures are both safe and cyber secure.
Creating open, trusted mechanisms for sharing vulnerability information to all those who need to be aware.
Unfortunately, it’s major incidents that usually drive change. I hope that SolarWinds is the shot across the bows that we all need and that it doesn’t take a subsequent, more physically impactful incident to trigger a concerted response. In terms of raising awareness, a good start might be to share this article right now with someone you think might have an interest in the topic.
The hard work to address these risks will take time and effort from a wide range of people but I’m confident that the necessary progress will be made.
In the next issue…
These are topics that I’ll inevitably be returning to in Tech Safe Transport as the environment continues to evolve. But in the next issue I’ll be changing focus to safe automation and the increasing use of complex software. I’ll be looking in particular at the strategic learning from the Boeing 737 Max crashes and subsequent investigations. Please subscribe now so you don’t miss it…
Thanks for reading
I hope you enjoyed this edition of Tech Safe Transport. All views are my own and I reserve the right to change my opinion. If you have any thoughts or comments please feel free to send me a message on Twitter. Many thanks to FLY:D for the photograph. And finally, thanks again to my editor, Nicola Gray.