AASHTO Journal

Commerce Committee Hearing Explores Cybersecurity Vulnerabilities

As the number and strength of cyberattacks against U.S. infrastructure targets continue to increase, the Senate Commerce, Science, and Transportation Committee held a hearing to illuminate the possible defensive strategies a wide array of organizations – from private companies to state departments of transportation – can deploy to minimize or stop them entirely.

Donna Dodson, chief cybersecurity advisor and director of the national cybersecurity center of excellence for the National Institute of Standards and Technology or "NIST" within the U.S. Department of Commerce, stressed in her testimony that "weaknesses found in software, firmware, and hardware that, if exploited, can impact the confidentiality, integrity, or availability of information or information systems."

She noted that cybersecurity "vulnerabilities" can include manual configuration and operational mistakes, such as bad passwords; insider malfeasance; functional bugs; purposefully introduced malware; and general weaknesses in code.

"Different types of vulnerabilities—and depending on where the affected products are being used—will require different types of responses," Dodson stressed. "Given the complexities and broad use of these technologies, fundamental to NIST's approach towards vulnerabilities is the idea that – like risk – an organization can never fully eliminate vulnerabilities."

She added that the hardware and firmware components that make up computer platforms are critical parts of these systems and that their "secure and reliable operation" is necessary for defensible, resilient systems. 

"Those components are the platform on which the rest of the system will be built," Dodson noted. "Improving the security of these systems must start with their design. Security and resiliency should be integrated into architecture, design, and development of systems to reduce the risks of vulnerabilities and mitigate the impact of incidents that occur [and] NIST is developing guidelines on how to apply system security engineering and cyber resiliency principles, concepts, and activities into development processes."

Art Manion, vulnerability analysis technical manager for the Carnegie Mellon University Software Engineering Institute, stressed in his testimony that "we all depend on software and software-based systems. The devices we use to communicate and coordinate our lives, transport us from place to place, and keep us healthy include computers, network connections, and software."

As a result, he said, society has increased its dependence on software-based products and services that communicate both to each other and to the world at large.

"The drawback is our modern and connected products and services have vulnerabilities— weaknesses that can compromise the security of the system in unexpected and undesirable ways," Manion noted. "Vulnerabilities leave our devices and systems susceptible to attacks. Smart phones, ATMs [automatic teller machines], security cameras, cars, airplanes, and the like have become network-enabled software-dependent systems, making it nearly impossible to avoid participating in the world without the potential to be affected by cybersecurity vulnerabilities."

In order to maintain assurance in the systems and devices society uses daily, he explained, "We need clear public policy and socio-technical norms encouraging the discovery of vulnerabilities, notification of their existence, and cooperative defense in the form of repair or mitigation. Otherwise, adversaries can take advantage of vulnerabilities to achieve goals at odds with the creators and users of the systems we depend on."

Such concerns are echoed within a transportation cybersecurity study currently being conducted by the Center for Urban Transportation Research or "CUTR" at the University of South Florida.

Sean Barbeau, principal mobile software architect for research and development at the CUTR's National Center for Transit Research, noted in that study that "cybersecurity is a significant concern in all industries … and transportation infrastructure is a particularly attractive target."

He added that public transportation vehicles such as buses are "perhaps the most-exposed component of transit infrastructure; they carry a large number of individuals that are continuously entering and exiting and contain a constantly increasing number of different technologies that can be leveraged as potential attack vectors."

Barbeau pointed out that technology on-board a typical transit vehicle can include: publicly accessible Wi-Fi networks, traffic signal preemption equipment that can be used to change traffic light timings, wireless fare payment technology such as Bluetooth and barcode scanning, plus dispatch/command and control systems connected via a wireless modem or dedicated short range communications.

And the level of technology integrated into U.S. transportation systems as a whole is only going to increase, added Carlos Braceras, executive director of the Utah Department of Transportation.

"I would put operating the transportation system right at the top of the list of things that is changing today and probably going to change even faster in the future," Braceras noted during a video interview in late May at the American Association of State Highway and Transportation Officials spring meeting in Franklin, Tennessee.

"You start to couple that with what we're seeing with technology and with technology now getting into the cars, where they will be talking to our infrastructure," he said. "At the end of the day we are about moving people and goods and doing it in as safe as way as possible and it so important because our economy and our quality of life depend on how we do this."

Questions regarding this article may be directed to editor@aashtojournal.org.
