Improving cyber resilience of urban multimodal transport systems with standards

In September 2022 the European Commission published a proposal for a European Regulation (Cyber Resilience Act) on horizontal cybersecurity requirements for products with digital elements, in order to harmonise and streamline the EU regulatory landscape and to avoid overlapping requirements stemming from different pieces of legislation. The proposal covers a broad range of devices and includes all products that are connected either directly or indirectly to another device or network, including hardware, software, and ancillary services. Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors. As a result, even hardware and software considered less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or move laterally across systems. Considering this, the Regulation will impose obligations on manufacturers, importers, and distributors of these products to provide duty of care across their whole life cycle.


Although intelligent multimodal transport systems are not explicitly mentioned in the proposed regulation, there are objectives that CitySCAPE’s work can help to achieve. Alongside the reference document to be used for cybersecurity labelling purposes, the CitySCAPE toolkit in particular serves as a supportive enabler for making the multimodal transport sector more cyber resilient. Modules of this toolkit apply well-recognized standards such as the ISO/IEC 27000 series. The application of these standards enhances the market uptake of novel CitySCAPE solutions like the toolkit. Here are some examples.


Guidelines for the assessment of information security controls specified in ISO/IEC TS 27008 are used as a complementary text to the information security risk management process described in ISO/IEC 27005 in the design of CitySCAPE’s Risk Analysis and Impact Assessment (RITA), in order to enable organisations using RITA to select countermeasures that are fit for purpose, effective and efficient. The Structured Threat Information eXpression (STIX 1.4 and 2.0), developed in the OASIS Technical Committee on Cyber Threat Intelligence (CTI), is leveraged inside the CTIP component, whose objective is to create an investigation platform to follow and discover new Advanced Persistent Threat groups targeting specific sectors/domains. The RFC 3164 standard, an IETF document describing how syslog messages have been seen in traditional implementations, is used in communication with the SIEM (a correlation engine monitoring the CPaaS platform) relating to threats and vulnerabilities found on individual devices. ISO/IEC 27039 deals with the selection, deployment and operation of intrusion detection and prevention systems. This standard is used for the development of the CitySCAPE IDS/IPS engine, which detects anomalies and traces of attacks/incidents and pushes events from the network level up to the SIEM for correlation and (risk-based) response; it also provides basic blocking capabilities.
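To make the RFC 3164 link to the SIEM concrete, the following added example (not CitySCAPE code) parses a BSD-syslog line the way a receiving collector would, including the RFC's fallback for a missing or invalid priority field. The host names, tags and message contents are constructed sample values.

```python
import re

# Severity names from RFC 3164 section 4.1.1, indexed by numeric code.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: CONTENT
# The RFC defines TAG as up to 32 alphanumerics; "-" and "_" are tolerated here.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_-]{1,32})(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<content>.*)$",
    re.DOTALL,
)

# RFC 3164 section 4.3.3: a message without a usable PRI is treated as 13 (user.notice).
DEFAULT_PRI = 13
MAX_PRI = 191  # facility 23 * 8 + severity 7


def parse_rfc3164(line: str) -> dict:
    """Split one syslog line into the fields a SIEM correlates on."""
    m = _RFC3164.match(line)
    if m and int(m.group("pri")) <= MAX_PRI:
        pri, fields, wellformed = int(m.group("pri")), m.groupdict(), True
    else:
        # Keep the raw line as content so nothing is lost, and flag it for review.
        pri, wellformed = DEFAULT_PRI, False
        fields = {"ts": None, "host": None, "tag": None, "pid": None, "content": line}
    return {
        "facility": pri >> 3,          # PRI = facility * 8 + severity
        "severity": SEVERITIES[pri & 7],
        "timestamp": fields["ts"],
        "host": fields["host"],
        "tag": fields["tag"],
        "pid": fields["pid"],
        "content": fields["content"],
        "wellformed": wellformed,
    }


# Constructed sample lines: one well-formed IDS event, one without a PRI field.
SAMPLES = [
    "<33>Oct 11 22:14:15 gw-bus-017 ids[412]: anomaly score=0.93 src=10.0.0.5",
    "Oct  1 08:00:02 kiosk-3 validator: firmware hash mismatch",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_rfc3164(sample))
```

Flagging lines that fall back to the default priority is useful on the SIEM side, since a device that suddenly emits malformed syslog may be misconfigured or tampered with.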


This approach follows the spirit of the proposed Cyber Resilience Act, which is a so-called New Legislative Framework Regulation. This means that standards are requested by the European Commission to translate the essential requirements of this Regulation into detailed technical specifications. Being in conformity with such harmonised standards facilitates the assessment of conformity with the legal requirements and provides the presumption of conformity for products with digital elements.

The Organisation


Austrian Standards International (A.S.I.), established in 1920, is the Austrian not-for-profit standardization body and a member of the European Committee for Standardization (CEN), the International Organisation for Standardization (ISO) and the European Telecommunication Standards Institute (ETSI). A.S.I.’s committed team forms part of a large network comprising 4,500 Austrian experts in a dialogue with European and international experts. A.S.I. makes it possible for everyone to take part in shaping standards and facilitates access to, and the application of, internationally recognized expertise. This supports the interests of business, consumers, administration, science and research as well as society at large. Austrian Standards is one of eight Standards Development Organisations (BSI, DKE/VDE, IEEE, CESI, IEC, NSAI and OVE) that founded the “Open Community for Ethics in Autonomous and Intelligent Systems” (OCEANIS), a global forum fostering cooperation in the development and use of ethically aligned standards in ICT, in particular for autonomous and intelligent systems.