In the transportation industry, where computer systems are becoming increasingly important, cybersecurity issues are also on the rise. What’s more, the very nature of transportation (always in movement) adds to the risks usually associated with cyberattacks and pushes the industry to continually strengthen its defences.
For example, take personal vehicles. Today, they are more and more connected and some models are able to receive updates from the manufacturer, or are even equipped with their own wireless network card. These are all access points to on-board computers that must be protected by cybersecurity. This facet applies to any moving vehicle, no matter how big or small: buses, motorcycles, trucks, trains, ships, planes and more are all connected in various ways. Add the rise of autonomous driving systems, which represents a new attraction for cyber hackers. The industry must not only ensure the cybersecurity of vehicles, but that of infrastructures as well, which can also be targeted by wrongdoers
“We often think of what moves, but we mustn’t forget what doesn’t move, meaning road infrastructures,” explains Victor Poudelet, Director of the Cité for Sustainable Mobility Project at Propulsion Québec, the organization that mobilizes and stimulates Quebec’s smart and electric ground transportation industry actors around joint and innovative projects. “It’s not just by taking control of vehicles that you can create security issues, but also, for example, by taking control of the traffic lights and of the infrastructure that controls traffic or charging.”
There are also business aspects to the vehicle and transport infrastructure hacking equation. The hacking of a fleet of interconnected commercial vehicles could greatly disrupt a company’s business, cause financial losses and result in information theft. Charging stations can also be targeted in order to interrupt their operation or retrieve data from them.
“The entire transportation sector is becoming more and more connected, therefore all elements, may they be vehicles or infrastructure, have more and more exchanges with each other and with the external environment,” elaborates Victor Poudelet. “The industry’s major players, in Quebec and elsewhere in the world, know this very well and are putting measures in place to counter these potential attacks.”
As is often the case, cybersecurity issues are also found within the supply chain. While the physical security of passengers has always been a priority for every transportation stakeholder, the integration of cybersecurity solutions is not yet sufficiently embedded in the design and manufacturing processes of the products and systems offered by actors further up in the supply chain.
It is in light of this lack of resources that the Quebec Cybersecurity Innovation Program (PICQ) was created. This government initiative is overseen by PROMPT, the organization responsible for the creation of research partnerships in technological innovation. Over the next three years, the PICQ will offer financial support to companies seeking cybersecurity certifications or aiming to develop enhanced protection solutions.
“In this rapidly changing industry where things happen very quickly, it is necessary to be ahead of the game in terms of cybersecurity in order to not only protect the on-board systems of the various means of transportation, but also road infrastructures and other critical infrastructures related to transportation,” points out Maxime Clerk, the PICQ’s Director. “More than ever, the concepts of ‘security by design’ and ‘privacy by design’ are becoming increasingly important in regards to transportation. Being able to demonstrate the cyber-resiliency of solutions is essential for any industry, and this is especially true for the mobility industry.”
Indeed, certain cybersecurity standards and practices are already in effect around the world, and there is a growing trend from large transportation sector companies to be more demanding of their suppliers and in their tenders. Especially in terms of the protection surrounding suppliers’ IT infrastructures, but also in terms of integrating cybersecurity right from the initial design of a product. In the railway sector, for example, some international calls for tenders now include cybersecurity criteria.
To illustrate this need for protection and demonstrate the importance of strengthening cybersecurity at all levels, here is another example coming from personal vehicles. Last February, CAA-Quebec reported that data from the Insurance Bureau of Canada shows that the 10 most stolen models in Quebec are newer vehicles. Therefore, the rise in newer vehicle thefts can be correlated to the increasing number of connected vehicles. These thefts can be facilitated by intercepting the signal emitted by each vehicle’s smart keys, as some are not thought out nor designed to be cybersecure. Consequently, thieves exploit this flaw to unlock and start targeted vehicles.
“This is a good example which shows that the safety aspect was forgotten during the design of this innovation,” comments Marcel Labelle, CEO of Cybereco, the organization that brings together several large national companies and institutions in order to accelerate the development of technological solutions. “Smart keys are a great convenience for the user, but manufacturers should have taken the time to invest more effort in security fundamentals, starting from the key’s design. It’s not normal that a car can be stolen in 15 seconds!”
It’s not just the signals from smart keys that need to be considered. For road safety reasons, the automotive industry is moving towards interconnected cars in order to, for example, perceive vehicles approaching an intersection or detect the imminent change of traffic lights. With so much information being exchanged, the challenge is to foster interoperability while maintaining robust cybersecurity.
“Automotive innovations are progressing so rapidly”, notes Marcel Labelle. “Without stricter standards, the industry could find itself facing an alarming situation. Companies within the supply chain need to make sure they are not part of the problem. It took many years to improve vehicle structures and passenger safety, but when it comes to cybersecurity, things need to move much faster.”
The transportation industry is constantly changing, regardless of the sector: automotive, maritime, rail or aviation. As a result, supply chain providers need to be forward-thinking by improving their cybersecurity levels and by preparing to meet the national and international requirements that are appearing on the horizon.
“It’s better to get a head start”, adds Marcel Labelle. “The transportation sector is changing dramatically.”