Decision-Maker Guidance
Introduction
ITS decision makers include government officials, regulatory bodies, transportation agencies, and executives responsible for setting cybersecurity policies and investment priorities. Ensuring secure and resilient ITS deployments requires a risk-based approach, strategic investment in security infrastructure, and a balance between security, usability, and operational continuity.
This section provides guidance on cybersecurity policy that can be tailored to both European (EU) and North American regulatory environments.
1. Risk-Based Approaches to Cybersecurity Policy Development
A risk-based approach enables cybersecurity policies and solutions to mitigate specific and relevant ITS threats. Risk management involves:
- Identifying and decomposing critical assets such as vehicles (OBUs), ITS equipment (RSUs, DMS, CCTV, etc.), and TMCs (backend infrastructure).
- Identifying and assessing threats and vulnerabilities specific to the identified assets within the transportation system, including potential for attacks against communications (e.g., V2X).
- Implementing risk mitigation strategies aligned with international standards.
Regional Considerations
- European Union: Policies should align with tbd
- North America: Agencies such as the U.S. National Institute of Standards and Technology (NIST) and Transport Canada provide guidelines for cybersecurity risk management in transportation. For example, in the United States, NIST SP 800-30 provides a guide for conducting risk assessments that can be applied to ITS systems.
Key Actions
- Incorporate threat modeling to understand attack vectors and mitigate risks.
- Implement and enforce cybersecurity reporting obligations for transportation operators to share key cybersecurity event information across stakeholders.
2. Investment Strategies for Security Infrastructure
Cybersecurity investments should be prioritized based on risk assessments, regulatory requirements, and technological advancements.
Investment Priorities
- Public Key Infrastructure (PKI) for secure certificate management (e.g., IEEE 1609.2, X.509).
- Resilient V2X security architectures to protect communications between vehicles, RSUs, and backend services.
- Misbehavior Detection and Response tools for ITS networks to identify potential cyber threats in real time.
Key Actions
- Prioritize cybersecurity funding for critical ITS assets.
- Develop public-private partnerships to leverage industry expertise in security investments.
- Allocate funds for ongoing cybersecurity training for ITS operators.
3. Balancing Security with Usability and Operational Continuity
Cybersecurity measures must not compromise the usability, efficiency, or reliability of transportation systems.
Challenges
- Security controls that slow down V2X message exchanges may introduce unacceptable latency issues.
- Security processes must be balanced against driver privacy.
- Incident response mechanisms must be designed to minimize service disruptions.
Regional Considerations
- EU: The General Data Protection Regulation (GDPR) imposes strict privacy requirements on data collection and storage.
- North America: The Cybersecurity and Infrastructure Security Agency (CISA) promotes best practices for secure and resilient ITS deployments.
Key Actions
- Implement privacy-preserving security mechanisms, such as pseudonym certificates.
- Ensure that systems are resilient enough to maintain continuity in the event of a cyberattack.