Tunnel vision: Cyber a top priority for Pennsylvania Turnpike Commission’s modernization project has been saved
Cover image by: Jim Slatton
Limited functionality available
As the 360-mile east-west leg of the Pennsylvania Turnpike crosses the state, it traverses the Appalachian Mountains and passes through four tunnels, including the Tuscarora Mountain Tunnel. In 2019, the Pennsylvania Turnpike Commission (PTC) kicked off a multiyear modernization project to refurbish both tubes of the mile-long tunnel. PTC not only faced typical civil engineering challenges, but it also had to manage a host of cybersecurity risks directly related to a complex web of connected devices deployed throughout the tunnel.
PTC’s security team historically focused on securing traditional computing and network infrastructure. But unlike past infrastructure refurbishment projects, this tunnel rehab—a US$110 million investment with a 30-year lifespan—required the deployment of connected environmental sensors that measure and report on tunnel conditions, temperature, and levels of carbon dioxide and other gases; automated ventilation, lighting, and video detection systems; and a control system that collects data and enables remote monitoring, among other devices and systems.
With so many physical devices now part of the tech stack, PTC’s security team took a farsighted, preemptive approach to cybersecurity, says April Rothermel, PTC’s director of information privacy and security. “The security team proactively got involved in the engineering and design of the tunnels, working hand in hand with project engineers to ensure that cybersecurity was baked in from the beginning,” she notes. “Before this, our team had never needed to be involved in these types of projects in the very early stages, or with such a high level of involvement.”1
As a result, the security and engineering teams had to combine different cultural styles and working norms and expectations. The engineering and security teams rallied around an early decision to tailor and use prescriptive cybersecurity standards typically used in power grids for compliance with the regulatory requirements of North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP). “The decision to customize and use NERC CIP cybersecurity standards with a transportation system gave us a common lexicon,” says Rothermel. “It helped facilitate communication among those involved in securing the tunnels and made it easy to agree upon how to design or modify previously designed systems.”
Often, the teams collaboratively had to modify longstanding processes to accommodate security requirements. For instance, 17 different equipment manufacturers participated in the revamp, and many of them were not well versed in cybersecurity principles. Historically, these device vendors had only been required to prove functional usability by passing an acceptance test, but PTC engineering and security teams challenged vendor expectations by modifying the onsite factory acceptance testing process to include security requirements.
The two teams also had to devise creative solutions when security and business requirements collided. For example, operational network isolation was a top priority that challenged business needs. “We didn’t want these formerly isolated devices and systems to be on the same network path or part of our regular network traffic, but we had a business need to get the tunnel video feed to the operations center,” Rothermel says. “We collaborated to figure out the best way to make it happen.”
The first phase of the project—the revamped eastbound tube—is expected to reopen this fall, and then work will begin on the westbound tube. At that point, Rothermel expects the change control process to be her team’s biggest challenge. For example, devices will have to be upgraded and patches deployed without disrupting traffic flow or creating safety issues.
Ultimately, travel in the Tuscarora Mountain Tunnel is expected to be not only more efficient, but safer. “PTC’s top priority continues to be customer and employee safety,” says Rothermel. “And because technology plays such a critical role in transportation infrastructure, cybersecurity is at the top of our priority list as well.”