Security for smart traffic: what risks are real?

large interchange city colour (2)

In part one of this two part post, Miovision’s Dave Bullock, Managing Director, ITS Line of Business, outlines the perceived and real security risks in a networked traffic control system.

The old way of managing cities and traffic control is going away. The days of engineers making their way down to traffic cabinets to tweak timing schedules are numbered. The new way is to sit back at mission control. Monitor the situation. Then issue commands. Very Star Trek.

But operating this way—leveraging connected devices via the Internet of Things (IoT)—comes with its own Prime Directive: security needs to be considered and made to be much more than an afterthought.  The movement to the cloud of the applications storing and analyzing this traffic data reinforces that security should be top of mind for anyone deploying a connected device as part of a public works infrastructure project.

While cloud-based connected devices are standard today, understanding network security is critical. The first step is to figure out what risks are real.

The Most Common Security Questions We Get Asked

Miovision fields a ton of questions from customers about security. Below you’ll find the three most common questions we get, and how we respond with security as a top-of-mind consideration.

Does remote access to my traffic system pose a risk?  Securely retrieving data remotely from cloud-based servers is commonplace today.  The CIA and Department of Homeland Security utilize the same cloud hosting services as Miovision.  The threat isn’t in remote access or the cloud itself, it’s in the policies and configuration of those services.  Working with a partner like Miovision who has the tools to control the who/what/when/where of data access, is the key to making remote access work for you, instead of against you.

Is wireless transmission of data susceptible to hackers?  When properly secured, wireless is no more risky than fiber, yet provides much faster response and resiliency to a number of common scenarios.  Network-wide outages from natural disasters, such as hurricanes, are as real of a danger as any hacker.  With wireless, systems can be brought back online remotely and often in hours or days through technologies like cell-on-truck.  With hardwired fiber solutions, resolution can take weeks or months to solve cut connections.  

Does cloud computing mean that I have less control over my data? While city data is stored on cloud-based servers, it’s readily available and safe. Miovision partners with Amazon Web Services (AWS) and has systems in place to ensure data is not only secure, but protected by a full disaster recovery backup strategy.  Managing a secure cloud data platform means constant security patches and audits to ensure the system is fully secure.  It’s safe to say security monitoring from cloud specialists is superior to a few resource-strapped personnel on a city’s IT team.

The Real Risks

The questions above are more perceived risks, in our experience. Addressing these risks are best handled by working with best-in-class technology and partnering with security-minded partners who can help manage the complex world of data security.

But there are real risks. By spending years in the traffic control business, we’re familiar with these concerns. The important thing is knowing what they are, and being smart about how to control them.

Device security: Most traffic control equipment wasn’t built with data security in mind.  The vast majority of traffic cabinet devices utilize communication protocols with no built-in security, and without explictly secured connections, putting your entire network at risk.  The security risk is not simply one of a hacker hijacking control of the hardware, but an unprotected device can be ‘locked out’ and rendered inoperable.

Poor data encryption: Devices often receive commands with weak or no encryption from vendors that haven’t invested in key management. It’s a deployment compromise arrived at to keep the system up and running. But the result is that data is left readable and vulnerable to unauthorized users.

Unauthenticated system access: Many city networks use default authentication settings, which leads to unauthorized access to the system. The result is poor systems auditing, and generally poor tracking of users and their activities.

Outdated security patches on servers and software: Firmware updates to devices in the field are done infrequently, if ever, because they can’t be done remotely. The problem with that is new security patch deployments rarely make it to devices in the field once deployed.

The four risks above can be tightly controlled.  Stay tuned for part two where we outline the six security pillars built into TraffcLink that make these issues non issues.

Dave Bullock is a serial entrepreneur who has built successful companies in the mobile, gaming, and telecommunications industries.  He joined Miovision in 2015 and spearheads Miovision’s Intelligent Transportation efforts.