Forecasting Issues of Wireless Communication Networks’ Cyber Resilience for An Intelligent Transportation System: An Overview of Cyber Attacks

: During the last decade there has been an essential development of wireless communication technologies for intelligent transportation system (ITS) applications for motor transport; these advanced infocommunication technologies are called vehicular ad hoc networks (VANET). VANET/ITS, in particular, inform and warn drivers about possible obstacles, and also the possibility of how to organize coordinated actions. Therefore, any violation of its functioning by cyber attacks automatically inﬂuences the safety of people and automotive engineering on the road. The purpose of this article is to provide an analytical overview of cyber attacks on VANET/ITS, presented in state-of-the-art publications on this topic by the prediction of its cyber resistance. We start with an analysis of the top 10 cyber threats, considered according to the following schemes: attack mechanism, vulnerability, damage, object of attack, and a counter measure. We then set out a synergistic approach for assessing the cyber resistance of the forward-looking VANET/ITS conceptual model, formed by the merger of the internet of vehicles and software-deﬁned networking technology. Finally, we identify open issues and associated research opportunities, the main ones being the formalization of threats, vulnerability stratiﬁcation, the choice of the level of network management centralization and, last but not least, the modeling and prediction of VANET/ITS cyber resistance.


Introduction
Developed countries around the world (for example, the USA, European Union member states, Japan, China, and Russia) are actively moving ahead in the direction of the digitalization of the economy, and in particular the transport systems that inevitability lead to the integration of means of communication which are built in vehicles (on-board unit, OBU) and infrastructure objects (roadside unit, RSU). During the last decade there has been an essential development of wireless communication technologies for intelligent transportation system (ITS) applications for motor transport; these advanced infocommunication technologies are called the vehicular ad hoc network (VANET). It is expected that the communication of vehicles with each other (vehicular to vehicular, V2V), with infrastructure (vehicular to infrastructure, V2I), and vulnerable participants of traffic will bring essential benefit from the point of view of safety and comfort; these methods can also promote improvement and more competent traffic management, provide the best way to prevent or reduce traffic jams, and also save fuel and thus reduce emissions [1,2]. These modes of communication are summarized by the term vehicle to everything (V2X).
VANET/ITS, in particular, informs and warns drivers about possible obstacles (repair work, speed limits, etc.) and also provides possibilities about how to organize coordinated actions (change of lanes, priority way on junctions, etc.). Therefore, any violation of its functioning automatically influences the safety of people and automotive engineering on the road: accordingly, this makes issues of the cyber resilience of VANET/ITS urgent. Authors consider cyber resilience as VANET's capability to provide and maintain an acceptable level of service of requirements of ITS for V2X-exchange of problem-oriented information in the conditions of destructive influences (for example, cyber attacks). In [3], the authors put forward a similar thesis. The increasing number of publications concerning various aspects of the cyber resilience of VANET/ITS, and the fast growth of revealed cyber threats (including zero-day threats) immature (i.e., in the conditions of deficiency of "best practice"), almost innovative cyber system creates a certain paradoxical situation that demands scientific judgment. The first step in this direction is the identification of problematic issues and forecasting of the cyber resilience of ITS telecommunication components.

Variants of Creating Cyber-Resilient Vehicular Ad Hoc Networks/Intelligent Transportation Systems (VANET/ITS)
In recent years, an extensive set of variants for the creation and development of VANET have been investigated. Analysis from [4] allows the identification of the main candidates to be telecommunication components of ITS in the context of supplying cyber security. Historically, the first is Wi-Fi technology according to the IEEE 802.11p standard, for which a special band in the region of 5.9 GHz is allocated and cheap chips are mass-produced. The large-scale "field" tests which were carried out in the USA and various European countries showed that VANET/ITS on this technology has a low delay (in the range of milliseconds), can cope with high relative speed between transceivers (up to 200 km/h and above), has high dynamics of information collection from nearby objects (dynamic topology of network), maintains considerable network loading (by means of constant periodic transmission of messages to several participants and a large number of transceivers in scenarios of the overloaded traffic), and is capable of working at a considerable distance (from several hundred meters to 1 km) and in conditions where direct visibility is lacking (by means of routing with several transitions by the use of other mobile knots and knots of transport infrastructure). In response to high standards of safety, the USA's department of transport has firmly adopted a position of introduction of the standard 802.11p, having initiated the process of rule-making for the mandate on expansion of communications of V2V on the basis of dedicated short-range communications (DSRC). They consider that the mandate will support producers in effective advance forward and will help to develop the critical mass of the equipped vehicles [5].
As the strong competitor of DSRC/802.11p, the 4G cellular communication technology (formally called long-term evolution for vehicular, LTE-V) is being considered by the European community; the Automotive Association 5GAA intends to promote it for corporate ITS (C-ITS). However, according to the results of comparative research conducted by specialists from the Dutch company NXP Semiconductors together with Israeli partners from Autotalks [6], nowadays the situation of using LTE-V as a telecommunication component of C-ITS seems to be less common. When comparing IEEE 802.11p with LTE-V2X, they highlight several important facts of both technological and economic sense. Firstly, the offered LTE-V2X technology is the derivative of a technology cellular ascending communication line which maintains similarity to the current LTE systems: the structure of a shot, an interval between bearing, requires the accuracy of hours and the concept of the block of resources, and some of them-these properties are not adapted for options of use of vehicles, but are rather inherited from the existing cellular technologies. Secondly, commercially available LTE-V2X cannot use the presence of the standard LTE modem in the car, as various safety and technological requirements strongly require that the LTE-V2X domain, crucial for safety, has to be separated from the "entertaining" domain of the standard LTE modem.
The modern technical policy of C-ITS focuses on the strengths of each technology and forcing them to work together with the purpose of providing the best decision for VANET/ITS. Therefore, the European Commission has expressed the need for a "full hybrid communication mix" on board vehicles for ensuring cyber security with the certain coordinated model of trust (trust models for C-ITS). One variant, for example, is in considerable degree to reserve capacity 802.11p for V2V communication connected with safety and to include some important messages of I2V, such as repeated transfer (replay) of the corresponding messages in conditions where direct visibility is lacking and to leave contact of I2V, less critical on time, with the cellular domain. A considerable part of this functionality will already be possible with the use of modern 4G technology; however it is quite obvious that the current 4G/LTE cellular technology cannot answer the strict requirements for communication of V2X connected with cyber security. At the same time, the supporters of cellular communication for ITS point to fifth generation mobile communication (5G) as being superior in productivity and safer than IEEE 802.11p [7].

Top 10 VANET/ITS Cyber Threats
Based on our analysis of the numerous sources describing critical topics of information security in VANET/ITS networks, we compiled the following list of the most serious cyber threats facing such networks: • Such an abundance of threats implies their systematization and structuring. The authors of the report "VANET/ITS Cybersecurity Threats: Analysis, Categorization and Forecasting" at the 2018 EIConRus [74] critically analyzed the approaches to classification presented in the relevant reviews [8,[75][76][77], and suggested all VANET/ITS threats, along with "classical" signs of a violation of a property's information resources, such as confidentiality, integrity and accessibility, or their combinations should be also identified by the main elements of ITS-vehicles, transport infrastructure, and their information technology interface interaction (in the sense of a wireless network)-as objects of attack. In order to obtain a representative image of the topical area, we compiled the conditional "top 10" threats (ordered by the number of references that can be conventionally considered the primary taxonomy of cyber attacks on this topic) from the above list. We carried out the analysis according to the canonical scheme for information security: the attack mechanism-the exploited vulnerability-information security damage-object of attack-countermeasure.

Message Tampering/Suppression/Fabrication-Attacks to the Network Messages
A message tampering attack is directed to the violation of integrity of the networked messages: the malefactor modifies messages of OBU-OBU and OBU-RSU, while at the same time falsifications can be both a request of the application and a reply to the request. A message suppression attack is directed at the violation of confidentiality of the networked messages: the malefactor carries out a selection of packages and broadcasts them in the network; strange users, who do not take part in valid packages exchange, and have access to this network; packages, in particular, may contain information relating to the safety of a knot. A message fabrication attack is directed to the violation of integrity and confidentiality of the network messages: the malefactor broadcasts untrue reports in network; in this way the malefactor can acquire the right of priority journey, non-authorized access to system resources and confidential data (passwords, logins of other knots). Thus, the attack is aimed at the wireless network. Similar to 'traffic analysis' that is described below, it is generally used for carrying out the following cascade of attacks to all elements of the intellectual transport system. The countermeasure were not found in the reviewed sources; it is possible to assume encryption of the networked packages and the use of digital certificates for the authentication of a knot.

Tracking-Unauthorized Access to Identification Information on a Knot
This attack is directed at tracking the location of the vehicle during some period of time in order to obtain detailed information on a knot. It is aimed at the violation of data confidentiality of a legitimate knot since the malefactor seeks to intercept them and to use in the purposes. The task can be reduced to the calculation of coordinates by the analytical way. The received coordinates can be used by malefactors for subsequent physical attacks, such as hijacking of the vehicle (for example, a secure cash delivery vehicle). The countermeasure are not found in the reviewed sources.

Sybil Attack-Destruction of Network Reputation by Cloning of False Identifiers
By exploiting a vulnerability of a simple multiple fake of the identifier, the malefactor creates clones of identification data for exerting a disproportionately large influence on a network, repeatedly imitating the functioning of valid knots. The attack causes direct damage to network availability, littering traffic with untrue reports, and also increases the probability of sending data through the malefactor's knot (see "man in the middle" attack, below) that potentially leads to confidentiality violation, because the malefactor will read the traffic which is not intended for them. By means of this attack the malefactor can also influence integrity, for example to send false reports about the road situation. The attack is directed at transport infrastructure (regarding the algorithms which make certain decisions on the basis of reputation estimates from system participants). Therefore, for example, the fake-identifiers-of-vehicles set is localized moving in some area, and will make a traffic jam visible for assessment subsystems of a road situation. This may cause other subsystems to relieve road traffic (for example, by an increase in the duration of a green traffic light signal) and to construct alternate routes for the traffic. Nevertheless, equipment will be physically absent on the road, and malefactors can, therefore, use it for a free journey. Countermeasure include the creation of the confidential channel (for example, due to the validation of identification data).

DoS (Denial of Service)
This is the most known attack for the majority of networks. Its purpose is to finish VANET/ITS fully or to increase delays in the network that will make it impossible or complicated for legitimate users to obtain information. As the information in vehicle wireless networks becomes outdated very quickly, even small delays can set to zero the work of one segment, since at the time of obtaining information, a road situation will already be different. This attack directly reduces network availability and has many variations. Many researchers refer to DoS all the attacks as routing and/or consuming the resources.
The attack is aimed at wireless networks due to the creation of a huge amount of information (not necessarily false) demanding from VANET/ITS of the maximum quantity of resources for its processing; for example, multiple sending signals of the road accidents and repair work that arise will force the intellectual transport system to constantly re-estimate the road situation and recalculate optimum routes. At the moment there are many methods for counteracting DoS attacks, however their efficiency is still doubtful.

Node Impersonation-Substitution of Identification of the Participant of Traffic
This attack is implemented by substitution by the malefactor of the MAC-and IP addresses to addresses of a valid knot. In order to receive identification of other knots, the malefactor uses the corresponding spoofing. If there is no authentication, the attacker can send the fake report on behalf of another knot, thereby breaking integrity. For example, the malefactor speaks on behalf of the ambulance to get the priority drive. At the return operation, i.e., obtaining the message intended for the car with the required MAC and IP addresses, confidentiality will be broken. The main subject of the attack is the vehicle, because substitution by the malefactor of transport infrastructure knots (for example, traffic lights) will allow confidential information to be obtained about the vehicle.
At the same time, the substitution of the address of special purpose vehicles (for example, ambulances or fire trucks) will allow the transfer of the modified information to transport infrastructure, having ensured special traffic conditions ("the green road", etc.). Countermeasures include authentication based on certificates, and dynamic addresses.

Key and/or Certificate Replication-Unauthorized Identification in System
This attack involves the use of duplicate keys, certificates, or their combination, for unauthorized identification of the user in the system. The malefactor undermines the work of the system, duplicating the identification data of other knots. Its purpose consists of mixing powers and to interfere with the identification of the participants of a road accident. This attack causes direct loss of data confidentiality and also of integrity, because the malefactor can redistribute the roles of the participants in the road accident in its own favor, if it implements it. The attack pursues the same aim, as well as aforementioned 'node impersonation', i.e. a violation of the AAA (Authentication, Authorization, Accounting) process of vehicles and transport infrastructure. Countermeasures include the creation of an information transfer secure channel; the use of keys with limited validity period, in order to avoid the use of a key by the malefactor, can be discussed.

Traffic Analysis-Definition of Topology of Network, Routing
The attack consists of the interception and different analysis of office and information packages which may contain data about location, identification, a route, etc. Such a passive attack allows the malefactor to be prepared for the realization of the powerful active attack. The analysis of traffic breaks the confidentiality of transfer of the message for all modes of exchange of OBU and RSU. This attack is aimed at a wireless network, because the network packages which are not intended for open access gather and are analyzed; the further direction of development of the attack is aimed at any ITS elements: on the vehicle and on transport infrastructure as along with the revealed network routes it is possible to organize the interception of packages of confidential information; and on wireless network for the organization of the effective DoS attack to which knowledge of its topology is considered the most important of conditions. Countermeasures include the creation of an information transfer secure channel.

Man in the Middle-Interception and Modification of Messages between Cars and Points of Access
This attack can be realized in two variations: one for the OBU mode and one for the RSU mode. In the first case, the knot of the malefactor (OBU) "listens" to the connection channel between other knots. In the case of RSU, the malefactor organizes an access point (transmitter) on the section of the road for interception (confidentiality violation) and modifications (violation of integrity) of messages; at the same time, the attacker's transmitter is connected to the main transmitter. Other knots are connected to the pseudo-transmitter, and transmit messages through it on the main transmitter; at the same time, the malefactor obtains all information going on the main transmitter from subscribers, as it was an unauthorized intermediary between them. This attack is aimed equally at the vehicle and at transport infrastructure, because both of these participants of the exchange "expect" that the opposite side is original, and transfer confidential information to it; actually the subscriber is the malefactor's knot.
Countermeasures include digital certificates in total with authentication methods and also hashing with keys. This attack exploits the vulnerability of protocols of routing at the network level and has several versions. Blackhole is directed to the destruction of all packages which follow through the malefactor's knot; therefore, packages do not come to the recipient. Greyhole is directed to the destruction of only some part of packages, because it reduces the probability that the malefactor will be found by the next knots; other packages are broadcast correctly. All these attacks are directed at the violation of the integrity of networked data. Routing attacks are aimed at all elements of the intellectual transport system insofar as its functioning in general breaks. Therefore, the redirection of all traffic from transport on a knot of the malefactor will allow its confidential data to be received (after their interpretation), and the main exchange between knot and surrounding transport infrastructure to be stopped (to create effect of "a network shadow"). The establishment of an own routes of office VANET/ITS packages will allow not only the regular functioning of wireless network to be broken, but also subsequent attacks, such as DoS, to be mounted. Countermeasures were not found in the reviewed sources, however the use of the mechanism of the entrusted routing can be offered.

Global Positioning System (GPS) Spoofing/Hidden Vehicle (position faking)-Substitution of Coordinates of Knot Location
Using the Global Positioning System (GPS) simulator, the malefactor generates the signal, which surpasses in power a real signal of the satellite. Vehicles read out a stronger, false signal which broadcasts to the car the incorrect location taken for true. Hidden vehicle attack is a special case of a substitution of location data when the knot deliberately does not send the warning messages to another knot about the location of a road accident. Such attacks are directed to the violation of integrity of the messages sent by a knot with the location, as in the course of the attack these data are modified by the malefactor. The attack is aimed at the vehicle, providing incorrect information to it, which is obviously unsafe. For example, following the GPS navigator and accepting incorrect coordinates will at best not allow the destination to be reached in time, and at worst will lead to a road accident (for example, there will be no information on ongoing repair works, the road with oncoming traffic, abrupt turns, etc.). Countermeasures include the digital signature of data on a location can be recommended (the matter is under discussion in the scientific community, since a method of absolute elimination of this threat has not yet been determined).
The results of the analysis of the top 10 cyber threats for VANET/ITS regarding classification features and references are shown in Table 1, in which the following symbols are accepted: C-confidentiality; I-integrity; A-availability; V-the vehicle; TI-transport infrastructure; WN-wireless network. From Table 1 it can be seen that, in spite of the abundance of threats, practically all of them are characteristic of any wireless network; for VANET/ITS-specific threats, it is possible to carry out, perhaps, only GPS spoofing/position faking. The distinction of cyber threats for VANET/ITS, in case of its realization with the use of Wi-Fi or cellular communication, is distinctly shown, despite strong convergence.
Additionally, the malefactors-exploited vulnerabilities, which are the most important factor of generation requirements to protective measures, are not specified for all threats in the analyzed sources; at the same time, the level of these vulnerabilities-low to medium or high level-is not specified (architectural).
The last circumstance is critical for the further promotion of the concept of VANET/ITS, and the modification of its architectural model can be required in case of the detection of high-level vulnerabilities [78]. Table 2, presented in the form of a matrix with the measurements "Target Object vs. Violation of Information Security", represents the next and one of the many cyber threats taxonomy for VANET/ITS.
Creating such a taxonomy allows providing targeted research of VANET/ITS protection issues, in particular, to structure statistical data on cyber attacks, to highlight typical attack patterns (for example, attacks on WN that damage integrity), and to draw conclusions based on the collected data. Use of other classification criteria (for example: level of vulnerabilities (low, medium, high), potential violators (external, internal), etc.) leads to a systematic expansion of knowledge in the field of cyber resilience.

Risk Analysis
The process of determining cyber threats, vulnerabilities and potential damage belongs to the field of knowledge called risk analysis and it is one of the most complex and important in predicting the cyber-resistance of VANET/ITS. The definition of cyber threat involves identifying it, which was practically addressed above for the top 10 threats except of the type and potential of the malefactor, i.e. source of threat. Opportunities of the violator that are sufficient for the implementation of cyber threats to VANET/ITS are undoubtedly a special topic of study but are not critical for the further presentation of the problematic issues in the prediction of its cyber resistance.
An identified cyber threat may have some risks and it is subject for neutralization (blocking) if it is relevant to VANET/ITS. Cyber threats are relevant for VANET/ITS with given structural and functional characteristics and functioning features if there is a likelihood of the cyber threat probability being actualized by the malefactor with the corresponding potential and its implementation will lead to unacceptable negative consequences (damage) from breach of confidentiality, integrity or availability of information.
As an indicator of the j-th cyber threat (A) relevance, a vector can be used, the first component of which characterizes the likelihood of the threat (Pj), and the second-the degree of possible damage in case of its realization (Xj). Traditionally, Pj is determined on the basis of statistical data analysis on the frequency of cyber threats in an information system and (or) similar information systems, and Xj is defined based on an assessment of the degree of confidentiality breach consequences, integrity or availability of information.
In the absence of statistics on the occurrence of security incidents, which is typical of VANET/ITS as an innovative cyber system, the relevance of cyber threats will be determined based on an assessment of the cyber threats (Yj) possibility. Yj will be determined based on an assessment of the level of the system security and the potential of the malefactor required to implement cyber threats. Such an assessment today is carried out in the overwhelming majority of cases by an expert method and it is predictive in relation to cyber resilience (will be discussed below).

Synergetic Approach
It follows from Item 2 that questions of cyber security of 802.11p and LTE-V are already quite well researched, as today there are only individual publications that are devoted to their safe joint functioning [79,80]. The complexity of researching this issue arises from a new communication mix (so called "hybrid"). As this hybrid is the result of sharing DSRC/802.11 and LTE-V, from the point of view of cyber security it represents another essence, which is different from the parts forming it, when their vulnerabilities form the effect of synergy.
This synergy is formed due to the operation of the following mechanisms. Firstly, some properties of the first part of the communication mix (for example, DSRC/802.11p) can serve as neutralizing measures for cyber threats of the second part (for example, LTE-V), and vice versa. Secondly, other properties of the first part can represent sources of threats for the second part, and vice versa. Thirdly, similar vulnerabilities can reinforce each other and initiate fatal cyber threats.
The resulting cyber resilience of "hybrid" of VANET/ITS does not come down to the simple sum of the cyber resilience of its components (DSRC/802.11p and LTE-V) in any cases.
If the resulting cyber resilience of "hybrid" is lower than the components, then their association has to be recognized as unsafe. The cyber threats which have remained and appeared in "hybrid" have to be compared with its vulnerabilities. As a result, preventive measures can be used concerning the predicted vulnerabilities, because the latter became known before the current incidents of cyber security.
The analysis of Tables 1 and 2 shows the existence of a difficult dependence of total cyber resilience of VANET on the ITS telecommunication component, from cyber threats to the applied wireless technology.
In the case of the hybrid option, the situation often becomes complicated due to presence of synergetic effects. To provide harmonious and effective existence of "communication mix", a certain supervising program will be required, which is capable of exchanging the level of cyber security of critical applications for functional requirements of ITS regarding reliability of reception/transfer, the maximum delay of messages, and other probabilistic and time characteristics, situationally (depending on the road and other milieu).
Employing software-defined networking (SDN) technology can be one such decision. This technology is based on the principle of division according to the planes of management and data, and this situation hypothetically allows realizing the above-stated exchange [81,82].
In this case, the conceptual VANET/ITS model can be considered as a new cyber essence, software-defined internet of vehicles (SDIoV), formed by the certain "automobile world" of the internet of things (IoT) (the so-called internet of vehicles, IoV) in the form of a set of terminal device sensors which are built into vehicles and physical infrastructure facilities and generate problem-oriented traffic, on the one hand, and the SDN technology applying for the solution of problems of its cyber-stable service, on the other. However, both SDN and IoV cannot be considered ideal from a position of cyber security, as besides the new advantages they bring they are also associated with certain cyber threats, which are a consequence of vulnerabilities of their own architectural concepts [78] and technical realization.
The declared synergetic approach can be shown as a step-by-step algorithm in relation to a qualitative assessment task of cyber resilience of SDIoV and forecasting its vulnerabilities as follows.
Step 1: To reveal a set of the cyber threats which are traditionally initiated by architectural vulnerabilities of SDN and IoV. For this purpose, it is possible to use a pool of the publications devoted to the safety of IoT (IoV) and SDN, including the report of the international open consortium OWASP [83].
Step 2: To estimate possibilities of neutralization of cyber threats of SDN, of advantages of the use of IoV, and to establish the vulnerabilities of SDN which have lost relevance for SDIoV. To make asymmetric operations: to estimate possibilities of neutralization of cyber threats of IoV by advantages of the use of SDN and to establish the lost vulnerabilities of IoV.
Step 3: To estimate possibilities of transformation of architectural features of SDN into sources of cyber threats for IoV, to establish the new vulnerabilities exploited by them, and to make asymmetric operation for architectural features of IoV.
Step 4: To compare cyber threats of the united parts on a similarity subject. If in the SDIoV system two similar cyber threats from SDN and IoV are defined, then this threat appears in both parts of the system and cannot be essentially neutralized by them. It is furthermore necessary to establish the architectural vulnerabilities of SDN and IoV initiating it.
As a result of performing Steps 2-4 of the algorithm on a set of the cyber threats and vulnerabilities revealed in Step 1, it is possible to forecast vulnerabilities for SDIoV. We will predict vulnerabilities of SDIoV for cases of operation of all three synergetic mechanisms-neutralizations (N-effect, Neutralization), generation (G-effect, Generation), and reinforcement (I-effect, Interference).
One implementation of the concept of IoV are wireless touch networks. Because of their small size and spatial distribution, the IoV devices energy supply can be carried out at the expense of non-renewable power sources with a limited charge; the latter defines a new cyber threat for IoV applications, namely attack implementation on a power system of a touch network for the purpose of 'harvesting' energy from its knots [84].

Case 1: Low Power Consumption of Sensor Network Knots
With this purpose, malefactors can use streams of false events, because the false event (for example, inquiry) as well as being legal, surely provokes reaction of a touch knot which demands additional power consumption and "exhausts" it, thereby reducing the life cycle of IoV network. At the same time, SDN allows the centralized management of data flows, and besides is not dependent on the number of the devices generating the last ones. Streams concerning devices can be both regarded as input/output, but in the context of the considered threat we are interested in the former. Thus, one correction of the network activity of devices is possible according to the set purpose-the restriction of the number of office packages in the network. As a result, IoV devices save scarce energy, and their low power consumption stops being a critical vulnerability.
The basic possibility of the centralized management of data flows, inherent to SDN, is capable of neutralizing one more vulnerability of IoV.

Case 1: Possibility of Cloning Packages
One of the cyber threats to the "microcosm" is connected with a practical lack of sufficient computing opportunities for IoV devices that necessitates the request for computational power from the "cloud" service. It has been experimentally proved [85] that on all routes of data from the IoV device to a cloud service there can be a destruction, distortion, and blocking of the transmitted data. A special type of cyber attack is the transportation (or duplication) of IoV traffic at the expense of cloning of network packages in the false cloud IoV server. The noted possibility of SDN of the centralized control of routes of IoV traffic makes package cloning useless from the point of view of the malefactor. In such a way, because of merging with SDN, one more vulnerability of IoV will not be inherited by SDIoV.
The same architectural feature of SDN which in the previous case led to the neutralization of a number of vulnerabilities of IoV can serve as a vulnerability for SDIoV in another case.

Case 2: A Possibility of Purposeful Management of Network Traffic of a Set of Uncontrolled Devices
The concept of IoV offers the existence of the physical things comprising sources of network activity. The number of the latter tends to constantly grow, and their network distribution aspires to the organization in groups with weak differentiation. Thereby, the set of the chosen SDN and IoV properties (which are not separately expressed vulnerabilities) leads to the emergence of new vulnerability-a possibility of purposeful management of network traffic of a set of almost uncontrolled devices. The threat of carrying out the subsequent distributed DoS (DDoS) attack in this case can be realized in the two following ways: firstly, the organization of the purposeful attack to the same IoV devices (and therefore equally vulnerable) for their infection and the creation of the zombie network; secondly, direct redirection of valid traffic of IoV devices on the attacked knot. An opportunity for the operation of a vulnerability can be received by both the short-term "hacking" of the SDN controller by the malefactor, and the direct attraction of third-party IoV devices in SDN.
The SDIoV system received by the immersion of SDN technology to the IoV "world" will include the vulnerabilities that have reinforcing influence on total cyber resilience. We will consider the new received SDIoV system from this position.

Case 3: Absence of Control of Network Configuration
On the one hand, manual SDN control, at a rather weak automatic check of its accuracy, leads to the creation of a wrong configuration at the top level of the system. The threat of realization of this vulnerability can generally be weakened by automatic fine-tuning of lower knots of the network, for example, by preventing the usage of predicted unsafe network routes. On the other hand, mistakes in IoV configuration, having mass character, are capable of breaking the accuracy of network work at the lower level of a system. Control of such wrong work can be delegated to the controllers, which operate the general scheme of package transfer; for example, they can automatically construct a 'barrier' by the boundary devices of the network; they are interfering with the dissemination of confidential information out of the established zone.
Thus, during the work separately, on each level the application of specialized analysis algorithms and management will allow the partial or complete neutralization of configuration errors of other level. The joint use of SDN and IoV will introduce vulnerabilities of configuration in total SDIoV, which will not only be united, but are also strengthened (effect of an interference), because their exploitation will obviously become simpler. This is because the malefactor will take control of a uniform role in the system, which allows manual settings of a configuration SDIoV to be made.
We will estimate the received SDIoV from a cyber resilience position due to a potential success consideration of cyber attacks for vulnerabilities of various genesis [86].
The attempt of SDN and IoV vulnerability exploitation, which are neutralized partially or completely in a total SDIoV cyber system, will no longer result in essential damage, even with considerable variations of vector attack initial parameters. This is an obvious sign of cyber resilience.
Therefore, the realization of more effective management of network streams as reasonable mitigation of cyber threats will be more effective than fighting against low power consumption of a separate group of devices (Case 1) in a physical way (as, most likely, the malefactor for sufficient time is capable of practically discharging any independent IoV device)-in other words, management is better than attempting to create an idealized picture.
The reverse situation arises for the case of an interference of vulnerabilities from both parts of a cyber system, leading to SDIoV having the worst safety of each of the initial elements or even their sum. However, the realization of the protective measures directed to neutralize the total vulnerability can potentially lead to an increase of indicator of cyber resilience, for the reasons, similar to the previous case, that separate vulnerabilities in the system will be present, and the threat from the exploitation of everyone (as well as their sums) will be minimized. Therefore, it makes sense not to create separate instruments of automatic checking of configurations of each system level (Case 3), but rather to provide control access to configuration files and to increase the qualification of administrators; otherwise, random errors in check instruments, as well as malicious logic, will nullify all attempts to ensure perfect automatic protection against the wrong settings.
The cyber resilience indicator of a final system behaves differently in terms of generating new vulnerabilities there. It is obvious that the general safety of such cyber systems will be considerably reduced, which will prevail over its opportunity to adapt to cyber attacks; at least, the process of evolution to the required level will be rather strongly dragged out in time. For instance, the possibility of the DDoS attack implementation by the malefactor with attraction of legal IoV devices (Case 2) can in theory be neutralized by the creation of the relevant legal framework, but the real effect of such base will not be visible soon enough. At the same time, a more mobile system of DDoS attack construction by the malefactor at the expense of time for adaptation itself will have a cyber resilience property to neutralized measures.

Top 10 SDIoV Cyber Threats
We will apply the offered algorithm regarding the forecasting of the cyber resilience of SDN and IoV in the case of their joint functioning within SDIoV.
The analysis of publications [87][88][89][90][91] concerning the cyber security of SDN has allowed the allocation of the top 10 threats generated by its vulnerabilities. The results of this qualitative analysis, according to Step 2 of the algorithm, are given in Table 3. Table 3. Results of synergetic impact of the internet of vehicles (IoV) on the vulnerabilities of software defined networking (SDN).

SDN_01: Using unauthorized controllers
Architectural feature of SDN is allocation of the module of management in a separate element of system-the controller. Therefore, unauthorized access to the controller will lead to the violation of functioning of the network or to complete malefactor control.
None SDN_02: Using unauthorized applications The logic of operation of the SDN controller is adjusted at a higher level, exactly in applications. Thus, unauthorized access to the application will lead to a threat that is similar to SDN_01 consequences.
None SDN_03: Account) data leak Interception of the packages by the malefactor that are sent to the controller will allow their analysis, that can subsequently be used for the intentional generation of wrong packages. Certificates and keys (account data) can also be intercepted by the malefactor, which is inadmissible.
Formation of I-effect with IoV_02 is possible (see Table 4).

SDN_04: Data modification
The scheme of the wireless network built on the principles of SDN is vulnerable to "man in the middle" type attacks.
Formation of N-effect is possible: The development of special protocols of exchange for IoV devices will allow the reduction of the risk of modification of data or finding the fact of such modification.

SDN_05: Denial of service
Features of processing of new streams in SDN can potentially lead to denial of service (DoS) attack implementation.
Formation of N-effect is possible: Protocols for IoV devices can be adjusted in such a way to minimize traffic and to reduce the risk of implementation of a DoS attack.

SDN_06: Misconfiguration and human factor
The wrong configuration of devices influencing safety of all SDN levels represents a typical and rather serious threat for any network. The possibility of manual control of a configuration on the part of the client automatically leads to the threat of a so-called "human factor".
Formation of I-effect with IoV_10 is possible (see Table 4); it is considered above (see Case 3).

SDN_07: Creation of unencrypted network channels
The lack of the mandatory requirement to use transport layer security (TLS) in the OpenFlow protocol is going to be threat of cyber security of SDN, being a consequence of its architecture.
None SDN_08: Inner protocol network elements The SDN model allows short-term interruptions of network connections. The detection of the loss of connections by the controller at the same time will not be instant, which will finally lead to a loss of data.
Formation of I-effect with IoV_04 is possible (see Table 4).

SDN_09: OpenFlow usage
The absence in OpenFlow of "clever switching" together with sending the special teams by the malefactor to devices supporting OpenFlow can lead to the violation of work of stand-alone programs (applications) or of the whole network.
None SDN_10: API layer interaction One more weak point in the architecture of SDN is the interface of the interaction of applications, controllers and routers, leading to corresponding threats.

None
The results of the similar procedure for IoV (based on [92][93][94][95][96]) are shown in Table 4. Table 4. Results of synergetic impact of SDN on vulnerabilities of IoV.

IoV _01: Public IP hacking
Presence of open and insecure IP; this applies to the majority of IoV devices, and allows the implementation of the corresponding attacks, which causes the system to break.
Formation of N-effect is possible: The correct organization of SDN streams minimizes or limits access for the malefactor to IoV devices with public IP.

IoV _02: WLAN link interception
Interception of open traffic of IoV devices by WLAN allows the malefactor to obtain confidential information, using which they are able to carry out subsequent attacks.
Formation of I-effect with SDN_03 is possible (see Table 3).
IoV _03: "Brute-force" attack Access to control of IoV devices can be provided by brute force attack on an account's password, because of the lack of a serious system of authentication in the case of their weak computing power.

None
IoV _04: Cloud connection halting Even short-term failure of the exchange of traffic of IoV devices with a cloud can lead to the full infrastructure's refusal.
Formation of I-effect with SDN_08 is possible (see Table 3).

IoV _05: Destructive electromagnetic influence
Weak signals from IoV devices can be lost in the case of influence by a close or purposeful electromagnetic impulse.

None
IoV _06: Fake connecting The IPv6 mechanism, used for IoV network scaling, allows the malefactor to create fake IoV devices, redirecting necessary traffic on itself.
Formation of N-effect is possible: The SDN controller can partially operate streams at the time of addition of the new IoV device; this means "false" knots cannot connect to a network (including to "clouds"). This is considered above (see Case 1*).
IoV _07: Physical access The main feature of IoV devices is their very small size, and the possibility of embedding in household objects is a serious threat in the case of a malefactor's physical access to them.

None
IoV _08: Energy depletion The very small sizes of IoV devices require them to use batteries (because of the lack of a strict main power feed) with a limited validity period. This period of time can be considerably reduced by the malefactor by the creation of operating conditions of the IoV device with excessively high loading.
Formation of N-effect is possible: The ability of SDN and algorithms of operation of its controller to trace network loading allow the prevention of the exhaustion of energy of IoV devices; it is considered above (see Case 1).

IoV _09: Buggs
The vulnerabilities that are present at any difficult software can often be destructive for IoV networks.

None
IoV _10: Error clone Mass setup of the same IoV devices leads to the duplication of a wrong configuration.
Formation of I-effect with SDN_06 is possible (see Table 3); it is considered above (see Case 3).
A concept scheme of the process of synergetic impact of SDN on vulnerabilities of IoV (and vice versa) under the new cyber essence (SDIoV) is presented in Figure 1.
The qualitative analysis of the contents of Tables 3 and 4 allows it to predict that from the top 10 cyber threats of SDN can be neutralized only two of them by synergy of IoV (N-effect). Respectively, only three for IoV due to SDN. That is, the majority of threats to SDN and IoV in SDIoV will remain, and some of them will even be amplified (I-effect). Taking into account this circumstance, and the inevitable initiation of new cyber threats (G-effect), it is expedient to expand SDIoV by a new component which is a specialized subsystem of ensuring cyber security.

IoV _10: Error clone
Mass setup of the same IoV devices leads to the duplication of a wrong configuration. (see Table 3); it is considered above (see Case 3). A concept scheme of the process of synergetic impact of SDN on vulnerabilities of IoV (and vice versa) under the new cyber essence (SDIoV) is presented in Figure 1. The qualitative analysis of the contents of Tables 3 and 4 allows it to predict that from the top 10 cyber threats of SDN can be neutralized only two of them by synergy of IoV (N-effect). Respectively, only three for IoV due to SDN. That is, the majority of threats to SDN and IoV in SDIoV will remain, and some of them will even be amplified (I-effect). Taking into account this circumstance, and the inevitable initiation of new cyber threats (G-effect), it is expedient to expand SDIoV by a new component which is a specialized subsystem of ensuring cyber security.

Expert Forecasting Cyber Resilience of Variants of Creating VANET/ITS
In the application of the described synergetic approach, even for the qualitative assessment of cyber resilience of "hybrid" of VANET/ITS and forecasting its vulnerabilities, there are essential restrictions.
Firstly, this study only considers the combination of two technologies, DSRC/802.11p and LTE-V, although in reality the synthesis of new cyber systems from the whole cascade of technologies "full hybrid communication mix" type can be required [4]. Secondly, it is considered that in a new cyber system the condition of vulnerability is static; it can only disappear, arise or be transformed to another one. Real vulnerabilities have dynamic properties and are capable of continuing modification throughout the life cycle of cyber systems and under the influence of external factors; thus, the description of the subsequent states requires the use of more difficult scientific approaches and methods. Thirdly, the forecasting of a new cyber system (for example, "hybrid") is based in the assumption that its development is determined. The indisputable complexity of the majority of cyber systems (which are practically all in the sphere of communication technologies and safety) demands the consideration of the processes related to them as stochastic, i.e., developing on various ways with various probabilities.
Nevertheless, even taking into account all sufficiently essential restrictions of a definite answer (at least qualitative, not to mention the calculation of any quantitative measures) it is not possible to receive. Therefore, in VANET/ITS, the existing vulnerabilities can disappear, appear again or become amplified; some of these will lead to the strengthening of cyber resilience, and some will have the opposite effect.
The main reason for such uncertainty is that the existing methodology and the tools serving information security do not allow the forecasting of a condition of difficult cyber systems, in feature applicable in practice, i.e., having the sufficient level of pragmatism.
For such a case, one of the only ways of forecasting is to use up-to-date expert estimates.
As tools, the hierarchy analysis method of Saati [97] (conditionally the first method) in combination with a sampling method (conditionally the second method) is considered by authors.
The first method includes procedures of synthesis and the analysis of multiple judgments of experts concerning the priority of indicators and the choice of rational options among alternatives. As alternatives, the options of development VANET/ITS considered in Chapter 1 can act here: the "standardized" VANET (DSRC/802.11p), "mobile" VANET (LTE-V), and "hybrid".
All of the aforementioned alternatives rely in the majority of cases on modern wireless technologies, but at the same time they have specifics in the organization of communications within the implementation of the aforementioned concept.
Indicators describing the most essential properties of alternative information and telecommunication systems, and changing the values in time, can be, for example: a cyber security vector as a part of indicators of confidentiality, integrity, availability, and non-repudiation; and productivity vector as a part of indicators of throughput ability, multi-service and timeliness. The offered indicators are interconnected; for example, requirements to timeliness characterize availability, etc. Therefore, the created generalized criterion of estimation of cyber resilience of ITS telecommunication component considered essential internal properties of a cyber system can be presented in the form of joint conditional probability of implementation of requirements for cyber security and productivity.
The second method includes statistical research of the general properties of objects (alternatives) on the basis of the studying of the properties only of the sample.
The judgments received by the first method are static, and their values do not allow solving a problem of forecasting, because its decision is based on the dynamic change of priorities. The analytical solution of the specified task is in [98], where for receiving estimates of coordinates of an own vector the sampling method is used.
The received indicators represent continuous differentiated functions of time. Therefore, it is possible to execute the differentiation of these functions to define growth rates of the studied priorities. Dependences on the change of priority growth rates for three alternative options of the organization of VANET/ITS communications obtained by authors show that the rate of change of a priority, which is a defining property of cyber security for the first alternative (DSRC/802.11p), is negative. Its biggest absolute value is predicted in the first years, and after that this value decreases.
Priorities change tempo and are approximately identical to those of the two other alternative options.
The paired relations of the received similar derivatives have allowed the comparison of growth rates of the extent of realization of each property for the considered alternatives. This study shows that the rate of change of the property of cyber security for the second alternative, LTE-V, is highest in the first years, which represents the greatest efficiency of its implementation in the nearest future. In prospect, the effect of its implementation in comparison with other alternatives falls. In the medium-term and long-term forecast, it is expedient to develop the third alternative, "hybrid", that does not contradict global trends.

Challenges
Taking into account the above, we summarize the aforementioned problematic issues of the cyber resilience telecommunication component of intelligent transportation systems.
Issue 1: Classification vs. terminology. In spite of the significant amount of publications about the threats of cyber security in VANET networks, these generally involve surveys or grouping of classical features for telecommunication networks.
This means that incorrect classification features are used; they do not take into consideration specifics of vehicle wireless networks.
The reason for such a situation, in our opinion, is the insufficient base preparation of modern writers in the cyber security sphere. This happens because they are keen on "best practice", which is detriment for theoretical and methodological preparation.
For the same reason, a serious problem for systematization (and the subsequent successful classification) is also terminological confusion leading to the shift and mixture of the terms "vulnerability", "threat source", "damage", "attack", and "threat". On the other hand, classification of threats of cyber resilience of VANET is an uncommon task even for "classical scientists", in view of its complexity as an object of study, because it is not a just a specific segment of a wireless network, but rather a set of dissimilar devices; each threat has to be specified from a position of a possibility of its realization in relation to a concrete layer of ITS, e.g., OBU, RSU, V2V, V2I, etc.
Issue 2: Space vs. time. Investigating the genesis of cyber resilience of VANET/ITS, this study has established that the main source of threats for cyber systems is the high-level (architectural) vulnerabilities of its components.
These are generated by features of realization of some conceptual model, and most actively participate in synergetic effects. In view of the above, such analysis requires special conditions such as spatial taxonomy (stratification) of vulnerabilities, at least for the high, medium, and low levels. Any mechanisms for the development of vulnerabilities, even for the simplest cyber systems in time (such as evolution, revolution, coevolution, etc.), are also almost disregarded. Therefore, it is necessary to recognize the VANET/ITS phenomenon as relevant. On the one hand, such an infocommunication system inherits the vulnerabilities of its parts, and on the another hand develops essentially new vulnerabilities [99].
Issue 3: Productivity vs. cyber security. This issue, mentioned before (see Item 3), assumes the situational exchange of productivity on the cyber security of VANET/ITS, and vice versa for the benefit of the maintenance of the required level of its cyber resilience. The mechanism of such exchange has been the focus of limited study. The attempt made in this study to use SDN technology as some regulator ("solver") transforms this issue to the plane of a problem of the optimum (rational) choice of the level of centralization of network management, even up to the realization of completely decentralized VANET [100].
Issue 4: Forecasting vs. "best practice". It is necessary to recognize forecasting in the field of cyber resilience research, such as priority direction, because it is aimed at the prevention of destructive consequences. At the same time, this direction is mostly "a weak link" for the aforementioned reasons. The lack of representative "best practice" prevents an opportunity to use the predictive power of classical mathematics, inevitably leading to expert estimation, and has trend to "a human factor", e.g., unreliability, limitation, engagement, etc.
The authors believe that implementing the following steps, which can help to solve the problem of formulated collisions and scientific knowledge gaps (directed to solve this collisions) in the future, provides an opportunity for the creation of missing scientific, theoretical, and methodological bases for comprehensive descriptions and solutions for the issue of critical questions of assessment, forecasting, and providing cyber resilience to all kinds (and complexities) of systems.
At first, the formalized establishment of the fundamental concepts, such as vulnerability and cyber threat will be needed, which will allow all facts to be accumulated methodically, and have a true cyber security (cyber resilience) research 'landscape'.
Secondly, properties of the central cyber security object-vulnerability-should be deeply analyzed. We mention not only static characteristics, but also dynamic ones, because they have a higher priority. Forecasting the security of a new cyber system is basically impossible without dynamic characteristics. Thirdly, specialized mathematics is needed to comply with the rigidity of scientific judgement. Such a set of mathematical tools includes the notation of description of system state from the point of view of cyber security, and also algorithms, which connect the states according to current synergetic mechanisms. Fourthly, the problem of balance between productivity and security should be stated in terms of degrees of centralization and levels of cyber system management. Finally, the practical use of the developed scientific and methodological base will require the development of problem-oriented software solutions allowing the modeling of development processes of cyber systems to estimate their parameters and to forecast vulnerabilities.

Conclusions
The authors analyzed the paradoxical situation of intelligent transportation systems in the field of information security, which consists of a sharp "surge" of identified threats (including zero-day) for a not yet completely formed, practically new cyber system, in order to identify problematic issues of forecasting cyber resistance of its connected components based on wireless technology.
There are 3 main options for constructing cyber-resilience telecommunication components for intelligent transportation system from sustainable global trends: "standardized" (DSRC/802.11p), "mobile" (LTE-V) and their "communication mix" are allocated.
The authors detail a set of the known threats of cyber security in wireless automobile networks according to the initial scheme: the attack mechanism-the exploited vulnerability-information security damage-object of attack-a countermeasure.
As an object of attack, it was proposed to consider the three main elements of an intelligent transport system: vehicles, transport infrastructure and wireless information and technical interaction between them.
The authors used the effects of the synergistic approach they established to qualitatively assess the cumulative effect of combining various cyber systems concepts. As an example, a qualitative prediction of cyber resilience of a certain new entity formed by the merger of a software-configured network and the "automotive" internet of things has been proposed.
The solution of the quantitative forecasting problem of the wireless automotive networks cybersecurity in the article is to establish on a change in the values of global priorities when comparing alternative options for organizing information technology interaction. As a toolkit, it was proposed to use the T. Saaty hierarchy analysis method in combination with the sampling method, and as alternatives, formed variants of a coherent component of an intelligent transport system.
As a result, the problem questions for predicting the cyber-resilience of the intelligent transport system coherent component are formulated. A sequence of steps is proposed to resolve the formulated collisions by creating the missing scientific (theoretical and methodological) and instrumental basis.
The authors are aware of the incompleteness of the described problematic issues list in predicting the cyber resilience of VANET/ITS, caused by the limited scope of the article. Left out of consideration were important issues; for example, the problem of deploying a general trust model [101] between the main subjects of ITS (terminals, applications etc.) based on public key infrastructure. Also, there is a problem of technical, informational and organizational compatibility of 'communication mix', i.e., the ability of a coherent component to exist on the basis of conflict-free and harmonious interaction of various telecommunication technologies. However, the steps proposed above will allow us to move from solving delayed issues of exploited vulnerabilities from practical neutralization to preventive tasks of modeling, forecasting and designing cyber systems like VANET/ITS with a given level of cyber resistance [102].