When the managers of federal vehicle fleets were charged with implementing telematics systems for all their vehicles, the Department of Homeland Security Science and Technology Directorate (S&T) and the Department of Transportation’s (DoT) Volpe National Transportation Systems Center (Volpe Center) teamed to create a cybersecurity implementation.
The new requirement was part of Executive Order (EO) 13693, also known as “Planning for Federal Sustainability in the Next Decade” and issued in March 2015.
The EO called for government vehicle fleet managers to “collect and utilize as a fleet efficiency tool…agency fleet operational data (i.e., fuel consumption, emissions, maintenance, utilization, idling, speed and location data) through deployment of vehicle telematics as a vehicle asset level for all new passenger and light duty vehicle acquisitions and for medium duty vehicles where appropriate.”
Vehicle telematics refers to embedded systems on a vehicle that tracks the vehicle and combines wireless and Internet communications to send, receive and store vehicle information. As the use of vehicle telematics technologies rapidly grow, so do the cybersecurity security vulnerabilities and the need to safeguard the vehicle telematics data from cyberattack.
As part of an interagency joint project, DHS S&T’s cybersecurity team contracted the DoT’s Volpe Center to develop a vehicle telematics cybersecurity primer for fleet managers, who as a group had little practical experience with cybersecurity.
“DHS has one of the largest civilian vehicle fleets, with primarily law enforcement vehicles, and this project has provided a great opportunity to help improve our cybersecurity posture and safety of our officers and agents in the field,” said Cyber Physical Systems Security Program Manager Chase Garwood. “We are working closely to support DHS Fleet and with our counterparts in other federal, defense and state, local, tribal and territorial fleet and cybersecurity organizations and value our ongoing relationships.”
At the project’s outset, cybersecurity experts from the Volpe Center and the Software Engineering Institute’s CERT Division from Carnegie Mellon University in Pittsburgh conducted cybersecurity testing of vehicle telematics devices that are connected to an external network and could be subject to cyberattacks.
Based on the test findings, the Volpe Center developed the “Telematics Cybersecurity Primer for Agencies,” which provides fleet managers at the Customs and Borders Protection, Federal Bureau of Investigation, military, federal and state law enforcement agencies, and other federal agencies essential guidelines they need to safeguard vehicle telematics from cyberattack.
Specifically, the primer’s purpose is to guide fleet managers and the General Services Administration (GSA) in securing telematics systems by implementing applicable security controls as outlined in the National Institute of Standards and Technology Special Publication 800-53, titled “Security and Privacy Controls for Federal Information Systems and Organizations.” These security controls are included in the primer, which also provides cybersecurity procurement language that GSA and fleet managers can adopt for future agency telematics acquisitions.
“The main user of the primer to date has been GSA Fleet, which has leveraged the telematics cybersecurity procurement language and is using it in a Request for Quote for telematics within GSA Fleet’s leased vehicles,” said Kevin Harnett, the Volpe Center Project Manager who led the development of the primer.
Among the topics covered in the primer are fleet management office responsibility for Federal Information Security Management Act requirements and security controls such as access control, penetration testing, security assessment and authorization, system and information integrity as well as telematics security considerations. The primer, which is not available publicly because of security sensitivity, addresses the core concerns for an agency in the protection of their vehicle fleets.
The telematics cybersecurity primer stresses that implementing this protection involves the following steps:
• Protecting communications to and from devices via the use of encryption, authentication, etc.
• Protecting device firmware and the firmware update process using digital signatures and encryption
• Protecting actions on devices by implementing the principle of “Least Privilege” and enabling of minimal services, etc.
• Protecting the Integrity of devices through a manufacturer vulnerability disclosure and response program