The Next Generation of Transportation: Cybersecurity

Written by Regina Hopper, SVP Global Public Policy, GRIDSMART

As the new person to the awesome GRIDSMART team, I want to say hello and how thrilled I am to be working with all of you to represent technologies, products and business models that will advance safe, equitable, sustainable, efficient and productive transportation systems and networks of the future.  My job is to work with all of you to both identify and execute on public policy issues and advocacy initiatives that will help accomplish those goals.

In this blog post, and those in the future, we will highlight transportation issues that are interfacing with the public policy world, at the local, state and/or national levels and in both the legislative and regulatory venues.

We begin in this first post with the issue of cybersecurity.

As connectivity to the internet of things (“IoT”) becomes more pervasive in the intelligent transportation (“ITS”) space and as the importance of the use of data to meet the goals of ITS grows, there isn’t a lawmaker or regulator, mayor or governor, local or state DOT director, CIO or CTO, or those working in private industry who doesn’t ask about the impact of potential cyber threats.  Advancing these technologies comes the obligation to take seriously the need to identify all of the associated issues to create a safe and secure network and work toward the steps, standards and other structures that protect every citizen who interfaces with the systems.  Other industries – energy, health care and defense –  are already hard at work on the same kind of questions having already felt the effects of attempted and successful cyber intrusions.

GRIDSMART has joined with ATI21, ITSAmerica and other organizations to participate in the many conversations and debates taking place in this space.  ITSAmerica has partnered with the Cyber Future Foundation to produce an industry planning paper to advance policy initiatives through working groups based around technology challenges, legal & liability issues, policy, regulation, legislation, and incentives.

These discussions have already led to the identification of several issue verticals:

  • The need to widen “transportation connectivity” related issues to all surface and air transportation modes
  • Making sure that “traditional” ITS infrastructure is covered while new technologies are deployed
  • Making sure that ancillary systems such as contractor equipment and supply chains are covered.
  • Avoiding a patchwork of standards or a patchwork of regulatory and/or legislative structures
  • Understanding the challenges around compliance, attribution, authentication, identifying vulnerabilities, meters, payments, common risk assessment protocols, response/emergency response planning, training, insurance and liability, counterfeit equipment, aftermarket and connectivity equipment, access to both existing and new equipment, risks associated with the public internet, latency
  • Software related issues including ransomwares, patches and upgrades and open source supply chains
  • Storage of data, the cloud and private networks
  • The need to develop a good working relationship with associated industries, in particular the network carriers
  • Understanding the human factors.
  • Realizing the importance of the industry’s commitment to public education
  • Connecting all of the issues throughout V2V, V2X and autonomous systems chain

While these discussions continue to take place, other organizations are at work and some like NTHSA, the Auto Alliance, CTIA’s working group and the National Governors Association, among others, have issued preliminary reports on the cyber threat issue.

In the meantime, before the August recess, both the House and Senate were busy on cyber as it pertains to autos. The House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection and the Senate Committee on Commerce Science and Transportation bills create a framework for the development, testing, and deployment of self-driving vehicles. The “SELF DRIVE Act” (H.R.3388) is to “memorialize the federal role in ensuring the safety of highly automated vehicles as it relates to design, construction, and performance, by encouraging the testing and deployment of such vehicles… with SEC. 5. CYBERSECURITY OF AUTOMATED DRIVING SYSTEMS which requires a manufacturer to have cybersecurity plan. Within 180 days, a manufacturer may not sell, offer for sale, introduce or deliver for introduction into commerce, or import into the U.S., an HAV or vehicle that performs partial driving automation, or automated driving system unless such a manufacturer has developed a cybersecurity plan. The plan would include practices for detecting and responding to cyber-attacks, unauthorized intrusions, and false and spurious messages or vehicle control commands.” according to Ron Thaniel, VP of Legislative Affairs at ITSAmerica.

The Senate AV bill is on hold under after the August recess.

If you are interested in other federal House and Senate cyber legislative efforts you can visit  https://www.congress.gov/ and put “Cybersecurity” in the search field.  You will find among others:

H.R.3411 – To establish in the National Highway Traffic Safety Administration an Automated Driving System Cybersecurity Advisory Council to make recommendations regarding cybersecurity for the testing, deployment, and updating of automated driving systems.

On the state level you can check out the National Conference of State Legislators site for state by state information.  According to the NCSL, while not all related to transportation, there were:

“2017 Introductions: At least 41 states have introduced more than 240 bills or resolutions related to cybersecurity. Some of the key areas of legislative activity include:

  • Improving government security practices: 42 bills in 20 states, Puerto Rico.
  • Commissions, task forces and studies: 29 bills in 16 states, Puerto Rico.
  • Funding for cybersecurity programs and initiatives: 27 bills in 14 states.
  • Targeting computer crimes: 20 bills in 11 states.
  • Restricting public disclosure of sensitive security information: 19 bills in 11 states.
  • Promoting workforce, training, economic development: 13 bills in 10 states.

2017 Enactments: At least 16 states have enacted legislation…”

All of this, of course, is just the tip of the cybersecurity public policy iceberg. If you have additional information to share on this topic, please do.  These issues will also be addressed at INTERSECT17, “It’s Time We Had the Talk” November 13-16. You can take a look at the topics, educational sessions and networking opportunities as well as registration here. You can also follow the action on Instragram @intersectgi.

Thanks so much for taking time to read the first POLICYSMART blog! If you are interested in certain topics for the future, please let us know. Also, please feel free to reach out to me at regina.hopper@gridsmart.com. You can also follow me on Instagram @regina_hopper and on Twitter @reginahopper.

Until the next blog, remember GRIDSMART – Simple, Flexible, Transparent.