Securing ITS

ITS systems are subject to security threats like any other information technology system. This is true not only for systems that process personal or financial information (i.e., electronic toll collection systems), but also for many other types of ITS systems. Dynamic message signs are subject to tampering and unauthorized use, traffic signal control systems must operate flawlessly and fail in a safe manner when errors do occur, and many ITS operations centers may be called upon to play an important role in disaster response and recovery. ITS systems can only contribute to a disaster response if the ITS systems are robust and secure enough to operate reliably in crisis situations. Note from these examples that security is not only concerned with preventing unauthorized disclosure of sensitive information. Comprehensive security also addresses a broad range of threats that can disrupt or alter system operation.

Securing ITS

The National ITS Architecture was enhanced in version 5.0 to include general security objectives, threats, and services that are implementation independent. Instead of the specific computer and communications systems that are considered in a traditional security analysis, these general security concepts are applied to the functions and information flows that are defined in the National ITS Architecture. The security analysis that is included in the National ITS Architecture is high-level, but representative of the initial security analysis that is performed for any system. This section discusses how securing ITS is represented in the National ITS Architecture. It defines general security objectives and threat rankings and describes how those lead to suggested security services for subsystems and architecture flow groups.

Security Services

Security services are typical security mechanisms or countermeasures that provide for different aspects of security. Security services are driven by the security objectives and threats expected to adversely impact a system or communication between systems.

Information Security

Confidentiality - The system should prevent unauthorized disclosure of information deemed sensitive.
Integrity - The system should ensure that information is protected from unauthorized intentional or unintentional modifications.
Availability - The system should protect critical ITS services in order to prevent degradation or denial of the ITS services to users of the services. Single points of failure should be avoided.
Accountability - The system should provide protection against a sender of an information transmission later denying that they sent the information. The system should provide protection against a receiver of an information transmission later denying that they received the information. This concept is known as Non-Repudiation or Accountability.
Authentication - The system should verify the identity of a user and/or other system prior to granting access to a requested resource.
Auditing - The system should have the capability to trace ITS subsystem and individual user actions and activities. The auditing function of the system places the actions and activities in an audit trail that is protected from unauthorized access and modification.
Access Control - The system should limit access to the resources of a subsystem to only those users and other subsystems that are properly authorized. After authenticating an entity, the system should have the capability to limit system access to information or resources based on that entity’s access privileges. The system should limit software modifications and upgrades to users and other systems that have authorization.

Operational Security

Physical and Environmental Protection - The system should protect against adverse environmental conditions (e.g., temperature extremes, moisture and humidity, wind, dust). The system should provide capabilities to minimize the affects of power disruptions and surges. The system should protect against telecommunications failures. The system should provide capabilities like fire prevention, detection, and suppression.
Physical Access Control - The system should prevent unauthorized physical access to critical ITS facilities, field equipment, and other ITS assets. The system should log all attempts to physically access ITS facilities, field equipment, and other assets. The system should notify operations staff when a breach of physical access is attempted.
Security Monitoring - Critical ITS facilities, field equipment, and other ITS assets should be monitored. Manual and automated alarms should be provided.
Security Incident Management - Security incidents should be actively managed via identification, operations, and recovery. The incident should be reviewed and analyzed to determine how to improve security to prevent future occurrences. Procedures should be deployed that manage these incidents, including the review and analysis processes. These procedures should be continually improved and updated to mitigate future occurrences of the same type of incident. This could include defining different types of security incidents, and the procedures in place for preventing future occurrences of each – these procedures may be different depending on the type of incident.
Contingency Planning - Operational continuity and disaster recovery plans should be prepared and periodically tested and revised to ensure the integrity and continuity of operations and minimize the impact to the system from a disaster. The system should implement a comprehensive strategy for backup and restoration.
System Maintenance - Only authorized software, hardware, and devices should be installed or used. System changes should be documented, authorized, and tested prior to deployment. Change management procedures should be used.
Sensitive Materials Management - Sensitive information should be securely stored, protected, and properly disposed of.

Personnel Security

Personnel Screening - ITS Personnel with access to sensitive information or in security-critical positions should be subject to pre-employment screening, including background checks when appropriate per the security policy in effect. ITS Personnel in these sensitive positions should be subject to periodic reinvestigation.
Supervisory Controls - Supervisory practices should be followed that ensure that ITS Personnel roles and responsibilities are properly exercised.
Awareness and Training - All critical ITS Personnel should be trained on relevant security policies, practices, and guidelines.
Separation of Duties - Duties should be identified such that one person acting alone cannot compromise the security of critical ITS services. Job rotation should be used for sensitive ITS positions.
Least Privilege - ITS Personnel should be granted the level of access needed to fulfill their role and no more.
Accountability - ITS Personnel should understand their responsibility and be accountable for their actions. Audit trails and logs should be reviewed to detect improper access.
Termination - The system should prevent unauthorized access by transferred or terminated employees.

Security Management

Security Management - The security management service connects all of the other security services together in order to provide security controls throughout ITS. Security Management ties in with the Information, Operational, and Personnel security aspects of securing ITS as well as the eight security areas. The security management service includes user and system assignment of appropriate access control, password management and a host of other security mechanisms. Security Management is often implemented by a combination of manual and automated controls. Security Management includes the definition, implementation, and enforcement of the following: security policies and procedures, roles and responsibilities, and system configuration. System configuration management provides the means for ensuring all aspects of the ITS deployment are configured to provide an effective, efficient, and secure operating environment. Interfaces between architecture entities should be designed and implemented such that each security-related specific interface has minimal and closely controlled functionality in providing system access.

Security Objectives

Security Objectives help form the basis for evaluating appropriate security services and levels of service that satisfy the security objectives. The security objectives have classifications of High, Medium, Low, and Minimal.

Availability

Confidentiality

Integrity

Security Threats

Security Threats, along with Security Objectives, also provide the basis for evaluating appropriate security services. The security threats have classifications of High, Medium, Low, and Minimal.

Deception

Disclosure

Disruption

Usurpation

Securing Architecture Flows

The focus of the ITS Standards program is for systems to be able to seamlessly exchange information. Protecting system interfaces is critical to securing ITS. The interfaces, or architecture flows, as defined in the National ITS Architecture have been analyzed to ascertain applicable security services importance. In order to keep the security considerations for architecture flows manageable, architecture flow groupings were created for architecture flows that share similar security objectives, threats and security services

Architecture flows have been placed into one of fifteen groups that are based on unique security considerations. In cases where an architecture flow could be allocated to multiple groups, the most appropriate security group was chosen. Each architecture flow group has been given typical security service, security objectives and security threat classifications of high, medium, low or minimal. Similar architecture flows are grouped together so that security services can be consistently applied. The security service classifications are based on the security objective and threat importance. For example, the combination of a high level of integrity (i.e., unauthorized modification of the information) and a high level for the threat of deception would necessitate, among other services, a high or great need for the Access Control security service.

The information content of the architecture flow coupled with its operational role was considered in the security service classifications. In some cases, the security service, objective or threat is not applicable and thus will not be in the corresponding table. The security service considerations are typical, it is incumbent on the user to tailor the security considerations as appropriate to the ITS application (e.g., sensitive archive data might require a higher classification than the nominal "Low" designation identified in the National ITS Architecture). The architecture flow groups are as follows:

Archived Data Architecture Flows

Business Sensitive Architecture Flows

Emergency Architecture Flows

Enforcement/Crash Reporting Architecture Flows

Financial/Personal Architecture Flows

Map Data Architecture Flows

Media Architecture Flows

Not Applicable Architecture Flows

Operational Information Architecture Flows

Operational Information - Safety Architecture Flows

Public Architecture Flows

Secure Human Interface Architecture Flows

System Control Architecture Flows

Traveler Information Architecture Flows

Traveler Information - Safety Architecture Flows

Weather/Environmental Architecture Flows

Securing Subsystems

The following list of National ITS Architecture subsystems contains a description of potential security considerations for each subsystem. These high-level descriptions are intended to highlight security considerations that touch on information security, operational security, personnel security and security management. Because of the breadth and diverse nature of the processing within each subsystem, the specific security considerations for a given ITS implementation must be developed by understanding the objectives, threats, and the system vulnerabilities to these threats.

Entity	Security Overview
Archived Data Management	The Archived Data Management Subsystem security considerations are directly related to the sensitivity of the data contained in the archive. Some ITS archives include crash reports, personal information, and other sensitive information that requires significant security safeguards. Most archives are much less sensitive, containing bulk ITS information that is not confidential and does not require special security measures. Like confidentiality, the required availability of each archive must be considered based on the archive’s application. In many, but not all, cases, archives are used for off-line applications where short-term loss of availability will not cause serious impact to the transportation system. In many cases, the most critical objective for data archives will be data integrity. Since archives are frequently used to measure performance of the transportation system and provide data that supports operations and planning, the accuracy and reliability of the data contained in the archive is paramount. Each archive should be reviewed by the system manager and data owners to ensure that security is consistent with the sensitivity of the archived data.
Commercial Vehicle	The Commercial Vehicle Subsystem contains screening and safety data, and is used to support roadside electronic screenings. Cargo content information should be protected from unauthorized access for knowledge of this information, especially security sensitive HAZMAT cargo, could target the vehicle for hijacking or terrorist attack. In support of driver authentication, driver identity characteristics (i.e. biometrics, Personal Identification Number (PIN)) would be stored on-board the vehicle and appropriate measures should be taken to protect this personal information. In general, the Commercial Vehicle Subsystem handles personal and business sensitive information about the commercial vehicle including container content information that needs to have a relatively high degree of confidentiality in order to safeguard the information. In addition, it is important that the information about the commercial vehicle and its cargo is available to the Commercial Vehicle Administration subsystem. The integrity of the information from the commercial vehicle is also important to prevent deceptive practices.
Commercial Vehicle Administration	The Commercial Vehicle Administration Subsystem manages credentials, financial data, border clearance, safety data, and other sensitive information. In general, the Commercial Vehicle Administration Subsystem handles personal and business sensitive information, such as financial data information that needs to have a relatively high degree of confidentiality in order to safeguard the information. In addition, it is important that the information is available in order to ensure that cargo is transported as safely and efficiently as possible. The integrity of the information is also important to consider in order to prevent unauthorized clearance.
Commercial Vehicle Check	The Commercial Vehicle Check Subsystem contains safety and credentials data to support electronic screening. The safety data also supports roadside safety inspections. For international borders, data from border inspection administration systems (i.e. Department of Homeland Security) supports commercial vehicle border screening. In general, the Commercial Vehicle Check Subsystem handles personal and business sensitive commercial vehicle information that needs to have a relatively high degree of confidentiality in order to safeguard the information. In addition, it is important that the information is available to support safety inspections and electronic screening for safe and efficient commercial vehicle checking. The integrity of the information is also important to consider in preventing possible deceptive screening.
Emergency Management	The Emergency Management Subsystem provides critical functions that directly impact public safety. It handles sensitive information, must "operate through" and be available in distressed environments, and is subject to numerous threats including both physical and cyber attacks. The Emergency Management Subsystem represents an extremely broad group of call-taking, dispatch, command post, and operations centers. In addition to these public safety and emergency management centers, the Emergency Management Subsystem also represents private sector telematics service providers, service patrol dispatch systems, and security monitoring systems. Each of these systems has unique security vulnerabilities that must be considered in defining appropriate security services. Systems represented by the Emergency Management Subsystem operate in environments ranging from tightly controlled, secure command centers through open field environments when command posts are established in the vicinity of a major incident or disaster. The command post environment, with its reliance on wireless communications and relative lack of physical and environmental protection, has different vulnerabilities than systems operating in a fixed center. The availability requirements for an individual center must be assessed in the context of the concept of operations for the region. For example, the availability requirements for a service patrol dispatch system may not be high because the dispatch operation may be moved to an emergency operations center in times of crisis. The emergency operations center would have much more stringent availability requirements in this scenario. Similarly, the sensitivity and value of the information handled by each specific system must be evaluated to determine appropriate security safeguards for integrity and confidentiality. While it is good practice for all systems, a rigorous evaluation of security objectives, threats, vulnerabilities, and countermeasures is particularly important for each system represented by the Emergency Management Subsystem.
Emergency Vehicle	The Emergency Vehicle Subsystem (EVS) is the communications lifeline that connects emergency personnel in the field with emergency dispatch, other emergency personnel, and other resources that support emergency response. The EVS handles potentially sensitive information, must "operate through" and be available in distressed environments, and is exposed to numerous threats including eavesdropping (disclosure), unauthorized access or control, and disruption of services. Although confidentiality is a concern, the most critical security objectives for EVS are availability and integrity - the services and information provided by EVS must be available and accurate so that incident response is not degraded. Although the EVS provides the same basic driver communications, tracking, and routing functions that are provided by the other fleet vehicle subsystems, these functions are frequently safety critical for this subsystem since they directly impact the ability to provide an effective response to emergencies, which in turn impacts public safety. The EVS represents a wide range of vehicles including police cruisers, command vehicles, various types of fire apparatus, service patrol vehicles, ambulances, towing and recovery vehicles, and many different specialized response vehicles. This collection of vehicles may have very different security requirements, depending on the functions supported, the data that is stored, and the mission criticality of the services provided. For example, maintaining confidentiality of police vehicle locations is a public safety concern and frequently a key security objective. Tow vehicle locations are generally not a public safety concern, but tow truck operators may still want to prevent unauthorized vehicle location disclosure for business reasons. Finally, the current location of a service patrol vehicle may not be considered to be particularly sensitive. There are also other variables that impact security that are independent of vehicle type. For example, initial EVS data services will supplement voice communications that frequently will continue to carry all mission critical information. The security requirements for these initial implementations might be less robust until the agency gains experience with the EVS data services and begins to rely on them for mission critical information. As the role of the data services evolves and expands, the security requirements and the systems themselves must be revised so that mission critical systems are available and reliable when they are needed most. The specific analysis of the security objectives, threats, vulnerabilities to those threats, and appropriate security services to address the vulnerabilities should be undertaken for systems associated with the EVS.
Emissions Management	The Emissions Management Subsystem processes vehicle emissions data and regional air quality data that are generally not sensitive to public disclosure. Also, while air quality is extremely important to everyone, the services provided by the Emissions Management Subsystem are generally not mission critical and could be lost or delayed for short periods of time without serious implications for public safety or operational efficiency of the transportation system. In most cases, normal precautions that are taken to protect data integrity will also suffice here since the threat of inadvertent or malicious tampering with data is not particularly high. There are scenarios where the security associated with Emissions Management will be more significant. For example, data integrity and confidentiality are more significant if the specific emissions management system is identifying emissions/pollution violators and collecting personal information and evidence of infractions. This information is both sensitive and subject to tampering. In most cases, system availability will not be critical, but a specific system may require higher availability if the network of sensors and data collected are relied upon to detect and report dangerous levels of pollutants or other airborne materials in emergency situations.
Fleet and Freight Management	The Fleet and Freight Management Subsystem is responsible for submitting credential applications, enrolling in international goods movement programs and paying tax bills, which contain personal and financial data. Driver identification information, including biometric parameters, is managed by this subsystem and it contains sensitive personal information. Since knowing freight equipment locations and cargo contents, especially security sensitive HAZMAT could lead to unintended consequences like hijackings or terrorist acts, security measures should be in place to protect this information. In general, the Fleet and Freight Management Subsystem handles personal and business sensitive information, including financial data, that needs to have a relatively high degree of confidentiality in order to safeguard the information. In addition, it is important that the location and cargo content information is available. The integrity of the information is also important to prevent deceptive practices.
Information Service Provider	The Information Service Provider security considerations are related to the sensitivity of the requests being made for information as well as the sensitivity of the information being provided. Some ISPs may charge their clients for information and services, in which case security measures should be in place to protect the client's personal information including their credit information as well as unauthorized access to premium services. Information such as evacuation information and emergency alerts can jeopardize public safety if the information is unauthorized, inaccurate, or not delivered in a timely fashion. Traveler information that contains financial data or other highly sensitive information should have a relatively high degree of confidentiality in order to safeguard the information. In addition, it is important that traveler information is available in times of crisis. The integrity of the information is also important to prevent deceptive practices. Most traveler information will not require this level of safeguarding.
Maintenance and Construction Management	The security considerations for the Maintenance and Construction Management Subsystem relate to the physical security of transportation assets and maintenance personnel. This subsystem is involved in coordinating the response to certain incidents by dispatch, routing and allocating maintenance vehicles and other resources in coordination with other center subsystems. This subsystem collects and processes environmental sensor information from the roadside that might contribute to the detection, classification and response to security threats. In general, the Maintenance and Construction Management Subsystem’s information security needs to have a relatively low degree of confidentiality in order to safeguard the information. In addition, it is important that the information is available and has integrity in order to prevent improper reporting of assets needed to support emergencies.
Maintenance and Construction Vehicle	The security considerations for the Maintenance and Construction Vehicle Subsystem relate to physical security of the vehicle, operators and the roadway on which the vehicle operates. The maintenance vehicles can be mobile environmental sensing platforms that could contribute to the detection, classification and response to security threats. Maintenance vehicles might be deployed as movable barriers in response to certain security threats. In general, the Maintenance and Construction Vehicle Subsystem’s information security needs to have a relatively low degree of confidentiality in order to safeguard the information. In addition, it is important but not essential that the information is available and has integrity in order to prevent improper reporting of the vehicle’s location and sensing capabilities.
Parking Management	The primary security consideration for the Parking Management Subsystem is related to the financial information collected from the customer vehicles and exchanged with center subsystems for electronic payment processing. Additional security sensitivity is for the personal information associated with electronic accounts used for parking payment. Parking lots may be capable of uniquely identifying each vehicle that enters and exits, for the purpose of computing the correct parking fee, and this information could also be used for security purposes. High profile parking lots may require special monitoring and classification of vehicles requiring a relatively higher degree of confidentiality, availability and integrity of the information than most parking lots.
Payment Administration	The primary security consideration for the Payment Administration Subsystem is related to the financial information collected from the field and exchanged between other agencies using common electronic payment media that needs to have a relatively high degree of confidentiality in order to safeguard the information. Additional security sensitivity is for the personal information associated with electronic accounts. In addition, it is important that the information is available to the Payment Administration Subsystem in order to ensure that payments are properly accounted for. The integrity of the information is also important to consider in order to prevent disruption of fee collection operations.
Personal Information Access	Security considerations for Personal Information Access include the measures necessary to safeguard the personal and financial information that may be entered by individual users. Personal Information Access subsystem equipment is typically privately owned and operated, and includes the use of portable or handheld devices. Devices such as these are prone to theft and misuse. Information coming from these personal devices should be authenticated to verify that the requester is who they say they are and that the information they are given is limited to the information requested or to information that is available to the public. In general, the Personal Information Access Subsystem handles personal and financial information that needs a relatively low degree of confidentiality to safeguard the information. In addition, it is important but not essential that the information is available. The integrity of the information is also important in order to prevent improper financial transactions and accessibility to unauthorized information.
Remote Traveler Support	The Remote Traveler Support subsystem security considerations relate to the potential locations of the types of equipment included in this subsystem. Kiosks and other publicly accessible information access points can be target areas for criminal elements trying to rob or harm travelers. As such the RTS should include appropriate physical security measures including the placement in well-lit areas and the use of video and audio surveillance to secure the use of the equipment. Travelers may be using the RTS to request emergency services and measures should be in place to secure the information and ensure the availability and integrity of the system. Travelers may also be using the RTS to make reservations and trip plans that involve the transmission of personal and financial data. Those transactions should also be secured.
Roadway	The security considerations for the Roadway Subsystem (RS) are directly related to the types of field equipment that are included in a particular implementation. The RS performs a broad range of roadway network monitoring and control services and includes both safety-critical and non-safety critical systems. Safety-critical systems include traffic signal systems, gates and barriers that control facility access, and future systems that may support automated vehicle control systems. Since improper operation of these systems can directly endanger motorists, security services should be established so that these systems operate with very high levels of integrity and availability and system operation degrades in a fail-safe manner. In contrast, the information associated with operation of these systems is not confidential and typically will not need special measures to protect it from disclosure. Surveillance and environmental sensor systems provide information that may be safety critical if this information is used to monitor for incidents or dangerous road conditions. Although malicious tampering is possible, the more likely threats to sensor and surveillance information involve inadvertent loss or corruption of the provided information. Again, availability and integrity are the paramount security objectives. Although the surveillance and sensor data is generally not sensitive to disclosure, confidentially is important when CCTV cameras are zoomed in on a crash and other scenarios where individuals can be identified from the surveillance data. The driver information systems included in the RS, such as dynamic message signs and highway advisory radio, are generally not considered to be safety-critical, but have their own set of security considerations. These systems are perhaps the most likely in the RS to be the target of unauthorized access attempts and must be protected against such attacks by emphasizing security services that enhance integrity. The availability requirements associated with DMS and HAR may increase as these systems are used increasingly in critical services like Amber Alert. Other RS systems, including short range communications equipment, will increasingly warrant attention in the future with the advent of VII-enabled safety critical applications. These applications range from probe surveillance to intersection collision avoidance to weather advisory dissemination. Special security considerations will be needed based on the criticality of the supported applications.
Roadway Payment	The primary security consideration for the Roadway Payment Subsystem relates to the financial information collected in the field that is sent to the Payment Administration Subsystem, and to any personal information associated with the financial transactions. Electronic payment needs to have a relatively high degree of confidentiality in order to safeguard the information. Additional security sensitivity is for the personal information associated with electronic accounts. In addition, it is important that the information is available from the Roadway Payment Subsystem to the Payment Administration Subsystem in order to ensure that payments are properly accounted for. The integrity of the information is also important to consider in order to prevent disruption of fee collection operations.
Security Monitoring	The Security Monitoring Subsystem (SMS) includes surveillance and sensor equipment used to provide enhanced security and safety for transportation facilities or infrastructure. The SMS handles information used to support safe operation of the transportation system and to support emergency response. The threat sensor, object detection and infrastructure integrity monitoring equipment represented by this subsystem perform safety critical functions. Since improper operation of these systems can directly endanger motorists and communities, security services should be established so that these systems operate with very high levels of integrity and availability and system operation degrades in a fail-safe manner. The information associated with operation of these systems is confidential and typically will need special measures to protect it from disclosure. Although malicious tampering is possible, the more likely threats to SMS sensor and surveillance information involve inadvertent loss or corruption of the provided information. Again, availability and integrity are the paramount security objectives. The surveillance and sensor data is not meant for public disclosure so confidentially is important. Limited processing of collected sensor and surveillance data is also included in this subsystem to support threat detection and classification. Physical security around the SMS sensors and surveillance equipment may be necessary to protect the equipment from usurpation and disruption.
Traffic Management	The Traffic Management Subsystem (TMS) represents centers that control freeway systems, rural and suburban highway systems, and urban and suburban traffic control systems. This includes safety critical control of traffic signals, dynamic message signs, gates and barriers, and other traffic control equipment. It also supports important coordination with other centers to adapt traffic management to address incidents and the special needs of other systems and agencies. The majority of the information handled by the TMS is not particularly sensitive; public disclosure of DMS messages, traffic signal control plans, and the bulk of the other information managed by the TMS is not a key concern. The integrity of this information is more important since the principal threats are those that allow undetected errors or unauthorized control of field equipment. For example, errors that cause loss of control of traffic signals or malicious attacks that usurp control of a dynamic message sign. Both insider and outsider attacks must be considered in developing the overall security strategy for a traffic management center. Availability may also be important, depending on the role of the specific traffic management center in the region. State, regional, and local traffic management centers are all represented by the TMS. In addition to traditional centers, the TMS also represents portable computers and other simple solutions that allow remote monitoring and control of field equipment. Each of these implementations may have different implications for security. For example, a regional traffic management center may take control from a local traffic management center during off-hours and under special circumstances. In these types of implementations, the security-related availability requirements could be much more stringent for the regional traffic management center and the associated remote control capability than they would be for the local traffic management center. The functions performed by a specific TMC and the ability of the Roadway Subsystem to operate autonomously when the TMC is off-line are also factors that determine how critical availability is for a particular TMC. While confidentiality is not a special concern for most traffic management data, confidentiality may be important if the specific system supports speed enforcement, HOV occupancy enforcement, or other applications that identify specific vehicles and individuals and other information that must be protected from public disclosure.
Transit Management	The Transit Management Subsystem (TRMS) represents centers that control public transportation vehicle fleets, including buses and light and commuter rail, in rural, suburban, or urban settings. It provides operations (schedules, routes, fare structures), maintenance, customer information, planning and management functions for the transit property, and spans the central dispatch and garage management systems. Security considerations for the TRMS include safety critical control of the physical transit assets, operational security of the facilities that house the transit management center and the maintenance garage, and transit personnel security. The TRMS also supports coordination with other centers to adapt transit management to address incidents, event data, and the special needs of other systems and agencies, and to provide real-time information on current transit services. The majority of the information handled by the TRMS is not particularly sensitive; public disclosure of transit operational data, passenger loading, ridership, and vehicle maintenance data, and the bulk of the other information managed by the TRMS is not a key security concern. The integrity of this information is more important since the principal threats are those that allow undetected errors or unauthorized control of physical transit assets, i.e., buses or light rail. For example, malicious attacks on the computer system that controls light rail would be a serious security concern. Both insider and outsider attacks must be considered in developing the overall security strategy for a transit management center. Security considerations at the Transit Management Center itself should include closing and locking outside doors, badge access to outside doors, at least password control when logging onto computers, a dispatcher in-house at all times service is operational, etc. Security considerations at the garage should include badge access to outside doors, password access when logging onto the bus (including transit vehicle operator authentication by the center). From an information standpoint the primary security issues relate to financial transactions associated with electronic payment media or certain security sensitive operations, such as remote disabling of a transit vehicle during an incident such as a hijacking.
Transit Vehicle	The Transit Vehicle Subsystem (TRVS) is the communications path that connects transit personnel in the field with central dispatch at the transit management center. This subsystem provides the functions necessary to support the safe and efficient movement of passengers. Most of the information that is handled by the TRVS is not particularly sensitive except for financial transactions associated with electronic payment media, and the information flows used for operator authentication on the vehicle or remote vehicle disabling. Operator authentication is used to prevent unauthorized vehicle operation, and remote disabling is provided as one aspect of response to on-board threats. The security considerations for the Transit Vehicle Subsystem relate to physical security of the vehicle, transit vehicle operators, and travelers using the vehicle. The TRVS is exposed to certain threats including unauthorized access or control (hijacking) and disruption of services. Other security objectives for TRVS are availability and integrity – the services and information provided by the TRVS must be available and accurate so that transit operations are not degraded. The basic transit vehicle operator communications, tracking, and routing functions provided by the TRVS are not particularly sensitive from a security standpoint. They do not directly affect public safety – disruption of service would be mainly an inconvenience. The TRVS represents a wide range of vehicles including articulated and double-decked buses, paratransit vehicles, ferryboats, light and commuter rail, monorail vehicles, school buses, trolley buses, vans, tow trucks, shelter service trucks. This collection of vehicles may have different security requirements, depending on the functions supported, the data that is stored, and the services provided. Passenger carrying transit vehicles have additional security concerns beyond those vehicles that do not carry passengers, namely the physical security of the passengers, and the protection of financial or personal information relating to electronic fare payment systems. For example, threat sensors, surveillance, and alarms are used to identify threats on-board a vehicle, and there are confidentiality issues associated with all financial transactions. The primary security consideration for supervisory or support vehicles is the physical security of the vehicle and the vehicle operator. There are also other variables that impact security that are independent of vehicle type. For example, as new systems are deployed on a bus, the transit vehicle operator must become familiar and comfortable with their usage. Until the operator is familiar with these systems, they may be vulnerable to attack (or the information that is stored and sent to the TRMS may be vulnerable) and security may be an issue. The specific analysis of the security objectives, threats, vulnerabilities to those threats, and appropriate security services to address the vulnerabilities should be undertaken for systems associated with the TRVS.
Vehicle	The primary security consideration for the Vehicle Subsystem relates to the security of the basic vehicle and the driver and passengers in the vehicle. A vehicle Mayday capability might allow the driver or passengers to provide center subsystems with information about security threats or incidents. Various safety systems in the vehicle might protect the occupants from some security hazards. The electronic payment capabilities expose the financial information of the owner to certain risks of unauthorized disclosure. The vehicle may anonymously broadcast its location and key sensor readings and receive critical safety information from roadside equipment. In general, the Vehicle Subsystem needs to have a relatively high degree of confidentiality in order to safeguard transmitted information.