ROAD INFRASTRUCTURE SECURITY

Saverio Palchetti

ROAD INFRASTRUCTURE SECURITY

• ANAS S.p.A – Direction Institutional Affairs – Inter national Relations Office – Rome (ITALY)

• Chairman Task Force PIARC “Infrastructure Security ”

• [email protected]

“Seguridad de infraestructura estratégica”

DR. SAVERIO PALCHETTI - CHAIRMAN TF C.1 INFRASTRUCTURE SECURITY

“Exchange knowledges and techniques on roads and road transportation”

2

Italy, September 28th2003, black-out : the fallof a tree in Switzerlandput Italy in the dark,disconnected from theEU network, missingover 6000 MW, ¼ Italiandemand, damageestimated at 640M €

COMPLEXITY AND

INTERCONNECTION

COMPLEXITY AND

INTERCONNECTION

December 2015, Ukraine : black-out due

to cyber attack, one million people

interested

3

THERE ARE INDUCED PROBLEMS BETWEEN DIFFERENT CI

� energyinfrastructure,

� telco infrastructure, � transportation

infrastructure, etc.,

MOREOVER CYBERSEC AFFECTS ALL, WHEREVER THERE IS AN IP CONNECTION,

THE MORE AT RISK IF A PERIPHERAL DEVICE

RIPPLE EFFECT

““““safety ”””” - ““““security ””””

““““sécurité ”””” - ““““sureté ““““

sicurezza … ac / at““““anticrimine-antiterrorismo ””””

seguridad

A MODERN VISION

AGENDA

01 Understanding the issue

02 The security-minded approach

03

04

05

06

07

Security risk management of road infrastructure

Resilience

Developing security risk mitigation measures

Case studies

Recommendations for Road Administrations

AGENDA



03

04

05

06

07


Resilience


Case studies



1.1 UNDERSTANDING THE SECURITY CONTEX

i. protection of important persons

ii. protection of important buildings and public spaces ,

where significant numbers of people and infrastructure

assets congregate

iii. protection of third-party assets providing vital services for

the functioning of modern societies – energy,

communication and water (13 categories ) , and

iv. provision of secure transport of cargo and passengers

on all modes of transport (road, railway, maritime and air)

... UNDERSTANDING THE SECURITY CONTEXT

13 categories affected by physical security :- Chemical- Civil Nuclear- Communication- Defence- Emergency services- Energy- Finance- Food- Government- Health- Space- Transport- Water

1.1 UNDERSTANDING THE SECURITY CONTEXT

Bologna, Italy, August 6, 2018

Puente el Carrizo, Mexico, January 13, 2018

Brescia, Italy, January 3, 2018

Valle Susa, Italy, last week

A4 – BRENTA Bridge criticalities

COORDINATION

- Intelligence vs Authorities &

Operators ?

- Inside a structure : business

organization for silos?

1.2 SAFETY v SECURITY

Automated car

The resilience cycleSource: Edwards 2009, author’s own illustration

1.3 RESILIENCE vs SECURITY

RESILIENCE CYCLE

RESILIENCE vs SECURITY (safety)

Resilience cycle

Genoa, Polcevera bridge, August 14, 2018

RESILIENCE vs SECURITY (safety)

If I lose the bridge (it did not have to happen!), what happens? How do I manage the rescue? … the traffic for a period?

… rescue plan, emergency plan

Risk analysis, at one point, …. Resilience at one point, in a network,

To deal with the "unexpected", the change in cultural approach is the most complicated step because in a company that has the feeling of not governing, puts fear, and sometimes is refused.

The work of the Security Managers, Risk managers, Business Continuity Managers starts here >>> a new profession :

BUILT ASSET SECURITY MANAGER : STRUCTURE AND OPERATION

«Managing the inexpected »by Karl E. Weick and Katleen M. Sutcliffe (2007)

“Cultural change is hard, slow and subject tofrequent relapse … unexpected events can get youinto trouble unless you create a mindfulinfrastructure that continually tracks smallfailures, resists oversimplification, is sensitive tooperations, maintains capabilities for resilience … ”

Video Monitoring, Traffic–cam and Webcam

Wireless data trasmission aerial tomonitoring centre

Traffic Detection Sensors

Variable message sign about userinformation

1.4 DIGITAL ENGINEERING

ANAS’ project for smart roads

AGENDA



03

04

05

06

07

Security risk assessment of road infrastructure

Resilience


Case studies



2. THE SECURITY MINDED-APPROACH

The securityThe securityThe securityThe security----minded minded minded minded management of a project management of a project management of a project management of a project require steps to cultivate an require steps to cultivate an require steps to cultivate an require steps to cultivate an appropriate safety and appropriate safety and appropriate safety and appropriate safety and security mindset and security mindset and security mindset and security mindset and culture.culture.culture.culture.

Evolve from a "reactive" approach to a Evolve from a "reactive" approach to a Evolve from a "reactive" approach to a Evolve from a "reactive" approach to a

"proactive" approach, involving the entire "proactive" approach, involving the entire "proactive" approach, involving the entire "proactive" approach, involving the entire

organization: each component must be an organization: each component must be an organization: each component must be an organization: each component must be an

active, accountable, responsible and aware active, accountable, responsible and aware active, accountable, responsible and aware active, accountable, responsible and aware

part of the security process.part of the security process.part of the security process.part of the security process.

THE SECURITY MINDED-APPROACH

AREAS OF CONCERN:

i. governance, accountability andresponsibility

ii. personnel

iii. physical and cyber dimension

iv. managing data and information


two essential elements :two essential elements :two essential elements :two essential elements :

- governancegovernancegovernancegovernance >>> >>> >>> >>>

awareness at the level of top managementawareness at the level of top managementawareness at the level of top managementawareness at the level of top management

- accountability and responsibility accountability and responsibility accountability and responsibility accountability and responsibility >>> >>> >>> >>>

the asset owner should develop a risk the asset owner should develop a risk the asset owner should develop a risk the asset owner should develop a risk

management strategy management strategy management strategy management strategy for the for the for the for the builtbuiltbuiltbuilt assetassetassetasset

implementingimplementingimplementingimplementing new new new new organizationalorganizationalorganizationalorganizational functionsfunctionsfunctionsfunctions


AGENDA



03

04

05

06

07


Resilience


Case studies


03 Security risk management of road infrastructure

BUILT ASSET

identified as sensitive (in

whole or in part)

Assess

IMPACT OF LOSS

THE BUILT ASSET RISK MANAGEMENT STRATEGY

Assess

THREATS

Assess

VULNERABILITIES

(Re) assess likelihood of threats

being able to cause

undesiderable impacts by

exploiting vulnerabilities

RISK from

miti

gatio

n m

easu

res

Portfolio of

mitigation

measures

Assess mitigation

measures

Identify possible

mitigation

measures

RISK

Are risks acceptable?

Yes No

Risk mitigation process

Accept

residual risks

to li

kelih

ood

REVIEW

if security relevant parameter

change or review period

elapses

SECURITY THREATS can be divided into those which:

� have the capability to cause damage or disruption to the

construction, operation or maintenance of the infrastructure

(the physical infrastructure);

� could damage or disrupt the infrastructure operating

systems and associated information (the ITS infrastructure)

Threats can also be UNINTENTIONAL, non-

directed or unpredicted, for example:

�pandemics pandemics pandemics pandemics �incidents involving hazardous materials incidents involving hazardous materials incidents involving hazardous materials incidents involving hazardous materials �road traffic collisionsroad traffic collisionsroad traffic collisionsroad traffic collisions�fallfallfallfall----out from disruption to other out from disruption to other out from disruption to other out from disruption to other transport modes transport modes transport modes transport modes �the jamming or interference with the jamming or interference with the jamming or interference with the jamming or interference with navigation signals caused by natural navigation signals caused by natural navigation signals caused by natural navigation signals caused by natural factors malware infection on an IT system.factors malware infection on an IT system.factors malware infection on an IT system.factors malware infection on an IT system.

THEREFORE severe weather events ARE NOT

COMPRISED here.

only man-made hazards

�Man-made physical threats (e.g. terrorist

attacks with explosions, fire, mechanical impacts,

contamination, very large accidents with or

without involvement of dangerous goods),

�Cyber and cyber-physical threads (e.g. tunnel

and traffic control centers).

PIARC T.F. C.1

BUILT

ASSETS

MAN-MADE PHISICAL THREATS

Damage or disruption to the construction, operation or maintenance of the road infrastructure may originate from:

�civil protests and strikes;�malicious attacks;�theft of equipment;�hazardous materials;�fall-out disruption to other transport modes; and�disruption to global navigation systems.

and… third party assets

THIRD PARTY UTILITY ASSETS

HOSTILE VEHICLE

The threats range from vandalism to sophisticated or aggressive attack by determinedcriminals or terrorists, in two cases:

�vehicle that delivers a bomb, known as a vehicle borne improvised explosive device(VBIED)

�vehicle that is used as a weapon to ram and damage infrastructure or to injure or kill people(VAAW)

CYBER AND CYBER-PHISICAL THREATS

Cyber security, computer security or IT security is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide. Two large macro-groups:

� threats to the system operators� threats to the infrastructure.

Potential perpetrators :� hacker and cyber-vandalism;� attacker from inside;� cyber-sabotage;� cyber-terrorism;� cyber-crime; and� cyber phisical attacks by nation, states/secret services.

• ANAS’ network : 28.000 km national roads and motorways, 1.400 tunnels, 850 km, 21 control centers

• Control Centers– 24/7 surveillance– Systems grown over decades– Increasing use and complexity

of IT systems– Operators with varying

qualifications

• Safety relevant subsystems– Traffic control– Fire alarm system– Ventilation– Lighting– Loudspeaker systems– Environmental parameters

In 2015, the Carmel Tunnel, located in Haifa in Isr ael and leading through the mountains of Carmel, had to be

closed for an eight-hour period due to a physical c yber attack, resulting in severe traffic congestion

(The Associated Press, 2015)

Potential consequences of cyber attacks to a tunnelcontrol center :

• intended tunnel blockage

• damage to tunnel equipment

• disruption of monitoring and control systems and safety devices

• data theft and manipulation

>> SAFE AND SECURE OPERATIONS CAN NOT BE MAINTAINED

BUILT ASSET

identified as sensitive (in

whole or in part)

Assess

IMPACT OF LOSS

THE BUILT ASSET RISK MANAGEMENT STRATEGY

Assess

THREATS

Assess

VULNERABILITIES

(Re) assess likelihood of threats

being able to cause

undesiderable impacts by

exploiting vulnerabilities

RISK from

miti

gatio

n m

easu

res

VULNERABILITY : in the context of road network security is defined as a weakness in the road infrastructure or operating

systems that can be exploited by one or more threats.

IMPACT : possible consequences of threats; they could be direct and indirect.

LIKELIHOOD : the chance of something happening.

RISK : is understood as the product of the likelihood (that a threat occurs) and the IMPACT/consequences (expected/calculated) if the threat occurs .

For risk can be also the result of possible accidents or concatenations of unfavorable events.

Then risk may be represented by a complex function of vulnerability + impacts + likelihood.

Prof. W. Hubbard, in The Failure of Risk Management , expresses a severe judgment on the ways in which organizations today, despite the best intentions, apply Risk Management.

The author says that :"some organizations believe they

have adopted an effective risk management method and do not know that they have not improved

their situation by a comma."

we will see why

AGENDA



03

05

06

07


Resilience


Case studies


0404 Developing risk mitigation measures

HOSTILE VEHICLE

two cases:

� vehicle that delivers a bomb, known as a vehicle borneimprovised explosive device

� vehicle that is used as a weapon to ram and damageinfrastructure or to injure or kill people

THREATS TO SYSTEM OPERATORS

THREATS TO THE INFRASTRUCTURE

GENERAL CONTROL LAYOUT

AUTOMATED VEHICLES AND SMART ROADS

automated vehicle smartphones-on-wheels

smart roads simultaneous communication among cars and station, collect and analyse data

AUTOMATED VEHICLES AND SMART ROADS

AGENDA



03

05

06

07


Resilience


Case studies


04

05 Resilience

RESILIENCE

IN ADDITION TO THE TRADITIONAL RISK MANAGEMENT APPROACH DESCRIBED ABOVE, THE CONCEPTS OF RESILIENCE

AND RESILIENCE MANAGEMENT ARE OFTEN USED IN THE CASE OF

UNPLANNED AND UNFORESEEN EVENTS WITH HIGH UNCERTAINTIES.

RESILIENCE

IN ADDITION TO CONSIDERING SYSTEM DECLINE AFTER AN EVENT, RESILIENCE ADDS

FULL CONSIDERATION OF PREPARATION, RECOVERY AND POST-EVENT RESPONSE. THE

CONSIDERATION OF THESE ASPECTS IS ESPECIALLY IMPORTANT FOR MANAGING THE

RESILIENCE OF ROAD INFRASTRUCTURE/ROAD NETWORKS IN THE

FACE OF COMPLEX THREATS WITH HIGH UNCERTAINTIES.

RESILIENCE definition

Resilience is the ability to repel, prepare for, take into account, absorb, recover from and adapt ever more successfully to actual or potential adverse events.

Those events are either catastrophes or processes of change with catastrophic outcome which can have human, technical or natural causes.

The resilience cycleSource: Edwards 2009, author’s own illustration

AGENDA



03

05

06

07


Resilience


Case studies


04

06 Case studies

The scenario of a dirty bomb in an urban area

The problems raised by an inadequate prevention - in themselves not complex or expensive - must be highlighted, because very serious consequences could happen that go well beyond the limit of the private infrastructure.

The moral is: the police forces and fire brigades are not enough and the awareness of a widespread security minded-approach involving also private entities (and if necessary even citizenship) is necessary.

The slogan is "if you see something, say it" (campaign born on the recommendation of the US Department of Security in 2010).

In the resilience levels, some weaknesses and deficiencies were identified in technical,organizational and personneldomains.

Preparation:

� the lack of a security project by the property / administration of the intermodal center

� the lack of a security project by road and motorway companies prevents the definition of adequate procedures for the control centers

Prevention:

� no control of the accesses / exits of about 4000 vehicles daily

� no control on sensitive areas by the R.A.� video surveillance systems provide images that are not

post-processed for security reason� no specific sensors;� no trained personnel to intervene � no control of the railway station docks� no contact list (focal points) in the case of urgent

communications� lack of checks and verification of routes, relationships with

private companies that produce and transport, especially for more critical transport eg. cyanide and vinyl chloride

Protection:� lack of normal communication from the public authorities

Respond:� prevention and protection can not hinder the attack � the first 3-4 hours were lost due to unpreparedness;� a big issue is handling correct communication for

population management� the system of coordination of the traffic function works but

on a totally unprepared network, it is necessary to decide blocks and gates that require approximately 500 people and 100 vehicles that need time to activate themselves;

� in the meantime the means destined to the amount arrive at its entrance and contribute to the paralysis of the traffic

� a red zone is defined in the intermodal center which is an unplanned measure

Recovery:� there is no business continuity plan that mitigates the

effects of the attack

� the need to use cleaning equipment currently not supplied

AGENDA



03

05

06

07


Resilience


Case studies


04

07 Recommendations for Road Administrations

the recommendations are the recommendations are the recommendations are the recommendations are contained in the mitigation contained in the mitigation contained in the mitigation contained in the mitigation measures mentioned above measures mentioned above measures mentioned above measures mentioned above …………

CYBER SECURTY : a path for steps CYBER SECURTY : a path for steps CYBER SECURTY : a path for steps CYBER SECURTY : a path for steps ….….….….

Early detection introduces the opportunity to address the issues before the attackers can exploit the weakness, which may cause serious damage to the Road Administration/company assets and to its reputation

4 STEPS :4 STEPS :4 STEPS :4 STEPS :

1.1.1.1. VulnerabilityVulnerabilityVulnerabilityVulnerability assessmentassessmentassessmentassessment

2.2.2.2. PenetrationPenetrationPenetrationPenetration teststeststeststests

3.3.3.3. RiskRiskRiskRisk assessmentassessmentassessmentassessment processprocessprocessprocess

4.4.4.4. QuestionnairesQuestionnairesQuestionnairesQuestionnaires / / / / CheckCheckCheckCheck listslistslistslists

Questionnaire to evaluate the state of art in cyber security in a RA (1/2)

YES NO Partial Specifications & Comments Answers

1 Security Infrastructure

1.1Do you have a Data Center internal or external to

your company network?

1.2If external, is the connection safe? Through which

channels and protocols (SSH, SSL, IPSec)?

1.3Have you ever undergone computer security

attacks/accidents? What was the time lapse for

resumption? Was there data loss?

1.4Have you prepared access safety measures to the

network and the computer systems?

1.5 Has a System Administrator been nominated?

2 Security Governance

2.1Do you have a document on the Company Policies

for computer security?

2.2

Have you prepared procedures for the management

of computer security accidents? Was a Business

Continuity Plan and/or a Disaster Recovery Plan

drawn up?

2.3Have you ever carried out drills that simulate

accidents or computer emergency situations?

2.4Are Auditing activities carried out periodically in

order to verify the effective status of security and

control compliance?

2.5Do you have training programs, awareness and

lessons in the field of network security and

computer systems?

Questionnaire to evaluate the state of art in cyber security in a RA (2/2)

3 Legislative Compliance

3.1Is your Company adapting to the General

Regulations concerning EU Data Protection

2016/679?

3.2Has the figure of DPO (Data Protection Oficer) been

identified?

3.3Have Security Assessment and/or Evaluation Risk

Plans been performed?

3.4Have the new Directives NIS (EU) 2016/1148 been

implmented (or are being implemeted)?

3.5Do you directly manage Intelligent Transport

Systems (ITS)?

4 Cyber Security

4.1 Do you have a Cyber Security strategy?

4.2

Have Vulnerability Assessment and/or Penetration

Test activity ever been carried out to evalutate the

level of security of the networks and computer

systems?

4.3Do you use outsourcing services and in particular

cloud services (cloud computing)?

4.4Are you equipped with an IDS System (Intrusion

Detection System)?

4.5Are you equipped with a SOC (Security Operation

Center)?

CHECK LIST FOR INFORMATION SECURITY OF CONTROL CENTERS

In the scenario that investigates the IT security of traffic control centers and road infrastructures, a check list has been developed that should provide an initial overview of the level of individual security.

1. CONTROL TECHNIQUES

1.1 Is access to all information systems via a user-password combination?

1.2. Passwords must contain at least 8 characters and include uppercase and lowercase letters, special characters and numbers.

1.3 Are passwords changed regularly (at least every 6 months)?

1.4. Are passwords entered and / or registered in writing?

1.5. Is the communication between the level of control and the objects at the field level encrypted and authenticated?

1.6 Do contractors have to comply with a basic level of IT security?

1.7. Are all IT systems with remote access constantly monitored by the control center and can be blocked at any time?

1.8. Have all remote access IT systems updated antivirus programs?

1.9 Is the control center system connected to the Internet?

2. INTERNAL COMMUNICATIONS

2.1. Is there a physical separation between the control center system and the center's internal communications?

2.2 Is the exchange of data between the control center system and internal communications in accordance with the security rules?

2.3 Are private devices (laptops, smartphones (even recharging), USB sticks, etc.) connected to the service computers?

2.4. Is there a WLAN?

2.5. Service computers are also used for private purposes.

3. CONTROL OF ACCESS TO THE CENTER

3.1 Is access to the control center and the premises guaranteed by video surveillance and burglar alarm systems?

3.2 Are all accesses to the buildings indicated above documented?

3.3 Are access control systems regularly checked to verify their effectiveness (at least every 6 months)?

3.4 Are even vulnerable rooms (eg server room, business premises) monitored internally?

4. ORGANIZATION AND PERSONNEL

4.1 In the event of an IT attack or IT failure, are appropriate contingency plans available?

4.2 Is the basic IT security catalog already fully implemented?

4.3 Is there an IT security manager?

4.4 Are employees regularly trained on IT security?

4.5 Is employee training appropriate?

4.6 Do employees know the dangers of social networks?

5. PERSONAL ASSESSMENTS

5.1 In your opinion, is the IT security of the control center overall high?

6. FEEDBACK ON CHECKLIST

We would be delighted if you could give us suggestions for this checklist.

� A security-minded approach andmitigation/resilience capability must become avital part of organizational structure of modernRoad Administration.

� It must be considered that the fact that incidents will occur is inescapable and in some cases unpredictable.

FINAL CONSIDERATIONS

� Their successful handling and the speed at which recovery take place will be dependent on the plans that are put in place in advance, their execution at the time of the incident and the honesty with which reviews are conducted subsequent to it.

ROAD INFRASTRUCTURE SECURITY

Documents

Transcript of ROAD INFRASTRUCTURE SECURITY