Cyber Security and Traffic Data Systems 17th October 2016 Dr Darren Handley Presentation Title (edit this in Insert > Header and Footer, then click 'Apply to All')

Cyber Security v Cyber is about securing not just enterprise architectures (IT) but also operational technologies and the services they provide. For enterprise systems the threats and effects are well known. Breaches can cause data lose and services reliant on affected systems to be affected. Operational technologies incorporate a wide breath of things, including the technologies that provide for traffic management systems, C-ITS services and platooning. These differ as they are not classic IT systems. Their make up will differ, for example they may be formed of a multitude of remote and ad-hoc device. The results of things going wrong may also differ, with outcomes including death (accidents), destruction of assets (i.e. they fail and stop working), disruption (traffic congestion) and data breaches. Ultimately getting it wrong will cost money, both to fix and potentially in fines. April 19

Are you prepared? Are your corporate/enterprise systems secure? Well established IT policies and procedures Dedicated IT team Cyber Essentials Are your traffic management systems and ITS services secure? Knowledge of your systems and architectures Understand what could go wrong if your deployed assets are hacked Understand the risks of those scenarios happening Include cyber security requirements in contracts Incident response planning – how would you return assets to service? Quick check list. For deployed assets and services this is a quick checklist Do you know how secure your assets are? Do you know what assets are connected to what and how they might be accessed via the outside world (physically or via connectivity)? Are they connected to corporate systems and how? Have you assessed what could go wrong and assessed the associated risks with these systems? For those assets and services you procure have you included cyber security requirements in those procurements/contracts? This can provide assurances that cyber security has been considered and potential action paths should breaches occur. Should the worst happen – do you have remediation/response plans? Have you tested them?

A2M2 example of good practice Early stage risk assessment End to end risk assessment of proposed architecture and services Used to inform design decisions and security requirements Cyber security requirements in procurement process Set expectations/requirements for bidders, against which they were scored Ensured contractual obligations to incorporate cyber security Baseline security standard used to define detailed requirements Delivery of cyber security assessed Delivery of cyber security managed & assessed within project delivery Acceptance testing against requirements for deliverables Security testing to assess if risks mitigated

Resources What good looks like: For vehicles and intelligent transport systems – Principles of cyber security for CAV & ITS: https://www.gov.uk/government/publications/principles-of-cyber-security-for-connected-and-automated-vehicles For internet enabled devices – DCMS guidance on secure by design: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/686089/Secure_by_Design_Report_.pdf Assess how you are doing corporately: Cyber Essentials - https://www.ncsc.gov.uk/scheme/cyber-essentials NCSC Network and Information Systems cyber assessment framework - https://www.ncsc.gov.uk/guidance/indicators-good-practice Keep up to date with news via NCSC experts NCSC Cyber Information Sharing Platform - https://www.ncsc.gov.uk/cisp Public Authority Information Exchange – contact me. Specific bits of great guidance are available from NCSC, including: Cloud applications https://www.ncsc.gov.uk/guidance/security-industrial-control-systems IoT devices: https://www.ncsc.gov.uk/guidance/end-user-devices-security-principles Public Authority Information Exchange is most likely to focus on a blend of local / traffic authorities and cover subjects such as the evolving threats to Smart City Initiatives, Blending HVM in to the Streetscene, Security of Intelligent Transport Systems. Composition is yet to be determined but Secretariat likely to be provided by the Chartered Institution of Highways & Transportation (CIHT).

Questions You can also contact me at: darren.handley@dft.gov.uk April 19

Resources What good looks like: For vehicles and intelligent transport systems – Principles of cyber security for CAV & ITS: https://www.gov.uk/government/publications/principles-of-cyber-security-for-connected-and-automated-vehicles For internet enabled devices – DCMS guidance on secure by design: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/686089/Secure_by_Design_Report_.pdf Assess how you are doing corporately: Cyber Essentials - https://www.ncsc.gov.uk/scheme/cyber-essentials NCSC Network and Information Systems cyber assessment framework - https://www.ncsc.gov.uk/guidance/indicators-good-practice Keep up to date with news via NCSC experts NCSC Cyber Information Sharing Platform - https://www.ncsc.gov.uk/cisp Public Authority Information Exchange – contact me. Specific bits of great guidance are available from NCSC, including: Cloud applications https://www.ncsc.gov.uk/guidance/security-industrial-control-systems IoT devices: https://www.ncsc.gov.uk/guidance/end-user-devices-security-principles Public Authority Information Exchange is most likely to focus on a blend of local / traffic authorities and cover subjects such as the evolving threats to Smart City Initiatives, Blending HVM in to the Streetscene, Security of Intelligent Transport Systems. Composition is yet to be determined but Secretariat likely to be provided by the Chartered Institution of Highways & Transportation (CIHT).