Content
Cyber Security in Public Transport Vehicle Networks
How to protect systems in buses and trains from hacker attacks The digitalization of buses and trains raises many questions about cybersecurity: To what extent are digitized public transport vehicles at risk? How could digital systems and network data be successfully protected from hackers without compromising network performance? Although rare, cyberattacks also occur in public transport and can have far-reaching consequences. We clarify what transport operators can and should do themselves to protect digital onboard systems in vehicles from unauthorized intrusions.
When the Public Transport Vehicle Becomes the Target of a Cyber Attack: Possible Reasons and Risks
It’s hard to imagine public transport without digitized line vehicles: live data on departure times, capacity utilization and connections is far too convenient; the ability to buy a ticket via app; time passes so much more pleasantly on the train when you have free Internet access. To enable passengers and transport operators to make use of such services, data is always collected or made available in the vehicles, which is transmitted via the vehicle’s own network.
Like any network, the onboard network in buses and trains can become the target of hacker attacks. IT attacks of this kind do not pose an immediate danger to drivers and passengers. However, they can result in disruptions and losses:
Disruptions or failures in information and control services
Manipulation of services
Tapping of data generated by vehicle systems
Short- and longer-term financial losses due to system failure and damage repair
Attack Surfaces in the Vehicle and How Attackers Get at Them
Any device on board a line-haul vehicle that is on the network has the potential to become a target of attack. However, camera, validator, switch, router & co. would only be misused as a gateway to the network. After all, it is not the individual devices but the control of the data and services provided via the network that is likely to be the real target of an attacker.
Attacks by Connecting Unauthorized Devices
By gaining physical access to the IP-enabled components in the vehicle, attackers could easily connect to them and then gain unauthorized access to the network in the vehicle. The connection would be made simply by connecting a cable to a network port. In principle, the hacker can compromise any network participant for this purpose or misuse its connection.
Since as a rule unauthorized persons do not have direct, physical access to the on-board devices of a moving vehicle, this type of attack is rather unlikely.
Attacks via Radio
A local vehicle network always forwards data. For this reason, modern IP networks are usually equipped with a router that, among other things, provides the connection via mobile radio between the vehicle and the control center. In buses and trains, the LTE router or WLAN represents a very attractive attack surface. The router can be seen not just as a door, but as a gateway to the network. If an attacker manages to compromise the WLAN or cellular system, he can gain access to the entire IP network.
Attacks via Services
Network communication runs in both inward and outward directions. Thus, attacks could also come from the outside through compromised services such as system updates. So protection mechanisms are needed that are both inward and outward facing.
How Vulnerable is an Ethernet Switch to Attacks?
Like any other network device, the switch is a potential target for attack on the network.
Tasks of an Ethernet Switch
An Ethernet switch provides for the exchange of data between the individual devices of the network. The data is transmitted in individual packets. How the packet is processed is decided exclusively by the MAC addresses.
Management Software in the Switch
Managed switches have the possibility to be configured. Their internal software is used to set the parameters of the network controller and provides a few basic services. Managed switches introduce new threats, but also new opportunities to make the network more robust against attacks, as we will see later.
Switch Configuration Manipulation
A cyber attack on an Ethernet switch can cause the switch’s configuration to be changed. This can cause the disruption or complete failure of services or the disabling of protective measures that are taken in the switch. For such a manipulation, however, at least one of the protective measures must already have failed.
>> Read also: The Ethernet Switch & Cybersecurity
Making Vehicle Networks Secure: Here’s What Transport Operators Can Do.
Public transport operators can ensure that the in-vehicle IP network is well protected from attack and still fully functional in a number of ways. It starts with device installation and extends to targeted data flow control.
Physical Protection of the Network
Installation Security of the Devices
The simplest and most effective measure fleet operators can take to protect vehicle networks from tampering by unauthorized parties is to restrict physical access to devices, especially the router. In concrete terms, this means installing network components such as Ethernet switches, routers, video recorders, etc. in such a way that only authorized workshop personnel can make changes to devices and their connections. This is usually the case, as the technology is installed behind panels or in special locations designed for this purpose. This simple measure ensures that no foreign devices can enter the network.
Logical Protection of the Network
Router Configuration
As the gateway to the network, attention should primarily be paid to the mobile/WLAN router in the vehicle. It should be configured to allow devices within the network to exchange data only with predefined services. This reduces the risk of data leakage.
MAC Whitelisting
The MAC address is the first piece of information in the data packet that a sender provides. MAC whitelisting allows communication on the network only for MAC addresses that meet certain criteria. This method provides basic protection against foreign devices that should not be on the network.
MAC whitelisting is critical to protect against malicious network intrusions. It is enough for an attacker to locate the MAC address of any network device to gain access to the entire network. This is because MAC addresses are usually attached legibly to every device at the factory. Or they can be queried via a direct connection to the respective subscriber. The attacker can then disguise his own MAC address so that he is recognized as if he were a confidential network subscriber. MAC whitelisting can therefore be circumvented and is therefore not an effective protection mechanism in the event of intentional attacks.
IEEE 802.1X and RADIUS
The IEEE 802.1X standard provides secure authentication for access control in local networks. It is often used in conjunction with a Remote Authentication Dial-In User Service (RADIUS). RADIUS is a client-server protocol for authentication, authorization and accounting of users when connecting to a network. Via a central access management system, devices are first authenticated each time a connection is attempted before they are enabled for the network.
To enable new network users, access to the authorization server is required. The authentication can be cached in order to do without the authorization server when the device is unlocked again. However, new problems arise here with the synchronicity of the data. The server itself must also be validated so that a trustworthy connection can be established.
IEEE802.1X or RADIUS require that all network nodes support IEEE802.1X authentication. During implementation, all devices must be learned and corresponding certificates must be installed on each individual device. This also affects subsequent maintenance, as it will no longer be possible to simply replace a device without first releasing it in RADIUS.If all requirements are met, IEEE802.1X or RADIUS can provide protection against unauthorized systems on a network. However, it cannot provide protection if a system that has valid credentials for the network is compromised. For this reason, and because of the large administrative overhead involved in this service, structural security proves to be more practical.
Cryptographic Security
Cryptographic security is used to encode or render unreadable data that is to be transmitted. All data that is routed over the network should be cryptographically secured. Then, even if data were stolen via a direct cable connection, it would be impossible to read the data received. Cryptographic security takes place on two levels: firstly, during communication with the vehicle and secondly, in the application itself (e.g. payment data).
Please note: Data can be encrypted, but communication protocols cannot.
Network Segmentation
Virtual network segmentation using VLAN ensures separate data flow and can minimize damage if individual systems are taken over that are separated from the rest. VLAN networks are a functionality of Ethernet switches.
Measures for a Secure Network in Buses and Trains
Even these measures, which fleet managers can take with little to moderate effort, can contribute significantly to the security of vehicle networks:
Determine security concept during planning: Check which, risks exist and how to deal with them; select suitable services for this.
Restrict access: Install devices in such a way that only installers or specialists have access to them.
Change default passwords for all devices and services and use strong passwords.
Cryptographic security: Make data from the network unreadable to outsiders.
VLAN segmentation: virtual networks (VLANs) separate particularly sensitive data from the rest of the data.
Monitoring: Network monitoring can be used to identify anomalies in the network in good time. These could be unusual connection attempts or too frequent querying of IP addresses.
Security in IP Networks with ROQSTAR Ethernet Switches
Ethernet switches also play a role in the cyber security of the IP network. Users of our ROQSTAR Ethernet switches should pay attention to the following to enhance the security of the switches or the network:
Installation location: Like other equipment, switches should be installed securely and covertly.
Ports: Disable ports that are not in use so that no direct connection to the switch can be made through idle ports.
Disable services that are not needed: Simple Network Monitoring Protocol (SNMP) in particular.
Change default passwords and use strong passwords: Learn how to change the login credentials of a ROQSTAR Ethernet switch in this video tutorial.
VLAN segmentation: Learn in this video tutorial how to set up virtual networks or VLAN on a ROQSTAR Ethernet Switch.
Monitoring: Here we have used the example of passenger counting systems to explain
which diagnostic options are generally available within an IP network.