Smart streets systems, due to their connected and automated nature, come with cyber security risks that must be identified and managed. An understanding of engineering security is essential to the successful planning, procurement, delivery and operation of smart streets.

Local authorities are increasingly relying on the automation and connectivity of smart streets to make transport more sustainable, more accessible and more beneficial to the local economy. However, the increased connectivity of smart streets is widening the attack surface for cyber threats and introducing new risks. An analysis of the industry has revealed that local authorities are underprepared for the significant changes ahead. This guidance discusses threats facing smart streets, current weaknesses of a typical local authority, and recommended steps to improve a local authority’s security posture at each stage of the smart streets life cycle.

Quick Reference Sheets
  1. Smart Streets Threat Modelling
  2. Smart Streets Security Lifecycle Overview

Smart Streets and the Relevance of Cyber Security

Local government is significantly involved in achieving national and regional strategic goals, which include achieving net zero, providing equal access to transport and driving regional economic growth. To achieve these goals, local transport needs to become more efficient, resilient, cost effective and flexible. Public transport needs to offer a better customer experience and multi-modal integration, while road transport needs to better address congestion and emissions. There is broad consensus that data exchange and system automation are key methods to address these challenges. Leveraging technologies such as internet of things (IoT) sensors and data sharing interfaces to support transport operations is the aim of the smart streets initiative.

Transport is an attractive target for malicious and disruptive attacks. Smart streets technologies offer a wealth of opportunities to improve local transport services and reduce cost. However, the interconnected nature of these technologies leads to increased cyber security risk. Project teams involved in the delivery and operation of local transport have limited domain knowledge and experience of cyber security, and local government IT security staff have limited knowledge and experience of transport infrastructure and operations. This creates a barrier to the deployment of smart streets technologies. Thus, guidance is needed to ensure mitigation of these risks is understood and properly addressed in working practices.

The Role of Local Government in Transport

Local government comes in many shapes and sizes. England is divided into five different types of local authority, each with somewhat different competencies. In addition, groups of local authorities can pool their resources to create a combined authority with particular competencies delegated to it such as transport. Transport powers and functions handled by local government are generally any that are not of a nationally strategic nature (e.g. strategic trunk roads and national railways). Scottish and Welsh councils also have transport competencies for anything not handled at a strategic level by the respective devolved governments. Local authorities in Northern Ireland do not have statutory responsibilities for transport but are becoming increasingly involved in local transport planning. As with elsewhere in the Manual for Smart Streets, we will use the term “authority” to refer to any UK local government body that executes transport functions.

This guidance aims to equip local authorities with an understanding of how cyber security good practice can be applied throughout the lifecycle of a smart streets system. It presents an analysis of current cyber security maturity in the smart streets industry and makes recommendations to authorities on how they can improve their approach.

The recommendations consider cyber security practices from standards and guidance applicable to the wider smart cities, transport and industrial sectors. These practices are adapted and aligned with the specific Manual for Smart Streets (MfSS) use cases and engineering lifecycle. The guidance covers all stages from vision, specification, and procurement, through to procurement, operation and decommissioning. It has considered the 11 use cases presented by the MfSS and offers relevant examples based on some of those use cases.

Authorities differ in the services they provide and the extent to which these services are outsourced. This guidance aims to be useful to a range of authorities and has been developed in consultation with a wide variety of such authorities across the UK.

This guidance is primarily intended for:

  • Project staff (e.g. engineers and managers) working for an authority to plan, deliver and operate road transport infrastructure and related services,
  • IT department staff supporting such operations, and
  • Management in the authority responsible for risk management and governance.

This guidance is formed of two parts:

  • Part 1 provides an analysis of the current state of cyber security in the smart streets industry. It introduces a case study based on recent, real cyber-attacks on smart streets and other smart cities and transport systems. It then highlights common challenges that authorities are currently facing, based on dozens of interviews with industry stakeholders.
  • Part 2 provides guidance on how authorities can manage the cyber security risk of their smart streets across their lifecycle. Specific recommendations are made that address the common challenges identified in Part 1. The case study from Part 1 is also revisited, demonstrating how good practice can be applied to an example system.

Related Standards and Guidance

This guidance is intended to supplement National Cyber Security Centre (NCSC) guidance. An authority that implements the MfSS Cyber Security Guidance should also aim to address all points of the NCSC Connected Places: Cyber Security Principles and the NCSC Principles of Supply Chain Security. The MfSS Cyber Security Guidance will identify when to refer to NCSC guidance.

The MfSS Cyber Security Guidance also considers internationally followed engineering security frameworks:

  • IEC 62443 – Cyber Security for Operational Technology in Automation and Control Systems
    • A suite of international standards used for the cyber security of operational technology systems in many industries including transport. IEC 62443 standards are widely used by transport operators around the world and their suppliers. The suite builds on ISO 27001 by providing an operational technology (OT) perspective on cyber security.
  • NIST SP 800-160 vol. 1 and vol. 2 – Systems Security Engineering
    • Two free US standards in international use that provide guidance on managing cyber security risk as part of a systems engineering approach.

IEC 62443 is one of the primary standards used to create a secure development lifecycle for industrial and transport applications in the UK. NIST SP 800-160 is also used in the UK as guidance to weave cyber security into the internationally standardised systems engineering processes.

Throughout this document, authorities will be pointed in the direction of other useful standards and guidance that can be listed in procurement specifications. However, these references are not exhaustive. An additional resource for identifying relevant cyber security standards and guidance has been prepared by the Transport Technology Forum (TTF), called the TTF Cyber Security Signposting Guidance. Furthermore, links to more general smart streets resources can be found in the Manual for Smart Streets – Using Standards section.

System Security Lifecycle Phases

This guidance is intended to be read alongside the MfSS Delivery Lifecycle guidance when planning and executing an MfSS project. The guidance arranges security considerations into seven cyber security phases based on similar structures proposed in IEC 62443-1-1 and NIST SP 800-160 vol 1. Figure 1 shows how these security phases align with the 13 MfSS Delivery Lifecycle stages.

Figure 1 – System security lifecycle phases aligned to MfSS Delivery Lifecycle stages.

Application to Different Use Cases

The guidance considers the three types of use case specified by the MfSS.

Where security practice applies only to certain types of use cases, the guidance will make this clear.

| Term | Acronym | Definition |
| --- | --- | --- |
| Automatic number plate recognition | ANPR | Camera linked to image processor for vehicle identification applications |
| Chief (Cyber and) Information Security Officer | CISO | Top executive in an organisation responsible for cyber and information security |
| Crown Commercial Services | CCS | Government agency responsible for supporting public organisations with procurement |
| Cyber Assessment Framework | CAF | Security posture assessment tool developed by the NCSC |
| Cyber security | CS | The electronic security of connected systems |
| Cyber Security Management System | CSMS | Framework including policies and procedures for managing cyber security risk (e.g. combined OT and IT risk) |
| Cyber-physical system | | Connected digital system involved in physical, real-world operations and activities (e.g. a digital railway, factory or smart street) |
| Department for Digital, Culture, Media and Sport | DCMS | Former UK government department that was responsible for some cyber technology policy. Now the Department for Science, Innovation and Technology |
| Engineering security | | Cyber security considerations woven into the systems engineering lifecycle |
| General Data Protection Regulations | GDPR | Data Protection Act 2018; The UK’s data privacy legislation |
| Information Commissioner’s Office | ICO | UK data privacy regulator |
| Information Security Management System | ISMS | Framework including policies and procedures for managing information security risk |
| Information technology | IT | Electronic assets used to collect, store, process and exchange information (e.g. corporate documents, personal data, etc.) |
| Intelligent transport systems | ITS | Platform for coordinating traffic management based on a wide range of connected inputs |
| Internet of Things | IoT | Concept of many microprocessor devices being connected together over the internet to form a cyber-physical system. |
| Local Council Roads Innovation Group | LCRIG | Group of local authorities cooperating on road innovation |
| Manual for Smart Streets | MfSS | Smart streets guidance intended for UK local authorities |
| National Cyber Security Centre | NCSC | UK government organisation responsible for supporting public and private sector to protect themselves against cyber threats |
| Operational technology | OT | Electronic assets used for the command and control of real-world physical operations (e.g. traffic, manufacturing, energy production, etc.) |
| Payment Card Industry Data Security Standard | PCI DSS | Cyber security standard created and made mandatory by the major payment card issuers |
| Security Information and Event Management | SIEM | Tool used to concentrate and process security logs from assets in order to detect a potential cyber-attack. |
| Small and medium enterprises | SME | |
| Smart streets | | Streets and roads overlaid with connected digital technology to improve outcomes. |
| Supervisory control and data acquisition | SCADA | Technology that provides supervisory control over OT systems |
| Supply chain mapping | SCM | Process for identifying and managing supply chain partners |
| Threat and Risk Assessment | TRA | Cyber security risk assessment |
| Traffic Open Products and Specifications | TOPAS | Supplier assurance scheme for smart streets technologies |
| Transport Technology and Associated Services | TTAS | |
| Transport Technology Forum | TTF | DfT-funded organisation intended to provide leadership and support in transport technologies |