Responding to cyber-attacks in transportation: adapting risk assessment methods for a new age

BY Natchaphon Leungbootnak & Kevin Heaslip

One of the most discussed infrastructure issues of our time is cybersecurity. A transportation system that connects not only people but also logistics to make the community around the world closer is one of the critical infrastructures requiring cybersecurity to perform its functions.  Cutting-edge technologies related to transportation, such as Variable Message Signs (VMS), Vehicular Ad Hoc Networks (VANETs), and Connected Autonomous Vehicles (CAVs), have been developed to improve safety and efficiency. Those technologies make transportation systems more complex and integrated, bringing many potential vulnerabilities and cyber risks. This can attract an adversary to attack and exploit the system. Although cybersecurity attacks on transportation systems have been growing for many years, protecting from all cybersecurity attacks is not feasible. The risk assessment concept is proposed to prioritize risk resulting from attacks to make appropriate decisions, allocate limited resources, and increase the investment in policies or countermeasures.

Several risk assessment methods, including National Institute of Standards and Technology Special Publication 800-30 (NIST SP 800-30), Attack Potential (AP) and Damage Potential (DP), and Fuzzy Analytic Hierarchy Process (FAHP), are adopted in the transportation area. We find that each method has different benefits and drawbacks. There is no best method appropriate for every incident. Choosing the best-fit framework for each incident depends on several factors, including the level of detail in the assessments, the type of targeted applications, an important level of impact aspects, availability of information, and method simplicity. Furthermore, we can perform two or more methods independently together, which can help a decision-maker get more useful information and different perspectives.

The process of conducting a risk assessment method is not without its challenges. These challenges include ensuring the reproducibility and repeatability of the assessment, the quality of the assessors, the scarcity of data, the emergence of new technologies or attack methods over time, and the possibility of unexpected threats. In the following, we propose solutions to address these challenges:

  • Provide more explicit and detailed information for risk assessment components and rigorous analysis approaches that can enhance the reproducibility and repeatability of the framework and alleviate problems resulting from assessors.

  • Establish certification for each targeted device to ensure an assessor has enough background to conduct the analysis.

  • Raise awareness among researchers and organizations to encourage them to investigate and develop research in this area.

  • Refresh and update risk assessment criteria and methods to support new and threat-changing technology over time.

  • Consider transportation infrastructure resilience to cope with unknown or unexpected attacks that the current risk assessment method cannot specify.

Article details

Review of Risk Assessment Methods for Cybersecurity Attacks on Road Network and Intelligent Transportation System Applications
Natchaphon Leungbootnak and Kevin Heaslip
DOI: 10.1177/03611981241264276
First Published: August 12, 2024
Transportation Research Record: Journal of the Transportation Research Board

About the Authors

Featured
Natchaphon Leungbootnak

Natchaphon Leungbootnak is pursuing his PhD in Transportation Engineering at Texas A&M University. His area of interest encompasses Transportation Economics, Toll and Revenue, Transportation Planning, Travel Behavior, Traffic Engineering, Cyber Resilience, Congestion Management, and Parking. His research aims to enhance the efficiency and sustainability of transportation systems by employing data-driven approaches, behavior studies, and policy analysis. His work contributes to developing innovative solutions to improve transportation infrastructure and address contemporary challenges in urban mobility.

Email: natchaphonl@tamu.edu

LinkedIn: https://www.linkedin.com/in/natchaphon-leungbootnak/

Kevin Heaslip, Ph.D., PE

Dr. Kevin Heaslip is a Professor of Civil and Environmental Engineering and Director of the Center for Transportation Research at the University of Tennessee, Knoxville. Also, he is the director of the United States Department of Transportation-funded Center for Freight Transportation for Efficient and Resilient Supply Chain, housed at UT Knoxville. He has been awarded over $40 million in research grants and contracts from federal governments, state governments, and industry as an expert in transportation engineering, transportation technology, and critical infrastructure cybersecurity. He has over 180 peer-reviewed journal articles, conference proceedings, and technical reports and has conducted research for federal, state, and local government agencies.

He also leads the Future Mobility Initiative for the Office of Research, Innovation, and Economic Development at UT Knoxville. He serves as Principal Investigator and Chief Operating Officer of Tennessee Technology Enabled Advanced Mobility (TEAM TN). TEAM TN is a partnership with the National Science Foundation, an alliance of academics, industry, and government. Dr. Heaslip also co-leads the Energy Storage and Transportation Convergent Research Initiative of the University of Tennessee Oak Ridge Innovation Institute.  Dr. Heaslip received a B.S. and M.S. in Civil Engineering from Virginia Tech and a Ph.D. in Civil Engineering from the University of Massachusetts Amherst.

Email: kheaslip@utk.edu

LinkedIn: https://www.linkedin.com/in/kevin-heaslip/

Website: https://ctr.utk.edu

ResearchGeorgina Savagetransportation, cybersecurity, risk management