Student hackers take control, learn how to protect transportation infrastructure

Almost every vehicle on the road today contains a small computer called an ECU or Engine Control Unit. This device regulates the engine using inputs from various sensors, the driver, and increasingly, hackers. Remote hackers can initiate vehicle braking, acceleration, and other potentially hazardous operations. They can even destroy an engine.

Jake Jepson, a master’s student in the Colorado State University Department of Systems Engineering, knows how vulnerable vehicles can be because he and his peers regularly practice taking over their controls through cyber-attacks.

Jake Jepson is pictured bending over with one hand on his knee while the other gestures at the internal components of a heavy truck’s cab that were removed to be used as a testbed. A headlight from the cab testbed is in the at the top of the image with various wires, pipes, and plugs underneath. Jepson has on a gray sweater and blue jeans. He has curly dark blond hair and is looking toward the wires.
Jake Jepson, master’s student, Colorado State University Department of Systems Engineering, explains how those in the Systems Cyber Research Group use components from vehicles to conduct cybersecurity experiments. (Photo by Kevin Fleming, CSU ES communications)

Jepson is a member of the Systems Cyber Research Group, which works with industry manufacturers, trade organizations, and governments to improve in-vehicle networks and cybersecurity. Headed by Jeremy Daily, associate professor, this group takes a hands-on approach to vehicular cybersecurity. They hope to break new ground in learning how to protect infrastructural systems across the United States.

Governments, NGOs, and manufacturers have grown increasingly concerned about hostile hacking on critical infrastructure in recent years. The White House’s National Cybersecurity Strategy, published March 2, lists defending critical infrastructure as a top priority. The proportion of cyberattacks on vehicles from hostile actors increased to 54% in 2021, according to a 2022 report from Upstream.

While most of their current work focuses on vehicular cybersecurity, Jepson said the group is working on expanding the research.

“I want to look at other industrial systems, take lessons we learned here to there, and if we learn anything new there, then we can apply that here,” Jepson said. “For now, we’re mostly studying heavy trucks because they’re important and can teach us a lot.”

Jepson said he decided to get his master’s degree in systems engineering because he wanted to engage directly with real-world problems. He wasn’t as interested in traditional “blue team” methods of cybersecurity, which he said tend to be about carefully following protocols.

The importance of “red team” tactics cannot be understated, Jepson said, because they help researchers anticipate dangerous cyber-attacks. When attacks can be anticipated, engineers can design resistant systems.

“As cyber systems become more connected and more complex, the opportunities for nefarious hackers increase,” Jepson said. “They don’t have to follow rules, and often find ways to by-pass security protocols set in place by designers.”

Cyber systems are especially vulnerable when various components come from different manufacturers who don’t always have the capacity to test how well each piece works with the others from a security perspective.

Manufacturers generally do well in making sure their own systems are secure together, but this is harder when connected components are sourced externally, Jepson said. Components from different manufacturers might function well together, but small misalignments can result in vulnerabilities.

That is why Jepson’s most recent project has been to build a program that allows users to connect different end-product components over a network to test their combined security.

This project is the subject of Jepson’s most recent conference paper, which he will present at the INCOSE 33rd Annual International Symposium in July. The paper titled “CANLay: A Network Virtualized Testbed for Vehicle Systems – Improving System Integration and Verification Efforts,” was co-authored with Daily and fellow graduate students Subhojeet Mukherjee and U.S. Air Force Maj. Trae Span.

INCOSE, or the International Council on Systems Engineering, is the leading professional organization that advocates for systems engineering as a career field globally.

Using this new program, Jepson’s team has replicated vulnerabilities that were well-known and corrected previously, but he said they hope to publish more about current testing soon.

Jepson joined the research group while he was an undergraduate studying in the CSU Computer Science Department. He said he chose to participate in the annual CyberTruck Challenge after Daily, who heads the event, spoke to the local undergraduate computer science club.

“The real fun and the stuff that would keep me going is actual hands-on experience when it comes to hacking things,” he said. “I mean, you can talk about stuff all day, but until you actually do it – it’s just a whole new experience.”

The Cybertruck Challenge is a partnership with the Systems department, the National Motor Freight Traffic Association, Inc., and various industry sponsors. During the event, students from across the country attempt to hack and control heavy trucks. What they learn from this event is then shared with manufacturers and professional organizations, so they can improve on their designs and standards.

This challenge has been one of at least three similar types of events in recent years: various CyberAuto or cyber automotive challenges, the John Deere Cyber Tractor Challenge, and the CyberBoat Challenge. Jepson said he has attended each.

“Our partnerships and our students are important to improving cybersecurity in a complex world,” Daily said. “The creativity and hard work I see at these events is exciting, and we are always looking for talented applicants.”

The Colorado State University Department of Systems Engineering offers interdisciplinary engineering education to both online and on-campus students. Systems engineering is a technical field that focuses on creating, optimizing, and protecting interconnected systems in complex environments.

Cybersecurity is a key area of interest for systems engineers because it’s integral to all computerized systems today.

“We want the authorized user to have control,” Jepson said. “And every year the trucks are harder to hack.”