Smart streets systems, due to their connected and automated nature, come with cyber security risks that must be identified and managed. An understanding of engineering security is essential to the successful planning, procurement, delivery and operation of smart streets.
Local authorities are increasingly relying on the automation and connectivity of smart streets to make transport more sustainable, more accessible and more beneficial to the local economy. However, the increased connectivity of smart streets is widening the attack surface for cyber threats and introducing new risks. An analysis of the industry has revealed that local authorities are underprepared for the significant changes ahead. This guidance discusses threats facing smart streets, current weaknesses of a typical local authority, and recommended steps to improve a local authority’s security posture at each stage of the smart streets life cycle.
Local government is significantly involved in achieving national and regional strategic goals, which include achieving net zero, providing equal access to transport and driving regional economic growth. To achieve these goals, local transport needs to become more efficient, resilient, cost effective and flexible. Public transport needs to offer a better customer experience and multi-modal integration, while road transport needs to better address congestion and emissions. A broad consensus has formed that data exchange and system automation offer key methods to address these challenges. Leveraging technologies such as internet of things (IoT) sensors and data sharing interfaces to support transport operations is the aim of the smart streets initiative.
Transport is an attractive target for malicious and disruptive attacks. Smart streets technologies offer a wealth of opportunities to improve local transport services and reduce cost. However, the interconnected nature of these technologies leads to increased cyber security risk. Project teams involved in the delivery and operation of local transport have limited domain knowledge and experience of cyber security, and local government IT security staff have limited knowledge and experience of transport infrastructure and operations. This creates a barrier to the deployment of smart streets technologies. Thus, guidance is needed to ensure mitigation of these risks is understood and properly addressed in working practices.
Local government comes in many shapes and sizes. England is divided into five different types of local authority, each with somewhat different competencies. In addition, groups of local authorities can pool their resources to create a combined authority with particular competencies delegated to it such as transport. Transport powers and functions handled by local government are generally any that are not of a nationally strategic nature (e.g. strategic trunk roads and national railways). Scottish and Welsh councils also have transport competencies for anything not handled at a strategic level by the respective devolved governments. Local authorities in Northern Ireland do not have statutory responsibilities for transport but are becoming increasingly involved in local transport planning. As with elsewhere in the Manual for Smart Streets, we will use the term “authority” to refer to any UK local government body that executes transport functions.
This guidance aims to equip local authorities with an understanding of how cyber security good practice can be applied throughout the lifecycle of a smart streets system. It presents an analysis of current cyber security maturity in the smart streets industry and makes recommendations to authorities on how they can improve their approach.
The recommendations consider cyber security practices from standards and guidance applicable to the wider smart cities, transport and industrial sectors. The guidance adapts and aligns them with the specific Manual for Smart Streets (MfSS) use cases and engineering lifecycle. The guidance covers all stages from vision, specification, and procurement, through to procurement, operation and decommissioning. It has considered the 11 use cases presented by the MfSS and offers relevant examples based on some of those use cases.
Authorities differ in the services they provide and the extent to which these services are outsourced. This guidance aims to be useful to a range of authorities and has been developed in consultation with a wide variety of such authorities across the UK.
This guidance is primarily intended for:
This guidance is formed of two parts:
This guidance is intended to supplement National Cyber Security Centre (NCSC) guidance. An authority that implements the MfSS Cyber Security Guidance should also aim to address all points of the NCSC Connected Places: Cyber Security Principles and the NCSC Principles of Supply Chain Security. The MfSS Cyber Security Guidance will identify when to refer to NCSC guidance.
The MfSS Cyber Security Guidance also considers internationally followed engineering security frameworks;
IEC 62443 is one of the primary standards used to create a secure development lifecycle for industrial and transport applications in the UK. NIST SP 800-160 is also used in the UK as guidance to weave cyber security into the internationally standardised systems engineering processes.
Throughout this document, authorities will be pointed in the direction of other useful standards and guidance that can be listed in procurement specifications. However, these references are not exhaustive. An additional resource for identifying relevant cyber security standards and guidance has been prepared by the Transport Technology Forum (TTF), called the TTF Cyber Security Signposting Guidance. Furthermore, links to more general smart streets resources can be found in the Manual for Smart Streets – Using Standards section.
This guidance is intended to be read alongside the MfSS Delivery Lifecycle guidance when planning and executing an MfSS project. The guidance arranges security considerations into seven cyber security phases based on similar structures proposed in IEC 62443-1-1 and NIST SP 800-160 vol 1. Figure 1 shows how these security phases align with the 13 MfSS Delivery Lifecycle stages.
Figure 1 – System security lifecycle phases aligned to MfSS Delivery Lifecycle stages.
The guidance considers the three types of use case specified by the MfSS, found here.
Where security practice applies only to certain types of use cases, the guidance will make this clear.
Term | Acronym | Definition |
Automatic number plate recognition | ANPR | Camera linked to image processor for vehicle identification applications |
Chief (Cyber and) Information Security Officer | CISO | Top executive in an organisation responsible for cyber and information security |
Crown Commercial Services | CCS | Government agency responsible for supporting public organisations with procurement |
Cyber Assessment Framework | CAF | Security posture assessment tool developed by the NCSC |
Cyber security | CS | The electronic security of connected systems |
Cyber Security Management System | CSMS | Framework including policies and procedures for managing cyber security risk (e.g. combined OT and IT risk) |
Cyber-physical system | | Connected digital system involved in physical, real-world operations and activities (e.g. a digital railway, factory or smart street) |
Department for Digital, Culture, Media and Sport | DCMS | Former UK government department that was responsible for some cyber technology policy. Now the Department for Science, Innovation and Technology |
Engineering security | | Cyber security considerations woven into the systems engineering lifecycle |
General Data Protection Regulations | GDPR | Data Protection Act 2018; The UK’s data privacy legislation |
Information Commissioner’s Office | ICO | UK data privacy regulator |
Information Security Management System | ISMS | Framework including policies and procedures for managing information security risk |
Information technology | IT | Electronic assets used to collect, store, process and exchange information (e.g. corporate documents, personal data, etc.) |
Intelligent transport systems | ITS | Platform for coordinating traffic management based on a wide range of connected inputs |
Internet of Things | IoT | Concept of many microprocessor devices being connected together over the internet to form a cyber-physical system. |
Local Council Roads Innovation Group | LCRIG | Group of local authorities cooperating on road innovation |
Manual for Smart Streets | MfSS | Smart streets guidance intended for UK local authorities |
National Cyber Security Centre | NCSC | UK government organisation responsible for supporting public and private sector to protect themselves against cyber threats |
Operational technology | OT | Electronic assets used for the command and control of real-world physical operations (e.g. traffic, manufacturing, energy production, etc.) |
Payment Card Industry Data Security Standard | PCI DSS | Cyber security standard created and made mandatory by the major payment card issuers |
Security Information and Event Management | SIEM | Tool used to concentrate and process security logs from assets in order to detect a potential cyber-attack. |
Small and medium enterprises | SME | |
Smart streets | | Streets and roads overlaid with connected digital technology to improve outcomes. |
Supervisory control and data acquisition | SCADA | Technology that provides supervisory control over OT systems |
Supply chain mapping | SCM | Process for identifying and managing supply chain partners |
Threat and Risk Assessment | TRA | Cyber security risk assessment |
Traffic Open Products and Specifications | TOPAS | Supplier assurance scheme for smart streets technologies |
Transport Technology and Associated Services | TTAS | |
Transport Technology Forum | TTF | DfT-funded organisation intended to provide leadership and support in transport technologies |