As someone who has thought about cybersecurity for some time, including in previous posts on this blog, the recent events around the hack of the Colonial Pipeline has been front of mind, and not just because I live in Washington, D.C., where gas stations have been running out of fuel. The incident is yet another dramatic demonstration of how cyberattacks can cause serious real-world damage. As more and more of our transportation system becomes connected to computer networks (both vehicles and infrastructure) cybersecurity is becoming just as important issue as the physical safety and security of our roads and vehicles.
The Colonial Pipeline attack comes at a time when the Biden Administration and Congress have both turned their attention to cybersecurity. In the House, lawmakers have proposed $500 million in funding to help state and local governments protect themselves from cyberattacks, while other legislators have been discussing laws that require companies to report cyberattacks they suffer to the government and the public. Such rules would give the government greater insight into attacks and allow them to better coordinate responses when cybercriminals attack more than one company or industry. Making attacks public would also give the public a better idea of how the companies they patronize are protecting their data and products. At the same time, President Biden signed an executive order that will require all software sold to the federal government to meet set security standards. Given the sheer amount of buying power the U.S. government has, that means consumers will also likely benefit from the order, as companies up security in their products to make them competitive for government purchase.
The Colonial attack will also put more scrutiny on the Transportation Security Administration (this is the same TSA that confiscates your water bottles at the airport). While the U.S. Department of Transportation oversees the regulation of pipelines (via the Pipeline and Hazardous Materials Safety Administration), the TSA (part of the Department of Homeland Security) is tasked with helping pipeline owners protect their infrastructure from cyberattacks. In a 2018 report the government’s General Accounting Office (GAO) released a report on weaknesses in the TSA’s pipeline security efforts, including cybersecurity. As the fallout from the Colonial attack continues, the TSA’s infrastructure security will no doubt face some tough questions.
Issues for Transportation Technology Overall
Pipelines are far from the only part of our transportation system that is at risk of being hacked. Last June automaker Honda’s internal network was compromised, leading the company’s factories across the globe to shut down for a day or more. Journalists and hackers alike have shown how a vehicle’s onboard computers can be compromised in a number of ways. More recently, the European Union Agency for Cybersecurity issued a report that identified autonomous vehicles as “highly vulnerable to a wide range of attacks.” The complexity of AVs (and driver assistance systems) and the myriad of computer systems within them is part of why they make a tempting target. Issues also arise as vehicles become more networked – meaning a failure to connect to an outside server can limit a car’s capabilities, as has been reported with some Teslas at times. As AVs and connected vehicles of all kinds proliferate, along with connected infrastructure, the number of failure points or avenues of attack multiple, something that will keep engineers up for years to come.
One good thing that may come from the Colonial Pipeline incident is the centering of cybersecurity in our discussions over infrastructure and transportation. Especially as the White House and lawmakers continue to negotiate a potentially massive investment in infrastructure, addressing the cybersecurity ramifications will be vital. Likewise, the current surface transportation reauthorization (a bill that funds the U.S. DOT and highway projects) will expire on September 30, giving Congress a second opportunity to include cybersecurity issues into the greater transportation policy discussion.