Cybersecurity and Transit Industry
Vehicles are considered connected when they share data between servers, apps, and various vehicle components to enable telematics and smart mobility services. As the number of connected vehicles on the road increases, more cyber-related automotive vulnerabilities are anticipated. To limit the expected rise of cyberattacks against connected vehicles, governmental institutions and independent standardization bodies have made an effort not only to suggest but to demand more built-in cybersecurity measures from manufacturers, component and software suppliers, and mobility service providers.
There are five primary modes of vehicle connectivity:
Vehicles have been susceptible to cyberattacks since the introduction of the on-board diagnostics (OBD) port in the 1990s, as it provided access to the vehicle engine's management systems. Modern vehicles have several internal subsystems called electronic control units (ECUs), which are computers collecting data from sensors or attached buttons and switches. The ECU is driven by software that controls the functioning of the vehicle. The number of ECUs in vehicles has increased over time, with some vehicles having more than 100 ECUs. The protocols that provide connectivity between these ECUs include the controller area network and its flexible data-rate variant (CAN/CAN FD), Media Oriented System Transport (MOST), Local Interconnect Network (LIN), Ethernet, and FlexRay. These protocols were designed to be resistant to failures in harsh vehicle environments, but none of them has integrated security features such as data encryption or sender authentication.
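The last point above, that these bus protocols carry no sender authentication, is illustrated by this added example (not part of the original article): a receiver that trusts a frame on its identifier alone, next to one that checks a truncated HMAC and a freshness counter carried in a CAN FD payload. The key, the identifier 0x1A0, the field sizes and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed shared key (assumption)
SPEED_ID = 0x1A0               # hypothetical CAN identifier
CTR_LEN, TAG_LEN = 2, 4        # assumed freshness-counter and MAC sizes
MAX_FD_PAYLOAD = 64            # CAN FD data field limit in bytes


def plain_receiver(can_id, payload):
    """Unauthenticated bus: a frame is trusted on its identifier alone."""
    return payload if can_id == SPEED_ID else None


def _tag(can_id, data, counter):
    # Bind the MAC to identifier, counter and data, then truncate it.
    msg = struct.pack(">IH", can_id, counter) + data
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:TAG_LEN]


def protect(can_id, data, counter):
    """Sender side: payload = data | counter | truncated MAC."""
    if len(data) + CTR_LEN + TAG_LEN > MAX_FD_PAYLOAD:
        raise ValueError("data does not fit in one CAN FD frame")
    return data + struct.pack(">H", counter) + _tag(can_id, data, counter)


class AuthReceiver:
    """Receiver side: reject forged, altered or replayed frames."""

    def __init__(self):
        self.last_counter = {}  # can_id -> highest counter accepted

    def accept(self, can_id, payload):
        if len(payload) < CTR_LEN + TAG_LEN:
            return None
        data = payload[:-(CTR_LEN + TAG_LEN)]
        (counter,) = struct.unpack(">H", payload[-(CTR_LEN + TAG_LEN):-TAG_LEN])
        if not hmac.compare_digest(payload[-TAG_LEN:], _tag(can_id, data, counter)):
            return None  # sender does not hold the key, or frame was altered
        if counter <= self.last_counter.get(can_id, -1):
            return None  # stale counter: replay of an earlier frame
        self.last_counter[can_id] = counter
        return data
```

The 16-bit counter in this sketch wraps after 65,535 frames, so a real design also needs a rollover and key-management policy.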
Modern vehicles are more susceptible to cyberattacks because they are connected to a server, so attacks can be carried out remotely. In May 2020, the Texas Department of Transportation was hit with ransomware, followed by another attack in July 2020 against government transportation agency Trinity Metros. In February 2020, Tracker, a South African vehicle recovery company, was hacked with ransomware, disrupting access to its entire service and forcing the company to take its systems.
Autonomous vehicles are being developed with a vision of creating safe roads, but they also subject road users to new cyber threats and risks. Compromised vehicles are not like compromised data: they can lead to physical danger and massive disturbances on the road. In February 2020, hackers were able to manipulate a vehicle's camera system and speed up the vehicle by 50 mph. The typical attack surface of connected vehicles, such as wireless protocols, key fobs, and infotainment systems, is the most vulnerable. Other common wired and wireless interfaces, such as CAN FD, FlexRay, MOST, LIN, BroadR-Reach, Automotive Ethernet, NFC, Wi-Fi, Bluetooth, GSM/LTE/5G, C-V2X based on LTE, and ITS-G5 based on 802.11p, need to be secured by the manufacturer.
The most common attack vectors are server attacks, keyless entry systems, and mobile apps. External service providers such as telematics service providers (TSP) and fleet management systems (FMS) rely on software for tracking, maintenance, and communications, which makes them an alluring and particularly vulnerable target for attackers. FMS and TSP back-end servers often enable users to run, analyze and use vehicle-generated data, and in some cases, even control vehicle systems, significantly increasing the potential damage of an exploited vulnerability.
Firewalls and passwords are no longer enough to stop hackers, as demonstrated by the rising number of cyberattacks against the Transit industry. Connected vehicles are becoming more prevalent, leading to more opportunities for cybercriminals.
There are several new regulations in the automotive industry that recognize cybersecurity is vital for the safe use of connected vehicles. While there were several guidelines and best practices for the automotive industry, such as NHTSA’s “Cybersecurity Best Practices for Modern Vehicles” and Auto-ISAC’s “Automotive ISAC Best Practices”, the 2020 adoption of the UNECE WP.29 cybersecurity regulations and the ISO/SAE 21434 standard are evidence of cyber threats to the Transit and automotive industry in general.
WP.29 lists over sixty different attack paths and seven different cyber threat and vulnerability categories such as back-end servers, vehicle communication channels, vehicle update procedures, unintended human actions, external connectivity and connections, vehicle data/code, and potential vulnerabilities due to insufficient hardening. WP.29 includes detailed descriptions of threats related to vehicle communication channels such as:
Under these new regulations, vehicle manufacturers and OEMs will be held responsible for ensuring that cybersecurity best practices and adequate cyber-risk management practices are followed throughout vehicle development, production, and post-production, including the ability to implement over-the-air (OTA) software security fixes. Vehicle manufacturers and OEMs will need to prove that their cybersecurity management systems (CSMS) and processes effectively deal with the identification and remediation of threats throughout a vehicle’s lifecycle.
Manufacturers, OEMs, and suppliers of vehicle parts must use ISO/SAE 21434 as a baseline to ensure that cybersecurity risks are managed efficiently and effectively. The standard was specifically developed to ensure the safety and security of the road user and driver. ISO/SAE 21434 provides a standardized cybersecurity framework and establishes cybersecurity as an integral element of engineering throughout the lifecycle of a vehicle, from the conceptual phase through decommissioning. It ensures that cybersecurity is considered in post-production processes (software updates, service and maintenance, incident response, etc.), and calls for effective methods of lessons-learned training and communication related to automotive cybersecurity.
Legislative Affairs & Community Relations at Alameda-Contra Costa Transit District
2 years ago
Heads up: the IIJA creates a new $500M grant program that, "Provides funding to states, cities, and localities to pursue smart transportation projects that increase transportation efficiency and safety, and will advance connected vehicles, intelligent transportation systems integration, and support technological transportation advancements in communities nationwide." https://www.commerce.senate.gov/2021/11/historic-investments-to-rebuild-america-s-transportation-infrastructure-spur-economic-growth-are-on-the-way-as-iija-heads-to-president-s-desk