Security and Reliability of Current and Emergent Automated Transportation Networks

(A final report as part of a graduate seminar in Securities and Infrastructure at Georgia Tech)

Introduction

Automated transportation is at the cusp of a consumer paradigm shift. Over the past few decades, large-scale transportation networks have already made the jump towards automation – representative examples include subway systems and air transport. Over the next few decades, the current trajectory of innovation in this space ensures the same leap in small-scale transportation such as the trucking industry, consumer vehicles, and military and delivery drones. This paper presents a brief overview of such transportation networks and discusses the security and reliability issues inherent in current and emergent automated transportation networks.

Regarding security, I cover both current and emerging attacks against such transportation networks, and their impacts, where applicable, on the short- and long-term functionality of such critical infrastructures. The discussion on emergent attacks is necessarily speculative as such attacks, while demonstrated in research, have not yet been encountered in practice precisely because emergent transportation networks are as yet theoretical. Regarding reliability, I characterize the emergent networks on their probable rate of failure as well as possible mitigation approaches.

Forms of Automated Transport

Let us first cover the two classes of transportation networks to be discussed – current and emergent. The former includes subway systems and airplanes, and the occasional deployment of military drones, and the latter includes automated trucking, consumer vehicles, and large-scale drone networks for military and consumer applications.

Current Forms

Automated subway networks range from fully automated networks to partially automated networks. There are four classification schemes for automation [1]:

In air transport, the situation is somewhat more unified. Most modern large passenger airliners have near complete automation. While pilots are still present for take-off and landing, the aircraft handles flight, obstacle avoidance, path planning, and communications [2]. In addition, automation plays a role in airports as well, where scheduling algorithms and path planning approaches reduce system load and allow the infrastructure to function smoothly through crises and delays [3].

Emerging Forms

The success of Google’s self-driving platform, along with research vehicles from other automobile companies such as BMW, Toyota, Tesla, and Uber, suggests a major shift in consumer driving [4]. Self-driving cars allow for safer and faster road travel. In addition, self-driving consensus can reduce traffic congestion in conjunction with centralized management protocols.

Another emergent form is automated trucking, poised to overhaul the national transportation infrastructure. Trucking is a major component of land shipping and forms a core part of food transportation and food supply chain tracking. Tesla has recently proposed a major overhaul in the trucking industry, which seems probable given the numerous advantages self-driving vehicles seem to offer over human-directed vehicles, from constant operation without need for labor benefits to superhuman response times to reducing fuel costs by platooning.

Finally, drone networks are a recent area of research. Such networks can be used in various applications, including disaster monitoring [5], military operations, delivery, and construction [6]. While they do not constitute a critical infrastructure, it is possible for them to become more important in our society as their applications expand and their use cases increase. As such, this discussion is necessarily speculative; however, I believe it is warranted because some of the applications (e.g., military operations and disaster management) would be extremely useful [7].

Existing Attacks

I focus on two broad attack categorizations – attacks that have already taken place, and novel attack forms that have recently been discovered. This section covers prior attacks against modern transportation networks. For each case, I characterize the attack, discuss its impact and possible impacts in future cases, and outline possible mitigation strategies.

Lodz Derailments

In January 2008, a 14-year-old student, described by his teachers as an electronic ‘genius’, re-engineered the Lodz tram system and caused four derailments. 12 people were injured, though no one was killed [8]. The case itself is limited in scope. The tram system was a Grade 1 Automated system, i.e. extremely limited automation. The attack itself did not target any computer systems; instead the student used an infrared transmitter to change tracks, causing the accidents. This uncovers a potentially dangerous security flaw – unsecured embedded devices that are commonly used for mundane tasks, from rail switching to traffic light changes to timing trains. Such embedded devices are low-power systems with often insecure communication interfaces that perform raw data exchange [9]. As such, they are vulnerable to interception and live-tweaking. Further, updating such systems to secure standards is difficult, and in large networks, may be infeasible. By their low-level implementations, embedded devices are rarely connected to a network, run on mostly assembly code, and often do not have appropriate documentation.

While the Lodz derailments were small scale, they point to troubling future attacks. Due to the lax security around embedded devices, it is entirely possible for knowledgeable attackers to reprogram such a device, e.g. a rail switcher or a traffic light controller at a subway, to cause mass derailments or crashes. The lack of alarm systems and networked monitoring also means such attacks may remain undetected. A similar attack vector was discovered by Rich Smith from HP Systems Lab, who demonstrated using such insecure communications and hardware vulnerabilities to permanently damage embedded devices during firmware updates [10]. Stuxnet is an advanced form of such an attack – a hybrid vector that co-opted centralized command and control interfaces to reprogram embedded systems that controlled centrifuges. Possible mitigation strategies include maintaining historical code records, ensuring secure communications between embedded devices, and installing alarm systems and monitoring to ensure secure build sites.
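To make the "secure communications between embedded devices" mitigation concrete, the following added example (not part of the original report, and not code from any real tram system) contrasts a receiver that acts on raw frames with one that requires a keyed tag and a fresh counter, and counts rejected frames for monitoring. The frame layout, key, and class names are assumptions made for illustration.

```python
import hashlib, hmac, struct

KEY = b"constructed-demo-key-not-for-use"  # assumption: per-device key provisioned at install
TAG_LEN = 16                               # truncated HMAC-SHA256 tag to keep frames short

def make_frame(key, switch_id, position, counter):
    """Controller side: 1-byte switch id, 1-byte position, 4-byte counter, then the tag."""
    body = struct.pack(">BBI", switch_id, position, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class LegacySwitch:
    """Raw data exchange: any well-formed frame from any transmitter is acted on."""
    position = 0
    def receive(self, frame):
        _, self.position, _ = struct.unpack(">BBI", frame[:6])
        return True

class AuthenticatedSwitch:
    """Acts only on frames with a valid tag and a counter newer than the last accepted one."""
    def __init__(self, key, switch_id):
        self.key, self.switch_id = key, switch_id
        # last_counter must survive power cycles on a real device, or replays work after reboot
        self.position, self.last_counter, self.rejected = 0, 0, 0
    def receive(self, frame):
        if len(frame) != 6 + TAG_LEN:
            return self._reject()
        body, tag = frame[:6], frame[6:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return self._reject()
        switch_id, position, counter = struct.unpack(">BBI", body)
        if switch_id != self.switch_id or counter <= self.last_counter:
            return self._reject()                    # wrong device or replayed frame
        self.position, self.last_counter = position, counter
        return True
    def _reject(self):
        self.rejected += 1   # export this count: rejects are the alarm signal the text asks for
        return False

def demo():
    legacy, hardened = LegacySwitch(), AuthenticatedSwitch(KEY, switch_id=7)
    legit = make_frame(KEY, 7, 1, counter=1)
    forged = struct.pack(">BBI", 7, 0, 2) + bytes(TAG_LEN)  # constructed frame, built without the key
    return {"legacy_forged": legacy.receive(forged), "legit": hardened.receive(legit),
            "forged": hardened.receive(forged), "replay": hardened.receive(legit),
            "rejected": hardened.rejected, "position": hardened.position}
```

The legacy receiver accepts the forged frame, while the authenticated one accepts only the first legitimate frame and records two rejections (the forgery and the replay).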

Odessa (and other) Cyberattack

The Odessa Cyberattack was a major incident in October 2017 that affected the airport scheduling system and the subway system in Odessa, Ukraine [11]. During the attack, believed to be perpetrated by Russian agents, commuters could not enter the subway system or pay for rides. In addition, a ransomware attack crippled the airport scheduling and information system. While the airport was able to quickly deal with the issue, it did cause some delays. More recently, a cyber-attack against Hartsfield-Jackson Airport’s website forced the airport to take down its Wi-Fi network.

Airports are a vital component of international travel, and the escalating rate of cyberattacks against airports indicates a future where such attacks are more commonplace. The impact of such attacks can best be described by considering a similar event that grounded flights across a region – the Eyjafjallajökull eruption in Iceland grounded flights across Europe, with spotty travel for a month. A major cyberattack on a busy airport such as Heathrow would have similar impact – with flights stopped as the attack progressed. In addition, airports are already some of the most secure places. Cyberattacks against such locations, then, are sophisticated attacks that are perpetrated by nation-states – an example is the probable attack on Vietnamese airports by Chinese agents in 2017 that leaked the Vietnam Airlines’ customer database in retaliation for an arbitration against the Chinese claim on the South China Sea [12]. In such cases, mitigation goes beyond technical preparation and borders on diplomatic actions, such as international cooperative groups to combat cyberterrorism, information sharing to mitigate similar attacks, and open research to preempt novel attacks.

Emergent Attacks

I now cover emergent attacks that have recently been published for newer automated transportation networks and their subsystems. Since these attacks are necessarily state-of-the-art and tested in theoretical settings, their replicability is a matter of speculation. However, it is evident that as self-driving vehicles replace human-driven vehicles and as more and more transportation becomes automated, novel attack forms will be used by terrorists and hackers.

Pixel Attacks

A core mechanism in self-driving navigation is object and environment recognition and subsequent obstacle avoidance and understanding. This involves sophisticated vision systems that must detect human beings, other vehicles, and objects around the car and must also recognize traffic signs and lights to conform to traffic laws.

Such vision systems use image recognition algorithms to perform their tasks. Modern image recognition uses convolutional neural networks to get impressive results. State-of-the-art models developed by Google and Microsoft achieve better-than-human performance on object recognition and description [13]. The prevalence of data makes training and testing such models easier than in years past. Recent research has shown, however, that relatively simple attacks can easily fool such networks using single-pixel or patch attacks. Such attacks involve placing a visual artifact – usually a sticker or a patch – on an object. The patch can be designed such that the target platform – a vision system on a self-driving car, for example – will recognize the object as something else; a stop sign can be ‘patched’ to read as a green signal, and a speed limit sign can be ‘patched’ to read as a stop sign [14].

Consensus Attacks

Modern drone networks use consensus protocols to achieve cooperative communication and performance. Consensus protocols are a subset of communication protocols that are used in networked systems without a centralized control center. Such distributed systems require consensus to ensure a variety of requirements [15]:

- Drone-to-drone communication: without centralized control, drones must use analogues of parallel processing to communicate to arbitrary drones in a network. Consensus protocols provide a standard for communication that ensures source drones know when target drones have received such communication and/or acted on messages.
- Obstacle avoidance and environment mapping: With large networks, maintaining a complete map of the environment is infeasible on the onboard memory of such drones. As such, consensus can ensure drones maintain only the environment map they require and can exchange such maps when they move.
- Global distributed knowledge: Without centralized control, there may not be a knowledgebase to access. As such, this combines the above two tasks – knowledge can be distributed across the network and parallel communication paradigms ensure drones can query for knowledge across the consensus network.

Attacks against consensus networks take advantage of the consensus protocol limitations. The consensus protocols are necessary, as mentioned, because IoT networks operate on limited equipment. Each element in a drone network has access to small memory, limited power and computation ability, and a narrow range of communication choices. It becomes difficult then to ensure encrypted communication between drones as this would increase communication times – a difficult trade-off for a system where real-time communication is key – and require significant computation to perform the encryption itself.

Metadata exploitation is an older technique for hacking that has been adapted for modern communication. This approach makes use of communication metadata – for example source, target, message size, message time, and other informational content – to obtain compromising information [16]. Such attacks have already been performed against static networks – the Deep Panda attack on the Office of Personnel Management in the US leaked more than 20 million clearance forms used by the US government for international travel and for determining security clearance [17]. The forms’ metadata can enable demographic targeting, while insecure differential privacy can allow for individual identification. Attacks on consensus networks can use such techniques to exploit the unsecured communication between consensus drones – the metadata itself would be enough to identify information stores, for example, and track central nodes in a network.

A key approach to mitigation involves secure differential privacy – a set of techniques that attempt to minimize metadata exploitation by encrypting key features or datasets in a database.
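An operator can measure this exposure on their own network before deployment. The added example below (not part of the original report) audits constructed flow records that carry only metadata and reports which nodes stand out as information stores or central nodes. The `pad` step is a hypothetical countermeasure introduced here for comparison, not one proposed in the text, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records for a five-drone network: (time_s, src, dst, size_bytes).
# Payloads are assumed unreadable; only this metadata is visible to an observer.
FLOWS = [
    (0.0, "d1", "d3", 64), (0.4, "d2", "d3", 64), (0.5, "d3", "d1", 4096),
    (0.9, "d3", "d2", 4096), (1.2, "d4", "d3", 64), (1.6, "d3", "d4", 4096),
    (2.0, "d5", "d3", 64), (2.3, "d3", "d5", 4096), (2.8, "d1", "d2", 64),
    (3.1, "d4", "d5", 64),
]

def pad(flows, frame=4096):
    """Hypothetical countermeasure: round every message up to a multiple of `frame` bytes."""
    return [(t, s, d, -(-size // frame) * frame) for t, s, d, size in flows]

def exposure(flows):
    """Per node: (share of all bytes sent, number of distinct peers that contact it)."""
    sent, peers = defaultdict(int), defaultdict(set)
    for _, src, dst, size in flows:
        sent[src] += size
        sent[dst] += 0          # make sure pure receivers are listed too
        peers[dst].add(src)
    total = sum(sent.values())
    return {n: (round(sent[n] / total, 3), len(peers[n])) for n in sent}

def standout(flows, byte_share=0.5, fan_in=3):
    """Nodes a metadata-only observer could single out, and the signal that gives them away."""
    found = {}
    for node, (share, inbound) in exposure(flows).items():
        checks = (("bytes", share >= byte_share), ("fan_in", inbound >= fan_in))
        signals = [name for name, hit in checks if hit]
        if signals:
            found[node] = signals
    return found

if __name__ == "__main__":
    print("raw   :", standout(FLOWS))
    print("padded:", standout(pad(FLOWS)))
```

On this sample, drone `d3` is exposed by both message volume and fan-in; padding removes the size signal, but the communication graph still identifies it as the central node.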

Conclusions

The rapid pace of research in transportation networks, combined with the merging of disparate research spaces such as transportation, computer vision, consensus communication, and data privacy, presents an intriguing and complex landscape for critical infrastructure. The tendrils of communication and data privacy will be at the heart of most future critical infrastructure. As mentioned, land shipping will include vision systems and autonomous networks. Military operations will presumably include large scale drone networks. The electric grid is already moving towards automated alarms and management systems, while healthcare has already progressed towards data-based service delivery. With all of these, networked and personal data form the backbone of the new infrastructure, and by extension, privacy is their shield.

So, we have seen several automated transportation networks, both existing and emergent, as well as impacts on critical infrastructure from their attacks. One additional note: future attacks converge on data communication, and mitigation of such attacks involves implementing strong privacy measures for communication.

References

[1] Automation Essentials. International Association of Public Transport (UITP).
[2] Kuok Kang Liu (1997). Section 2 (The New Generation Airplane and its New Generation Accident Style). “The Highly-Automated Airplane: Its Impact on Aviation Safety and an Analysis of Training Philosophy.” Thesis. Air Force Institute of Technology.
[3] Alexander Bayen, Claire Tomlin, Yinyu Ye, and Jiawei Zhang (2004). An Approximation Algorithm for Scheduling Aircraft with Holding Time. IEEE Conference on Decision and Control.
[4] Craig Giffi, Joe Vitale, Ryan Robinson, and Gina Pingitore (2017). The Race to Autonomous Driving. Deloitte Review. (20).
[5] Milan Erdelj, Enrico Natalizio, Kaushik R. Chowdhury, and Ian F. Akyildiz (2017). Help from the Sky: Leveraging UAVs for Disaster Management. IEEE Pervasive Computing.
[6] The Construction Industry Is in Love with Drones. Clay Dillow, Fortune Magazine.
[7] Unmanned Aircraft Systems: Addressing Critical Infrastructure Security Challenges. DHS Report.
[8] Polish teen derails tram after hacking train network. The Register.
[9] Lyes Khelladi, Yacine Challal, Abdelmadjid Bouabdallah, Nadjib Badache. On Security Issues in Embedded Systems: Challenges and Solutions. International Journal of Information and Computer Security, Inderscience, 2008, 2 (2), pp.140-174.
[10] Rich Smith (2008). Phlashdance: Discovering Permanent Denial of Service Attacks Against Embedded Systems. EUSecWest 08.
[11] New Cyber Attacks Are Hitting Airports and Metro Systems in Ukraine. Reuters.
[12] Chinese cyber spies broaden attacks in Vietnam, security firm says. Matthew Tostevin, Reuters.
[13] Kaiming He, Xiangyu Zhang, Shaoqing Ren, Jian Sun (2015). Deep Residual Learning for Image Recognition. CVPR.
[14] Tom B. Brown, Dandelion Mané, Aurko Roy, Martín Abadi, Justin Gilmer (2017). Adversarial Patch. MLSEC 17.
[15] Yaohong Qu, Xu Zhu, Youmin M. Zhang (2012). Cooperative Control for UAV Formation Flight Based on Decentralized Consensus Algorithm. ICIRA 2012.
[16] Ram Narayanan, Martin Oberhofer, Sushain Pandit (2012). Metadata Exploitation in Large-scale Data Migration Projects. AMCIS 2012.
[17] Hunt for Deep Panda intensifies in trenches of U.S.-China cyberwar. Jeremy Wagstaff, Reuters.