Security Planning

The application of a security-minded approach requires road operators, working with partner organisations and security advisers, to understand potential threats and their impact, identify key vulnerabilities and analyse the nature of measures required to manage risks. (See Planning and Reporting) The goal is to enhance the safety, security and resilience of the road network and its associated infrastructure.

Three key elements in the risk management process are:

risk assessment
risk mitigation (See risk mitigation)
risk review

A road authority, with its partner organisations and advisers, should develop a risk management strategy that incorporates each of these three elements – such as the one in the example outlined below.

Road infrastructure security risk management strategy

A systematic approach is useful in developing a risk management strategy – for which a checklist of questions is helpful to guide practitioners through the evaluation process:

Step 1: identify the threats
Step 2: analyse vulnerabilities and impacts
Step 3: evaluate road network and operational resilience
Step 4: short-list countermeasures and risk mitigation strategies
Step 5: implement security measures and evaluate

Systematic approach

Step 1. Identify the threats

What scenarios need to be considered?
How likely is each kind of threat?
In what ways is the network vulnerable?
How and why?
What is critical?
How would network operations be compromised?
What and where are the vulnerabilities?
What is critical?

Step 2. Analyse vulnerabilities and impact

Worst-case scenarios
Difficult events and combinations of events
Where is there resilience now?
Recovery strategies that are available
Rate the level of risk:
Likelihood vs severity outcome

Step 3. Evaluate road network and operational resilience

How can resilience be strengthened?
What risk mitigation strategies are available?
What specific security measures are available?
Protection of critical sites and equipment
Security through deterrence
Security though design
Security through detection
How might network operations be adapted in response?
Demonstrate benefits and cost-effectiveness of possible countermeasures

Step 4. Short-list countermeasures and risk mitigation strategies

Incident response plans
Partner agency working
Public information strategy

Step 5. Implement security measures and evaluate

Risk Assessment

A risk assessment should consider the potential threats to regular road use and operations and consequential vulnerabilities. Some threats that compromise network resilience are quite common, others are less frequent or rare. (See Security Threats) An essential part of the assessment is to consider how likely it is that a particular threat might happen and how disruptive it would be. The assessment needs to consider what harm might be caused to:

the road infrastructure and its related systems
road users and others who make use of the infrastructure
information about the network and its users
the benefits for which the road network exists to deliver.

Vulnerabilities

A vulnerability in the context of road network security is defined as a weakness in the road infrastructure or operating systems that can be exploited by one or more threats.

Vulnerabilities associated with the construction, operation or maintenance of the road network relate to its scale, and how easy it is to:

obstruct or interfere with logistics, plant and machinery, supply routes, and staff – so as to disrupt the movement of people and goods and the supply chain
cause damage to cameras and sensors that provide information on the condition of the road asset
cause damage to new or existing roads and highway infrastructure.

Vulnerabilities that affect highway network operations concern cabling, equipment, sensors and associated processing systems that might be attacked:

remotely, through internet or wireless connectivity
through physical breaches of systems as a result of damage, either accidental or deliberate, interference or tampering
by personnel with administrator access.

Likelihood

The likelihood of threats may be relatively predictable for environmental, social, economic or political reasons. For example, a project’s level of profile, its controversy and its impact on local communities will influence how likely it is to provoke civil protests and strikes, malicious attacks, or theft of equipment such as construction plant.

The likelihood of a threat being realised will be greater if security is poor, for example when:

equipment or systems are poorly sited
the quality and effectiveness of physical protection measures are insufficient
the security-force response is too slow or ineffective
the value of vulnerable assets are high
the cyber-security systems and procedures are unsuitable or ineffective.

Risk Review

In order to maintain the security of the road network and supporting systems it is necessary to establish a process whereby:

risks which have changed for political, economic, social, technological, legal or environmental reasons, are identified and assessed
risk mitigation plans are reviewed and updated where necessary.

Further Information

Report of the PIARC Security Task Force (See Security of Road Infrastructure)

Security Threats

Security threats can be divided into those which:

have the capability to cause damage or disruption to the construction, operation or maintenance of the highway infrastructure (the physical infrastructure)
could damage or disrupt the infrastructure operating systems and associated information (the ITS infrastructure).

Threats can also be unintentional, non-directed or unpredicted – for example:

severe weather events
pandemics
incidents involving hazardous materials
road traffic collisions
fall-out from disruption to other transport modes
the jamming or interference with navigation signals caused by natural factors
malware infection on an IT system.

The potential level of impact will depend on the criticality of the asset, system or information affected. An example is shown in the photo below.

Road Interrupted by direct action (Source : PIARC Security Task Force)

Physical infrastructure

Damage or disruption to the construction, operation or maintenance of the road infrastructure may arise from a number of threats.

Civil protests and strikes

Civil protests and strikes are most likely to arise from social unrest and civil disobedience. Sometimes this is in response to the construction of assets that are sensitive for environmental, social, economic or political reasons. They have the potential to disrupt or delay operations and can be expensive to manage – and expensive in relation to the final cost of the work being undertaken.

Malicious attack

A malicious attack can occur through a range of external and internal/insider threats. These include damage caused by malware, hackers, disaffected personnel or blast. The result of an attack – in relation to the construction, operation and maintenance of the road network – is likely to centre on physical damage/sabotage to the infrastructure, plant or equipment, or disruption to road users.

Severe weather events

Severe and adverse weather – such as periods of rain, flooding, hard frost, snow, prolonged dry weather, excess heat, high winds, dust storms and earthquakes can cause serious disruption and dangerous driving conditions – as well as considerable damage to the network, in particular:

the pavement surface condition and structural strength
the stability of surrounding and underlying ground and earthworks
sensors embedded within the network.
The risks of adverse weather can be mitigated to a degree by the installation of road sensor and weather stations at locations that have a high level of exposure. (See.Weather Monitoring)

Pandemics

Pandemics can affect humans, agricultural livestock and wildlife. They can impact on:

a population’s capability to travel and to access needed facilities
the willingness and ability of staff and external resources – such as contractors and maintenance staff – to enter an area to undertake work.

Theft of equipment

Depending on the type of equipment, theft can impact directly on traffic operations and on the ability of an authority, and the cost to it, of constructing, maintaining and improving transport infrastructure. It can also have a direct influence on road user safety – and the capability of an authority to manage traffic behaviour and enhance a network’s capacity.

Hazardous materials

Hazardous materials (solids, liquids and gases that can be flammable, corrosive or toxic) are frequently transported by road. They are also used within highway construction and management – and may be stored, processed, or used adjacent (or in close proximity) to the road network. An incident involving hazardous materials can lead to closure of the highway – or damage to it and its supporting systems.

Collisions

Road traffic collisions can cause damage to:

pavement surface condition
structures such as bridges
infrastructure such as gantry signs and traffic management equipment
sensors embedded within the network.
Incidents can also lead to prolonged closure of the highway and have significant social and economic costs. (See Incident Response Plans)

Fall-out from disruption to other modes (rail, ports, airports)

Disruption to other modes of transport can have a significant effect on road traffic. It can force users to make alternative travel arrangements or – where this is not possible or cost effective (for example, in the case of transportation of freight) – to wait until the disruption has been resolved. Contingency plans may be necessary for parking vehicles that are held up by disruption.

Global Navigation Satellite Systems (GNSS)

The jamming of, or interference with, navigation signals may be caused by human factors, such as intentional or malicious acts/attack, or natural factors such as solar flares and disturbance to the ionosphere. It can result in the loss of precision location information, failure of in-vehicle navigation systems and/or loss of accurate timing signals for area-wide systems.

its infrastructure

Damage or disruption to the ITS infrastructure, operating systems and associated information may arise from:

similar threats to those facing the physical infrastructure – although with different impacts
and from threats directly associated with digital technology

Malicious attack

A malicious attack can occur through a range of external and internal/insider threats. For example, damage may be caused by malware, hackers or disaffected personnel. Physical damage may be caused to:

IT equipment and sensors within the highway boundary
communications infrastructure or processing systems located outside the highway boundary (such as control centres, data centres, etc.)
logical damage to system software, operating systems and stored data or information
road users
These attacks can lead to loss of communications or network connectivity – and the corruption or loss of information and traffic disruption.

Theft of equipment

Theft of IT equipment, sensors or cables within the highway boundary can lead to loss of functionality or system resilience. It can also impact on the ability of the infrastructure system to perform as efficiently as it would otherwise. Repair and replacement can be disruptive and problematic.

Cyber-threats

Cyber-threats can arise in several ways including:

eCrime – such as the interference with road charging or toll systems, can lead to loss, or corruption, of data on charging, revenue or usage
loss of communications and power supplies – which can be accidental or due to deliberate damage to cables and/or distribution system components within the highway boundary or supplying systems outside. The impact will be reduced performance of the infrastructure
loss or corruption of software systems – which can impact on the system’s availability or integrity, leading to loss of functionality and/or loss or corruption of data.

Risk Mitigation

Counter-measures can help reduce the level of threat to the security of roads and highways and mitigate the potential for disruption. The decision whether to accept identified risks or implement mitigation measures, (and what measures to deploy) may fall to different parties according to the circumstances. It may be:

the employer or owner – for example, of a traffic control centre
the contractor involved in some aspect of managing and maintaining equipment and infrastructure
the road authority or road operator – because of possible legal liabilities
the financer or investor where privately-owned assets are involved
or the state, as a matter of public policy.

The decision about what mitigation measures will be implemented will depend on a number of factors:

the cost of the measure and its implementation
the anticipated reduction in the identified risk
any undesirable impacts which the mitigation measure may have
the potential for the measure to introduce other vulnerabilities
whether the proposed measure has any benefits in addition to an improvement in security

Damage or disruption to the construction, operation or maintenance of the highway network arising from intended events – such as civil protests and strikes, malicious attacks, or theft of equipment – may be managed by improving security. For example:

protective physical measures being placed around sites vulnerable to threats
enhanced stakeholder management, for example early community engagement and consultation
planning on traffic routeing and the implementation of works – which take into account, the outcome of the security risk assessment.
It may also be necessary – depending on the level of criticality – to develop appropriate and proportionate plans and processes for dealing with different potential outcomes – in case mitigation measures fail.
Unintentional, non-directed and unpredicted events (such as severe weather events, pandemics, hazardous materials, and disruption to other transport modes) will also need managing – to reduce the risk of damage and disruption to the infrastructure’s safety, sustainability, serviceability and resilience.
In all cases it is advisable to have in place appropriate and proportionate plans and processes for dealing with different types of incident.

Network Operating Systems

Damage or disruption to the highway network operating systems and associated information can have a serious impact on road users and network performance. The outcome is unlikely, though, to pose a major danger to road safety or network serviceability. For example, the loss of satellite navigation can be inconvenient and difficult to prevent. In the event of a failure – so long as there is adequate directional signage on the highway – it is unlikely to have a significant impact on the ability of the network to meet users’ needs.

Equipment Security

Measures relating to the design, location and physical security of equipment cabinets, sensors and cabling routes – which may be at risk from theft or other malicious attack – should be taken into consideration when the assets are first introduced. For existing assets, physical security measures will need to be proportionate – when balancing cost and constraints against the impact of the loss, compromise or failure of the network and associated assets.

Software Systems and ITS Infrastructure

A security minded approach can manage the risk of loss, theft or corruption of software systems, systems for processing financial and/or personal data, and systems providing communications or power supply. This approach is based on the implementation of appropriate and proportionate policies, processes and procedures focusing on four areas – people, business process, physical security, and cyber-security. (See Network Security)

Where wireless technologies are employed in the system, consideration needs to be given to the impact of jamming or interference, and appropriate measures adopted to protect system confidentiality, integrity and availability. Depending on the criticality of individual systems, a variety of business continuity and disaster recovery solutions may also need to be developed.

Weather events

It may be possible to mitigate some of the effects of severe weather on the road pavement, structures, drainage systems and sensors – by:

carefully selecting the most appropriate design, materials, methods and systems used in new infrastructure
incorporating these into the existing network as and when improvement works are undertaken
anticipating where severe weather or flooding may occur and installing weather monitoring an flood warning systems (See Weather Management)

Security of ITS

ITS makes use of technologies such as Bluetooth, mobile phones and licence plate recognition to monitor traffic behaviour, improve traffic flows and road safety. Many of these systems – such as CCTV, video image processing and vehicle licence plate recognition – can sometimes be used specifically for security purposes. (See CCTV)

ITS is also extensively used in emergency situations to support crisis management and enforcement purposes. (See Emergency Response and Policing / Enforcement) These systems have to be robust enough to withstand unintentional, non-directed and unpredicted events.

The latest ITS applications, use connected vehicle technology to offer added-value services and safety support to the driving public. The possibility, though, that they may malfunction – or be subject to cyber-attack – needs to be taken into account by system designers and operator. (See Connected Vehicles)

In order to manage the security risks around greater automation and connectivity, it is vital that security of the whole system is considered. Alongside the security safeguards that are built into road vehicles it is important that the security of traffic management systems is also addressed.

Traffic management systems

With the current levels of automation in vehicles being very low, security breaches of existing traffic management systems are the most likely risk to efficient operations and increased congestion. Any such breach would bring with it a risk of reputational damage to the relevant highway authority or operating company. It may also impact on the safety of road users if the ability to detect and verify incidents is impeded. This is particularly the case during the hours of darkness when a stationary vehicle on the roadway can be difficult for drivers to detect, and when traffic speeds are high.

If control rooms become more automated in the future, the tolerance of risk will need to decrease as the need for assurance around the security of the systems becomes greater. Mitigation measures will need to be reviewed to ensure that the level of residual risk is at an acceptable level and does not exceed the level that can be tolerated by the road operator – or by road users in general.

Connected Vehicles and Automation

Security risks will need to be comprehensively reassessed with the introduction of Vehicle-to-Infrastructure (V2I) communications into traffic management systems. This is especially so when V2I is used in combination with Vehicle-to-Vehicle (V2V) systems and greater vehicle autonomy. There will need to be far greater emphasis on safety and the prevention of incidents, particularly those that could cause injury or loss of life. For example, V2I systems that regulate vehicle speed or lane use may be vulnerable to streaming of incorrect or malicious data from insecure sources (vehicles) or other attacks on the system infrastructure. This could put large numbers of vehicles and their occupants at risk.

Vehicle Automation

There are six defined levels of automation for on-road vehicles, where zero represents a fully manual vehicle, and level five is a fully automated vehicle. (See Warning and Control) At level two, the driver is required to monitor the surrounding environment continuously but is assisted by vehicle systems such as emergency assisted braking, lane warning and assisted parking.

At levels three and four the automation will probably begin to include both V2V and V2I connectivity – to support increasingly automated driving and navigation processes.

As a result of the relatively long life of vehicles compared to the rapid development and deployment of new technologies, there will be a mixed fleet of vehicles using the highway at any one time. This may range from those with the very latest communications and automation features, to those which are older with legacy systems. The road network and its associated infrastructure will need to be able to ensure the safe interaction of vehicles with these varying capabilities.

Security risks

The increasing connectivity of external systems and devices to a vehicle – and the developments in V2V, V2I and vehicle-to-device (V2X) connectivity – provide external access which will create vulnerabilities. If a threat is realised it may impact on the safety and security of:

the vehicles occupants
other road users
and infrastructure on or around the highway.
Currently the risk of these attacks affecting a vehicle, its occupants and other road users, is very low. It will increase as more connections are made and the technology is deployed in new vehicle models.

Legal Issues

Increasing automation – ultimately up to a level where a driver (like a passenger) has no control of the vehicle – raises legal questions surrounding:

the continuing responsibilities and duty of care of drivers
the responsibility of fleet owners
the duty of care owed by the manufacturers of the vehicle and the designers and providers of the advanced technology
the responsibility of highway authorities, traffic management system engineers and statutory bodies

Advice to Practitioners

To implement a security-minded approach for ITS, it is essential that security risks are understood not only during design stage, but throughout the lifecycle of operations. This requires the development of an ITS Security Strategy that sets out:

the security requirements for the system(s)
the risk management strategy
the mechanisms for maintaining situational awareness
the means for reviewing and updating the strategy.

ITS Security Management Plan

Alongside a risk management strategy for the network (See Security Planning), an ITS Security Management Plan is needed to detail the policies, processes and procedures needed to maintain the required level of security with clear roles and responsibilities for the road authority, the road operator, and any other parties that are directly involved in network operations. This should be embedded in other operating policies and reviewed regularly. (See Planning and Reporting)

The policies, process and procedures in the ITS Security Management Plan will need to deliver:

continuity of operations, including safety of drivers, passengers, the vehicles, other road users, and the road network (its availability, safety, and resilience)
control of access and system operations (issues such as confidentiality and who is controlling the highway)
the quality and validity of information, including configuration of the vehicle, road infrastructure and any connected systems (to preserve the integrity, utility, and authenticity of those systems).
Failure to address any of these elements can undermine the safety and security of the vehicle, the road network, and/or any connected systems.