Hackers in ‘white hats’ join effort to thwart the bad guys

Commuters in the Israeli port city of Haifa fumed during a particularly tedious traffic jam two years ago, never guessing that the logjam was caused not by an accident or some other relatively customary event — but reportedly by cyber attack.

It shut the city’s Carmel tunnel for eight hours, with the Associated Press later reporting a cyber attack, although the authorities never confirmed this. A hacker used a “Trojan horse” — a malicious computer programme — to shut down the security cameras monitoring the tunnel, the report said.

As transport networks — from cars to planes to trains — connect to the internet in hundreds of ways, hackers have found ways to disrupt the arteries of major cities. A single flaw in one device connected to a complex network can have major consequences in the transport industry. With vehicles having the ability to communicate remotely and supply chains being so extensive, it can be hard to monitor the security of every component.

Tim Best, cyber security director at Ernst & Young, says it is this “network of networks”, often made up of old and creaky systems, that makes transport so open to attack.

Automakers often rely on external software providers or third party hosting organisations, which they cannot easily monitor. The option of WiFi on planes, meanwhile, has created problems when the passenger internet is linked to the systems controlling flying.

Computer security experts — so called “white hat” hackers — who look for digital system weaknesses, have made considerable impact in the transport field this year. Vulnerabilities in the Jeep Cherokee reported in June at a Las Vegas hackers conference led Fiat Chrysler to recall 1.4m vehicles. One security researcher was questioned by the FBI in April after taking a United Airlines flight, during which he claimed in a tweet that he had hacked into its computer system. United has since introduced a programme of awarding air miles to hackers who inform it of vulnerabilities.

Cesar Cerrudo, chief technology officer at IOActive, a security research company which discovered ways to hack satellite communications equipments on planes, says companies tend to drag their feet on security until they are in “water to the neck”.

Mr Cerrudo adds: “One problem with a car system is that it is already designed with this weak architecture and design is very difficult to change. If you change the design, you change all the components, how everything interacts and works.”

Automakers need to build security in from the beginning, rather than adding it on top, but that will probably take time, Mr Cerrudo says. “The technology we are using today was built three years ago, so if they start investing hard in security now, we will probably see the results in a couple of years.”

Philip Lacombe, vice-president for information systems and security at Parsons, an infrastructure company, said there had been a “dramatic change” in every part of the industry. From metropolitan transport agencies to airline operators and carmakers, it is paying more attention to cyber security.

As boardrooms get worried about fulfilling their responsibilities, they are putting more contracts for cyber security services out to tender and hiring more specialists in the field, Mr Lacombe says.

Mr Lacombe believes co-operation between the public and private sectors is essential. There are already concerns that cars could be used to spread viruses into systems managed by government, for example, when cars are checked by emissions control systems. Soon, publicly owned traffic lights will “converse”, as it were, with private cars.

In the private sector, groups such as Intel’s automotive security review board are conducting testing and creating best practices for the industry. A recent white paper warned about risks ranging from “ransomware” — malicious software that holds cars to ransom — to petrol stations being used to infect vehicles with computer viruses.

Regulators are paying attention to the problem. In Germany, for example, the country’s IT security act applies primarily to critical infrastructure, including that for transport.

It outlines “state of the art technical and organisational measures” to improve infrastructure and to encourage companies to report security incidents anonymously.