Beware of the Security of Things in School Transportation Technology

Presidio provides technologies and security for the Huntsville Intermediate School District in Texas, which covers 645 square miles of routes. With some students riding as long as 90 minutes, the district entered a partnership with Presidio to install bus Wi-Fi, dashboard apps to track ridership, and real- time vehicle diagnostics and camera views.

Today’s school buses are part of the Internet of Things (IoT), a network of devices that are embedded with electronics, sensors, cameras, and connectivity to generate data for operational productivity and real-time visibility.

While technology advancements offer school districts and bus operators a wealth of functionality, they also create opportunities for ill-intended hackers to wreak havoc through unsecured systems.

The K-12 Cyber Incident Map is a visualization of public school districts that have been victims of cybersecurity-related attacked, including phishing, ransomware, denial-of-service and unauthorized disclosures of information.

Information is stored in many places, including the vehicle, apps, data centers and vendor systems. Even smartphones and tablets, which aftermarket solutions leverage to capture and transmit data, can be potential targets for hacking. Such issues will continue to be an ongoing battle that requires increased technical, legislative and school administrator attention.

In this month’s School Transportation News survey on bus connectivity, about 60 percent of respondents saw at least one use of data, such as messaging, GPS routing, accident reporting, vehicle health monitoring, plus student and bus tracking.

“Fleet managers, dispatchers and transportation director’s roles regarding school bus security are expanding beyond the physical security of the bus, driver, and students,” said Toby McGraw, senior VP at Zonar. “These individuals are increasingly responsible for ensuring that data of the bus and those riding it are secure.”

Bus manufacturers and aftermarket solutions providers are paying close attention to vehicles that use J1939 Controller Area Network (CAN), which enables communication and diagnostics data among vehicle components. Since it was designed in the 1980s, CAN buses do not have an inherent authentication layer, which means many updates and additional layers of security are needed.

Since the beginning of 2016, more than 350 U.S. K-12 public school districts have reported cybersecurity-related incidents that breached personal information or caused operational losses. EdTech Strategies visualizes the incidents with pinpoints on its interactive K-12 Cyber Incident Map of the U.S. It does provide incident descriptions that range from ransomware attacks to phishing that led to data breaches.

“I can foresee hackers’ focus shifting to vehicle data,” said G.P. Singh, CEO and founder of school bus data analytic firm ByteCurve, LLC. in Chicago. “Hackers can only obtain data for one vehicle at a time, hence making it more laborious and less rewarding for them. But it’s only a matter of time when they will overcome this challenge and figure out how to access multiple vehicles” at once, he believes.

If districts and operators haven’t already developed uniform guidelines and standards to address cyber incidents, federal and state regulation will soon force them to do so. The evolution of autonomous vehicles and connected fleets is prompting governments to develop laws for new forms of transportation.

Congress is working with the American Vision for Safer Transportation through the Advancement of Revolutionary Technologies (AV START) Act, which establishes regulations for the development of highly automated vehicle (HAV) technologies. The legislation also addresses cybersecurity, data access and privacy concerns.

In order to protect students, employees and tax-payer-funded equipment, transporters should install appropriate upgrades, undergo rigorous testing, and erect barriers within their systems.

“Security involves looking for weaknesses in the entire architecture and multiple layers of technologies,” said Vinu Thomas, chief technology officer at Presidio, which builds IoT capabilities and secures them for manufacturers, law enforcers, first responders and school transportation providers. “Hacking a bus can be prevented with secure system access, user verification, data encryption, manual overrides and constant monitoring.”

When purchasing new technologies, school transportation administrators should turn to technology vendors who not only have vetted their solutions for security, but also make themselves available for protecting data after the buying decision.

Disruptive technologies also are prompting the need for formal training and education on managing digital-driven industries, especially transportation.

“Before technology decisions are made, administrators need to decide if they are transporting a classroom and if they will be securing data as much as students. Make decisions now for 10 years down the line,” said Gregg Garrett, an educator at Oakland University in Michigan, and author of the book, “Competing in the Connecting World: The Future of Your Industry is Already Here.”

The book provides readers with a workable framework to better understand and prepare for technology disruption, organizational transformation, and leadership that will be needed within the digital era.

“Despite the impending disruption from all of this technology, there are defined strategies that greatly enhance an existing organization’s chance of survival,” said Garrett.