Published on RNO/ITS - PIARC (World Road Association) (https://rno-its.piarc.org)


Network Security

Authors: Alexandra Luck (A Luck Associates), Hugh Boyes (Bodvoc Ltd)

The road network and vehicle industry are at the beginning of a period of significant change as innovative solutions are sought to improve the safety, serviceability, sustainability and resilience of infrastructure. The way in which networks are managed and the way in which road space is utilised is evolving – with greater use of technology to monitor network conditions and to actively manage traffic. (See ITS and Network Monitoring and Traffic Management) There has also been a significant increase in the complexity of vehicle technology – for example, the use of hybrid and electric vehicles, and developments relating to vehicle connectivity and automation. (See Driver Support)

Changes in the use of technology create vulnerabilities. These are open to exploitation for malicious or hostile reasons – risking interference with vehicles and infrastructure. A security-minded approach is necessary to assess and minimise potential risks, to manage incidents and to evaluate the measures taken.

A security-minded approach is defined as the understanding of the need for – and routine application of – appropriate and proportionate security measures to deter and/or disrupt hostile, malicious, fraudulent and criminal behaviours or activities. This approach needs to address four areas – people, processes, physical security and technical security.

By integrating these four areas it is possible to create an approach to network security that delivers:

  • safety - preventing the creation of harmful situations which may lead to injury or loss of life or unintentional environmental damage
  • authenticity - ensuring that inputs and outputs are genuine and no tampering has occurred
  • availability (including reliability) – ensuring road infrastructure accessibility and usability in an appropriate and timely way
  • confidentiality - ensuring control of access and prevention of unauthorised access to both physical and information assets
  • integrity - maintaining consistency, coherence and configuration of the road infrastructure and systems
  • possession - preventing unauthorised control, manipulation or interference with facilities and services
  • resilience - ensuring the ability to transform, renew and recover service in a timely fashion in response to adverse events
  • utility - ensuring usability and usefulness over time, of data, information and systems.

The application of a security-minded approach requires road operators to work with partner organisations, such as the police, and security advisers. (See Planning and Reporting) This helps to develop an understanding of potential threats and their impact, key vulnerabilities and the nature of mitigating measures required. A failure of security – for any reason – will require a full assessment so that the reasons for failure are understood and lessons can be learnt. (See Emergency Response)

Security Planning

The application of a security-minded approach requires road operators, working with partner organisations and security advisers, to understand potential threats and their impact, identify key vulnerabilities and analyse the nature of measures required to manage risks. (See Planning and Reporting) The goal is to enhance the safety, security and resilience of the road network and its associated infrastructure.

Three key elements in the risk management process are:

  • risk assessment
  • risk mitigation (See risk mitigation)
  • risk review

A road authority, with its partner organisations and advisers, should develop a risk management strategy that incorporates each of these three elements – such as the one in the example outlined below.

Road infrastructure security risk management strategy


A systematic approach is useful in developing a risk management strategy – for which a checklist of questions is helpful to guide practitioners through the evaluation process:

  • Step 1: identify the threats
  • Step 2: analyse vulnerabilities and impacts
  • Step 3: evaluate road network and operational resilience
  • Step 4: short-list countermeasures and risk mitigation strategies
  • Step 5: implement security measures and evaluate

Systematic approach

Step 1. Identify the threats

  1. What scenarios need to be considered?
  2. How likely is each kind of threat?
  3. In what ways is the network vulnerable?
  4. How and why?
  5. What is critical?
  6. How would network operations be compromised?
  7. What and where are the vulnerabilities?
  8. What is critical?

Step 2. Analyse vulnerabilities and impact

  1. Worst-case scenarios
  2. Difficult events and combinations of events
  3. Where is there resilience now?
  4. Recovery strategies that are available
  5. Rate the level of risk: likelihood vs severity of outcome

Step 3. Evaluate road network and operational resilience

  1. How can resilience be strengthened?
  2. What risk mitigation strategies are available?
  3. What specific security measures are available?
  4. Protection of critical sites and equipment
  5. Security through deterrence
  6. Security through design
  7. Security through detection
  8. How might network operations be adapted in response?
  9. Demonstrate benefits and cost-effectiveness of possible countermeasures

Step 4. Short-list countermeasures and risk mitigation strategies

  1. Incident response plans
  2. Partner agency working
  3. Public information strategy

Step 5. Implement security measures and evaluate

 

Risk Assessment

A risk assessment should consider the potential threats to regular road use and operations and consequential vulnerabilities. Some threats that compromise network resilience are quite common, others are less frequent or rare. (See Security Threats) An essential part of the assessment is to consider how likely it is that a particular threat might happen and how disruptive it would be. The assessment needs to consider what harm might be caused to:

  • the road infrastructure and its related systems
  • road users and others who make use of the infrastructure
  • information about the network and its users
  • the benefits for which the road network exists to deliver.

Vulnerabilities

A vulnerability in the context of road network security is defined as a weakness in the road infrastructure or operating systems that can be exploited by one or more threats.

Vulnerabilities associated with the construction, operation or maintenance of the road network relate to its scale, and how easy it is to:

  • obstruct or interfere with logistics, plant and machinery, supply routes, and staff – so as to disrupt the movement of people and goods and the supply chain
  • cause damage to cameras and sensors that provide information on the condition of the road asset
  • cause damage to new or existing roads and highway infrastructure.

Vulnerabilities that affect highway network operations concern cabling, equipment, sensors and associated processing systems that might be attacked:

  • remotely, through internet or wireless connectivity
  • through physical breaches of systems as a result of damage, either accidental or deliberate, interference or tampering
  • by personnel with administrator access.

Likelihood

The likelihood of threats may be relatively predictable for environmental, social, economic or political reasons. For example, a project’s level of profile, its controversy and its impact on local communities will influence how likely it is to provoke civil protests and strikes, malicious attacks, or theft of equipment such as construction plant.

The likelihood of a threat being realised will be greater if security is poor, for example when:

  • equipment or systems are poorly sited
  • the quality and effectiveness of physical protection measures are insufficient
  • the security-force response is too slow or ineffective
  • the value of vulnerable assets is high
  • the cyber-security systems and procedures are unsuitable or ineffective.

Risk Review

In order to maintain the security of the road network and supporting systems it is necessary to establish a process whereby:

  • risks which have changed for political, economic, social, technological, legal or environmental reasons, are identified and assessed
  • risk mitigation plans are reviewed and updated where necessary.

Further Information

Report of the PIARC Security Task Force (See Security of Road Infrastructure)

Reference sources

PIARC Security Task Force (2015) Security of Road Infrastructure. Report 2015R01EN. World Road Association, Paris. ISBN 978-2-84060-357-3.

Security Threats

Security threats can be divided into those which:

  • have the capability to cause damage or disruption to the construction, operation or maintenance of the highway infrastructure (the physical infrastructure)
  • could damage or disrupt the infrastructure operating systems and associated information (the ITS infrastructure).

Threats can also be unintentional, non-directed or unpredicted – for example:

  • severe weather events
  • pandemics
  • incidents involving hazardous materials
  • road traffic collisions
  • fall-out from disruption to other transport modes
  • the jamming or interference with navigation signals caused by natural factors
  • malware infection on an IT system.

The potential level of impact will depend on the criticality of the asset, system or information affected. An example is shown in the photo below.

Road Interrupted by direct action (Source : PIARC Security Task Force)


Physical infrastructure

Damage or disruption to the construction, operation or maintenance of the road infrastructure may arise from a number of threats.

Civil protests and strikes

Civil protests and strikes are most likely to arise from social unrest and civil disobedience. Sometimes this is in response to the construction of assets that are sensitive for environmental, social, economic or political reasons. They have the potential to disrupt or delay operations and can be expensive to manage – and expensive in relation to the final cost of the work being undertaken.

Malicious attack

A malicious attack can occur through a range of external and internal/insider threats. These include damage caused by malware, hackers, disaffected personnel or blast. The result of an attack – in relation to the construction, operation and maintenance of the road network – is likely to centre on physical damage/sabotage to the infrastructure, plant or equipment, or disruption to road users.

Severe weather events

Severe and adverse weather – such as periods of rain, flooding, hard frost, snow, prolonged dry weather, excess heat, high winds, dust storms and earthquakes – can cause serious disruption and dangerous driving conditions, as well as considerable damage to the network, in particular to:
  • the pavement surface condition and structural strength
  • the stability of surrounding and underlying ground and earthworks
  • sensors embedded within the network.

The risks of adverse weather can be mitigated to a degree by the installation of road sensors and weather stations at locations that have a high level of exposure. (See Weather Monitoring)

Pandemics

Pandemics can affect humans, agricultural livestock and wildlife. They can impact on:
  • a population’s capability to travel and to access needed facilities
  • the willingness and ability of staff and external resources – such as contractors and maintenance staff – to enter an area to undertake work.

Theft of equipment

Depending on the type of equipment, theft can impact directly on traffic operations and on the ability of an authority, and the cost to it, of constructing, maintaining and improving transport infrastructure. It can also have a direct influence on road user safety – and the capability of an authority to manage traffic behaviour and enhance a network’s capacity.

Hazardous materials

Hazardous materials (solids, liquids and gases that can be flammable, corrosive or toxic) are frequently transported by road. They are also used within highway construction and management – and may be stored, processed, or used adjacent (or in close proximity) to the road network. An incident involving hazardous materials can lead to closure of the highway – or damage to it and its supporting systems.

Collisions

Road traffic collisions can cause damage to:
  • pavement surface condition
  • structures such as bridges
  • infrastructure such as gantry signs and traffic management equipment
  • sensors embedded within the network.

Incidents can also lead to prolonged closure of the highway and have significant social and economic costs. (See Incident Response Plans)

Fall-out from disruption to other modes (rail, ports, airports)

Disruption to other modes of transport can have a significant effect on road traffic. It can force users to make alternative travel arrangements or – where this is not possible or cost effective (for example, in the case of transportation of freight) – to wait until the disruption has been resolved. Contingency plans may be necessary for parking vehicles that are held up by disruption.

Global Navigation Satellite Systems (GNSS)

The jamming of, or interference with, navigation signals may be caused by human factors, such as intentional or malicious acts/attack, or natural factors such as solar flares and disturbance to the ionosphere. It can result in the loss of precision location information, failure of in-vehicle navigation systems and/or loss of accurate timing signals for area-wide systems.

ITS infrastructure

Damage or disruption to the ITS infrastructure, operating systems and associated information may arise from:

  • threats similar to those facing the physical infrastructure – although with different impacts
  • threats directly associated with digital technology.

Malicious attack

A malicious attack can occur through a range of external and internal/insider threats. For example, damage may be caused by malware, hackers or disaffected personnel. Physical damage may be caused to:

  • IT equipment and sensors within the highway boundary
  • communications infrastructure or processing systems located outside the highway boundary (such as control centres, data centres, etc.)
  • road users.

Logical damage may be caused to system software, operating systems and stored data or information. These attacks can lead to loss of communications or network connectivity – and to the corruption or loss of information and traffic disruption.

Theft of equipment

Theft of IT equipment, sensors or cables within the highway boundary can lead to loss of functionality or system resilience. It can also impact on the ability of the infrastructure system to perform as efficiently as it would otherwise. Repair and replacement can be disruptive and problematic.

Cyber-threats

Cyber-threats can arise in several ways including:
  • eCrime – such as interference with road charging or toll systems – which can lead to loss or corruption of data on charging, revenue or usage
  • loss of communications and power supplies – which can be accidental or due to deliberate damage to cables and/or distribution system components within the highway boundary or supplying systems outside. The impact will be reduced performance of the infrastructure
  • loss or corruption of software systems – which can impact on the system’s availability or integrity, leading to loss of functionality and/or loss or corruption of data.

 

Risk Mitigation

Counter-measures can help reduce the level of threat to the security of roads and highways and mitigate the potential for disruption. The decision whether to accept identified risks or implement mitigation measures (and what measures to deploy) may fall to different parties according to the circumstances. It may be:

  • the employer or owner – for example, of a traffic control centre
  • the contractor involved in some aspect of managing and maintaining equipment and infrastructure
  • the road authority or road operator – because of possible legal liabilities
  • the financer or investor where privately-owned assets are involved
  • or the state, as a matter of public policy.

The decision about what mitigation measures will be implemented will depend on a number of factors:

  • the cost of the measure and its implementation
  • the anticipated reduction in the identified risk
  • any undesirable impacts which the mitigation measure may have
  • the potential for the measure to introduce other vulnerabilities
  • whether the proposed measure has any benefits in addition to an improvement in security
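The risk rating called for in Step 2 of the checklist (likelihood vs severity of outcome) and the decision factors just listed can be worked through in code. The following Python is an added example, not part of the PIARC report or this page: the five-point scales, the band thresholds, the threat figures and the candidate measures are all constructed, and the scoring rules (likelihood rank times severity rank; residual risk taken as the worse of the reduced score and any risk the measure itself introduces) are assumptions made for illustration, not a PIARC method.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Five-point scales for Step 2 ("rate the level of risk: likelihood vs severity of outcome").
# The scales and every figure below are constructed for this example, not PIARC's.
LIKELIHOOD_SCALE = ["rare", "unlikely", "possible", "likely", "almost certain"]
SEVERITY_SCALE = ["negligible", "minor", "moderate", "major", "catastrophic"]


def rate_risk(likelihood: str, severity: str) -> int:
    """Score 1..25 = likelihood rank x severity rank (assumed scoring rule)."""
    return (LIKELIHOOD_SCALE.index(likelihood) + 1) * (SEVERITY_SCALE.index(severity) + 1)


def risk_band(score: int) -> str:
    """Band thresholds (assumed) decide whether a risk must be mitigated, may be, or is accepted."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Threat:
    name: str
    likelihood: str
    severity: str

    def score(self) -> int:
        return rate_risk(self.likelihood, self.severity)


@dataclass
class Countermeasure:
    name: str
    cost: float                                   # annualised cost, arbitrary units
    likelihood_steps: int = 0                     # ranks by which it lowers likelihood
    severity_steps: int = 0                       # ranks by which it lowers severity
    introduced_risks: List[Threat] = field(default_factory=list)   # vulnerabilities the measure itself adds
    undesirable_impacts: List[str] = field(default_factory=list)
    other_benefits: List[str] = field(default_factory=list)


def _lower(scale: List[str], value: str, steps: int) -> str:
    """Step down a scale without falling off its bottom."""
    return scale[max(0, scale.index(value) - steps)]


def residual_score(threat: Threat, measure: Countermeasure) -> int:
    """Residual risk after the measure: the reduced threat score or the worst risk the measure
    introduces, whichever is higher. A measure that opens a bigger hole than it closes shows no benefit."""
    reduced = rate_risk(_lower(LIKELIHOOD_SCALE, threat.likelihood, measure.likelihood_steps),
                        _lower(SEVERITY_SCALE, threat.severity, measure.severity_steps))
    introduced = max((r.score() for r in measure.introduced_risks), default=0)
    return max(reduced, introduced)


def shortlist(threat: Threat, candidates: List[Countermeasure]) -> List[Tuple[str, int, str, float]]:
    """Step 4: keep only measures that actually lower the risk, ranked by risk reduction per unit cost.
    Each row is (name, residual score, residual band, reduction per unit cost)."""
    rows = []
    for m in candidates:
        residual = residual_score(threat, m)
        reduction = threat.score() - residual
        if reduction <= 0:
            continue          # no net benefit once introduced vulnerabilities are counted
        rows.append((m.name, residual, risk_band(residual), round(reduction / m.cost, 3)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


# Constructed example: theft of cabling and equipment from roadside cabinets (a threat the page lists).
CABLE_THEFT = Threat("theft of cabling and equipment from roadside cabinets", "likely", "moderate")

CANDIDATES = [
    Countermeasure("hardened cabinet locks with tamper alarms", cost=20, likelihood_steps=2),
    Countermeasure("remote cabinet telemetry over cellular modem", cost=15, likelihood_steps=1, severity_steps=1,
                   introduced_risks=[Threat("new remote access path into cabinet electronics", "possible", "moderate")]),
    Countermeasure("replace copper runs with fibre", cost=60, likelihood_steps=3, severity_steps=1,
                   other_benefits=["higher bandwidth for sensors and CCTV"]),
    Countermeasure("24-hour security patrols", cost=100, likelihood_steps=3,
                   undesirable_impacts=["ongoing staffing cost", "patrol vehicles on the live carriageway"]),
    Countermeasure("unauthenticated public camera feed of every cabinet", cost=5, likelihood_steps=1,
                   introduced_risks=[Threat("feed discloses cabinet locations and response times", "likely", "major")]),
]

if __name__ == "__main__":
    print(f"{CABLE_THEFT.name}: score {CABLE_THEFT.score()} ({risk_band(CABLE_THEFT.score())})")
    for name, residual, band, per_cost in shortlist(CABLE_THEFT, CANDIDATES):
        print(f"  {name:52s} residual {residual:2d} ({band:6s}) reduction/cost {per_cost}")
```

The point of `residual_score` is the fourth decision factor above: a measure is credited only with the reduction that survives after the vulnerabilities it introduces are rated on the same scale, so the camera-feed option drops out of the shortlist despite being the cheapest.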

Damage or disruption to the construction, operation or maintenance of the highway network arising from intended events – such as civil protests and strikes, malicious attacks, or theft of equipment – may be managed by improving security. For example:

  • protective physical measures being placed around sites vulnerable to threats
  • enhanced stakeholder management, for example early community engagement and consultation
  • planning of traffic routeing and the implementation of works which takes into account the outcome of the security risk assessment.

It may also be necessary – depending on the level of criticality – to develop appropriate and proportionate plans and processes for dealing with different potential outcomes, in case mitigation measures fail.

Unintentional, non-directed and unpredicted events (such as severe weather events, pandemics, hazardous materials, and disruption to other transport modes) will also need managing – to reduce the risk of damage and disruption to the infrastructure’s safety, sustainability, serviceability and resilience.

In all cases it is advisable to have in place appropriate and proportionate plans and processes for dealing with different types of incident.

Network Operating Systems

Damage or disruption to the highway network operating systems and associated information can have a serious impact on road users and network performance. The outcome is unlikely, though, to pose a major danger to road safety or network serviceability. For example, the loss of satellite navigation can be inconvenient and difficult to prevent. In the event of a failure – so long as there is adequate directional signage on the highway – it is unlikely to have a significant impact on the ability of the network to meet users’ needs.

Equipment Security

Measures relating to the design, location and physical security of equipment cabinets, sensors and cabling routes – which may be at risk from theft or other malicious attack – should be taken into consideration when the assets are first introduced. For existing assets, physical security measures will need to be proportionate – when balancing cost and constraints against the impact of the loss, compromise or failure of the network and associated assets.

Software Systems and ITS Infrastructure

A security-minded approach can manage the risk of loss, theft or corruption of software systems, systems for processing financial and/or personal data, and systems providing communications or power supply. This approach is based on the implementation of appropriate and proportionate policies, processes and procedures focusing on four areas – people, business process, physical security, and cyber-security. (See Network Security)

Where wireless technologies are employed in the system, consideration needs to be given to the impact of jamming or interference, and appropriate measures adopted to protect system confidentiality, integrity and availability. Depending on the criticality of individual systems, a variety of business continuity and disaster recovery solutions may also need to be developed.

Weather events

It may be possible to mitigate some of the effects of severe weather on the road pavement, structures, drainage systems and sensors – by:
  • carefully selecting the most appropriate design, materials, methods and systems used in new infrastructure
  • incorporating these into the existing network as and when improvement works are undertaken
  • anticipating where severe weather or flooding may occur and installing weather monitoring and flood warning systems (See Weather Management)

 

Security of ITS

ITS makes use of technologies such as Bluetooth, mobile phones and licence plate recognition to monitor traffic behaviour, improve traffic flows and road safety. Many of these systems – such as CCTV, video image processing and vehicle licence plate recognition – can sometimes be used specifically for security purposes. (See CCTV)

ITS is also extensively used in emergency situations to support crisis management and enforcement purposes. (See Emergency Response and Policing / Enforcement) These systems have to be robust enough to withstand unintentional, non-directed and unpredicted events.

The latest ITS applications use connected vehicle technology to offer added-value services and safety support to the driving public. The possibility, though, that they may malfunction – or be subject to cyber-attack – needs to be taken into account by system designers and operators. (See Connected Vehicles)

In order to manage the security risks around greater automation and connectivity, it is vital that security of the whole system is considered. Alongside the security safeguards that are built into road vehicles it is important that the security of traffic management systems is also addressed.

Traffic management systems

With the current levels of automation in vehicles being very low, security breaches of existing traffic management systems are the most likely risk to efficient operations, leading to increased congestion. Any such breach would bring with it a risk of reputational damage to the relevant highway authority or operating company. It may also impact on the safety of road users if the ability to detect and verify incidents is impeded. This is particularly the case during the hours of darkness, when a stationary vehicle on the roadway can be difficult for drivers to detect, and when traffic speeds are high.

If control rooms become more automated in the future, the tolerance of risk will need to decrease as the need for assurance around the security of the systems becomes greater. Mitigation measures will need to be reviewed to ensure that the level of residual risk is at an acceptable level and does not exceed the level that can be tolerated by the road operator – or by road users in general.

Connected Vehicles and Automation

Security risks will need to be comprehensively reassessed with the introduction of Vehicle-to-Infrastructure (V2I) communications into traffic management systems. This is especially so when V2I is used in combination with Vehicle-to-Vehicle (V2V) systems and greater vehicle autonomy. There will need to be far greater emphasis on safety and the prevention of incidents, particularly those that could cause injury or loss of life. For example, V2I systems that regulate vehicle speed or lane use may be vulnerable to streaming of incorrect or malicious data from insecure sources (vehicles) or other attacks on the system infrastructure. This could put large numbers of vehicles and their occupants at risk.
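As an added illustration of the defensive side of that last point (example code, not from this page or PIARC): a roadside unit that acts on a vehicle's speed report only after checking it is authentic, fresh and physically plausible, so that an unsigned, replayed or impossible report cannot drive a speed or lane decision. It is written in Python; the shared HMAC key stands in for the certificate-based message signatures real V2X deployments use, and the speed, acceleration and age limits, the segment bounding box and the sample messages are all constructed for the example.

```python
import hashlib
import hmac
import json
import statistics
from typing import Dict, List, Tuple

# Plausibility limits and the managed segment's bounding box: constructed values for this example.
MAX_SPEED_MPS = 70.0      # ~250 km/h; above this a road-vehicle speed report is not credible
MAX_ACCEL_MPS2 = 12.0     # beyond the hardest braking/acceleration a road vehicle can produce
MAX_AGE_S = 2.0           # older reports are stale (or replayed) for a speed-regulation decision
LAT_RANGE = (51.50, 51.52)
LON_RANGE = (-0.20, -0.10)
SIGNED_FIELDS = ("vehicle_id", "ts", "speed_mps", "lat", "lon")


def sign(payload: Dict, key: bytes) -> str:
    """HMAC-SHA256 over canonical JSON; a stand-in for the signatures V2X uses in practice."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class V2IValidator:
    """Accepts a vehicle report only if it is authentic, fresh and physically plausible."""

    def __init__(self, key: bytes, now: float):
        self.key = key
        self.now = now                      # fixed clock so the example is reproducible
        self.last_seen: Dict[str, Tuple[float, float]] = {}   # vehicle_id -> (ts, speed)

    def validate(self, msg: Dict) -> Tuple[bool, str]:
        payload = {k: v for k, v in msg.items() if k != "sig"}
        if any(f not in payload for f in SIGNED_FIELDS):
            return False, "malformed"
        # 1. Authenticity: an unsigned or forged report from an insecure source is dropped first.
        if not hmac.compare_digest(sign(payload, self.key), str(msg.get("sig", ""))):
            return False, "authenticity"
        vid, ts, speed = payload["vehicle_id"], float(payload["ts"]), float(payload["speed_mps"])
        # 2. Freshness: reject stale reports and timestamps from the future.
        if not -1.0 <= self.now - ts <= MAX_AGE_S:
            return False, "freshness"
        # 3. Plausibility: speed and position must be possible for a vehicle on this segment.
        if not 0.0 <= speed <= MAX_SPEED_MPS:
            return False, "plausibility:speed"
        if not (LAT_RANGE[0] <= payload["lat"] <= LAT_RANGE[1]
                and LON_RANGE[0] <= payload["lon"] <= LON_RANGE[1]):
            return False, "plausibility:position"
        # 4. Consistency with the vehicle's previous report: catches replays and impossible jumps.
        prev = self.last_seen.get(vid)
        if prev is not None:
            prev_ts, prev_speed = prev
            if ts <= prev_ts:
                return False, "replay"
            if abs(speed - prev_speed) / (ts - prev_ts) > MAX_ACCEL_MPS2:
                return False, "plausibility:acceleration"
        self.last_seen[vid] = (ts, speed)
        return True, "accepted"


def segment_speed(validator: V2IValidator, messages: List[Dict]) -> Tuple[float, Dict[str, int]]:
    """Median speed from accepted reports only, plus a tally of rejection reasons for monitoring."""
    speeds, rejected = [], {}
    for msg in messages:
        ok, reason = validator.validate(msg)
        if ok:
            speeds.append(float(msg["speed_mps"]))
        else:
            rejected[reason] = rejected.get(reason, 0) + 1
    return (statistics.median(speeds) if speeds else float("nan")), rejected


# Constructed sample traffic; one shared key stands in for the roadside unit's trust anchor.
KEY = b"example-roadside-unit-key"
NOW = 1_700_000_000.0


def _msg(vid, ts, speed, lat=51.51, lon=-0.15, sig=None):
    p = {"vehicle_id": vid, "ts": ts, "speed_mps": speed, "lat": lat, "lon": lon}
    p["sig"] = sign(p, KEY) if sig is None else sig
    return p


SAMPLE = [
    _msg("V1", NOW - 0.5, 25.0),                 # genuine
    _msg("V2", NOW - 0.5, 0.0, sig="forged"),    # unsigned "stopped vehicle" report
    _msg("V3", NOW - 0.5, 150.0),                # signed but impossible speed
    _msg("V4", NOW - 0.5, 20.0, lat=52.0),       # signed but outside the segment
    _msg("V1", NOW - 0.5, 25.0),                 # replay of the first report
    _msg("V5", NOW - 0.4, 5.0),                  # genuine
    _msg("V5", NOW - 0.1, 60.0),                 # 55 m/s gained in 0.3 s: not credible
    _msg("V1", NOW - 0.2, 24.0),                 # genuine follow-up
    _msg("V6", NOW - 10.0, 30.0),                # stale
]

if __name__ == "__main__":
    median, rejected = segment_speed(V2IValidator(KEY, NOW), SAMPLE)
    print(f"segment median speed {median} m/s; rejected: {rejected}")
```

The ordering of the checks matters: the signature is verified before any field is interpreted, so a forged report costs one HMAC and nothing else, and the rejection tally gives operators a signal (a rising count of authenticity or replay failures) that the segment is receiving bad data even though no decision was influenced by it.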

Vehicle Automation

There are six defined levels of automation for on-road vehicles, where zero represents a fully manual vehicle, and level five is a fully automated vehicle. (See Warning and Control) At level two, the driver is required to monitor the surrounding environment continuously but is assisted by vehicle systems such as emergency assisted braking, lane warning and assisted parking.

At levels three and four the automation will probably begin to include both V2V and V2I connectivity – to support increasingly automated driving and navigation processes.

As a result of the relatively long life of vehicles compared to the rapid development and deployment of new technologies, there will be a mixed fleet of vehicles using the highway at any one time. This may range from those with the very latest communications and automation features, to those which are older with legacy systems. The road network and its associated infrastructure will need to be able to ensure the safe interaction of vehicles with these varying capabilities.

Security risks

The increasing connectivity of external systems and devices to a vehicle – and the developments in V2V, V2I and vehicle-to-device (V2X) connectivity – provide external access which will create vulnerabilities. If a threat is realised it may impact on the safety and security of:
  • the vehicle’s occupants
  • other road users
  • infrastructure on or around the highway.

Currently the risk of these attacks affecting a vehicle, its occupants and other road users is very low. It will increase as more connections are made and the technology is deployed in new vehicle models.

Legal Issues

Increasing automation – ultimately up to a level where a driver (like a passenger) has no control of the vehicle – raises legal questions surrounding:

  • the continuing responsibilities and duty of care of drivers
  • the responsibility of fleet owners
  • the duty of care owed by the manufacturers of the vehicle and the designers and providers of the advanced technology
  • the responsibility of highway authorities, traffic management system engineers and statutory bodies

Advice to Practitioners

To implement a security-minded approach for ITS, it is essential that security risks are understood not only during the design stage but throughout the lifecycle of operations. This requires the development of an ITS Security Strategy that sets out:

  • the security requirements for the system(s)
  • the risk management strategy
  • the mechanisms for maintaining situational awareness
  • the means for reviewing and updating the strategy.

ITS Security Management Plan

Alongside a risk management strategy for the network (See Security Planning), an ITS Security Management Plan is needed to detail the policies, processes and procedures needed to maintain the required level of security with clear roles and responsibilities for the road authority, the road operator, and any other parties that are directly involved in network operations. This should be embedded in other operating policies and reviewed regularly. (See Planning and Reporting)

The policies, process and procedures in the ITS Security Management Plan will need to deliver:

  • continuity of operations, including safety of drivers, passengers, the vehicles, other road users, and the road network (its availability, safety, and resilience)
  • control of access and system operations (issues such as confidentiality and who is controlling the highway)
  • the quality and validity of information, including configuration of the vehicle, road infrastructure and any connected systems (to preserve the integrity, utility, and authenticity of those systems).

Failure to address any of these elements can undermine the safety and security of the vehicle, the road network, and/or any connected systems.

 

Security Incidents

The immediate response to any incident or breach of security which impacts on the integrity of the road network, its associated assets and systems, and/or information is more likely to be effective if:

  • it is based around a plan that has been prepared in advance and rehearsed
  • the plan has been developed in collaboration with key stakeholders
  • the plan has been kept up to date

A security response plan increases the chance that local communities, businesses, transportation and emergency services will be able to continue to function following less severe incidents – without the need for the authorities to implement contingency arrangements. Where contingency arrangements become necessary, these should include business continuity measures as well as disaster and incident recovery actions. The aim is to mitigate impacts arising in the event of failure or impairment or non-availability of part of the network or related systems. (See Incident Response Plans)

To produce a plan of this type, it is necessary to identify:

  • those parts of the network or assets that are most at risk or where the consequences may be most severe – for example, where the network provides access to isolated communities or emergency services, or forms part of crucial network links
  • alternative network routes which can be utilised and are at lower risk
  • processes of inspection, public reporting of issues and accurate record-keeping – to better establish and monitor areas where issues arise
  • warning procedures to provide alerts of threats such as severe weather events
  • health and safety issues specific to each threat
  • the lead authority and the key decision-makers and other parties who need to be informed of the situation in the event of an incident, including the emergency services
  • the processes by which key decisions should be made
  • the mitigation measures to be implemented, including specific health and safety considerations
  • methods for communicating with members of the public including effective working arrangements with local press and broadcast media including social media. These can, where applicable, enable presentation of timely and accurate information and advice on infrastructure condition
  • training needs for staff and key stakeholders on measures and processes to be included in the plan(s)
  • arrangements for obtaining reserve supplies of key resources to support a minimum resilience standard
  • the business continuity measures required in the event of a failure or breach of the mitigation measures – resulting in the failure, impairment or non-availability of part of the network or related systems
  • disaster or incident recovery actions
  • arrangements for regular reviews of the plan to take account of changing circumstances, and to monitor its implementation in the event of an incident.

Security Incident response

In the event of a security incident, it is important that steps are taken to contain and recover from the event. (See Traffic Incidents)

During a security incident the response should include:

  • measures for reducing further damage or loss
  • an assessment of what has been lost, compromised, damaged or corrupted
  • if required, the collection of evidence for law enforcement purposes.

Where it is necessary to collect evidence for law enforcement, all evidence (both physical and digital) that may help investigators to identify the cause of the event and its perpetrators should be preserved and collected before any recovery actions are taken. The exception is where immediate recovery actions are critical to saving life.

It may also be necessary to notify third parties – for example, service providers, regulatory bodies, and law enforcement agencies – in order to manage the incident effectively, including management of traffic on the surrounding network, and to minimise further disruption.

The provision of appropriate and timely information and advice to members of the public will also help in the management of the incident and minimise further disruption to the network. (See Emergency Response)


Source URL: https://rno-its.piarc.org/en/network-operations/network-security