Your Train Has Just Been Hacked. Yes, This Just Happened.

“You Hacked, ALL Data Encrypted” blazed every screen last Friday night at San Francisco’s Muni Rail System. The cyber criminals held the city at ransom for over 48 hours, demanding 100 Bitcoins to turn back on the train’s automated ticketing system. Rather than paying, Muni responded with free rides all weekend long (a loss that far exceeded the ransom payment).


The MUNI hack is not the first municipal cybercrime, but it raises serious concerns as we race towards an autonomous global transportation network. While San Francisco only lost money, hacks can potentially turn buses or trains into weapons of mass destruction. Last December, hackers physically killed the electricity in Ukraine and then overwrote the control software, permanently damaging their electrical grid. A similar move in the USA or Europe could paralyze a city like New York or London, depriving millions of their livelihood and comfort.

Two years ago, the American Public Transportation Association warned municipalities of attacks via its position paper, which stated, “cyberattacks can destroy a transit agency’s physical systems, render them inoperable, hand over control of those systems to an outside entity or jeopardize the privacy of employee or customer data.” Since the APTA’s statement, more than 6.4 billion control systems have been connected online, a number estimated to be over 20 billion by 2020.

To illustrate the ease with which hackers can take over our autopilot systems, security experts at a Norwegian app firm called Promon demonstrated online how they were able to take full control of a Tesla vehicle, including finding where the car is parked, opening the door and enabling its keyless driving functionality. A lack of security in the Tesla smartphone app opened the door to all manner of exploits. The cyber-attack unearthed by Promon provides functionality beyond that exposed by Keen Security Labs in a different hack in late September.

One of the key aspects of a driverless future is machine communications across the network, commonly referred to as vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2X) communications. Already, the 2017 Cadillac CTS will be enabled with V2V communication technology. The positives are well known – safety, energy efficiency and traffic avoidance being the top three. A big supporter of this technology has been the current Secretary of the Department of Transportation, Anthony Foxx. Last year, Foxx announced in Silicon Valley that he has accelerated the timetable on the proposed V2V tech mandate, speeding up the testing of a national 5.9 GHz spectrum reserved for connected cars.

Foxx’s V2V network, along with the 15 open ports within the current automobile (below), makes hacking transportation not only attractive, but accessible. While the venture capital space is littered with hundreds of companies going after the connected car ecosystem, there are only a handful of qualified cybersecurity firms focused on securing the vehicle from attacks. Unlike IT security, which is typically reactive to malware, autonomous driving systems need proactive, lightning-speed security. Seconds of buffering for authenticating the communication could mean the difference between life and death.

[Image: Harman graphic]

Last month, Samsung Electronics acquired automobile infotainment provider Harman International Industries for $8 billion. Harman is currently the industry’s biggest provider of connected car and infotainment solutions. Harman purchased Israeli cybersecurity firm TowerSec last year for $70 million. TowerSec is one of the few companies along with Argus, Karamba, and Visual Threat focused on stopping real-time malware intrusions on the car’s internal computer network. Many of these startups were birthed shortly after the famed Jeep Cherokee hack that led to a recall of 1.4 million vehicles.

According to the press release from the TowerSec acquisition, Harman Chairman, President and CEO, Dinesh C. Paliwal, said that “the demand for connected – and eventually autonomous – cars is accelerating quickly with OEMs and consumers understanding the enormous benefits that cloud, data and analytics produce for enhanced safety, productivity and entertainment. At the same time, we cannot sacrifice security for functionality. By acquiring TowerSec’s best-in-class suite of network protection software and gaining the expertise of their highly experienced security engineers, we will build on HARMAN’s 5+1 security framework, already the most comprehensive in the industry, and ensure that we remain one step ahead to protect existing and future connected systems.”

While market factors seem to be driving demand for cybersecurity on consumer automobiles, much of municipal infrastructure is still being built on aging computer systems that are extremely vulnerable to attacks. North American cybersecurity experts say that the U.S. power grid is not well protected against the kind of campaign that hit Ukraine last year. “Everything about this attack was repeatable in the United States,” according to Robert Lee, a former cyberwarfare operations officer for the U.S. Air Force who went to Ukraine to independently assess the December attack. “While their security wasn’t awesome, it definitely wasn’t below the [industry] standards,” says Lee, who is the CEO of Dragos Security, based in San Antonio, which develops cybersecurity tools for SCADA (supervisory control and data acquisition) systems.


The Muni and the grid are not the only targets. In real-world war, combatants typically don’t attack hospitals. In the cyber realm, hackers have no such scruples. “We’re attacked about every 7 seconds, 24 hours a day,” says John Halamka, CIO of the Boston hospital Beth Israel Deaconess. And the strikes come from everywhere: “It’s hacktivists, organized crime, cyberterrorists, MIT students,” he said last year at SXSW Interactive. The most notable incident was last February when a Los Angeles hospital’s network was out for a week as hackers allegedly demanded more than $3 million in bitcoin payment. In the end, the hospital paid a ransom of $17,000 to get its files back.

According to an IBM report on the “Security Trends in the Transportation Industry,” the Muni incident last weekend could be the first of many more rail, plane or auto hacks as cybercriminals are actively targeting the autonomous systems used in the industry. The transportation sector is increasingly vulnerable to cyberthreats as a result of “the growing reliance on cyber-based control, navigation, tracking, positioning and communications systems, as well as the ease with which malicious actors can exploit cyber systems serving transportation.” It further states that systems used in the transportation industry manage a large volume of data that could be stolen by crooks who intend to resell it on the dark web.

“We are seeing this industry emerging as high-value target right alongside healthcare, manufacturing, financial services and government,” said Michelle Alvarez, Threat Researcher and Editor at IBM Managed Security Services. Experts like Alvarez also warn about the threat of terrorism, sabotage, and data theft that could be used by terrorists. The report goes on to state that “when dealing with hacking in the transportation industry we cannot avoid to mention the demonstrative attacks” like the Jeep Cherokee example and the computer systems aboard a Polish National Airlines (LOT) flight in June 2015. 

The scary aspect of these attacks is how easy they were to execute, in a non-autonomous V2V setting. In the San Francisco example, the ransomware was able to take advantage of outdated software on a Microsoft Windows-based computer. According to cybersecurity expert Ed Cabrera of Trend Micro, the number of ransomware attacks has doubled this year. He suggests that the best way to protect the infrastructure is still to invest in software that protects the “endpoints.” He believes that artificial intelligence technology is the key to proactively protecting infrastructure: “only by automating a lot of this technology can you actually improve your risk management of these types of attacks.”

There are two absolutes relative to the Muni hack: 1) there will be more and 2) hacking autonomous vehicles could be deadly. When one thinks about this deeply, it is difficult to sleep at night. Many government organizations and private sector initiatives are wrestling with this challenge, just not at the pace of autonomous technology (or hackers). This past August, President Obama appointed Michael Daniel as the Special Assistant to the President and Cybersecurity Coordinator. I would like to suggest that the President-Elect elevate this position to a Czar-like role that proactively works not just to coordinate activity, but also to prevent any possibility of autonomous mayhem.
