Cyber security in intelligent public transport: challenges and solutions
20 June 2016 • Author(s): Cédric Lévy-Bencheton and Eleni Darra from the European Union Agency for Network and Information Security (ENISA)
For Eurotransport, Cédric Lévy-Bencheton and Eleni Darra from the European Union Agency for Network and Information Security (ENISA)1 underline the importance of cyber security for transport operators by presenting the consequences of cyber threats on a transport system, as well as the current challenges linked to the implementation of cyber security. Cédric and Eleni also propose solutions by highlighting good security practices and key recommendations to enhance the current status of security in intelligent public transport systems.
The public transport industry has recently been investing in new technologies, such as the Internet of Things, cyber-physical systems, Big Data, Open Data and more generally in connected systems. These intelligent public transport systems collect, process and exchange data in order to improve services and provide new functionalities to passengers.
The shift towards an intelligent infrastructure usually goes through a transition period, during which new and legacy systems coexist. While legacy systems are traditionally secured with safety concerns in mind, their new counterparts bring new challenges linked to cyber security. Unlike safety, security aims to protect a system against the likelihood of multiple threats.
Cyber threats now apply to intelligent public transport systems: they target traditional IT systems (computers, e-mails) but also more specific operational and critical systems, since they are IP-connected (IP or ‘Internet Protocol’ is a communication standard). Hence, they can be accessed remotely and could also be exposed via the Internet. Some systems are also cyber-physical, meaning that they are controlled by software to perform actions on the physical world (e.g. a signalling system managed from an operating control centre).
In the Network and Information Security Directive, operators of intelligent public transport are considered ‘Operators of Essential Services’. They will have to implement minimum security measures and report their cyber incidents to a designated authority. Therefore, security must become a concern for a public transport operator, not only to secure operations and business but also to comply with the regulatory framework and ensure the safety of citizens.