Speaker: Charles Harry (Associate Research Professor, School of Public Policy, UMD)
Abstract: Policy makers are concerned about the growing disruptive potential of cyber attacks on interconnected systems and infrastructures. For example, the explosive growth in connected vehicle infrastructures and proliferation of IoT-enabled traffic systems opens the potential for novel societal impacts stemming from cyber-attacks on transportation systems. Researchers and threat actors have demonstrated that they can gain control of safety-critical vehicle functions, compromise poorly authenticated third-party apps, as well as modify Supervisory Control and Data Acquisition (SCADA) systems that manage physical infrastructures. While localized impacts on individual systems are a persistent technical challenge, policymakers remain more generally concerned about large-scale and cascading consequences across entire road systems raising the question of where should policy makers invest to reduce the most significant consequences of a cyber attack on road infrastructure? In this paper, we develop a network based approach in conjunction with historical trip information to quantify the impacts of cyber attacks on the performance of road networks in Washington D.C. We find that a highly targeted attack on only ten SCADA controlled signaling devices at specific locations disrupts a third of the most efficient paths in Washington D.C., while disrupting 100 signaling devices would disrupt a third of all accessible routes. Surprisingly however, location agnostic targeting strategies on vehicles or disinformation targeting drivers on specific routes generate similar effects as highly targeted attacks on SCADA systems, albeit requiring more disrupted nodes in the network. These results imply that layered deterrence strategies seeking to promote national resilience need to develop defensive models that not only strengthen SCADA control system networks, but improve compulsory adherence to security frameworks by private companies whose products could generate similar consequences. Drawn together, our results open up the possibility of layered deterrence strategies that minimize the disruptive consequences of cyber attacks, thereby reducing benefits to attackers on road transportation networks.