360 Degree Cyber Security, LLC

Lost control of traffic control systems

March 24, 2018 – In this day and age, we mostly understand the requirement to protect information, whether it is personal or business related.  Positions related to information security can be found around the country, typically in organizations larger than a small enterprise.  This includes government organizations at all levels: federal, state, county, and municipal.

These organizations not only have the responsibility of protecting the personally identifiable information of their citizens, but may also have additional standards or requirements they need to follow, such as:

  • PCI/DSS
  • HIPAA/HITECH
  • FERPA

If the organization is seeking only to meet those requirements, then it may be missing additional areas that need to be protected.  The Information Security Officer needs to transition to being a Security Officer responsible for securing all things digital, especially if they are critical for normal daily life.

Elements of critical infrastructure, such as the water supply and wastewater, have been in the news.  Other services that some municipalities are responsible for providing, and should be concerned with protecting, include the transmission of electricity, cable TV, and Internet service.

As government agencies increasingly depend on devices that can be managed remotely or that gather information remotely, more of those devices are being placed on the Internet.  One such device is the traffic controller.  These devices are found at individual intersections and can be linked together to improve traffic flow.

Traffic control systems are a form of an industrial control system.  They don’t operate at the speeds found in manufacturing systems, but they do operate in a similar manner.  They take inputs from road and optical sensors, adjust as programmed, and trigger events such as changing the lights from red to green.

So, what would happen if those control systems are left open to the world?  Well, it could lead to scenes found in such movies as Live Free, Die Hard, or The Italian Job.  Recent research into traffic control systems led to the discovery of over 250 traffic control systems on the Internet in the United States and Canada.  Of those discovered, I was able to locate 25 in Canada and 24 in the United States that were open where the username and password were disabled.

Devices were found that controlled major intersections on a main thoroughfare where a highway intersected the road in two large cities.  Eleven out of 15 traffic control systems were found on a single major road through a city in California.  Several were discovered that belonged to a city in Texas.

What was concerning about the city in Texas was that the city would not have known if that handful of devices had not been open to the Internet.  Based on the IP address, there are assumptions that can be made about other IP addresses in the same address range that are protected by a login prompt.  This may represent all the traffic control systems in the city.

The traffic controls discovered are modular in nature.  Seeing that most of the Texas devices are protected with a username and password, it would seem that those open to the Internet are probably that way because of maintenance in which a module was replaced.

These findings were reported to the U.S. municipalities where these traffic control systems are located, to allow them the opportunity to secure the systems.  Hence the lack of specific details in this article.

Protecting traffic control systems from outside access is just as important as protecting all the information that the government organizations are responsible for protecting due to standards and regulation.  Traffic control systems are just as critical as water, sewage, and electricity and should be protected just the same.

Suggestions for organizations that manage traffic control systems:

  • Periodically scan Internet addresses of traffic control systems known to belong to the government organization to identify which ones are open.
  • Add traffic control systems to a security inventory.  In addition to the standard information (model, serial number, etc.), annotate the IP address and port of any web portal the system has enabled.
  • Add traffic control systems to a change control process.
  • After any maintenance, remotely connect to the device as a test to ensure that a login is required and that it does not accept the default login credentials.
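
The inventory and post-maintenance checks above can be combined into one small audit script. This is an added example, not the author's tooling: the CSV columns, the plain-HTTP portal, and the response heuristics in `classify` are assumptions to adjust for the controller model in use, and the addresses are constructed documentation-range values.

```python
"""Post-maintenance check: does each inventoried controller portal demand a login?"""
import csv
import http.client
import io

# Constructed sample inventory (documentation-range addresses, not real devices).
SAMPLE_INVENTORY = """asset_id,model,ip,port
TC-0001,example-model,192.0.2.10,80
TC-0002,example-model,192.0.2.11,8080
"""

def classify(status, headers, body):
    """Classify one HTTP response. Heuristics are assumptions; tune per vendor."""
    location = headers.get("location", "").lower()
    if status in (401, 403):
        return "login-required"
    if 300 <= status < 400 and "login" in location:
        return "login-required"
    if status == 200 and 'type="password"' in body.lower():
        return "login-required"
    if status == 200:
        return "OPEN"      # content served with no credential challenge
    return "review"        # anything else needs a human look

def check_portal(ip, port, timeout=3.0):
    """Request the portal root without credentials and classify the answer."""
    conn = http.client.HTTPConnection(ip, int(port), timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        body = resp.read(65536).decode("latin-1")
        return classify(resp.status, headers, body)
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()

def audit(inventory_csv, checker=check_portal):
    """Return (asset_id, ip, port, result) for every row in the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["asset_id"], r["ip"], r["port"], checker(r["ip"], r["port"]))
            for r in rows]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding)
```

Run it on a schedule and again as the closing step of every change ticket; any row reported as `OPEN` is a portal answering without a credential challenge and should go back to maintenance before the ticket is closed.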

After all, who likes sitting in traffic now?  Imagine what would happen if someone wanted to make it worse by remotely controlling the traffic control system from elsewhere in the world.

About the Author

Chris Wolski is the founder and principal consultant of the small business and municipality focused cyber security firm 360 Degree Cyber Security, LLC. He is currently certified by International Information System Security Certification Consortium as a Certified Information Systems Security Professional and by the SANS Institute as a Global Industrial Cyber Security Professional. Active in the information security community, Chris volunteers his time at BSides Delaware and to various individuals seeking to be mentored in cybersecurity. He is frequently researching industrial devices to discover weaknesses that would present a problem for users of those devices. Chris obtained his start in cyber security in the U.S. Navy where he served in various information security and signals intelligence roles over his 20 year career. He left government service after serving in a position to develop cyber threat intelligence against industrial controls and later on the Joint Chiefs of Staff as a cyber incident handler. Chris has a Bachelor of Science Degree in Cybersecurity from University of Maryland University College and is currently pursuing a Master in Business Administration, also at the University of Maryland University College.
