Policy Makers
Policy makers define the regulatory and governance environment for ITS cybersecurity. They are responsible for setting cybersecurity priorities, enabling secure interoperability, and ensuring national and regional resilience across ITS deployments.
Responsibilities
- Define and enforce cybersecurity regulations for ITS operators, ensuring alignment with international standards such as ISO 31000, NIST SP 800-30, and EU CCMS requirements.
- Mandate the use of risk-based security frameworks that assess threats to vehicles, infrastructure, and backend systems and prioritize mitigation of the most critical risks (e.g., spoofed messages, DoS attacks, certificate misuse).
- Require implementation of security management systems, as established in frameworks like the EU NIS2 Directive and CCMS policy, to support ongoing cybersecurity governance for all ITS stakeholders.
- Promote secure interoperability between jurisdictions, particularly in cross-border environments, by encouraging common trust models and the adoption of standards that support certificate and identity validation.
- Ensure privacy requirements (such as GDPR in the EU) are embedded in ITS cybersecurity programs and balanced with public safety and operational needs.
Actions
- Require all ITS deployments to conduct regular threat modelling and risk assessments, following frameworks such as NIST SP 800-30 (U.S.) and the CCMS security policy (EU).
- Enforce cybersecurity event reporting obligations to improve shared visibility and response coordination across agencies and operators.
- Apply the Cyber Resilience Act (CRA) and equivalent regulations to ensure that all ICT and ITS systems meet baseline security requirements before deployment.
- Ensure that privacy-preserving techniques such as pseudonym certificates are used to protect driver identity while maintaining system traceability for authorized investigations.
- Ensure that security controls are designed to avoid introducing unacceptable delays into V2X communications, especially for time-sensitive safety messages.
- Require that all cybersecurity mechanisms, including authentication, incident response, and key management, are designed to preserve system availability and limit service disruptions during a cyberattack.
- Adopt CISA and other national guidance (e.g., Transport Canada cybersecurity strategies) to promote a culture of resilience and continuous improvement in ITS cybersecurity policy.