The digital transformation of roadway infrastructure continues to dramatically shape the way we travel from point A to point B. With more and more state and local agencies integrating smart traffic systems, autonomous and electric vehicles, and connected roadways, we are living in a time of unprecedented efficiency, safety and convenience. However, with the rise of this new digital paradigm comes the increased risk of vulnerability from cyber attacks against these infrastructure systems, making the need for more robust cybersecurity resilience of critical importance.
As part of our ongoing digital infrastructure webinar series, in partnership with the Intelligent Transportation Society (ITS) of America, we recently moderated a webinar of subject matter experts addressing the topic of cybersecurity resilience. The panel featured a mix of public officials and private sector experts/consultants who discussed how cybersecurity is currently being integrated into digital infrastructure initiatives. A recurring theme in this discussion included a particular focus on how this vital resilience measure is often being treated like an “add-on” or an “afterthought” during the development of projects and programs, and more importantly, how this really doesn’t work.
STV’s growing cybersecurity practice works with our team of engineers, planners and project delivery professionals – including our emerging mobility and intelligent transportation system experts – to provide consulting services to transportation and water and wastewater clients. And we’re witnessing a growing demand for these services from these clients. However, as we discussed in the panel, one of the keys to enhancing cybersecurity resilience in our industry is to program those resilience measures into a project plan from day one, rather than addressing with a reactive mindset.
Digital roadway infrastructure relies on the integration of information and communication technologies into our transportation systems, including intelligent traffic signals, sensors, public and private communications infrastructure to vehicle-to-infrastructure communication networks and centralized traffic management systems. Because of that, the consequences of a cyber attack on these systems could be severe. In addition to leaking sensitive information, a cyber attack has the capacity to bring an entire transportation network to a standstill. And it just takes one vulnerability in a system to do that.
Over the past few years, we’ve seen several examples of cyber-attacks impacting state and local transportation agencies. In May 2020, following the onset of the COVID-19 pandemic, the Texas Department of Transportation was hit by ransomware which seized control of aspects the department’s statewide network, including its website, making communication incredibly challenging during a period of remote work and social distancing. Last year, the Washington State Department of Transportation’s website was infiltrated, impacting all real-time travel information like the state travel map, mobile app and ferry vessel watch.
Our panel discussed some proactive ways for state agencies to address cybersecurity – primarily getting all of the agency’s key stakeholders together, including both information technology (IT) and operational technology (OT) teams, in the earliest stages of a project’s development.
The distinction between IT and OT as it relates to cybersecurity is an important one, as each team has different focuses and needs and aligning both teams facilitates a more holistic and robust approach. IT cybersecurity is centered around data protection within a business-orientated environment while OT is focused more on the safety and reliability of physical processes where the protection of operational continuity is vital. Getting these teams to interact early on allows an agency to secure a cybersecurity plan around every vulnerability on a network.
Additionally, involving IT and OT in the planning stages lets these teams provide input that can significantly impact the way a project advances through design and construction. Namely, project procurement and delivery has changed significantly over the past 30 years when cybersecurity wasn’t nearly the priority it is now. Getting IT and OT input at the beginning allows them the opportunity to say, “It’s not that we can’t do a project… it’s that we can’t do it that way.”
The larger goal of taking this proactive and inclusive approach is building a larger culture of cybersecurity resilience in digital infrastructure projects. Having an engaged and communicative team creates a framework of plans and tools. It keeps security and privacy front and center in the project procurement process benefitting not only the client, but the communities they serve as well.
