Secure by design transport system: DfT Science Advisory Council paper
Published 5 February 2024
Background
The Science Advisory Council (SAC) met on 22 September 2022 to provide an independent perspective on the opportunities for science to support a ‘secure by design’ approach to achieve a secure, resilient and safe transport system. The session included input from additional government officials:
- Dr Tom Salter, Deputy Director of the National Security Science and Research division at the Department for Transport (DfT)
- Professor Daniel Pope, Technical Fellow, Structural Dynamics Team, Defence Science and Technology Laboratory (Dstl)
- Head of Joint Response, Joint Security and Resilience Centre (JSaRC), Home Office
- Transport Sector Lead, National Cyber Security Centre (NCSC)
- Protective Security Adviser, Centre for the Protection of National Infrastructure (CPNI)
The content of this paper is the responsibility of the SAC alone.
Introduction
Security from malicious or unintended actions is a core requirement of all transport systems. Making systems secure is, however, sometimes approached as an ‘add-on’: technology or processes that are developed and implemented separately, and often after other design, engineering and operational decisions have been made.
Sometimes security add-ons are also applied in response to new or changed threats. The most effective and secure infrastructure includes security as an integral part of the system, a resilience that is woven into design principles, physical and cyber assets, operational procedures and even maintenance. This engineering paradigm is often referred to as secure by design.
This paper provides a high-level evaluation of scientific opportunities for DfT that may improve the security of systems through the adoption of secure by design principles, both within the design of new transport infrastructure or when existing infrastructure is updated. The focus is on engaging wider communities of researchers and normalising consideration of security aspects within DfT research commissioning and evaluation processes.
The paper is based on a workshop session held at the September 2022 session of the DfT SAC and was supported by a range of organisations, and follow-up work by SAC members. The analysis is shaped by:
- considering where science, technology and innovation can complement existing activities
- how academic engagement might be increased
- how new science capability can be developed to enhance transport systems
Key recommendations
- Science and technology supporting security is a relatively niche topic in the wider UK research landscape with limited numbers of active academic researchers and research groups. There is a strategic need to grow the diversity of communities that are engaged in security research problems, including disciplines such as project management, architecture and civil engineering. Key stakeholders in achieving secure transport can play a prominent role in articulating science needs to new audiences and actively engaging in outreach and communications.
- Greater links between safety and security as a common consideration in transport design are needed. Innovation and best practices that may be learned, whether modal-specific or common across different transport modes (for example, aviation safety culture), should be sought out. A consistent department-wide approach to encouraging the adoption of secure by design principles across selected research and development programmes is also needed (for example, through grant funding criteria), including innovation and demonstrator programmes within EmTech, governance engagement and futures.
- Encourage the application of secure by design principles through the life cycle of pre-existing transport assets, for example when systems are updated, during maintenance and refits. DfT’s role as a major investor should allow it to define secure by design objectives that can be tested at stage gate reviews, used to prioritise project funding or form part of progress reviews.
- Remove some of the barriers for new entrants to make a science or technology contribution to innovation in security. This may be achieved by including security dimensions as a routine metric for evaluation and review in proposals, even for early phase/low transport research laboratory (TRL) research. Engagement with early career researchers will be essential to grow long-term capability and normalise security as a factor in research that is supported by DfT. Specific initiatives may include in-house training or engagement with external institutions such as the Sutton Trust, Royal Academy of Engineering, other professional bodies and graduate and apprenticeship training providers.
- Integrate security and ‘secure by design’ thinking into how departmental research needs are formulated and articulated. Also, include evaluation of security aspects as part of research decision-making and prioritisation. For example, grant applicants could be encouraged to describe how they might identify and implement secure by design within the project framework. Over time a community of practice can be created with a broader reach than existing subject matter specialists. The pre-existing DfT research portfolio should form part of this, not just future projects. Winning the hearts and minds of PhD and early career scientists who may have never considered the security dimensions of their research will be an important aspect.
- Use DfT’s influence to increase educational engagement with secure by design to ultimately reach a wider base of transport stakeholders, including operators, developers and suppliers. This may include influencing educators and professional bodies to include security considerations and secure by design concepts in curricula and professional membership criteria. Engagement should include undergraduate and postgraduate students and apprentices at all NVQ levels. Those coming into the transport ecosystem should be made aware of educational resources, creating a virtuous circle and growing the audience of those who can then incorporate security into their research and commercial research and development activities.
Secure by design
The principle of ‘secure by design’ is that critical assets, processes and infrastructure have their security controls built in as an intrinsic part of their original design, routine operation and ongoing maintenance.
A secure by design approach can be applied to how new infrastructures are designed in their initial phases (for example, High Speed 2 (HS2)) or when modifications or upgrades to existing assets are planned (for example, redesign of London Kings Cross).
Secure by design principles are broad and ensure, for example, that materials used in the construction of transport hubs provide some protection against explosive threats, or systems developed for routine physical maintenance also provide timely security upgrades to software systems.
Once identified, in place and supported by project management procedures, secure by design measures derived from the principles can be adapted and updated in line with changing circumstances, both anticipated and unexpected.
This approach provides several benefits, most notably that it enables a more cost-effective and sustainable security solution to be identified early in a project’s life cycle, and that transport systems may adapt more readily to changed threats.
Why secure by design is needed
How the UK transport system is used by society is continually changing. The how and when reflects societal trends in mobility (for example, where and when people work) and the movement of goods and services.
Transport systems must also evaluate and adapt to shifts in the external threat landscape (for example, malicious activities, state and non-state actors). Changes in mobility needs often occur gradually and can be measured, modelled and to a degree predicted – although events like the COVID-19 pandemic demonstrated that shocks to the system can also occur.
Changes to the threat landscape often manifest as a step-change with both localised and wider-ranging impacts (for example, the 7/7 London terrorist attacks in 2005). Changed threats can cause a societal shock that quickly shifts perceptions, attitudes and behaviours.
Recognising society’s desire for stability and security, particularly after events, and government’s role in enabling it, responses to changing security circumstances are often implemented as reactive and visible interventions (for example, the introduction of screening of liquids).
For changes in physical security, the government’s response to new threats often directs significant resources (including research and development investment) to the retrofit of physical solutions – for example, adding additional physical barriers to stop vehicles after attacks on crowds.
For cyber security, measures aim to ‘identify, protect, detect, respond and recover’ from unwanted changes to systems and their external environment. Operationally, cyber security requires continual effort to identify threats, with changes that can in principle be implemented more frequently than for physical protections (for example, the regular Microsoft update releases, sometimes referred to as ‘patch Tuesday’).
Updates can be needed to fix vulnerabilities in the data communication channels that link the hardware and digital domains. All of these responses are, to a degree, reactive to events. A less common but natural way to apply secure by design principles is a more proactive incorporation of security resilience into systems from their design onwards – where part of that resilience may be their flexibility to update, change and adapt quickly if required.
Due to the complexity of transport infrastructure, and the threats it is faced with, getting the right balance between ‘reactive’ and ‘proactive’ development of security resilience is crucial – this includes in the research and development domain.
Opportunity for DfT to lead
DfT is well placed to act as a scientific and technical role model and work to broaden the diversity of organisations, scientists and engineers who may help improve transport security. Increased engagement from industry and academic stakeholders may help identify new opportunities to adopt and implement secure by design principles. This will be important in the cyber area as the impact of updates to the Network and Information Security Directive (NIS), known as ‘NIS2’, on both the UK and the EU becomes clearer.
Science leadership may be a powerful mechanism that allows DfT to influence complex supply chains and bring the best innovations in secure by design to the UK. A changing regulatory environment adds further motivation to evaluate how systematic application of secure by design may increase resilience and accountability. Other legislation not directly applicable to the UK regulatory regime – such as the EU CRA (Cyber Resilience Act) – may still shape the UK’s approach to planning and implementing the science of secure by design. This can include technology, engineering and other activities such as architect/land planning and strengthen the motivation for broad and coordinated action.
Inevitably, scientific knowledge related to security threats and resilience is also subject to a need to protect sensitive information. Encouraging system-wide thinking on the scientific and technical principles of making systems secure, rather than identifying specifics, may, however, avoid the need to divulge sensitive information about individual transport systems, for example by exposing a perceived weakest point.
Increasing the breadth of researchers engaged in security will likely create a higher need for good science governance, for example, authoritative mechanisms that assure scientific and technological information is robust, consistent and reflects the best evidence available. Science governance is distinct from the critical wider governance of transport systems, which assures public security and assigns roles and responsibilities.
Secure by design is seen as a strategic goal that requires more academic involvement from a larger community. However, a cautious approach is necessary to ensure new outputs, computer models and any underlying assumptions are handled in a way that weighs security considerations against the advantages of diversification and open research.
Investing in the science of secure by design has a financial benefit, as it should enable more efficient use of resources and offer durability over a longer time. Relatively small design changes made at the early stages of a project can produce much larger savings later on.
Proactive consideration of future transport systems and horizon scanning of potential threats can support a more future-resilient and adaptable transport system. Applying the principle in DfT’s research and development commissioning should facilitate a broader range of stakeholders who engage with security early on in major projects, which potentially avoids the need for redesigns later.
Through department leadership, science and research-based opportunities for enhancing the application of secure by design principles can be identified and the benefits articulated. Six challenges that are common across the UK and internationally will shape the effective use of those principles. They are:
- continual threat evolution that aims to exploit perceived weaknesses in transport security
- different transport environments have a range of vulnerabilities to different threats
- non-security external factors influencing transport security (for example, demographic trends, future technologies, different fuel types, weather and climate hazards)
- complexity of roles and responsibilities alongside the requirement for clear communications between the stakeholders responsible for transport
- keeping pace with technological change across the security sphere and synchronisation of timescales for research and testing with wider timelines for transport change
- keeping security measures proportionate, demonstrating effectiveness and value and enabling a strong security culture that has broad-based public support
Applying and enhancing secure by design
Four questions are explored to help provide the context in which secure by design exists and to identify levers that may best help encourage progress towards greater implementation of secure by design principles within the transport systems landscape. They are:
- what is different about the transport sector compared with the protection and security of other Critical National Infrastructure (CNI)?
- are there opportunities for the transport sector to adopt scientific and technical approaches used for security in other infrastructure sectors, and what challenges might these bring?
- what step changes are needed in the UK research/training portfolio to take forward the scientific opportunities, addressing the challenges?
- what are the required enabling factors to create a foundational awareness and appreciation of secure by design to create the conditions for increasing its application in transport?
Transport sector and secure by design
The transport sector benefits from applying secure by design because of long lead times, the high cost of investment and operation of assets and an often-outsized societal impact that arises from disruption – when compared to some other fixed assets. It is unique compared with other CNI because the assets physically move and are accessed by the general public, often in large and unrestricted numbers.
Transport policy is shaped by a particularly complex range of roles and responsibilities, including:
- regulators
- subject matter experts
- asset owners
- asset operators
- risk owners
- local authorities
Further complexities exist since not all transport modes are the same in design, use, complexity or lifespan. Different sectors will have different threats so solutions will vary according to needs. What is optimised for one sector may not be optimal for another.
The range of types, ages and the distribution of transport systems is vast. Some transport infrastructure is well over 100 years old and works alongside other systems that were more recently designed. Some systems are delivered through national or international bodies, whereas others are provided locally. Some have elements that are government-owned or managed, whereas others are almost completely private in ownership or provision.
This makes it challenging to design and implement universally applicable secure by design principles across this range of transport modes. Some significant influences on UK transport are outside UK control, including:
- global supply chains
- ‘malicious actors’
- other countries driving research and development priorities that align with their national needs
This makes it harder to shape and influence at the source the application of ‘secure by design’ principles, although collaborative research and commercial activities can help mitigate this.
Stepping back to consider the picture, recognising and articulating this ‘transport difference’ can help encourage stakeholders to broaden their perspectives around both the underlying motivators and potential implementation of secure by design. As stakeholder understanding of secure by design develops, this may support greater exploration of opportunities to adapt research investment to meet transport security needs better.
Challenges to the nature of security and safety research
For transport infrastructure projects, better outcomes may be realised if safety and security are fully considered together. Safety science is often more culturally and operationally embedded, and more holistically considered, in transport projects than security.
Security is often considered to be a more specialist and ‘secretive’ topic, or at least a topic where many feel they do not hold direct responsibilities. This means the size of the combined audience that may need to consider both safety and security-derived requirements, including potentially conflicting trade-offs, is much smaller than discussions of other aspects of transport systems such as economic, engineering or societal considerations.
The need to meet a balance between ‘openness versus secrecy’ means it is harder to build a multidisciplinary science research community or introduce new thinking to the field. Security, for good reasons, generally operates in a different way. If both requirements of openness and secrecy are considered together and the stakeholder network extended, it creates the opportunity for common priorities and research needs to emerge and for new innovations to flow between safety and security domains.
Presently, the majority of security-focused research is reactive, meeting a short-term need and implemented as a retrofit to existing infrastructure (for example, liquids or explosives detection). This type of research often takes precedence over research with longer-term outcomes.
While urgent problems will always exist, an increased science focus on exploring how enduring strategic security requirements may be integrated into infrastructure and operational design is needed. For example, an optimal approach to managing the threat of explosive attacks may be to make infrastructure more resilient using materials at the same time as increasing technological surveillance capability to proactively intercept malicious individuals. In this sense, secure by design is likely to always be socio-technical in its achievement.
Changes needed to achieve secure by design
Science requirements for transport asset owners and operators are largely based on meeting service user (customer) and operator requirements. Given the need for through-life updates of systems, both planned and those that are in response to changing circumstances, optimising technological flexibility of maintenance/upgrades is an under-recognised priority in early-stage project planning.
More emphasis in research should be placed on ensuring that the frameworks that update and upgrade transport systems – whether physical or digital – can both improve security resilience and adaptability and reduce through-life maintenance costs. An easily adapted system is likely much cheaper in the long run than one subject to repeated, and possibly disruptive, retrofits.
In line with its ambitions to be a science superpower, the UK needs to find niche opportunities for innovation that support immediate needs but also create global commercial opportunities. Encouraging research innovation for secure by design is not enough and direct DfT actions are needed to adapt how research is designed, commissioned and evaluated.
Given the broad reach of the current DfT-funded research and development programme, it provides a direct and near-term opportunity for exploring and implementing secure by design across the transport research programme. Many existing DfT-sponsored research projects do not actively report on their alignment with secure by design, as they are not asked to do so as a condition of their research. However, the outcomes of those existing investments may be enhanced if grant holders are asked to consider security as an influencing factor in shaping research direction, and if security is included when explaining the benefits of the research output.
There are some professional communities specific to major transport projects whose role in identifying and implementing secure by design principles might be usefully amplified, for example the ‘under-appreciated’ yet significant role of architects/planners in the infrastructure elements of hubs such as airports/stations. The diversity of science communities is crucial and should include cross-cutting technologies like artificial intelligence (AI).
There is no single overarching statement of research need because of how diverse the transport sector is. A portfolio approach is needed to encourage working across disparate groups and projects. DfT, along with other funders such as UK Research and Innovation (UKRI), should aim to create the space for new ideas to be put forward by newcomers to the security domain. Funders like DfT may want to ask how the proposed research is going to contribute to supporting security and the protection of passengers, goods, data and infrastructure when it is relevant.
It is often not possible to use the recent past to shape an understanding of what will come next. This is not limited to security – there are broader changes around new structural materials, the emergence of green fuels and enabling digital infrastructure such as electric vehicle (EV) charging. It therefore becomes harder to create and test solutions, both physically (explosive testing) and digitally (digital twin modelling, machine learning and AI), when there is no precedent of their operational use in the real world.
Education provides a powerful tool to shift individual and organisational awareness, but it is important to take a lifelong continuing professional development (CPD) perspective. This can include both formal and informal mechanisms – CPD happens when people pick up a report to inform themselves.
Similarly, the scope of those being informed needs to be broadened. A future transport systems research and teaching portfolio needs to reflect that secure by design is not only an engineering activity but includes policy, architecture and sociology (behaviour of people). Awareness of available knowledge resources generated by existing organisations appears to be low and many consider security as a regulatory requirement (a ‘must do’) rather than an opportunity to de-risk a project.
Creating communication channels to raise awareness of what resources are available and why this topic is important may provide a relatively low-cost route for increasing participation. Step changes will also be needed in the professional training portfolio. This may include greater incorporation of security into university undergraduate teaching in disciplines such as engineering and training provided by professional bodies.
There are models for communication and outreach that can be followed, inspired by approaches used in other system-wide and complex adaptations. For example, those who previously would not have considered factors such as climate change in their engineering designs or operational plans are now doing so, whether that is to adapt to long-term trends (temperature) or to provide resilience to extreme events (storms or rainfall). The integration of climate change thinking into design provides a helpful case model that may be used to support a similar shift in culture towards proactive application of secure by design principles.
Research priorities will need to be agile, and the secure by design science community will need to proactively engage with emerging technologies, especially when the future governance and regulation of those technologies may be through a regulator that does not have security as a primary consideration.
Required enabling factors and opportunities for DfT’s programme
There are major changes ongoing in UK transport systems, including:
- types of propulsion system
- low carbon fuels
- mobility patterns post-COVID-19
There is increased complexity in the ways society uses transport, a large dependence on international transport supply chains and ever-changing threats to these systems. The existing security research community, spanning both physical and cyber disciplines, is generally focused on pressing, near-term threats, which potentially leads to fewer resources being allocated to consideration of how future systems may be made secure. The situation is compounded by the small professional community that is involved in considering the overlaps between security and safety of transport systems, including the influence of upgrades and modifications throughout a long asset life on security and safety.
In addition, there may be only limited consideration of security science and engineering concepts within current apprenticeship, undergraduate, and postgraduate programmes. Research grants and funders do not explicitly ask for secure by design consideration as part of funding terms, even if the research is explicitly security-focused.
While there is extensive security-motivated research being undertaken in the UK, it is often carried out by separate specialist teams. When research is combined with a broad stakeholder network of responsibilities, this creates barriers to practical translation in a secure by design context. However, highlighting and discussing these barriers also presents DfT with an opportunity to apply some targeted science and research investment tools.
Some early actions may be needed to build momentum, for example integrating the many diverse threads of activity relating to early-stage design. Engaging expert stakeholders to discuss a systems-level approach, and collaborative innovation approaches such as road mapping, could offer an agile route to integrate multiple system elements and create a common view on the most promising opportunities for short, medium and longer-term research and development.
Conclusion
It is possible that as implementation progresses other effective short-term tools are also identified. These might be more intangible and reflect organisational priorities, structural change and funding policy rather than specific directed research programmes. These initiatives may build shared norms of understanding (systems thinking) that then create an environment in which activities and programmes can be implemented more smoothly.
The time to identify and implement a secure by design solution is often much longer than the time available to shape a response once an incident has happened. Whether it is a physical attack, a cyber-attack or an incident (such as the Log4Shell vulnerability, often referred to as Log4j) that exposes vulnerabilities that need addressing, responses are formulated and implemented rapidly, sometimes in only days or weeks.
There is a substantial mismatch between the decades-long period needed for transport infrastructure planning and the implementation of asset construction and operation, and the months to years needed to design and test solutions (physically or digitally). Unfortunately, malicious actors are not constrained in the same way and can be agile and more creative in identifying priorities and implementing ‘solutions’ to disrupt transport systems.
A ‘try and iterate’ approach is recommended, for example through small seed projects and local areas of influence. Secure by design does not have to be controlled using a ‘top-down’ management approach; instead, progress can be made through parallel trial activities, iterating and fine-tuning. This ‘find the gaps and do something’ approach mirrors the external motivations that create the security need: malicious actors often use rapid iteration and agile design and implementation approaches, look for the weakest link and exploit it.
Similarly, passengers and broader society do not act as one coordinated cohort when changing their behaviours. For increased efficiency, we may need to adapt our planning mindset to align with how secure by design motivators evolve in practice.
There is an overarching challenge of how to present disparate topics, different sectors and complex interactions that still draw out a common secure by design theme that:
- is widely understood
- shifts thinking and actions – a common framework and language
Now is a critical time to broaden the research community engaged in security and create a greater ‘lean in’ across all transport modes towards a greater focus on secure by design. This approach will help strengthen further the UK transport ecosystem both now and in readiness for the future.
Authors
All members of the SAC contributed to this paper:
- Dr Emma Taylor (lead author), Cranfield University and RazorSecure Ltd
- Professor Alastair Lewis (SAC Chair), University of York
- James Gaade, The Faraday Institution
- Anna-Marie Greenaway, University of Cambridge
- Professor Peter Jones, University College London
- Dr Siddartha Khastgir, WMG, University of Warwick
- Professor Ricardo Martinez-Botas, Imperial College London
- Professor Rob Miller, University of Cambridge
- Professor Nick Pidgeon, Cardiff University
- Professor William Powrie, University of Southampton
- Dr Dave Smith, Rolls-Royce plc
- Professor Patricia Thornley (lead author), Aston University
