# Decision-Makers

## Understanding the Role of Decision-Makers in ITS Cybersecurity
Decision-makers are often influenced by national policy, funding priorities and legal frameworks. They are responsible for ensuring public safety, mitigating risk, enabling secure cross-border interoperability, and maintaining public trust in connected mobility.
## Strategic Priorities for Decision-Makers

### 1. Adopt a Risk-Based Policy Framework
Cybersecurity policy should be driven by a clear understanding of risk. Vehicles, roadside infrastructure, and backend systems are all potential targets for cyberattacks that could result in harm. A risk-based approach enables policies to address the most critical threats to an ITS system. ITS executives should ensure that risk assessments are performed regularly, international standards are adopted with a focus on interoperability, and tailored mitigation strategies are put in place to safeguard their specific ITS deployments.
#### Regional Considerations
- European Union: Policies should align with tbd
- North America: Agencies such as the U.S. National Institute of Standards and Technology (NIST) and Transport Canada provide guidelines for cybersecurity risk management in transportation. For example, in the United States, NIST SP 800-30 provides a guide for conducting risk assessments that can be applied to ITS systems.
#### Key Actions
- Incorporate threat modeling to understand attack vectors and mitigate risks.
- Implement and enforce cybersecurity reporting obligations for transportation operators to share key cybersecurity event information across stakeholders.
### 2. Balance Security with Usability and Operational Continuity
Cybersecurity measures must not compromise the usability, efficiency, or reliability of transportation systems.
#### Challenges
- Security controls that slow down V2X message exchanges may introduce unacceptable latency issues.
- Security processes must be balanced against driver privacy.
- Incident response mechanisms must be designed to minimize service disruptions.
#### Regional Considerations
- EU: The General Data Protection Regulation (GDPR) imposes strict privacy requirements on data collection and storage.
- North America: tbd
#### Key Actions
- Implement privacy-preserving security mechanisms, such as pseudonym certificates.
- Ensure that systems are resilient enough to maintain service continuity in the event of a cyberattack.
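The pseudonym-certificate action above is the one concrete mechanism this page names, so the following is an added illustration (not code from the original page or from any ITS project) of what it buys in privacy terms. It is a deliberately simplified model: real deployments use ECDSA-signed IEEE 1609.2 pseudonym certificates issued by an SCMS-style PKI, whereas here certificates are plain records and signatures are omitted. The vehicle id, validity window and message payloads are constructed values. What the model shows is the design point that matters to a policy-maker: the identifier an eavesdropper sees on the air changes on a schedule, so only a bounded number of messages can be tied to one sender, while the mapping back to the long-term identity exists only at the certificate authority for misbehavior investigation.

```python
"""Toy model of pseudonym-certificate rotation for V2X messaging (added example)."""
import os
from collections import Counter


class PseudonymCA:
    """Issues batches of short-lived pseudonym certificates to a vehicle."""

    def __init__(self):
        # pseudonym id -> long-term vehicle id. Held only by the CA; never sent over the air.
        self._mapping = {}

    def issue_batch(self, long_term_id, count, validity_s):
        """Return `count` certificates with consecutive, non-overlapping validity windows."""
        certs = []
        for i in range(count):
            pid = os.urandom(8).hex()  # random pseudonym id, unrelated to long_term_id
            not_before = i * validity_s
            certs.append({"pid": pid, "not_before": not_before, "not_after": not_before + validity_s})
            self._mapping[pid] = long_term_id
        return certs

    def resolve(self, pid):
        """Link a pseudonym back to the vehicle; a privileged, auditable operation at the CA."""
        return self._mapping[pid]


class Vehicle:
    """Holds a pool of pseudonym certificates and rotates through them by time."""

    def __init__(self, certs):
        self._certs = certs

    def _current_cert(self, t):
        for cert in self._certs:
            if cert["not_before"] <= t < cert["not_after"]:
                return cert
        # Failure mode worth handling: an exhausted pool must not fall back to a fixed id.
        raise RuntimeError(f"no pseudonym certificate valid at t={t}; pool exhausted")

    def send(self, t, payload):
        """Emit a message carrying only the current pseudonym id, never the long-term id."""
        cert = self._current_cert(t)
        return {"pid": cert["pid"], "t": t, "payload": payload}


def linkable_messages(messages):
    """Largest group of messages an eavesdropper can tie to one sender by the id on the air."""
    return max(Counter(m["pid"] for m in messages).values())


def simulate(validity_s=300, n_msgs=10, interval_s=100):
    """Drive one vehicle for n_msgs beacons and return the CA and the observed trace."""
    ca = PseudonymCA()
    # Constructed values: a placeholder vehicle id and a pool of 20 five-minute pseudonyms.
    vehicle = Vehicle(ca.issue_batch("VIN-CONSTRUCTED-0001", count=20, validity_s=validity_s))
    trace = [vehicle.send(i * interval_s, {"speed_kph": 50, "lat": 0.0, "lon": 0.0})
             for i in range(n_msgs)]
    return ca, trace


if __name__ == "__main__":
    ca, trace = simulate()
    print("distinct pseudonyms on the air:", len({m["pid"] for m in trace}))
    print("messages linkable by an eavesdropper:", linkable_messages(trace),
          "of", len(trace), "(a fixed identifier would link all", len(trace), ")")
    print("CA resolution of first pseudonym:", ca.resolve(trace[0]["pid"]))
```

With ten beacons 100 s apart and 300 s pseudonyms, an observer sees four identifiers and can link at most three messages to any one of them; a fixed identifier would link all ten. The same trace resolves to the single vehicle only through the CA's mapping, which is the point a GDPR-style policy has to govern: who may call `resolve`, under what authorization, and with what audit trail. Real schemes refine this further (overlapping validity, rotation at moments that do not correlate with location), but the separation of on-air identity from long-term identity is the core mechanism.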