How Security enables the best journey Building trust and delivering resilience

Building trust and delivering resilience · • Cyber security and physical safety can no longer be treated as separate concerns • Determining where a transport operator’s (security)


How Security enables the best journey

Building trust and delivering resilience


The best journey


INTERN

Door to door

Smart purchase Mobility


The shift to digital


2003: Ticket office 70%, Self service 3%


2017: Ticket office 6%, Self service 85%


Our app makes commuting less of a hassle

• 2,1 million app downloads (> 1/3 of Norwegian population)

• 150 000 daily active users


Building trust


• Digitalization challenges traditional trust building practices

• Digital technologies, both tools and systems, function as replacements for trusted human roles

• Most people do not understand the technology, much less the full digital supply chains involved

• Consent is given without understanding what is actually asked

• Customer data is used for unexpected purposes


• Digital ethics and privacy, with security as a fundamental component

• Principled approach to collection and processing of customer data

• Consistent communication and behaviour throughout the digital customer journey

• Fair processing in keeping with customer expectations


Delivering digital resilience


Security & Safety

• Physical Security

• Personnel Security

• Information Security

Safety measures are created to protect people and property from injury or loss by circumstance, accident or negligence

Security measures are created to protect people and property from injury or loss by deliberate actions taken by people

[Diagram labels: Physical Security; Information Security; Personnel Security; Analogue Information; Digital Information; Other things than information; Cyber Security; IT Security]

IT security is Information Security is Cyber Security…


Why digital resilience?

Changes in the nature of transportation assets

• Individual assets combine multiple components

• The cyber/physical divide blurs

• Assets are linked to form individual systems and systems-of-systems shared amongst multiple stakeholders

The security implications are serious

• Assets are subject to a greater range of security threats

• Cyber security and physical safety can no longer be treated as separate concerns

• Determining where a transport operator’s (security) responsibilities end is no longer clear

Adapted from: Cyber Security and Resilience of Intelligent Public Transport, ENISA (2015)


Resilience – ability to resist, absorb, recover from or successfully adapt to adversity or a change in conditions


Key functions of the security office

Source: Structuring the Chief Information Security Officer Organization, SEI, Carnegie Mellon University


Functional organisation

Chief Information Security Officer

Security Engineering and Asset Security

Application Security

Identity & Access Management

Host and Network Security

Physical Access Control

Information Asset Security

Security Operations Center

Emergency Operations & Incident mgmt.

Incident Response Team

Program management

Governance, Risk and Compliance

External Relations

Project management

Information Security Council

Adapted from: Structuring the Chief Information Security Officer Organization, SEI, Carnegie Mellon University


Risk assessment

Risk Scenario

Asset

Threat

Vulnerability

• Common threat assessment built on
  • Threat reports from national security services
  • Research reports (ENISA, ISF etc.)
  • Experience
  • Public incidents

• Vulnerabilities
  • Common to other ICT systems
  • Specific vulnerabilities in legacy systems
  • Fact based – scanning, audit, testing


Building on common frameworks: NSM Principles for ICT security, NIST Cyber Framework, CSC Top 20

Govern

Identify, Protect, Monitor, Respond & Recover


Future challenges

• Multiple operators sharing infrastructure

• Integration between carriers in multimodal transport systems

• Autonomous vehicles

• Mobility as a service (MaaS)…

• …in smart city environments

Source: Cyber Security and Resilience of Intelligent Public Transport, ENISA (2015)