Cyber security in intelligent public transport: challenges and solutions
Posted: 20 June 2016 | Cédric Lévy-Bencheton and Eleni Darra from the European Union Agency for Network and Information Security (ENISA) | No comments yet
For Intelligent Transport, Cédric Lévy-Bencheton and Eleni Darra from the European Union Agency for Network and Information Security (ENISA) underline the importance of cyber security for transport operators by presenting the consequences of cyber threats on a transport system, as well as the current challenges linked to the implementation of cyber security. Cédric and Elenia also propose solutions by highlighting security good-practices and key recommendations to enhance the current status of security in intelligent public transport systems…
The public transport industry has recently been investing in new technologies, such as the Internet of Things, cyber-physical systems, Big Data, Open Data and more generally in connected systems. These intelligent public transport systems collect, process and exchange data in order to improve services and provide new functionalities to passengers.
The shift towards an intelligent infrastructure usually follows a transition period, during which time new and legacy systems cohabitate. As legacy systems are traditionally secured vis-à-vis safety concerns, their new counterparts bring in new challenges linked to cyber security. Contrary to safety, the aim of security is to protect a system against the likelihood of multiple threats.
Cyber threats now apply to intelligent public transport systems: they target traditional IT systems (computers, e-mails) but also more specific operational and critical systems, since they are IP-connected (IP or ‘Internet Protocol’ is a communication standard). Hence, they can be accessed remotely and could also be exposed via the Internet. Some systems are also cyber-physical, meaning that they are controlled by software to perform actions on the physical world (e.g. a signalling system managed from an operating control centre).
In the Network and Information Security Directive, operators of intelligent public transport are considered ‘Operators of Essential Services’. They will have to implement minimum security measures and report their cyber incidents to a designated authority. Therefore, security must become a concern for a public transport operator, not only to secure operations and business but also to comply with the regulatory framework and ensure the safety of citizens.
The consequences of cyber threats on transport
Legacy systems were designed to work in isolation with limited possibilities. New systems are interconnected which allows transport operators to improve their supervision and benefit from remote control. In addition, the operational costs are lowered and, because these systems tend to be standardised, they are cheaper to acquire and maintain.
However, any system can be or become vulnerable. In the case of intelligent public transport, an attacker gaining control of one system could theoretically control others that are interconnected. This really highlights the importance of security as several transport networks around the world have seen their operations disrupted by ‘Distributed Denial of Service’ attacks, malware and hacked fare cards, etc.
Figure 1 on page 00 presents the taxonomy of cyber threats applicable to intelligent public transport. These threats can be accidental (e.g. system failure) or intentional (e.g. Distributed Denial of Service). Moreover, cyber threats target not only transport operators but their dependencies (other operators or other stakeholders) and can also target citizens. The outcome of these threats are multiple; from data theft to complete service outage.
Furthermore, cyber threats pose a great risk to safety. If a critical system fails after a cyber attack, safety will also be impacted. Consequently, it is a duty for the transport operators to ensure both the safety and the security of their systems in order to fulfil their mission and protect their reputation, their operations and most importantly human lives.
The challenges of cyber security
Transport operators face numerous challenges in the process of securing their assets against cyber threats. These challenges go beyond the technical aspect of security, with a wide range of applications.
Intelligent public transport operators have limited expertise in security because their main duty is to transport citizens to their destinations. Even though they are well aware of safety concerns, their knowledge on cyber threats may be limited due to the lack of information available to them and the shortage of sector-specific training.
The definition of cyber security for public transport remains unclear, since every transport operator has its own unique architecture and not all vendors have the same degree of understanding security dependecies. Moreover, current risk assessments are not sufficiently focused, failing to include the security aspect of critical assets, and there is no framework or standard that links security with safety.
The spending on cyber security is low: When reviewed by ENISA, the budgets for cyber security did not score very well in terms of sufficiency of resources. When they are, these budgets appear to be low compared to the overall budget of the intelligent public transport operator. This significantly limits the possibility of a proportionate investment in security.
Security for safety is still in its infancy. Manufacturers need to understand the needs of their customers several years before releasing a product. However, customers are only starting to understand these arising security issues. In the meantime, legacy systems become connected and their potential vulnerabilities may put the entire intelligent public transport system at risk.
Security good-practices to secure intelligent public transport
Even though the challenges are difficult to tackle, it is already possible for intelligent public transport operators to take actions toward stronger security. Several good-practices on security exist to prevent cyber threats, react during a crisis, as well as recover and improve after an incident.
As shown in Figure 2 on page 00, the good-practices need to consider all layers of intelligent public transport business. These good-practices go beyond the technical as they also focus on processes and organisational aspects. In that respect, intelligent public transport operators could enhance their security status by following the good-practices proposed in Table 1 on page 00 which are organised into three groups:
- Technical good-practices to secure systems and technologies
One good-practice is to define cyber and physical security measures to protect assets. As intelligent public transport operators become increasingly connected, they face internal and external threats, thus assessing the security of their assets, including the difficult data exchange with external partners, is key. For those reasons, intelligent public transport operators need to agree with their suppliers and partners on a commonly accepted security level: for example, if data exchange is important for business, adapted measures shall ensure data integrity.
- Good-practices linked to policy and standards in which intelligent public transport operators define guidelines to secure their business
Employing security by design is another good-practice. In transport, the lifetime of a system ranges from 10 to 20 years. Intelligent public transport operators acquire these systems via tenders. If the security aspect is not defined in contract, there is no reason to believe it will be taken into account. Using the principles of security by design, intelligent public transport operators must discuss and understand how security is implemented for the whole lifecycle of the product: at the time the system is designed; when the product is integrated into an existing system; right until the end-of-life of the product (e.g. patching).
- Good-practices regarding organisation, people and processes which concern working methodologies as well as the structure and the strategy of the organisation
One good-practice is to develop organisational and operational procedures and guidelines that define the role of everyone in the company. This includes the reporting line, in case of an incident, as well as the actions to perform before, during and after a crisis.
Conclusions and recommendations to enhance cyber security
Transport operators have the responsibility to protect their operations by securing their assets. If the cost of cyber security could be perceived as high, the impact of an incident on reputation, operations, revenues and even on human lives could be rated as higher still. Such possibilities need to be considered before there are any casualties due to a cyber attack.
Intelligent public transport operators should integrate security in their governance in the following ways: by defining a specific structure; making training and awareness programmes available to staff; identifying critical assets from the business and societal perspective; and defining key performance indicators to protect both the transport service and the passengers.
The concept of ‘security for safety’ is a strong statement to integrate in procurement procedures. Yet operators need to understand what to protect for manufacturers to provide them with suitable and adequate solutions. A first step would be to rely on ENISA’s guidance to identify critical assets, the relevant threats and the applicable solutions3.
Another interesting instrument to enhance security is to foster multi-stakeholders’ collaboration so they can exchange experiences and views on threats, challenges and solutions. This is the purpose of the ENISA TRANSSEC Expert Group5 which gathers intelligent public transport operators, manufacturers, consultants and representatives from municipalities.
An extension of this collaboration is to reuse good-practices from other sectors with similar challenges, as they may have already faced similar threats. This is even more important with the NIS Directive which brings obligations for all Member States of the European Union to enforce cyber security measures for critical services. In the NIS Directive transport operators are referenced as operators of essential services; as such they will have to comply with the regulation. For that purpose, ENISA will propose guidelines for minimum security measures and develop specific incident reporting schemes.
- Contact the authors at: [email protected]
Cédric Lévy-Bencheton2 is an expert in cyber security at the European Union Agency for Network and Information Security (ENISA). His interests focus on the protection of smart infrastructures, cyber-physical systems and critical infrastructure. He is currently involved in several projects to secure the Internet of Things in several sectors including Transport, Smart Cities and Smart Homes. Previously, Cédric has designed critical networks for public transport and was also a researcher in telecommunications. Cédric obtained a Ph.D. in Computer Science from University Lyon in 2011.
Eleni Darra2 has been a Network Information Security Assistant at the European Union Agency for Network and Information Security (ENISA) since 2015. She is currently dedicated to improve the security of smart infrastructures. She has expertise in Cyber Security and Privacy for Mobile Communications, with a specialisation in Sensors Networks, Cloud Computing Security and Intrusion Detection Systems. Eleni studied at the University of Piraeus where she received an M.Sc. in Network Oriented Systems (2008) and a B.Sc. in the field of Digital Systems (2005). Previously, Eleni was an Instructional Designer, a Tester for Web Applications, an IT Support Specialist and a Professor in Computer Science.
Issue 3 2016
European Union Agency for Network and Information Security (ENISA)