Mitigation of Cybersecurity Vulnerabilities for Traffic Control Infrastructure
"... several vulnerabilities discovered could allow for an attacker to remotely gain complete control over the controller, including changing signal timings or modifying the firmware and can render the traffic controllers used by FDOT inoperable or can damage the network or other devices connected to the traffic controllers."
Principal Investigators:
Dr. Achilleas Kourtellis (PI)
Dr. Pei-Sung Lin (Co-PI)
Dr. Jay Ligatti (Co-PI)
Research Assistants: Kevin Dennis, Gabriel Laverghetta
FDOT Project Number: BED25 977-17
This project extends the work of the previous FDOT project, Identify Sources and Risks on Cyber Security for Connected Vehicle Infrastructures. Since, to my knowledge, that work is still confidential, this page will also be short on details. If the final document is published, I will update the page to include it.
The primary objectives and deliverables for this project were to:
1. develop specifications for traffic controllers to mitigate the vulnerabilities found in BDV25-977-70 and recommend minimum requirements of cybersecurity for traffic signal controllers,
2. develop a testing procedure and guidelines for specification testing,
3. provide support in cybersecurity testing of traffic controllers and establish the procedure for testing,
4. support Florida Department of Transportation (FDOT) in responsible disclosure with traffic controller manufacturers so that the vulnerabilities can be disclosed and a realistic timeline for mitigation can be implemented, and
5. assess other devices used in traffic management (e.g., traffic controllers, MMUs/CMU, and traffic cameras).
At the time of writing (July 2024), tasks 1-3 have been completed. As I am graduating in July, I may not be heavily involved in completing the remaining tasks.
Testing Procedure
The testing procedure was developed based on existing testing procedures conducted by the Traffic Engineering Research Laboratory (TERL) in Tallahassee. More information on the TERL Product Approval Process can be found at https://www.fdot.gov/traffic/traf-sys/traf-sys.shtm.
The testing guide is generalized to apply to all traffic controllers; that is, the tests do not depend on manufacturer or make. Without going into detail, the test examines:
Documentation Review
Network/Service Scan
Vulnerability Scan
Denial of Service Testing
Authentication Checks
Encryption Checks
After developing the testing protocol, we traveled to Tallahassee and presented it to the TERL staff. This included a presentation, guided walkthrough, and installing all of the required software on a TERL device.
Day 1: Gabriel and I demonstrating the testing document to the TERL staff.
Day 2: Guiding TERL staff through the testing process.