213 research outputs found

    Insider Threats in Emerging Mobility-as-a-Service Scenarios

    Mobility as a Service (MaaS) applies the everything-as-a-service paradigm of Cloud Computing to transportation: a MaaS provider offers to its users the dynamic composition of solutions of different travel agencies into a single, consistent interface. Traditionally, transits and data on mobility belong to a scattered plethora of operators. Thus, we argue that the economic model of MaaS is that of federations of providers, each trading its resources to coordinate multi-modal solutions for mobility. Such flexibility comes with many security and privacy concerns, of which insider threat is one of the most prominent. In this paper, we follow a tiered structure — from individual operators to markets of federated MaaS providers — to classify the potential threats of each tier and propose the appropriate countermeasures, in an effort to mitigate the problems

    Federated Platooning: Insider Threats and Mitigations

    Platoon formation is a freight organization system where a group of vehicles follows a predefined trajectory maintaining a desired spatial pattern. Benefits of platooning include fuel savings, reduction of carbon dioxide emissions, and efficient allocation of road capacity. While traditionally platooning has been an exclusive option limited to specific geographical areas managed by a single operator, recent technological developments and EU initiatives are directed at the creation of an international, federated market for platooning, i.e., a consortium of platoon operators that collaborate and coordinate their users to constitute freights covering international routes. In this paper, we look at federated platooning from an insiders' perspective. In our development, first we outline the basic elements of platooning and federation of platooning operators. Then, we provide a comprehensive analysis to identify the possible insiders (employees, users, operators, and federated members) and the threats they pose. Finally, we propose two layered, composable technical solutions to mitigate those threats: a) a decentralized overlay network that regulates the interactions among the stakeholders, useful to mitigate issues linked to data safety and trustworthiness and b) a dynamic federation platform, needed to monitor and interrupt deviant behaviors of federated members

    Privacy-Preserving Design of Data Processing Systems in the Public Transport Context

    The public transport network of a region inhabited by more than 4 million people is run by a complex interplay of public and private actors. Large amounts of data are generated by travellers, buying and using various forms of tickets and passes. Analysing the data is of paramount importance for the governance and sustainability of the system. This manuscript reports the early results of the privacy analysis which is being undertaken as part of the analysis of the clearing process in the Emilia-Romagna region, in Italy, which will compute the compensations for tickets bought from one operator and used with another. In the manuscript it is shown by means of examples that the clearing data may be used to violate various privacy aspects regarding users, as well as (technically equivalent) trade secrets regarding operators. The ensuing discussion has a twofold goal. First, it shows that after researching possible existing solutions, both by reviewing the literature on general privacy-preserving techniques, and by analysing similar scenarios that are being discussed in various cities across the world, the former are found exhibiting structural effectiveness deficiencies, while the latter are found of limited applicability, typically involving less demanding requirements. Second, it traces a research path towards a more effective approach to privacy-preserving data management in the specific context of public transport, both by refinement of current sanitization techniques and by application of the privacy by design approach. Available at: https://aisel.aisnet.org/pajais/vol7/iss4/4

    Time sensitive networking security: issues of precision time protocol and its implementation

    Time Sensitive Networking (TSN) will be an integral component of industrial networking. Time synchronization in TSN is provided by the IEEE-1588, Precision Time Protocol (PTP) protocol. The standard, dating back to 2008, marginally addresses security aspects, notably not encompassing the frames designed for management purposes (Type Length Values or TLVs). In this work we show that the TLVs can be abused by an attacker to reconfigure, manipulate, or shut down time synchronization. The effects of such an attack can be serious, ranging from interruption of operations to actual unintended behavior of industrial devices, possibly resulting in physical damages or even harm to operators. The paper analyzes the root causes of this vulnerability, and provides concrete examples of attacks leveraging it to de-synchronize the clocks, showing that they can succeed with limited resources, realistically available to a malicious actor

    A Service-Oriented Approach to Crowdsensing for Accessible Smart Mobility Scenarios

    This work presents an architecture to help designing and deploying smart mobility applications. The proposed solution builds on the experience already matured by the authors in different fields: crowdsourcing and sensing done by users to gather data related to urban barriers and facilities, computation of personalized paths for users with special needs, and integration of open data provided by bus companies to identify the actual accessibility features and estimate the real arrival time of vehicles at stops. In terms of functionality, the first "monolithic" prototype fulfilled the goal of composing the aforementioned pieces of information to support citizens with reduced mobility (users with disabilities and/or elderly people) in their urban movements. In this paper, we describe a service-oriented architecture that exploits the microservices orchestration paradigm to enable the creation of new services and to make the management of the various data sources easier and more effective. The proposed platform exposes standardized interfaces to access data, implements common services to manage metadata associated with them, such as trustworthiness and provenance, and provides an orchestration language to create complex services, naturally mapping their internal workflow to code. The manuscript demonstrates the effectiveness of the approach by means of some case studies

    When Operation Technology Meets Information Technology: Challenges and Opportunities

    Industry 4.0 has revolutionized process innovation while facilitating and encouraging many new possibilities. The objective of Industry 4.0 is the radical enhancement of productivity, a goal that presupposes the integration of Operational Technology (OT) networks with Information Technology (IT) networks, which were hitherto isolated. This disruptive approach is enabled by adopting several emerging technologies in Enterprise processes. In this manuscript, we discuss what we believe to be one of the main challenges preventing the full employment of Industry 4.0, namely, the integration of Operation Technology networking and Information Technology networking. We discuss the technical challenges alongside the potential tools while providing a state-of-the-art use case scenario. We showcase a possible solution based on the Asset Administration Shell approach, referring to the use case of camera synchronization for collaborative tasks

    Nervous facilitation in cardiodynamic response of exercising athletes to superimposed mental tasks: implications in depressive disorder

    Introduction: Motor commands to perform exercise tasks may also induce activation of cardiovascular centres to supply the energy needs of the contracting muscles. Mental stressors per se may also influence cardiovascular homeostasis. We investigated the cardiovascular response of trained runners simultaneously engaged in mental and physical tasks to establish if aerobically trained subjects could develop, differently from untrained ones, nervous facilitation in the brain cardiovascular centre. Methods: Cardiovascular responses of 8 male middle-distance runners (MDR), simultaneously engaged in mental (colour-word interference test) and physical (cycle ergometer exercise) tasks, were compared with those of 8 untrained subjects. Heart rate, cardiac (CI) and stroke indexes were assessed by impedance cardiography while arterial blood pressures were assessed with a brachial sphygmomanometer. Results: Only in MDR simultaneous engagement in mental and physical tasks induced a significant CI increase which was higher (p<0.05) than that obtained on summing CI values from each task separately performed. Conclusion: Aerobic training, when performed together with a mental effort, induced a CI oversupply which allowed a redundant oxygen delivery to satisfy a sudden fuel demand from exercising muscles by utilizing aerobic sources of ATP, thus shifting the anaerobic threshold towards a higher work load. From data of this study it may also be indirectly stated that, in patients with major depressive disorder, the promotion of regular low-intensity exercise together with mental engagement could ameliorate the perceived physical quality of life, thus reducing their heart risk associated with physical stress

    Data Security Issues in MaaS-enabling Platforms

    Mobility as a Service takes the concept of XaaS to transportation: a MaaS provider shall merge transport options from different mobility providers, seamlessly handling the whole experience of traveling, from providing information, to travel planning, and payments handling. To effectively support the creation of a market of MaaS providers, we envision the creation of ICT infrastructures based on microservices, a modern and renowned development model that fosters the creation of an ecosystem of reusable components. The flexibility of such platforms is their key advantage, yet it poses many security issues. In this paper, we look at these problems through the lens of our experience on one of such platforms, called SMAll. We classify the most relevant vulnerabilities related to data reliability, integrity, and authenticity, and we investigate directions for their mitigation

    Password similarity using probabilistic data structures

    Passwords should be easy to remember, yet expiration policies mandate their frequent change. Caught in the crossfire between these conflicting requirements, users often adopt creative methods to perform slight variations over time. While easily fooling the most basic checks for similarity, these schemes lead to a substantial decrease in actual security, because leaked passwords, albeit expired, can be effectively exploited as seeds for crackers. This work describes an approach based on Bloom filters to detect password similarity, which can be used to discourage password reuse habits. The proposed scheme intrinsically obfuscates the stored passwords to protect them in case of database leaks, and can be tuned to be resistant to common cryptanalytic techniques, making it suitable for usage on exposed systems