**3.2 Assessing the risk: foreseeable attack scenarios**

We conducted a literature review on cybersecurity vulnerabilities of traffic signal systems in recent years, and a high-level of summary is presented in **Table 1**. We then considered various types of attacks that could exploit those vulnerabilities and the consequences that could result. What follows is a description of several foreseeable attack scenarios and the damage that could be done.

a.Controller attacks represent attacks that target at the light controller. An attacker may attempt to gain privileged access to the controllers. On a successful intrusion, lights could be changed to be green along the route the attacker is driving. An attacker may also initiate various denial of service (DoS) attacks on the traffic light system, causing the intersection to enter an undesired and potentially dangerous state. Alternatively, an attacker could trigger the MMU to take over, which will cause the lights to enter a safe but suboptimal state (e.g., flashing


#### **Table 1.**

*Cybersecurity vulnerabilities in traffic signal systems.*

*Intersection Management, Cybersecurity, and Local Government: ITS Applications, Critical… DOI: http://dx.doi.org/10.5772/intechopen.101815*

all-red). Since MMU can only be reset with physical access to the controller while an attack can be triggered remotely, an adversary can disable traffic signals faster than technicians can be sent to repair them.


#### **3.3 Efforts to address the issues**

While the challenges are numerous, there have been two ongoing efforts to address the TMS cybersecurity weaknesses are worthy of mention. A state-funded initiative in Florida at the National Center for Transit Research is called Enhancing Cybersecurity in Public Transportation [14]. That initiative is to: identify and mitigate transit cybersecurity liabilities, and facilitate ongoing cybersecurity information exchange among Florida transit agencies, their vendors, and cybersecurity researchers. A second ongoing effort is being spearheaded by the Southwest Research Institute, funded by the National Cooperative Highway Research Program for approximately \$750,000 [39] and due to be completed 8/15/2019. The description of the project is to develop guidance for state and local transportation agencies on mitigating the risks from cyber-attacks on the field side of traffic management systems (including traffic signal systems, intelligent transportation systems, vehicle-to-infrastructure systems (V2I), and closed-circuit television systems) and, secondarily, on informing the agency's response to an attack. The guidance will address the vulnerability of field devices (e.g., traffic signal controllers and cabinets, dynamic message signs, V2I roadside units, weigh-in-motion systems, road-weather information systems, remote processing and sensing units, and other IP-addressable devices), field communications networks, and field-to-center communications. It will not address vulnerabilities within a traffic management center, within center-to-center communications, or due to insider risk (accidental or intentional).

It is anticipated that the guidance will take the form of a web-based deliverable that uses a guided risk-based decision tree (similar to a capability maturity model) to identify the most relevant content for a user. The users will range from small, local agencies with limited risks and limited capabilities to those with substantial traffic management systems and more resources available to protect them. If a viable approach and host for the implementation and maintenance (including

updating content and addressing emerging technologies) of this type of product is not found, a traditional NCHRP document will be produced. NCHRP has begun discussions with the National Operations Center of Excellence as a possible host, but they should not be contacted by proposers regarding this effort (NCHRP 03–127). The most extensive and up-to-date listing of resources for TMS is the first draft of a Cybersecurity Literature Review and Efforts Report by Ramon and Zajac [40].

### **3.4 The current regulatory framework for intersection management**

The dependence on and seamless integration of technology into everyday activities and operations has exposed the critical need to address cybersecurity [2]. The strategy at the national level has focused its regulatory schemes to aid cybersecurity by providing rules or guidance about security practices to be used by public agencies (based on IS0 27,001), and by providing legal standards or guidance about equipment to either/both vendors in terms of product standards, and public agencies in terms of qualified product lists (based on ISO 27002). This and more are captured in the National Institute of Standards and Technology, *"Framework for Improving Critical Infrastructure Cybersecurity (version 1.1)"* for the federal system (2018) [41].

To improve resilience to cyber-incidents and reduce cyber threats, at the federal level, rules have focused to date on consistent use of traffic control devices via the Manual on Uniform Traffic Control Devices (MUTCD) which is a part of 23 Code of Federal Regulations, Part 655, Subpart F [42]. While MUTCD rules are national in scope, they do not regulate cybersecurity standards at this point. Unlike some other highly critical areas of transportation such as the Cyber Air Act of 2016 in which cybersecurity standards were implemented via such agencies and government corporations as the National Institute of Standards and Technology and the Radio Technical Commission for Aeronautics, *cybersecurity of intersection management is not federally regulated.*

However, the federal government has provided general guidance about cybersecurity such as the Framework for Improving Critical Infrastructure Cybersecurity (2017), as have private organizations [43]. The federal guidance includes the Roadmap to Secure Control Systems in the Transportation Sector (2012), National Security Strategy for Transportation Security (2015), and the Federal Highway Administration Cybersecurity Program Handbook (2017).

Aligning with the DOT, DHS, and TSA, the American Public Transportation Association (APTA) has broadly identified four priorities for transportation agencies to consider, and at a minimum to address, regarding an agency's information and communication technology (ICT) infrastructure [2]. The federal government is likely to issue some initial rules and guidance on connected and autonomous vehicles cybersecurity in the near future which will have an impact on TMS in the US and elsewhere.

States tend to have the best resources to provide qualified, preferred traffic control systems lists. In California (the location of the empirical in-depth study), that is the Caltrans Transportation Electrical Equipment Specification (TEES) report, last re-issued in 2009 [44], but with supplements (called Errata) in 2010, 2014, and 2018. California's TEES guidance is used by many other states in the country, as well as local governments in California. Other than the brief mention of a password file (CA TEES, p. 46, 9.2.7.6.2), there had been no robust cybersecurity guidance in the 2014 revision (aka errata update). However, the recent errata report has included substantially enhanced cybersecurity specifications for equipment. The new standard promotes embedded cybersecurity systems and phase out customize-after-purchase approaches. Use of the TEES list by local government agencies is not mandated, but is frequently

## *Intersection Management, Cybersecurity, and Local Government: ITS Applications, Critical… DOI: http://dx.doi.org/10.5772/intechopen.101815*

voluntarily adopted. The state is taking an aggressive stand on cybersecurity in general at an enterprise level with a Security Operations Center in the CA Department of Technology's Office of Information Security. While this resource will likely bolster prevention of hacking of state agencies for private information and help prevent ransomware and denial-of-service attacks, it seems unlikely to have much effect in the near future on state or local intersection management issues. It should be noted that while most qualified equipment lists do not have an official regulatory status because they are dynamic, in practice they function like regulatory protocols at the time a contract is let.

Although city and county CIOs listed cybersecurity as their primary focus in 2017 [45], local governments do not seem to understand the scope of their problems, let alone have much in place beyond generic cybersecurity protocols, and few are equipped to stave off threats [4, 46]. Twenty-five years ago in the southwest US, a teenage computer whiz hacked into software that controlled city traffic signals. Since then, not much has changed [47]. Recent cyber-attacks (e.g., two LA traffic engineers were found guilty of intentionally creating massive delays by adjusting signal times [48], and reports (Cesar Cerrudo demonstrated how he accessed traffic-light systems in dozens of cities, and University of Michigan students conducted experiments that manipulated over 1000 lights in one city alone) have heightened cybersecurity concerns dramatically, making them the top priority according to some public officials perception surveys [47]. Striking shortages of IT and cybersecurity personnel have been widely reported [33]. Internal practices and policies with existing personnel create tremendous gaps in local government's cyber responses [4]. Further, local governments are cash-strapped and aren't easily convinced, for example, that they must manually update every signal controller to thwart vulnerabilities at intersections [10].
