ENISA warns that intelligent public transport operators need to pay more attention to cyber security
Smart city transport operators need to do more to preserve the cyber security around their operations, and the EU should play a role in supporting the effort, according to the European Union Agency for Network and Information Security (ENISA).
The organisation has published a report that says cyber threats have begun to emerge for transport systems that use the internet of things (IoT) and cyber-physical systems (which draw on computing to control physical operations) to exchange data. There have already been disruptions and incidents of smart ticketing systems being hacked for fraud, and operators have so far been slow to respond to the threats.
While the warning will apply most directly to private sector transport operators, it is also highly relevant to public transport and road authorities that are exploring the use of the IoT to make services more efficient.
Titled Cyber Security and the Resilience of Intelligent Public Transport, the report says that while there are great opportunities in the use of intelligent public transport (IPT) systems, they are also bringing new cyber security risks to transport networks and even making them a “natural target” for emerging threats.
These include denial of service attacks, malware and viruses, data breaches, identity theft, eavesdropping and service outages. They are intensified by factors such as the scale and complexity of transport networks, the reliance on real-time data, and the interdependence of the systems used.
The report warns that awareness of these threats is low, there is no existing EU policy in the area, and it is difficult for operators to dedicate budgets to preserving cyber security.
It also provides examples of good practice – such as setting up a security control centre with real time monitoring – but ENISA says there is a need for a more coordinated effort.
Recommendations
It makes recommendations that include: promoting public-private collaboration on IPT security at national and EU level; developing a common EU strategy and framework; and developing harmonised cyber security standards for IPT.
It also urges transport operators to integrate cyber security into their corporate governance, implement relevant risk management, clearly specify their requirements in the field, and annually review their processes and infrastructure.
Professor Udo Helmbrecht, executive director of ENISA, said: “Smart infrastructure and smart devices are no longer a thing of the future, they are currently being rolled out across the EU. ENISA sees the security of such infrastructure as being a key success factor. Ensuring adequate protection of citizens will remove barriers to implementation and help promote economic growth through innovation.”