(Center Identification Number: 71846-00)
Sean J. Barbeau, Ph.D.
Principal Mobile Software Architect for R&D
National Center for Transit Research (NCTR) at the
Center for Urban Transportation Research
University of South Florida
4202 E. Fowler Avenue, CUT 100
Tampa, FL 33620-5375
Phone number: 813-974-7208
Email address: email@example.com
Jay Ligatti, Ph.D.
Department of Computer Science & Engineering
4202 E. Fowler Avenue, ENB 118
Tampa, FL 33620
Phone number: 813-974-0908
Email address: firstname.lastname@example.org
Cybersecurity is a significant concern in all industries. Given the rapid adoption of technology in the area of automated and connected vehicles, transportation infrastructure is a particularly attractive target. The concern is so great that in 2013 the Florida Legislature requested the formation of the Florida Center for Cybersecurity, which named transportation as a key focus area. TCRP Web-Only Document 67 “Protection of Transportation Infrastructure from Cyber Attacks” says:
“The sheer numbers of suddenly visible, interconnected, increasingly vital cyber components now deployed in transportation system and transit operations have created enormous, underappreciated complexity and significantly greater vulnerability across the entire system… This situation is poorly understood by transportation system executives, program managers, employees, elected officials and regulators.”
Public transportation vehicles (e.g., buses) are perhaps the most-exposed component of transit infrastructure—they carry a large number of individuals that are continuously entering and exiting and contain a constantly increasing number of different technologies that can be leveraged as potential attack vectors. Technology on-board a typical transit vehicle includes publicly accessible Wi-Fi networks, traffic signal preemption equipment that can be used to change traffic light timings, wireless fare payment technology interfaces (Near Field Communication, Bluetooth, and barcode scanning), automatic passenger counting systems, and connectivity with dispatch/command and control systems via a wireless modem or dedicated short range communications (DSRC).
According to the American Public Transportation Association (APTA)’s SS-CCS-RP-001-10 Recommended Practice “Security Control and Communications Systems in Transit Environments”, history has shown that most transit agencies do not adequately address cybersecurity issues, despite the known risks.
The goal of this project is to improve the cybersecurity of public transportation systems in Florida.
More specifically, the objectives of the research project are to:
- Identify and mitigate transit cybersecurity liabilities
- Facilitate ongoing cybersecurity information exchange among Florida transit agencies, their vendors, and cybersecurity researchers
Project Kickoff Teleconference
The principal investigator will schedule a kickoff meeting that shall be held within the first 30 days of task work order execution. The kickoff meeting will consist of a webinar at least 30 minutes in length. The purpose of the meeting is to review the tasks, deliverables, deployment plan, timeline, and expected/anticipated project outcomes and their potential for implementation and benefits. The principal investigator shall prepare a presentation following the template provided at http://fdot.gov/research/Program_Information/Research.Performance/kickoff.meeting.pdf.
The project manager, principal investigator, and research performance coordinator shall attend. Other parties may be invited, if appropriate.
The project objectives will be accomplished through completion of the following tasks. As noted in the Deliverables Schedule section some tasks will run concurrently. All deliverables will be submitted to the Research Center at email@example.com.
Task 1: Literature Review
This task will review transit technologies, including equipment and protocols, for known vulnerabilities and defenses. The review will focus on technologies deployed at Florida transit agencies and will cover not only technologies currently deployed, but also those known to be considered for future deployment. Task 1 will also be informed by the survey performed in Task 2, which will run concurrently and collect transportation system deployment information from Florida transit agencies. Technologies of interest include fare payment (on-vehicle and mobile), onboard Wi-Fi, Automatic Passenger Counters (APC), Traffic Signal Preemption (TSP), autonomous and connected vehicles, and general information technology systems such as email (e.g., spear phishing attacks). The literature review will be used to identify the state of cybersecurity in the realm of public transportation.
Deliverable 1: Upon completion of Task 1, the university will submit to the Research Center at firstname.lastname@example.org a written literature review of transit technologies for known vulnerabilities and defenses
Task 2: Transit Agency Survey and Analysis
This task will contain three activities. The first is to create a survey, to be distributed to Florida transit agencies via the Transit Planning network, to collect information on security-relevant technologies (deployed and being considered for deployment), known and potential vulnerabilities, and cybersecurity concerns. The survey will be reviewed by the Project Manager prior to being distributed. The second activity is to find technical contacts at the transit agencies and send the survey to those contacts. The third activity is to collect and present the survey responses in a clear way, identifying any trends and commonalities.
Deliverable 2: Upon completion of Task 2, the university will submit to the Research Center at email@example.com a written report on results of the survey of Florida agencies
Task 3: Organize a Transit Cybersecurity Working Group
This task will organize at least 10 web meetings throughout the project for exchanging cybersecurity information, including concerns and mitigations, between various stakeholders in Florida’s transportation cybersecurity. These stakeholders are to include: Florida transit agencies, the Florida Center for Cybersecurity (FC2, http://thefc2.org/), and Florida cybersecurity researchers (e.g., university faculty).
This Transit Cybersecurity Working Group will provide infrastructure for being proactive and reactive to transit-cybersecurity threats. The group will be proactive in identifying new concerns and mitigations, and sharing this information with other stakeholders. The group will be reactive in considering existing and known vulnerabilities and best practices for preventing their exploit.
Deliverable 3: Upon completion of Task 3, the University will submit to the Research Center at firstname.lastname@example.org summaries of the Transit Cybersecurity Working Group web meetings, including, for each meeting, the date, attendees, agenda, and outcomes of any significant discussions.
Task 4: Create a Taxonomy of Technologies
This task will, based on the results of Tasks 1-3, create a taxonomy of transit technologies. The dimensions along which the transit technologies will be partitioned include:
- The extent to which the technology is deployed in Florida
- The mode of transportation for which the technology is used (for example, bus, rail, paratransit, or first/last mile)
- The technology’s functionality (for example, fare payment, onboard Wi-Fi, APC, TSP, or autonomous or connected vehicles),
- The organization(s) or individual(s) responsible for the technology, where “responsibility” may include owning, controlling, or maintaining the technology. Example organizations and individuals responsible for transit-connected technologies include:
- FDOT, City, and County agencies
- Private owners of mobile devices (which may affect agency-owned equipment)
- Private and public owners and operators of autonomous and connected vehicles
- Industry standards (from SAE, ISO, IEEE, or APTA)
- Liabilities, including the likelihood and severity of successful cyber-attacks and privacy violations. Liabilities include:
- Mobile fare payment apps with insecure transfers
- On-board Wi-Fi exposing data/identifiable information including MAC addresses and other data being accessed.
- Origin or destination information constructed from payments, sniffing on-board Wi-Fi packets, etc.
- Exposure to social engineering vulnerabilities (e.g., spear phishing emails, falsifying visually-validated fare passes, weak passwords)
This taxonomy will be used to focus our analyses on the most important—most widely deployed, critical, or highest-liability—technologies, and to ensure that our analyses have a broad coverage of transportation technologies. Information useful for quantifying the benefits and liabilities of the technologies under consideration will be included in the taxonomy (e.g., the cost of implementation vs. the cost of not doing anything).
Deliverable 4: Upon completion of Task 4, the University will submit to the Research Center at email@example.com taxonomy of transit technologies, vulnerabilities, and liabilities
Task 5: Organize and Host Technical Workshops
For this task the PIs will coordinate with several groups:
- The Florida Center for Cybersecurity (FC2, http://thefc2.org/), a statewide center aimed at improving the state’s cybersecurity posture
- USF Whitehatters Computer Security Club (WCSC, https://www.wcsc.usf.edu/), a group of students dedicated to hands-on exploration and remediation of cybersecurity vulnerabilities
- USF cybersecurity graduate students (e.g., working in the research lab of co-PI Jay Ligatti)
- Participating transit agencies (up to seven)
- Florida cybersecurity researchers (e.g., university faculty)
In coordination with these groups, the PIs will organize and host a minimum of three technical workshops aimed at identifying and evaluating potential vulnerabilities in transit technologies. In this way, this project will bring together the Florida Center for Cybersecurity, students of cybersecurity, cybersecurity researchers, and Florida transit agencies, to consider and evaluate the security of transit technologies.
There will be two types of workshops. The first type will focus on student involvement with hands-on sessions and exposure to transit technology. This will give students an opportunity to investigate vulnerabilities and mitigations in transit systems. The second type of workshop will focus on bringing together cybersecurity researchers and transit agency expertise to provide cybersecurity researchers an opportunity to review technical architectures and implementations of transit technologies, and to provide feedback on potential attacks and mitigations based on their specific areas of expertise. Both types of workshops will include participation from FC2 , cybersecurity graduate students, and transit agencies.
Up to 20 cybersecurity researchers/consultants will be selected by the PIs in coordination with the Project Manager to provide their technical expertise at the workshops. These researchers will be selected using the following criteria:
- Technical Expertise – Researchers will submit a CV describing their past research activities and areas of interest, highlighting any potential applicability to public transportation.
- Representation from multiple institutions – The PIs and PM will consider the institution to which each individual belongs to ensure sufficient representation from various organizations.
Up to $20,000 ($1000 for each consultant) will be provided to the cybersecurity researchers/consultants who attend and participate in a technical workshop in exchange for the following services provided at the workshop:
- Create a Powerpoint presentation on their research area of expertise and any applicability to public transportation, and present this information at the beginning of the workshop
- Create a written summary of a workshop session assigned to them by the PIs
- Present the summary of the assigned session at the end of the workshop
- Revise the summary of the assigned session based on feedback from other workshop attendees and submit this summary to the PIs
Upcoming Cybersecurity Events:
Friday, November 9, 2018
USF Kopp Engineering Building (ENG) Room 003
5:00pm – 7:00pm
Deliverable 5: Upon completion of Task 5, the University will submit to the Research Center at firstname.lastname@example.org summaries of the technical workshops, including, for each workshop, the date, attendees, agenda, and the outcomes of the workshop sessions.
Task 6: Draft Final and Closeout Teleconference
Deliverable 6A: Ninety (90) days prior to the end date of the task work order, the university will submit a draft final report to email@example.com
The draft final report will contain recommendations for reducing cybersecurity liabilities, including sample policies and processes for ongoing monitoring and improvement of transit cybersecurity. The report, and all deliverables for this project, will follow industry-standard responsible disclosure practices for any discovered vulnerabilities, including following the publication provision defined below.
The draft final and final reports will follow the Guidelines for University Presentation and Publication of Research available at http://www.fdot.gov/research/docs/T2/University.Guidelines.2016.pdf
The report will be well-written and edited for technical accuracy, grammar, clarity, organization, and format.
Deliverable 6B: Thirty (30) days prior to the end date of the task work order, the principal investigator will schedule a closeout teleconference. The principal investigator shall prepare a Powerpoint presentation following the template provided at http://www.fdot.gov/research/Program_Information/Research.Performance/closeout.meeting.reqs.pdf.
At a minimum, the principal investigator, project manager, and research performance coordinator shall attend. The purpose of the meeting is to review project performance, the deployment plan, and next steps.
Task 7: Final Report
The final report will take into account all of the feedback received for the draft final report.
Deliverable 7: Upon Department approval of the draft final report, the university will submit the Final Report in PDF and Word formats electronically to the Research Center at firstname.lastname@example.org. The Final Report is due by the end date of the task work order.