GoTech's Charles Harry and Skanda Vivek analyze how cyberattacks on road networks can cause massive disruptions.
In May 2021, ransomware attackers gained access to a Colonial Pipeline VPN and put the company’s operational technology network at risk of remote takeover in one of the biggest cyberattacks on U.S. energy infrastructure to date. When the company took its pipeline system offline in order to limit exposure of its operational network, millions of Americans on the East Coast faced lines at the gas pump. Gas stations shuttered and people began hoarding dwindling supplies. After days of negotiations with the attackers, Colonial eventually agreed to pay them $4.4 million in bitcoin–most of which was eventually recovered–in order to regain control of its computer systems.
In the wake of the event, there has been a renewed focus on infrastructure security and the myriad ways hackers can affect our lives. Events like the Colonial Pipeline cyberattack can cause minor inconveniences to everyday Americans at their best and societal breakdown at their worst. With physical objects, devices, and operational systems being increasingly connected to the internet, there are countless opportunities for ransomware attackers to act. One often overlooked area of concern is road infrastructure. In a recent paper, Skanda Vivek, assistant research scholar at the Center for Governance of Technology and Systems (GoTech) in the School of Public Policy, and Charles Harry, director of GoTech and associate research professor with a joint appointment at SPP and the College of Information Studies at the University of Maryland, look at how attackers can exploit the vulnerabilities of internet-connected vehicles and traffic systems.
On the necessity of this type of research, Harry says, “Understanding what attack vectors generate strategic consequence remain vital in our ability to allocate scarce resources to build resiliency. These types of studies are fundamental in our understanding of national risk.”
By tampering with intelligent traffic lights and taking control of the brake, engine, and steering of intelligent vehicles, attackers can fragment road networks, disrupting movement of cargo and passengers. This can have serious safety implications–emergency vehicles can get stuck at an impasse, critical supplies can get deadlocked. Attackers can also send out fake alert messages telling people to avoid prominent city routes, thereby creating massive traffic jams.
Vivek and Harry used Washington, DC, as a case study to look at how these various attacks could play out. First, they gathered information about the driving routes taken by millions of commuters by using census data and data from cell phones. Next, they mapped this information onto road networks within and around Washington, DC, and considered what type of attacks could affect routes typically traveled.
The researchers analyzed three types of attacks–tampering with traffic lights, taking control of vehicles, and sending out fake alerts. They concluded that in order for half of all routes to become inaccessible, one of the following scenarios needs to occur—14% of road intersections need to be jammed by disabled vehicles, fake alerts need to direct people away from 9% of heavily used routes, and 2% of traffic lights need to be disabled. Not all attacks need to be of this magnitude to cause issues. By targeting a much smaller percentage of vehicles and intersections, attackers can cause traffic to be redirected to less optimal routes, turning an hour-long rush hour commute into several hours.
According to the researchers, the work of making road infrastructure more resilient doesn’t just fall in the hands of local governments. Products made by private companies generate large effects on society. While protecting signaling systems remains important, their findings demonstrate that other targeting strategies that attack vehicles, software platforms, and third party apps also have the potential to generate significant consequences.
“The results of this analysis highlight the importance of private sector decisions on national risk,” says Harry. “While product development is a private sector activity, the abuse of poorly defended systems can lead to societal consequences requiring a deeper understanding by government of the complexities these technologies impart to reduce those impacts.”