**3. Critical issues related to the cybersecurity of intersection management**

As the components and technologies of intersection management have evolved to address the needs of a growing municipalities and transportation systems, new problems have been created. By having various elements of ITS connected via wireless and wired networks, threats of a cybersecurity nature are now a higher risk. This section will discuss the critical cybersecurity issues related to intersection management, and provides an overview of the current regulatory framework in California, USA.

Transportation systems include many modes: air, ships, and a variety of ground modes. In addition to roads, ground modes include trains, inland waterways, subways, bike ways, pedestrian travel, etc. Here we only focus on intersection management and upcoming Connected Automated Vehicles (CAV) issues. However, it should be noted that many reports focus on "critical" transportation systems. Such systems are generally thought to be air and train systems; while intersection management and TMS generally are considered significant, they are not as critical in terms of the

*Intersection Management, Cybersecurity, and Local Government: ITS Applications, Critical… DOI: http://dx.doi.org/10.5772/intechopen.101815*

immediate, catastrophic consequences of cyber vulnerabilities. However, the field of TMS has become aware of: (1) the issues of cybersecurity related to intersection management, (2) the fact that vulnerabilities are extensive, (3) the increasing importance of cyber issues because of CAV and public information/service expectations, (4) the perception that public sector traffic experts do not have consistently adequate training and staff to deal with cyber issues, and (5) the fact that industry vendors have not been reliable partners in cybersecurity.

## **3.1 The magnitude**

From an historical perspective, the number of reported attacks and incidents is still very small and non-catastrophic, despite the series of Hollywood movie portrayals of hijacked intersection management systems to the contrary. However, in 2014, cybersecurity expert Cesar Cerrudo presented the results of extensive white-hat hacking of Sensys intersection management systems at the DefCon 22 conference. An extensive YouTube video of that presentation has been watched over 15,000 times. He not only showed how the system he hacked was vulnerable to manipulation, ransom, and potential denial-of-service, but also showed that even the simplest security measures had not been taken in the primary field test site (Washington, DC) [29], and that the vendor was misleading about the level of security provided, and initially unresponsive about cybersecurity issues as not "their" problem. Cerrudo also pointed out that most deficient sensor systems could not be retrofitted, and would need to be completely replaced when more rigorous cybersecurity standards were implemented. He estimated the then-current replacement cost of the legacy sensors at \$100,000,000. Cerrudo's presentation was highly reported on and put the industry on notice. It is hoped that improvements will be made by vendors to provide better cyber safeguards (such as simple encryption), and greater transparency [30]. While improvements in the industry are likely, the private sector also must improve. One cybersecurity expert reported that of the 250 traffic control systems he was able to discover on the internet, 49 had open devices because the username and password were disabled [31].

These are not one-off anomalies. There are numerous challenges to intersection management. While the following list is not comprehensive, it will sketch out the magnitude of the problem.


vulnerabilities. Qualified product lists, generally adopted by local governments from the state level, do not provide any information or guidance other than statements that they have been found to be acceptable on a variety of engineering factors, of which cybersecurity is only one.

