Cybersecurity Challenges to Secure Smart Highway Infrastructure

Modern highways are becoming “smart.” Across the world, roadside sensors relay live traffic data to control centres, wireless networks connect traffic lights and message signs, and vehicles communicate with infrastructure in real time. This digital transformation promises safer, more efficient travel – yet it also opens the door to new cyber threats.

A highway is no longer just concrete and asphalt; it’s also a network of intelligent systems that, if compromised, could disrupt transport or endanger lives. In 2023, the European Union Agency for Cybersecurity (ENISA) found that the transportation sector was the target of 11% of all cyberattacks in Europe – second only to government – highlighting that transport infrastructure has become an enticing target. High-profile incidents have underscored the stakes: a ransomware attack on an expressway operator in Asia caused a complete standstill of highway traffic and services, and security researchers have remotely hacked traffic signals and even passenger vehicles to demonstrate the potential havoc attackers could wreak.

Smart Highways in the Digital Era

Highways around the world are undergoing a high-tech makeover. Under the banner of “smart infrastructure,” transportation agencies are deploying Intelligent Transportation Systems (ITS) – an ecosystem of sensors, cameras, connected signage, and communication networks – to improve road safety and traffic flow. These innovations enable dynamic speed limits, real-time traffic rerouting, automated incident detection, and vehicle-to-infrastructure messaging about road conditions. Highways are also integrating with other digital systems: toll collection has gone electronic, maintenance crews use connected devices, and increasing numbers of vehicles on the road are internet-enabled. The result is a modern highway that functions as a cyber-physical system – where computing and connectivity are as integral as pavement and guardrails.

The benefits of this digital transformation are significant. Smart highway technologies promise to reduce congestion, optimize fuel consumption, and prevent accidents through early warnings. For example, roadside units can broadcast hazard alerts directly to connected cars, and AI-based traffic management platforms can automatically adjust ramp meters or traffic signals to alleviate bottlenecks. These advancements support goals like smoother logistics for freight and lower emissions from idling traffic. They also enable future innovations such as autonomous vehicles, which will rely on robust communication with intelligent road infrastructure to navigate safely.

However, the flip side of increased connectivity is increased vulnerability. Each new digital system introduced to highways – from an IP camera monitoring traffic to a roadside Wi-Fi network connecting vehicles – becomes a potential attack surface for cyber adversaries. Cisco, a major provider of networking for ITS, bluntly summarizes the situation: as more components of roadways go online, “the attack surface only increases”. In other words, the very technologies that make highways smarter and more efficient also give malicious actors new entry points to attempt disruption, theft, or sabotage. An S&P Global analysis in late 2024 noted that while digitization has transformed transport for the better, it also provides “an enticing target for malevolent actors” who recognize that disrupting transportation networks can inflict outsized economic damage and grab headlines.

Unlike the closed, analogue systems of the past, today’s highway infrastructure often connects to the same networks we use for general IT. Traffic control centres are linked via corporate IT networks that may be accessible from the internet; field devices communicate over wireless links that may not always be secure. This convergence of operational technology (OT) with information technology (IT) means a hacker halfway around the world could conceivably reach into a local traffic system – something that was nearly impossible when each signal or sign was an isolated electrical device. The boundary between digital and physical infrastructure is blurring, raising the stakes for security in the highway sector.

For an educated layperson, a useful analogy is to compare a modern smart highway to a modern office building. Both have become “smart” – an office has connected HVAC, security cameras, and badge readers; a highway has connected sensors, cameras, and message boards. If an office building’s systems are hacked, it might lead to disabling elevators or alarms; if a highway’s systems are hacked, the consequences can extend to citywide traffic jams or accidents. In both cases, cybersecurity must be a foundational design consideration. Unfortunately, infrastructure systems historically were engineered with safety and reliability in mind – but not necessarily with security against hackers. Many legacy highway components were not built to withstand deliberate cyberattacks.

This lag in cybersecurity maturity is evident in incidents and audits worldwide. Penetration testers often find basic weaknesses such as default passwords and outdated software in traffic management devices. National Highways in the UK, for instance, recently faced scrutiny after reports that over 125 sensitive devices (like laptops and storage drives) went missing – prompting warnings about cyber risks if data fell into the wrong hands. Although that case was about lost equipment, it underscores a general issue: highway agencies are still building up their cyber protections, and lapses can occur in both technology and human processes.

In summary, the digital era brings a dual challenge for highway operators: embrace connectivity to unlock transportation innovations, while rigorously managing the new cyber risks that connectivity introduces. As we progress into deeper technical analysis, keep in mind this core tension. Smart highways deliver value by connecting systems together – and it’s that very connectedness that demands vigilant cybersecurity to maintain safe and reliable operations. The next section maps out the kinds of cyber threats that smart road infrastructure faces, from malware and ransomware to GPS jamming and vehicle hacks.

The Evolving Cyber Threat Landscape for Connected Roadways

As highways have become more digitized, attackers have taken notice. The threat landscape for smart road infrastructure is broad and continuously evolving, spanning everything from lone hackers making mischief to organized cybercriminals and state-sponsored groups. ENISA’s first comprehensive Transport Threat Landscape report (covering 2021–2022) found that ransomware attacks were the single most prominent threat against the transport sector (38% of analysed incidents), followed by data breaches (30%) and malware (17%).

Transportation was among the top three most targeted sectors in Europe by mid-2024. While many attacks so far have focused on stealing data or holding IT systems hostage for ransom, there is growing concern about attacks that could directly disrupt physical operations or safety.

Below, we break down the major cyber threat vectors affecting smart highways:

Insecure IoT Devices and Roadside Systems

The Internet of Things (IoT) has come to highway infrastructure in the form of networked cameras, weather sensors, traffic counters, digital signage, connected toll booths, and more. These devices provide critical functions – monitoring traffic and road conditions, informing drivers via electronic signs, automating toll payments – but they can be rife with vulnerabilities. Many roadside IoT devices were designed primarily for robustness and ease of maintenance, not hardened against cyber intrusions. They often have limited computing power (making it hard to add heavy security measures) and may run outdated embedded software. If not properly configured, such devices can become entry points for attackers to get into a highway’s broader network.

One dramatic example came in Michigan in 2014, when security researchers demonstrated how easily a city’s traffic lights could be hacked. With permission from a local road agency, a University of Michigan team led by Dr. J. Alex Halderman used a laptop and an off-the-shelf radio transmitter to break into and control over 100 wirelessly networked traffic signal controllers. The exploit was shockingly straightforward: the traffic controllers were communicating over an unencrypted radio link in the 5.8 GHz band, using default factory-set usernames and passwords. By eavesdropping on the wireless traffic, the researchers obtained the credentials (which were the same for many controllers) and then were able to send unauthorized commands to manipulate the traffic lights. In a real attack, such manipulation could snarl traffic or create dangerous conflicts at intersections (though safety fail-safes would prevent outright green-green collisions). The Michigan experiment underscores how weak IoT security – open radios, default passwords – can make critical infrastructure “terrifyingly easy” to hack.

Many highway agencies have since audited and updated their traffic signal systems (for instance, changing default credentials and adding encryption to wireless links) in response to findings like these. Yet, the issue is far from solved. Recent assessments still turn up highway IoT devices reachable from the public internet or lacking basic authentication. In the United States, the Department of Homeland Security has warned that transportation systems are highly complex and “open to a vastly larger number of potential cyber threats” as they integrate more networked technology. Even digital highway signs – the electronic message boards that display alerts or travel times – have been targets of tampering. There have been multiple reports of pranksters hacking into roadside signs (often via default passwords or physical access) to display humorous or political messages. While those incidents were relatively benign, they highlight that poorly secured roadside units can be hijacked, undermining public trust in official highway information and potentially causing distractions or misinformation.

Beyond signals and signs, consider other IoT elements: weather and environmental sensors along highways could be manipulated to feed false data (e.g. not detecting ice when it’s actually present, or vice versa), weigh-in-motion stations for trucks could be tricked into misreporting loads, and smart street lighting or tunnel ventilation controls could be turned on/off at the wrong times. Each of these represents a cyber-physical danger if abused. In one hypothetical scenario explored by researchers, an attacker who compromises a network of sensor stations could create a fake fog or accident report that triggers automated systems to lower speed limits on a freeway unnecessarily, causing congestion and possibly secondary accidents. In another scenario, malware on a field device could serve as a foothold to pivot into a traffic management centre’s network, similar to how HVAC systems were the weak link in some past corporate breaches.

The industry is responding by tightening procurement requirements for highway electronics (vendors are now often asked to meet specific cybersecurity standards) and by segmenting networks so that even if a field device is compromised, it can’t directly access control centre crown jewels. Nonetheless, securing thousands of distributed devices remains a formidable challenge, especially as legacy equipment (with legacy weaknesses) may remain in service for years. It only takes one neglected sensor with an open port for an attacker to get a foot in the door.
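
The weaknesses described in this section (default or shared logins, unencrypted radio links, missing authentication, devices sitting outside the segmented field network) can be checked across a device inventory. The audit below is an added example, not code from any agency or vendor; the device IDs, addresses, logins, default-login list and internal network range are all constructed assumptions.

```python
import hashlib
import ipaddress
from collections import defaultdict

# Assumed vendor default logins (constructed for this example).
DEFAULT_LOGINS = [("admin", "admin"), ("root", "root"), ("admin", "1234")]
# Assumed address space of the agency's internal field-device network.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def fingerprint(user, password):
    """Unsalted digest of a login, used only to compare logins for equality."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


DEFAULT_FPS = {fingerprint(u, p) for u, p in DEFAULT_LOGINS}


def device(dev_id, kind, mgmt_ip, login, wireless, encrypted):
    """Build one inventory record; login is (user, password) or None."""
    return {
        "id": dev_id,
        "kind": kind,
        "mgmt_ip": mgmt_ip,
        "cred_fp": fingerprint(*login) if login else None,
        "wireless": wireless,
        "link_encrypted": encrypted,
    }


# Constructed inventory: hypothetical device IDs, addresses and logins.
INVENTORY = [
    device("sig-001", "signal controller", "10.20.1.11", ("admin", "admin"), True, False),
    device("sig-002", "signal controller", "10.20.1.12", ("admin", "admin"), True, False),
    device("vms-014", "message sign", "203.0.113.7", ("ops", "T7!unique-A"), False, False),
    device("cam-101", "traffic camera", "10.20.4.5", None, False, False),
    device("rwis-03", "weather sensor", "10.20.9.3", ("svc", "x9#unique-B"), True, True),
]


def audit(inventory):
    """Return {device id: [finding, ...]} for the weaknesses named above."""
    holders = defaultdict(list)
    for dev in inventory:
        if dev["cred_fp"]:
            holders[dev["cred_fp"]].append(dev["id"])

    report = {}
    for dev in inventory:
        findings = []
        fp = dev["cred_fp"]
        if fp is None:
            findings.append("NO_AUTHENTICATION")
        else:
            if fp in DEFAULT_FPS:
                findings.append("DEFAULT_CREDENTIAL")
            if len(holders[fp]) > 1:
                # One captured login would open every device in this group.
                findings.append("SHARED_CREDENTIAL")
        if dev["wireless"] and not dev["link_encrypted"]:
            findings.append("UNENCRYPTED_WIRELESS")
        addr = ipaddress.ip_address(dev["mgmt_ip"])
        if not any(addr in net for net in INTERNAL_NETS):
            findings.append("MGMT_OUTSIDE_INTERNAL_NET")
        report[dev["id"]] = findings
    return report


def remediation_order(report):
    """Device ids with findings, most findings first, ties broken by id."""
    flagged = [d for d, f in report.items() if f]
    return sorted(flagged, key=lambda d: (-len(report[d]), d))


if __name__ == "__main__":
    result = audit(INVENTORY)
    for dev_id in remediation_order(result):
        print(dev_id, ", ".join(result[dev_id]))
```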

Attacks on Traffic Management Centres and SCADA Systems

Closely related to IoT vulnerabilities are threats to the central control systems that manage highway infrastructure. Large highway networks are run by Traffic Management Centres (TMCs) staffed by engineers and equipped with supervisory control and data acquisition (SCADA) systems that issue commands to field devices (changing signal timings, activating message boards, etc.). These systems are essentially the “brains” of smart highways. If an attacker can infiltrate a TMC’s network – whether through an exposed server, phishing an employee, or exploiting a connection from a contractor – they may gain the ability to send malicious commands or disrupt the control software.

So far, most publicly known cyber incidents impacting highway authorities have targeted their IT systems (like business networks or databases) rather than the real-time control systems. In fact, ENISA observed that “the majority of attacks on the transport sector target IT systems,” with operational technology rarely directly hit. Often the outcome is that certain services (e.g. a public travel information website or an internal email system) go down without immediately endangering drivers. For example, when the Colorado Department of Transportation was infected by ransomware in 2018, over 2,000 of the agency’s computers had to be shut down as the malware spread. Fortunately, “the critical systems used to manage road traffic and alerts were not affected” in that case, thanks to quick isolation and perhaps network separation. The attackers encrypted files on administrative PCs and demanded bitcoin, but Colorado DOT, backed by robust backups, refused to pay and was able to restore systems with help from state IT and the FBI. The incident still caused days of disruption to the agency’s routine operations and absorbed substantial resources to remediate, but highway signs and signals continued working normally.

Experts caution, however, that attacks bleeding into OT systems are a looming risk. In 2022, a sobering demonstration by researchers Yiheng Feng et al. showed how falsified data injections in a traffic control system could cripple urban mobility. By modelling various cyberattack scenarios on a city’s intersection network, they found that an attacker who jams just 14% of intersections or manipulates 10% of connected cars could trigger gridlock where half of all routes become inaccessible. Even smaller-scale attacks caused significant knock-on delays by forcing detours and effectively “fragmenting” the road network. Imagine, for instance, malware that simultaneously switches dozens of traffic lights to flashing red or disables them – emergency vehicles could get stuck, and cascading congestion could take hours to unravel. Unlike a localized power outage (to which traffic lights fail-safe by flashing red), a cyber-induced disruption could be coordinated to maximize chaos across many nodes.

Real-world incidents have come close to this worst-case territory. In April 2020, during the Second Nagorno-Karabakh war, Azerbaijan reportedly experienced mysterious disruptions to transportation networks. Notably, in 2022 and 2023, hacktivist groups sympathetic to one side of the Russia-Ukraine conflict launched waves of DDoS (distributed denial-of-service) attacks against European transport infrastructure, including road authorities’ public websites and highway toll payment systems. While DDoS floods (overwhelming servers with traffic) are not as sophisticated as infiltration attacks, they still caused operational headaches and denial of online services (for example, drivers being unable to top-up their electronic toll accounts or get real-time traffic info). These incidents underline that transport infrastructure has entered the crosshairs of geopolitically motivated hackers, not just profit-driven criminals.

Worse, in July 2021, a cyber attack in Iran paralyzed the national railway system, stranding trains and defacing digital station signs to post fake messages about delays. The attackers boldly posted the phone number of the Supreme Leader’s office as the help line for frustrated passengers. Though this was a rail system, one can draw parallels to highways: an attack on an interconnected highway traffic control system could likewise cause massive jams and confusion, and even be used to spread disinformation or sow panic (imagine highway message boards displaying “Evacuate City Now” when no evacuation is needed – a frightening thought). The Iranian rail attack turned out to be a destructive wiper malware (dubbed “Meteor”) that effectively locked up control of switches and signs. It was a politically charged act of sabotage under the guise of a prank. It shows that cyber attacks on transport can transcend financial motives and become tools of chaos or coercion.

Considering these trends, highway agencies are bolstering defences for their control systems. Many are implementing intrusion detection systems (IDS) specialized for SCADA/ICS networks, segmenting IT and OT networks with strict gateways, and conducting regular cyber drills. Some have created “dark site” TMC backups – alternate control centres that can be activated if the primary is compromised. The encouraging news so far is that there have been no publicly disclosed cases of hackers causing traffic accidents or large-scale highway failures via cyberattack as of 2025. The defensive measures and safety redundancies built into these systems (e.g. traffic lights have fail-safes that default to a safe mode) provide resilience. However, experts warn that ransomware groups may increasingly target OT operations in the future, and nation-state attackers probing critical infrastructure could eventually find weaknesses. As one U.S. researcher put it, “Understanding which attack vectors could generate strategic, real-world consequences remains vital to allocating resources and building resiliency”. In other words, transport operators must continuously analyse where an attacker could do the most damage and prioritize securing those pathways.

Highways Held Hostage

If one threat has dominated critical infrastructure cybersecurity in recent years, it is ransomware – malware that encrypts an organization’s data or systems and demands payment for restoration. The highways sector has not been spared. Cybercriminal groups have found government agencies and infrastructure operators to be tempting targets, often betting that the urgency to restore services will pressure victims into paying.

ENISA’s analysis confirms that across all modes of transport, ransomware surged to become the number one threat in 2022, accounting for 25% of transport cyber incidents that year (up from 13% in 2021). For road transport specifically, ENISA reports ransomware as the predominant threat at 43% of incidents, well ahead of other threat types.

We’ve already discussed the Colorado DOT SamSam attack, which fortunately did not impact live traffic operations. But other cases internationally have had more direct effects:

  • In Malaysia, a ransomware attack on one of the country’s major expressway operators in late 2020 was a wake-up call. According to a case study by the operator PLUS Malaysia, a “peer organization” was hit by ransomware, leading to “operational disruptions and revenue loss” and even a temporary standstill of highway services. Commuters and logistics were affected as toll collection systems went offline and the operator struggled to maintain normal traffic management. The incident “underscored the critical nature of uninterrupted operations” for highways, in the words of PLUS Malaysia’s Chief Technology Officer. It spurred PLUS to invest heavily in cyber defences (such as immutable backups and incident response tools) to avoid a similar fate.
  • In Australia, toll road conglomerate Transurban reported in 2023 that it had repelled a ransomware attempt targeting its corporate IT – part of a broader wave of attacks on transportation and logistics companies in the region. Meanwhile, the Australian freight company Toll Group (despite the name, unrelated to toll roads) suffered two ransomware incidents in 2020 (the Mailto/Netwalker and Nefilim strains) that disrupted its trucking and delivery operations for weeks. Though not highway operators per se, these examples increased awareness in the road transport community about ransomware risk.
  • In Europe, a clear example occurred in Italy in 2018 when the city of Genova’s mobility department was hit by ransomware that took down some traffic camera and permit systems. And in the UK, local councils (some of which manage traffic lights and CCTV) have been struck by ransomware, occasionally affecting their traffic control capabilities.

Beyond direct infrastructure operators, the automotive industry and smart mobility ecosystem have seen a rash of ransomware. Upstream, an automotive cybersecurity firm, documented over 108 ransomware attacks on automotive and mobility targets in 2024 alone, a huge increase that included incidents at parts manufacturers, dealerships, and fleet management companies. One particularly impactful case was a June 2024 attack on CDK Global, a software provider for auto dealerships, which halted operations for 15,000 dealerships and was estimated to cost over $1 billion in losses. While that did not directly stop highway systems, it shows the ripple effect – if dealerships and fleets are paralyzed, vehicles don’t get serviced or delivered, indirectly affecting transportation. Upstream’s CEO, Yoav Levy, observes that “mobility-specific ransomware attacks [have] surged, causing unprecedented disruptions,” and attackers are shifting to “large-scale, sophisticated and AI-powered methods” that target not only vehicles but also interconnected systems like EV charging networks and telematics platforms.

Within highway authorities, ransomware often enters through mundane avenues like a phishing email or an exposed Remote Desktop server, then spreads laterally. It might encrypt file servers, databases, and office PCs – crippling administrative functions and information services. If it reaches control systems, it could force an agency to revert to manual operations or safety fallback modes. Imagine state DOT personnel suddenly losing access to the computerized signal coordination plans and having to manage an entire region’s traffic with little more than phones and radios – rush hour would not be pretty. Ransomware can also threaten the compromise of sensitive data (extortion via leaking stolen data is now common). A transportation agency might hold personal data on employees or drivers (e.g. toll customer info) that, if leaked, raises legal and privacy issues.

The financial and safety implications push agencies to treat ransomware as a disaster scenario on par with snowstorms or earthquakes. Some have likened their ransomware preparedness to an “all-hazards” emergency plan: have backups, have manual fallback procedures, rehearse the incident response, coordinate with law enforcement. “We have no intention of paying,” asserted Colorado’s tech chief during the SamSam incident, emphasizing robust backups and multi-agency response. Indeed, paying attackers is discouraged (and often illegal if the group is sanctioned); instead, the focus is on resilience so that systems can be restored without capitulation. Still, every agency faces the reality that cybercriminals are continually probing for weaknesses. ENISA noted that cybercrime groups (motivated by profit) account for over half of transport attacks. Many of these groups share tactics, techniques, and even code with those hitting hospitals or banks – meaning transport must be equally vigilant.

The trend doesn’t show signs of slowing. If anything, hackers are eyeing the OT side more boldly. In one instance that blurred the lines between IT and OT, a Belarusian hacktivist group in 2022 deployed ransomware against the country’s railway system to disrupt troop movements, demonstrating that ransomware isn’t just a criminals’ tool – it can be weaponized for activism or sabotage. Though that attack was politically motivated, it used the same encryption-and-extortion model. ENISA warns that hacktivists may increasingly adopt ransomware techniques because of the high impact and publicity it brings. Highway agencies, especially those in the public sector, might become targets of such ideologically driven ransomware if, for example, activists sought to protest a policy by causing gridlock or embarrassing the government. It’s a chilling prospect that extends the ransomware issue from one of mere “IT downtime” to one of public order and safety.

Connected Vehicles and V2X Vulnerabilities

No discussion of highway cybersecurity is complete without addressing the vehicles themselves – which are effectively moving network nodes in the smart highway environment. Today’s cars, trucks, and buses are often described as “computers on wheels,” brimming with electronic control units (ECUs) and wireless interfaces. Many new vehicles feature telematics systems (connecting to manufacturer or fleet servers), smartphone integration, over-the-air update capabilities, and in some cases, dedicated short-range communications (DSRC) or cellular V2X radios for communicating with infrastructure and other cars. This connectivity brings tremendous convenience and safety features but also makes vehicles part of the overall threat surface of road transportation.

In 2015, a watershed moment occurred that awakened the auto industry to cyber risks: the remote hack of a Jeep Cherokee by researchers Charlie Miller and Chris Valasek. By exploiting a vulnerability in the vehicle’s Uconnect infotainment system, they were able to send commands through the CAN bus to disable the transmission and brakes of the Jeep while it was driving, all from a laptop 10 miles away. The demonstration, publicized via Wired magazine, led to Fiat Chrysler recalling 1.4 million vehicles for a software update to patch the flaw. It was a dramatic illustration that connected cars could be remotely compromised in ways that have direct physical consequences on highways – such as a vehicle suddenly stopping on a busy interstate. Not long after, other researchers showed they could spoof sensors on Teslas, and a group in China (Keen Security Lab) demonstrated multi-step exploits to influence steering in a BMW and Tesla under certain conditions. While these were all researcher-driven and not malicious, they proved that determined attackers could find ways to manipulate connected vehicles.

For the highway ecosystem, a hacked vehicle isn’t just a risk to its occupants, but to everyone around it. A single rogue vehicle on a highway – whether caused by hacking or a technical malfunction – can trigger multi-car accidents. Now imagine a coordinated attack on dozens of connected cars at once: the havoc could be enormous. Upstream’s 2025 report highlighted that nearly 50% of cyberattacks in the past year on the automotive sector targeted vehicle telematics or infotainment systems, and 92% of attacks could be executed remotely (with 85% requiring no physical proximity). These statistics imply that hackers aim to compromise vehicles from afar (through internet-connected interfaces), and often across borders. In one 2022 incident, a young security researcher hacked into 25 Tesla vehicles in 13 countries by exploiting flaws in a third-party open-source logging tool; he managed to remotely turn on vehicles’ heating and sound systems (nothing safety-critical) and responsibly disclosed the issue. Tesla quickly fixed that bug, but it showed how even vehicles from a generally security-savvy manufacturer could be indirectly affected via the broader app ecosystem.

Beyond direct “car hacking,” there are concerns around the Vehicle-to-Everything (V2X) communications being rolled out to enable cooperative safety systems. V2X includes vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) messaging, such as Basic Safety Messages (BSM) transmitted 10 times a second to share a car’s position and speed, or signal phase and timing (SPaT) messages from a smart traffic light to approaching cars. The integrity and authenticity of these messages is paramount – a corrupted or fake message could, for example, mislead a car into thinking another vehicle is braking when it isn’t, or that an intersection’s light is green when it’s actually red. Recognizing this, the USDOT from the outset applied “security by design” principles to V2X communications, establishing a Security Credential Management System (SCMS) to issue digital certificates for V2X messages. This SCMS essentially acts as a notary (to use Brian Cronin’s analogy) to ensure that vehicles can trust the messages they receive. Certificates and signatures validate that a message (like “Car ahead is braking”) really comes from a legitimate source and hasn’t been tampered with.

However, implementing security is one thing; ensuring it’s foolproof is another. Researchers have already explored possible attacks like GPS spoofing of connected autonomous vehicles (making a vehicle think it’s in a different location) or jamming V2X signals. There’s also the worry of insider threats – if someone obtained the private signing keys for V2X messages (from a vehicle OEM or the SCMS itself), they could potentially inject “ghost” messages into the network. The good news is that V2X deployments are still in early stages and heavily pilot-tested, giving engineers time to iron out vulnerabilities. As Cronin, the ITS JPO Director, emphasized, “authentic, trusted communication is essential to V2X… a security system is critical to ensure that these technologies and the information they provide can be trusted.” Pilot programs, such as those in New York City and Tampa, have stood up functioning SCMS prototypes with multiple vendors to ensure interoperability and security in certificate exchange. In Europe, a similar concept – the European C-ITS Credential Management System (CCMS) – is being deployed to manage trust for connected vehicle services.
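
A valid signature shows who signed a message, not that its content is physically plausible, so a receiver can layer freshness and motion checks on top of certificate validation to catch replayed messages and position jumps of the kind a spoofed GPS fix or a "ghost" sender would produce. The filter below is an added example, not code from USDOT, the SCMS or any vendor; the field names, thresholds and the `sig_ok` flag (standing in for upstream signature verification) are assumptions, and the message stream is constructed.

```python
import math

MAX_AGE_S = 0.5            # assumed freshness window (BSMs are sent every 0.1 s)
MAX_SPEED_ERR_MPS = 15.0   # assumed tolerance, implied vs. reported speed
EARTH_RADIUS_M = 6371000.0


def distance_m(lat1, lon1, lat2, lon2):
    """Equirectangular distance; adequate for the metres between two BSMs."""
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    y = math.radians(lat2 - lat1)
    return EARTH_RADIUS_M * math.hypot(x, y)


class BsmFilter:
    """Per-sender acceptance checks applied after signature verification."""

    def __init__(self):
        self.last = {}  # sender id -> last accepted message

    def check(self, msg, now):
        """Return 'accepted' or the reason the message is rejected."""
        if not msg["sig_ok"]:
            return "bad-signature"
        # Judge the certificate against the receiver's clock, not the
        # sender-supplied timestamp.
        if not msg["cert_not_before"] <= now <= msg["cert_not_after"]:
            return "cert-not-valid"
        if abs(now - msg["t"]) > MAX_AGE_S:
            return "stale"
        prev = self.last.get(msg["sender"])
        if prev is not None:
            dt = msg["t"] - prev["t"]
            if dt <= 0:
                return "replay"
            implied = distance_m(prev["lat"], prev["lon"],
                                 msg["lat"], msg["lon"]) / dt
            expected = (prev["speed_mps"] + msg["speed_mps"]) / 2
            if abs(implied - expected) > MAX_SPEED_ERR_MPS:
                return "implausible-motion"
        # Only accepted messages become the reference for the next check.
        self.last[msg["sender"]] = msg
        return "accepted"


def bsm(t, lat, sig_ok=True, cert_not_after=1e9):
    """Constructed message: hypothetical sender veh-A heading north at 30 m/s."""
    return {"sender": "veh-A", "t": t, "lat": lat, "lon": -83.74,
            "speed_mps": 30.0, "sig_ok": sig_ok,
            "cert_not_before": 0.0, "cert_not_after": cert_not_after}


def run_demo():
    first = bsm(100.0, 42.280000)
    fourth = bsm(100.3, 42.280081)
    stream = [  # (message, receive time in seconds), all constructed
        (first, 100.02),
        (bsm(100.1, 42.280027), 100.12),
        (bsm(100.2, 42.283600), 100.22),   # roughly 400 m jump in 0.1 s
        (fourth, 100.32),
        (fourth, 100.33),                  # duplicate inside the freshness window
        (bsm(100.5, 42.280135, cert_not_after=100.0), 100.52),
        (bsm(100.6, 42.280162, sig_ok=False), 100.62),
        (first, 101.00),                   # old message replayed later
    ]
    flt = BsmFilter()
    return [flt.check(msg, now) for msg, now in stream]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```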

Still, connected vehicle security must extend beyond just V2X messages. Modern vehicles have over 100 million lines of code and dozens of interconnected subsystems; securing them is as complex as securing a corporate IT environment, if not more. There is progress: global regulations now mandate cybersecurity for new vehicles (discussed later under UNECE WP.29), and automakers have formed the Auto-ISAC to share threat intelligence. Many automakers offer bug bounty programs inviting hackers to report vulnerabilities ethically. But as vehicles increasingly become part of the “edge” of highway networks, highway agencies find themselves needing to consider vehicle security in their threat models. For example, if a certain model of connected car has a known vulnerability that could cause erratic behaviour, highway operators might need a way to detect and manage such an event on their roads (perhaps through geo-fencing or advisories).

A related aspect is fleet cybersecurity – trucks, buses, and emergency vehicles that are critical to highway operations. JJ Eden, executive director of the North Carolina Turnpike Authority, noted in mid-2024 that attacks on high-value vehicle fleets had more than doubled in the last year and that a significant portion targeted fleet telematics systems, often executed remotely across borders. Fleet operators like trucking companies have been hit by ransomware and malware aiming to disrupt logistics. On highways, if a logistics company’s dispatch and tracking systems are frozen, the trucks still move but the situational awareness (and perhaps safety oversight like electronic logging) is lost. There have even been instances of hackers attempting to seize control of trucking fleet GPS trackers to spoof locations – essentially cyber-hijacking trucks for theft. All these scenarios connect back to highway infrastructure in that the vehicles traversing the roads can be either targets or unwitting weapons in cyber incidents.

In summary, vehicle cybersecurity and highway infrastructure cybersecurity are two sides of the same coin in a connected transport ecosystem. A weakness in one can impact the other. The automotive sector is investing heavily in hardening vehicles (with standards like ISO/SAE 21434 for design), but the work is ongoing. For those managing highways, it will be crucial to collaborate with vehicle manufacturers and to ensure that roadside systems (like RSUs – Roadside Units for V2X) are just as secure as the vehicles they communicate with.

GPS Jamming and Spoofing

Modern transportation is highly reliant on the Global Positioning System (GPS) and other satellite navigation constellations for positioning, navigation, and timing. On highways, GPS underpins not only in-car navigation apps that drivers love, but also systems like fleet tracking, electronic toll collection (for distance-based tolling), and future road user charging schemes. Even some intelligent speed assistance systems and crash-notification services lean on GPS. This makes GPS a tempting target for attackers – especially because GPS signals are weak and unencrypted, making them relatively easy to interfere with.

Two main types of GPS-focused attacks are jamming and spoofing. Jamming involves flooding the local area with noise or signals on the GPS frequency to prevent receivers from getting a lock. Spoofing is more insidious: it involves broadcasting false GPS signals that receivers lock onto, thereby feeding them incorrect position or time information.

We’ve seen a proliferation of cheap GPS jamming devices (illegal to use in most countries, but unfortunately easy to buy). In the UK, for instance, studies by the Sentinel Project revealed alarming levels of GPS jamming on the roads. Many incidents were traced to truck or van drivers using cigarette-lighter jammers to evade tracking by their employers while moonlighting. One survey found thousands of GPS jamming events in the UK over a six-month period; at one major airport (London Heathrow), as many as 100 jamming incidents per day were recorded, likely caused by passing vehicles on nearby motorways using jammers. These portable jammers create a 100- to 300-meter “bubble” around the vehicle where GPS signals are knocked out. While the trucker might succeed in hiding from their dispatcher, the collateral damage is that any other GPS-dependent device in that bubble – be it another car’s nav system or, critically, systems at sensitive facilities like airports – can be disrupted. In a notorious 2013 case, a New Jersey truck driver’s GPS jammer used to dodge his boss ended up interfering with the landing guidance system at Newark Airport; he was caught and fined $32,000 by the FCC. This incident underscores the risk that common, small-scale jamming on highways can spill into much bigger problems if near critical infrastructure.

GPS spoofing, on the other hand, has been observed more in military or high-stakes contexts, but could potentially affect civilian transport. During 2022, amid geopolitical conflicts, incidents of GPS spoofing spiked 500% (particularly affecting aviation in conflict-adjacent areas). Commercial ships have also reported being misled by spoofed GPS signals in certain regions (for example, in the Black Sea and near some ports). For road vehicles, a spoofing attack could, in theory, cause navigation systems to redirect traffic erroneously or even cause an autonomous vehicle to take a dangerous route. One researcher demonstrated a devious concept: placing a spoofing device in a specific location to make all map apps think a road is congested (by manipulating time signals), thereby diverting traffic away – essentially a fake traffic jam. In a lighter vein, an artist in Berlin once did the inverse by pulling a wagon of 99 phones running Google Maps to create a “virtual traffic jam” on empty streets. While that was an art project and not a hack, it revealed how manipulation of location-based data can influence driver behaviour at scale.

For connected and autonomous vehicles, GPS integrity is even more important. If an autonomous truck’s GPS feed is spoofed to believe it’s 50 meters to the left, it might swerve to re-centre itself on a phantom lane. Recognizing this, researchers are developing multi-sensor fusion and anomaly detection to catch inconsistencies (e.g., cross-checking GPS against camera and lidar data). But these are complex systems still being perfected.

Highway operators are concerned about GPS attacks for another reason: tolling and road pricing systems. Several countries use GNSS (GPS) to track vehicles for distance-based tolling (e.g., truck tolling in Germany and Slovakia). If a truck runs a jammer, it could avoid tolls by effectively disappearing from the tracking system – essentially electronic toll evasion. This is one motivator behind UK authorities investing in anti-jam technology. They have been testing “detect and mitigate” setups – for instance, deploying sensors that can pick up jamming devices (like the Chronos Technology project which identifies the RF signature of jammers). Additionally, advancements such as Controlled Reception Pattern Antennas (CRPA) can allow GPS receivers to resist jamming by focusing on legitimate satellite signals and nullifying others. For spoofing, techniques like checking against encrypted GPS signals (when available) or using regional augmentation systems help.
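A minimal version of the consistency checking discussed above, as an added example that is not part of the original article: it compares each GNSS fix with the wheel odometer and flags a position jump the wheels cannot explain (a spoofing indicator) and a loss of fix while the vehicle keeps moving (the jammer signature that matters for distance-based tolling). The thresholds, data layout, reference coordinates and sample tracks are constructed assumptions, and odometry stands in here for the camera and lidar cross-checks.

```python
"""Cross-check GNSS fixes against wheel odometry. All sample data is constructed."""
import math
from dataclasses import dataclass
from typing import NamedTuple, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0
BASE_LAT, BASE_LON = 51.5, -0.45   # constructed reference point, not from the article


@dataclass
class Sample:
    t: float                             # seconds since start of trip
    odo_m: float                         # cumulative wheel-odometer distance, metres
    fix: Optional[Tuple[float, float]]   # (lat, lon) in degrees; None = no GNSS fix


class Alert(NamedTuple):
    t: float
    kind: str      # "POSITION_JUMP" or "OUTAGE_WHILE_MOVING"
    detail: str


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def offset_fix(north_m, east_m):
    """(lat, lon) located north_m / east_m metres from the reference point."""
    lat = BASE_LAT + math.degrees(north_m / EARTH_RADIUS_M)
    lon = BASE_LON + math.degrees(
        east_m / (EARTH_RADIUS_M * math.cos(math.radians(BASE_LAT))))
    return (lat, lon)


def check_track(samples, jump_margin_m=15.0, odo_error_frac=0.02, outage_min_m=200.0):
    """Return alerts for one vehicle's time-ordered samples.

    POSITION_JUMP: the straight-line distance between two consecutive fixes can
    never exceed the distance the wheels rolled; if it does (beyond the assumed
    GNSS and odometer error), the reported position is not trustworthy.
    OUTAGE_WHILE_MOVING: the odometer advanced by outage_min_m or more while no
    fix was available. A parked vehicle in a garage does not trigger it.
    """
    alerts = []
    last_fix = None     # most recent sample that carried a fix
    dark_since = None   # sample from which the current no-fix run is measured
    for s in samples:
        if s.fix is None:
            if dark_since is None:
                dark_since = last_fix if last_fix is not None else s
            continue
        if dark_since is not None:          # fix is back: how far did we drive blind?
            driven = s.odo_m - dark_since.odo_m
            if driven >= outage_min_m:
                alerts.append(Alert(s.t, "OUTAGE_WHILE_MOVING",
                                    f"{driven:.0f} m driven without a fix"))
            dark_since = None
        if last_fix is not None:
            straight = haversine_m(last_fix.fix, s.fix)
            driven = s.odo_m - last_fix.odo_m
            if straight > driven * (1 + odo_error_frac) + jump_margin_m:
                alerts.append(Alert(s.t, "POSITION_JUMP",
                                    f"fix moved {straight:.1f} m, wheels {driven:.1f} m"))
        last_fix = s
    if dark_since is not None:              # track ends while still without a fix
        driven = samples[-1].odo_m - dark_since.odo_m
        if driven >= outage_min_m:
            alerts.append(Alert(samples[-1].t, "OUTAGE_WHILE_MOVING",
                                f"{driven:.0f} m driven without a fix"))
    return alerts


def make_track(points, speed=25.0):
    """Constructed track: vehicle heads north at `speed` m/s.
    points = [(t, east_offset_m or None)], None meaning no fix at that second."""
    return [Sample(t, speed * t, None if east is None else offset_fix(speed * t, east))
            for t, east in points]


# Constructed: reported position shifts 50 m sideways at t=3 and stays there.
SPOOFED = make_track([(0, 0), (1, 0), (2, 0), (3, 50), (4, 50), (5, 50)])
# Constructed: fix lost for ten seconds at 25 m/s, then regained.
JAMMED = make_track([(0, 0), (1, 0), (2, 0)] + [(t, None) for t in range(3, 13)] + [(13, 0)])
# Constructed: parked vehicle loses its fix (e.g. indoors); wheels do not turn.
PARKED = make_track([(0, 0)] + [(t, None) for t in range(1, 11)], speed=0.0)

if __name__ == "__main__":
    for name, track in (("spoofed", SPOOFED), ("jammed", JAMMED), ("parked", PARKED)):
        print(name, check_track(track))
```

A spoofer that drags the reported position away slowly stays inside the margin, so a check like this complements the multi-sensor fusion described above rather than replacing it.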

It’s worth noting that beyond deliberate attacks, natural or accidental events also threaten GPS – like solar flares or multipath interference in urban canyons. So building resilience (backup navigation methods, inertial systems, terrestrial radio navigation like eLoran, etc.) is part of the broader strategy, which conveniently also helps against deliberate jamming/spoofing.

In summary, GPS disruption is a real threat to highways in the sense that it can cause anything from annoying navigation glitches to serious safety or economic impacts. It’s a type of attack that doesn’t require hacking into systems – it simply exploits the physics of wireless signals. That makes it attractive to non-technical actors (even organized crime or low-level vandals). Highway authorities, especially those managing critical corridors and freight routes, are starting to treat GPS integrity as a critical part of their security posture. Some have begun deploying GPS interference monitoring along major highways and sharing data with national cybersecurity centres. As automated and connected vehicles increase, expect to see even more attention on securing the positioning and timing aspect of our transport systems.

Supply Chain and Insider Threats

While external cyberattacks grab most headlines, insiders and supply chain weaknesses can be equally dangerous for highway infrastructure. “Insider threats” might include a disgruntled employee of a transport agency or contractor abusing their access, or simply well-meaning staff making security errors. Supply chain threats involve attackers targeting a third-party that provides software or equipment to highway systems – for instance, infecting a traffic software update or compromising a contractor’s laptop used on the TMC network.

A classic insider-type incident occurred in Los Angeles in 2006, when during a labour dispute, two city traffic engineers went rogue and sabotaged the timing of signals at several critical intersections by accessing the system after hours. They managed to cause massive congestion before being caught. That was more of an old-fashioned insider incident (no malware, just misuse of legitimate access), but it underscores the damage an insider with knowledge can do. Nowadays, an insider with IT privileges could, say, introduce malware via a USB drive into a supposedly isolated traffic control network (sometimes called “USB bingo” in ICS security). Highways agencies therefore implement measures like background checks, role-based access control, and technical controls (disable USB ports, monitoring of admin actions) to mitigate insider risk.

The supply chain angle was vividly highlighted by the SolarWinds hack (where attackers compromised a widely used network management tool’s update and thus infiltrated thousands of organizations in 2020). One lesser-known victim in that campaign was reportedly a U.S. local transit authority – illustrating that transportation wasn’t exempt. For highways, supply chain concerns include: could an attacker backdoor the firmware of a traffic camera or sensor during manufacturing? Could a popular traffic management software have an undiscovered vulnerability planted by someone? These scenarios are not far-fetched – in 2015, a Polish student famously modified train switching equipment software causing a local rail disruption. One can imagine a motivated adversary compromising a vendor who supplies many highway agencies globally with, say, tunnel SCADA software or electronic road sign controllers.

To counter this, there’s an increasing emphasis on procurement security requirements – highway agencies are asking vendors to adhere to standards like ISO 27001 (information security management) and IEC 62443 (secure design for industrial control systems) in their products. Some governments require a “cybersecurity certification” for any system going into critical infrastructure. For example, Green Hills Software proudly announced in 2024 that its automotive platform received a cybersecurity compliance certificate, which will give road operators more confidence in deploying it. This trend is essentially extending the concept of “trust but verify” into the supply chain.

Another supply chain risk is with third-party service providers – e.g., the IT company that manages the highway agency’s network, or the construction firm that installs the smart sensors. If those companies are compromised, attackers might ride in on the trusted connections. This is how the 2017 NotPetya attack spread – via an accounting software used by many businesses in Ukraine. A similar fear in highways: an attacker could target a small traffic engineering consultancy knowing it has VPN access into multiple city traffic systems for maintenance, then use that access to inject malware.

Thus, highway agencies are embracing practices like reviewing supply chain cyber risks, limiting third-party access privileges, and monitoring for anomalous activity even from “trusted” accounts. In the U.S., CISA’s guidelines for critical infrastructure emphasize verifying the security of vendors and sharing threat information about compromised suppliers. In Europe, the NIS2 Directive explicitly requires essential entities (including transport) to address supply chain cybersecurity in their risk management.
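The monitoring of “trusted” accounts described above, covering both the after-hours insider case and the vendor with VPN access into traffic systems, as an added example that is not part of the original article. The log format, account names, host names, addresses and policy table are constructed for illustration, and the access windows are assumed to be in UTC.

```python
"""Review remote-access logins against a per-account scope and time window."""
import re
from datetime import datetime, time

# Constructed log format: "<UTC timestamp> <gateway> login user=<u> src=<ip> dest=<host>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dest=(?P<dest>\S+)$")

# Constructed policy: which hosts each account may reach, and when (UTC).
POLICY = {
    # Vendor account: one signal server, night maintenance window across midnight.
    "acme-consult": {"hosts": {"tmc-signal-01"}, "window": (time(22, 0), time(4, 0))},
    # Staff engineer: two signal servers, daytime only.
    "jdoe-eng": {"hosts": {"tmc-signal-01", "tmc-signal-02"},
                 "window": (time(7, 0), time(19, 0))},
}

# Constructed sample log (documentation-range IP addresses).
SAMPLE_LOG = """
2024-03-12T23:10:00Z vpn-gw login user=acme-consult src=203.0.113.7 dest=tmc-signal-01
2024-03-13T02:30:11Z vpn-gw login user=acme-consult src=203.0.113.7 dest=tmc-signal-01
2024-03-13T02:41:52Z vpn-gw login user=acme-consult src=203.0.113.7 dest=tunnel-scada-03
2024-03-13T09:05:00Z vpn-gw login user=jdoe-eng src=198.51.100.20 dest=tmc-signal-02
2024-03-13T23:47:30Z vpn-gw login user=jdoe-eng src=198.51.100.20 dest=tmc-signal-01
2024-03-14T01:02:03Z vpn-gw login user=temp-admin src=198.51.100.99 dest=tmc-signal-01
-- log rotated --
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def in_window(t, start, end):
    """True if time-of-day t lies in [start, end); handles windows that wrap midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def review_logins(lines, policy):
    """Return (line_number, kind, detail) findings for logins that break policy.

    Kinds: OUT_OF_SCOPE (host not approved for the account), OUTSIDE_WINDOW
    (login outside the approved hours), UNKNOWN_ACCOUNT (no policy entry) and
    UNPARSED (line could not be read, so it cannot be cleared either).
    """
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        m = LINE_RE.match(line)
        if m is None:
            findings.append((n, "UNPARSED", line))
            continue
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            findings.append((n, "UNPARSED", line))
            continue
        rule = policy.get(m["user"])
        if rule is None:
            findings.append((n, "UNKNOWN_ACCOUNT", f"{m['user']} -> {m['dest']}"))
            continue
        if m["dest"] not in rule["hosts"]:
            findings.append((n, "OUT_OF_SCOPE", f"{m['user']} -> {m['dest']}"))
        if not in_window(ts.time(), *rule["window"]):
            findings.append((n, "OUTSIDE_WINDOW", f"{m['user']} at {ts.time()}"))
    return findings


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LINES, POLICY):
        print(finding)
```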

One more insider variant to mention: physical intruders. Highways have a lot of field cabinets and control boxes often situated in plain sight along roads or at intersections. If not properly locked and monitored, an attacker could physically access these cabinets – perhaps plugging a malicious device into a network port or a USB. There have been cases of vandals or thieves opening such cabinets to steal copper or electronics; a targeted attacker could do so to plant a backdoor. Secure hardware (locks, tamper alarms) and regular inspections are thus also part of cybersecurity in this context.

Overall, the threat landscape for smart highways is multifaceted. We have script-kiddie pranksters defacing signs, organized cybercriminals deploying ransomware for profit, hacktivists and nation-state actors causing disruptive mayhem, insiders with personal motives, and systemic risks via supply chains. It’s a lot to defend against. The next sections will turn to how the industry is responding – through real incident learnings, expert insights, and the development of standards and cooperative frameworks to collectively raise the bar on highway cybersecurity.

Cyber Attacks on Transport Infrastructure

To ground the discussion in reality, let’s examine a few international case studies where cyber incidents have impacted transport and highway infrastructure. Each reveals different facets of the threat and provides lessons that have informed better security practices.

Case Study 1: Ransomware Cripples an Expressway – Malaysia, 2020

In late 2020, one of Malaysia’s largest highway operators experienced a severe wake-up call when a ransomware attack crippled a fellow expressway company’s IT systems. As described by PLUS Malaysia (the country’s biggest highway concessionaire), the unnamed peer organization was hit hard – toll collection systems went down, highway service plazas were disrupted, and even emergency response coordination was affected. The attack resulted in significant operational downtime and revenue loss, as drivers could not pay tolls electronically and backups snarled traffic. It was, in effect, a cyber-induced partial shutdown of a major transport artery.

This incident spurred PLUS Malaysia to urgently reassess its own defences. The company’s CTO described it as a “wake-up call” – highlighting vulnerabilities in transportation that perhaps hadn’t been fully appreciated until then. The aftermath saw PLUS invest in comprehensive cyber resilience measures. They deployed immutable, air-gapped backups (so that even if systems are encrypted by ransomware, data can be restored). They also implemented advanced threat detection and incident response tools, aiming to “bolster defences against cyber threats” and ensure they could recover quickly if an attack occurred.

The lesson from this case is clear: critical highway operations need strong continuity plans for cyber incidents. Even a few hours of downtime on a busy expressway has cascading effects on commerce and public mobility. By learning from their peer’s misfortune, PLUS was able to harden its systems – a reminder that information sharing and industry collaboration (even informally) are vital. Notably, PLUS did not silo this as purely an “IT issue” – the response was led from the top (CTO level) and communicated as a business risk matter, indicating a mature understanding that cybersecurity is a strategic enterprise concern.

Case Study 2: Colorado DOT Ransomware – USA, 2018

We touched on this earlier: in February 2018, the Colorado Department of Transportation (CDOT) was struck by the SamSam ransomware. What’s worth digging into is how they handled it and what was learned. The attack began when SamSam infiltrated CDOT’s network (possibly via an unsecured remote access or a vulnerable server) and started encrypting files on PCs and servers. Upon detection of unusual activity, the state’s IT team took the drastic step of shutting down over 2,000 employee computers on the CDOT network on February 21 to halt the spread. This essentially paused many of the department’s functions. However, critical road safety systems (like variable message signs and traffic signal controls) were reportedly unaffected because the state managed to isolate them in time.

CDOT, with help from Colorado’s central IT office (OIT) and cybersecurity firm partners, refused to pay the ransom and instead focused on recovery. They had robust data backups, which proved essential. Even so, restoration was not immediate – certain systems took up to a month to be fully brought back, reflecting the slow, careful work of wiping and rebuilding machines. The FBI was involved, and interestingly, not long after, the U.S. Department of Justice indicted two Iranian nationals for the SamSam attacks on various entities including CDOT. This case thus also became part of a larger story of international cybercrime.

Some key takeaways:

  • Segmentation saved the day: Colorado’s separation of its traffic management network from the general corporate network likely prevented the attackers from ever reaching the highway control systems. The attack remained an IT disruption rather than a life-safety incident. This validated investments in network architecture that limits connectivity between office IT and OT.
  • Preparedness and backups: The quote from David McCurdy, the state CTO, after the incident was instructive. He said the state’s security tools detected the ransomware early, and that they had no intention of paying ransom due to strong backups. This shows that having an incident response playbook (detect → isolate → restore) and the confidence of backups can avoid a panic response.
  • Impact on daily operations: Even though traffic signals and such were fine, employees at CDOT had to revert to manual processes for many tasks (email communications, digital records were unavailable). This underscored that a cyber incident can effectively have the same impact as, say, an office fire or natural disaster – you need a business continuity plan that might include using personal devices or alternate sites in the interim.

Colorado’s experience was widely watched by other DOTs around the country. Many state DOTs and city transport departments took it as a warning and started to allocate more budget to cybersecurity (in fact, the American Association of State Highway and Transportation Officials – AASHTO – ramped up its guidance on cyber risk after this). CDOT itself used the event to improve: they reportedly upgraded to next-gen antivirus and improved network monitoring afterward. The culture also shifted to be more cyber-aware.

Case Study 3: Hacked Traffic Lights Demonstration – USA, 2014

This is the Michigan traffic signal hacking incident discussed earlier, but it serves as a distinct case study because it had global impact on awareness. When the University of Michigan researchers published “Green Lights Forever: Analysing the Security of Traffic Infrastructure” in 2014 and coordinated it with media outreach, it suddenly made traffic engineers worldwide sit up and say, “We need to check our systems.” The researchers had effectively taken control of a live traffic system of 100 lights on a test basis. They exploited three things: an unencrypted wireless link, default credentials, and a debug port physically accessible at the street cabinet – all relatively low-hanging fruit as far as hacking goes.

The demonstration had multiple outcomes:

  • The city involved (and many others) promptly updated configurations: turning on available encryption in the wireless communication (or migrating to more secure radio units), changing all default passwords on controllers, and locking down physical cabinets better. It was an example of “ethical hacking” leading to direct remediation.
  • The U.S. Federal Highway Administration (FHWA) and NHTSA took note and included references to this in advisories. The incident became a case point in training materials about transportation cybersecurity. It helped justify new programs to fund retrofitting security into older traffic control systems.
  • Other researchers in Europe and Asia checked their local systems. It spurred a wave of academic interest in ITS security. Follow-on studies came, such as one by Chinese researchers in 2018 analysing falsified data attacks on traffic control. The cross-pollination of ideas began to form a sub-discipline of research dedicated to transport cyber-physical security.
  • Perhaps the biggest lesson: the “IoT security gap” in critical infrastructure had to be addressed. This case was often cited alongside others (like hacks of internet-connected baby monitors or CCTV cameras in the IoT realm) to push for industry-wide improvements. It partly influenced the later development of standards and best practices for intelligent transport systems security, for example, ETSI’s TS 102 941 standard for V2X security and various IEEE and ISO standards ensuring that future traffic devices have secure protocols from the get-go.

The Michigan case also had a PR angle: it communicated in simple terms to the public that “hacking traffic lights is possible if we don’t secure them.” It thus created public support for investing in upgrades (taxpayers are more willing to fund something if they understand the risk). So in an ironic way, this potentially scary hack actually yielded a positive by catalysing improvements before a malicious actor could exploit the same weaknesses.

Case Study 4: Iranian Railway Hack – Middle East, 2021

While not a highway, the July 2021 cyberattack on Iran’s railway network is worth including for its audacity and relevance to any transport system. Attackers (suspected to be hacktivists) launched a combination of IT system hacks and electronic physical disruption: they defaced the digital station schedule boards to show fake messages about train delays and cancellations, instructing riders to call the Supreme Leader’s office, and concurrently they deployed a wiper malware (dubbed Meteor) that hit the rail operations computers, causing widespread confusion and halting rail services. Passengers were stranded, and it took the rail authorities considerable time to restore normal function.

This incident is a case study in the potential convergence of cyber disruption and psychological operation. The fake messages not only inconvenienced travellers but also mocked the government, which likely intensified the sense of crisis. The reason it resonates for highways is one could imagine something similar: for example, if attackers hacked highway digital signs to display politically charged or panic-inducing messages (“Cyberattack – all roads closed! Call [politician] for info”), while also maybe attacking the traffic control systems to slow response.

What did the world learn? Critical infrastructure in a tense geopolitical environment is a prime target; and attacks may not follow the typical playbook of ransom or data theft – destructive attacks and message-sending are real tactics. For security professionals elsewhere, it reinforced the importance of protecting the integrity of public information displays (which sometimes are overlooked in threat models compared to core control systems). Many transit agencies in other countries quietly double-checked the authentication on their station display systems after this. It also highlighted the need for quick public communication strategies during cyber incidents to avoid mass panic or misinformation.

Finally, it demonstrated how a cyber incident in one domain (rail) can be a learning moment for others (like highways). The inter-city roads in Iran saw a surge in usage during the rail outage – what if those road systems had been attacked next, in a one-two punch? Cross-sector attack scenarios are something resilience planners now contemplate (e.g., if both public transit and highway ITS were hit during a major event, do we have a transportation emergency plan?).

These case studies, spanning North America, Asia, Europe, and the Middle East, each illuminate different aspects: ransomware’s disruptive power, the ease of hacking under-secured devices, the fusion of cyber and physical disruptions, and the challenges of responding under pressure. The clear theme is that cyber incidents in transport are not theoretical – they have happened, and they will happen again. The good news is that each incident has driven improvements and provided valuable lessons.

Next, we turn to insights from experts who are leading the charge in defending our transportation infrastructure. Through their experiences and forward-looking views, we can understand how the community is responding and what more is needed.

Industry and Government Perspectives on Highway Cybersecurity

Securing digital highways is a multidisciplinary effort, and it’s instructive to hear directly from those in the trenches – be they public officials, private sector cybersecurity experts, or academic researchers.

Here, we compile a few notable quotes and insights from respected voices, shedding light on current challenges and strategies:

  • Brian Cronin – ITS Joint Program Office, USDOT (USA): “V2X connectivity holds great promise for saving lives on our nation’s roadways. Unlike many other safety technologies, however, V2X applications are cooperative. They depend on the exchange of accurate, reliable safety information in real time. A security system is critical to ensure that these technologies – and the information they provide – can be trusted.” – In this remark, Brian Cronin emphasizes that connected vehicle systems (which are key to future smart highways) are only as good as the trust in their data. His team’s work on the Security Credential Management System is a cornerstone to ensuring cars and infrastructure can verify each other’s messages. The takeaway: cybersecurity is a precondition for V2X safety gains.
  • Juhan Lepassaar – Executive Director, ENISA (EU): “Transport is a key sector of our economy that we depend on in both our personal and professional lives. Understanding the distribution of cyber threats, motivations, trends, and patterns as well as their potential impact, is crucial if we want to improve the cybersecurity of the critical infrastructures involved.” – Lepassaar, leading Europe’s cybersecurity agency, underlines the need for a data-driven grasp of the threat landscape. His point resonates with many transport operators: without knowing what you’re defending against (ransomware? hacktivists? insider leaks?), it’s hard to allocate resources wisely. ENISA’s dedicated transport threat reports aim to provide exactly that clarity, enabling evidence-based security strategies for road and other sectors.
  • JJ Eden – Executive Director, NC Turnpike Authority (USA): “While technologies exist today to get vehicles to perform more services than ever, they introduce significant risks as we include more personally identifiable information or location information… As many Americans have experienced firsthand, additional exposure of this information may create an opportunity for others to invade consumers’ privacy and in a worst-case scenario, threaten the safety and security of the vehicles… We must all be aware that bad actors and threats will continue to emerge and become stronger and more complex no matter where you are in the ecosystem. We must think about security first.” – Speaking from a turnpike authority perspective, JJ Eden highlights a few things: the growth of data in vehicles (and by extension, highways systems) creates privacy and safety concerns, and the connectivity that enables great features also demands a higher level of vigilance. He calls for the industry to make cybersecurity “a top priority” and to embrace open, interoperable standards and information sharing to collectively combat threats. Notably, he advocates that ISO, SAE, and UN cybersecurity standards “must become mandatory and audited” across the industry, rather than remaining voluntary guidelines. Eden’s insight essentially pushes for moving from awareness to enforcement – ensuring cybersecurity is not optional.
  • Yoav Levy – CEO, Upstream Security (Private Sector, Israel): “The cybersecurity landscape across the automotive and smart mobility ecosystem is poised to become more complex than ever. Cyber threats are evolving faster than the industry is prepared to handle, outpacing regulation-driven measures. Threat actors have already shifted toward large-scale, sophisticated and AI-powered attack methods, targeting not only vehicles but also interconnected systems such as EV charging infrastructure, API-driven apps and smart mobility IoT devices. This growing attack surface demands a transformative and proactive approach to cybersecurity.” – Levy, whose company analyses global automotive cyber trends, delivers a warning that resonates for highways too: adversaries are upping their game, leveraging new techniques (even AI) to go after a widening range of targets in the mobility space. His use of “outpacing regulation” suggests that compliance alone isn’t enough – the industry needs to innovate in security at least as fast as the attackers innovate in offense. The mention of EV charging and APIs is important; as highways add EV charging stations and mobile apps for services, these become part of the extended infrastructure that must be secured. Levy’s prescription is a “transformative and proactive” approach, meaning waiting for incidents and then reacting is not sufficient; one must anticipate and neutralize threats before they strike.
  • Charles Harry – Research Professor, University of Maryland (Academia/Policy): “Understanding what attack vectors generate strategic consequence remain vital in our ability to allocate scarce resources to build resiliency. These types of studies are fundamental in our understanding of national risk.” – Dr. Harry’s perspective, from a research standpoint, stresses a theme of risk prioritization. Not all cyber threats to highways are equal – some could cause minor annoyances, others could cause catastrophe. By identifying which specific vulnerabilities or attack methods could have the most far-reaching impacts (“strategic consequences” like multi-city disruptions or national economic loss), defenders can focus their efforts (and budgets) on those. His work in analysing systemic effects (like how many lights or vehicles need to be compromised to gridlock a city) feeds directly into such risk assessments. It’s a call for more research-driven policy: use quantitative and scenario-driven research to guide investments in security measures for transport.

These insights converge on a few key points: the necessity of trust and authentication in connected systems (Cronin), the criticality of situational awareness of threats (Lepassaar), the importance of making security a forethought rather than afterthought (Eden), the urgency of staying ahead of evolving attacks (Levy), and the value of strategic risk assessment (Harry). Together, they paint a picture of an industry that is becoming much more sophisticated in tackling cybersecurity – but also one racing against time as technology deployment outpaces security deployment in some areas.

Government voices like Cronin and Lepassaar reassure that public institutions are actively building frameworks and pushing for secure-by-design approaches. Industry voices like Eden and Levy underscore that the private sector recognizes both the business imperative (protect customer data, ensure safety) and the need for collective action (information sharing, standards). And academia provides a grounded, analytical lens to ensure we’re solving the right problems.

One more expert perspective worth noting comes from law enforcement and national security officials (though not quoted above): agencies like the U.S. Cybersecurity and Infrastructure Security Agency (CISA) frequently remind critical infrastructure operators that “a threat to one is a threat to all” and encourage cross-sector information sharing. CISA Director Jen Easterly has advocated for a mindset shift: viewing cybersecurity not just as a tech issue but as fundamental to safety – akin to the way auto safety improved when it was systematically addressed (famously, she compared insecure software to the unsafe cars of yesteryear, invoking Ralph Nader’s Unsafe at Any Speed).

In summary, experts are generally aligned that cybersecurity must be embedded into the DNA of modern transport projects. It requires collaboration, continuous learning, and sometimes a fresh perspective (e.g., bringing in cyber experts to work alongside civil engineers). The next section will delve into how these perspectives are being codified into action – through emerging standards, regulations, and frameworks that aim to institutionalize strong cybersecurity across the highways sector globally.

Guardrails in Cyberspace

As awareness has grown, so too have formal standards and regulations to govern cybersecurity in transportation. In the automotive and highway sector, a variety of initiatives – from international UN regulations to national frameworks – are converging to set a baseline of security expectations. These act like “cyber guardrails”, ensuring organizations don’t overlook essential protections.

Below, we outline some of the key international regulations and standards shaping cybersecurity in smart highway infrastructure, and then summarize them in a table for easy reference.

  • UNECE WP.29 (UN R155 & R156) – Perhaps the most ground-breaking development is the United Nations Economic Commission for Europe’s regulation known as WP.29. In 2021, UNECE adopted Regulation No. 155 on Cyber Security and No. 156 on Software Updates, which for the first time made cybersecurity mandatory for new vehicles in many markets. Starting July 2022, any new vehicle type approved in the European Union (and other adhering countries like Japan and South Korea) must have a certified Cybersecurity Management System (CSMS) in place. By July 2024, this requirement extends to all new vehicles sold (even models originally approved earlier) in those regions. R155 requires car manufacturers to manage cyber risks throughout the vehicle lifecycle – from design to production to post-sale incident response. It explicitly covers numerous threat vectors (over 70 attack scenarios are listed in an annex, including keyless entry attacks, backend server hacks, etc.). R156 complements it by requiring manufacturers to also have a Software Update Management System (SUMS) – ensuring secure over-the-air updates and software version integrity. The impact on highway infrastructure is indirect but important: vehicles interacting on the highways should now be much more cyber-secure by design, reducing the chance that a car becomes the “weak link” that hackers exploit to cause chaos on roads. WP.29 was a result of global collaboration (it covers UNECE’s 1958 Agreement signatories, which produce over one-third of the world’s vehicles). As such, it is pushing a harmonized level of vehicle cybersecurity worldwide, which highway operators benefit from. A key point: WP.29 explicitly encourages alignment with industry standards (notably ISO/SAE 21434) to meet its requirements.
  • ISO/SAE 21434 (Road Vehicles – Cybersecurity Engineering) – This is the international standard that goes hand-in-hand with WP.29. Published in 2021, ISO/SAE 21434 provides a detailed framework for automotive engineers to incorporate cybersecurity into every phase of car development. It covers risk assessment methods, design requirements, testing, and even vendor management for hardware and software components. It essentially tells automakers and suppliers how to achieve what WP.29 mandates. For highway agencies, the relevance is that as vehicles conform to ISO 21434, we can expect more robust in-vehicle systems, which means, for example, a compromised roadside unit should not so easily trick a car, and a compromised car should not so easily disrupt traffic. It’s about raising the security posture of the “road users” in the digital sense. Over time, a car that fully follows 21434 should have protections like authenticated boot, encryption of sensitive data, intrusion detection on its networks, etc. – all of which make it harder for an attacker to weaponize the car on the highway.
  • ISO/IEC 27001 (Information Security Management Systems) – This standard is not transport-specific but is widely adopted across industries including transport. ISO/IEC 27001 defines how an organization should manage and protect information systematically. Many highway authorities and their contractors have pursued ISO 27001 certification to assure that they are following international best practices for cybersecurity governance – things like conducting regular risk assessments, training staff, controlling access to information, and having incident response plans. For example, a toll road operator might get ISO 27001 certified to demonstrate to regulators and users that it safeguards customer data and operational networks with a rigorous process. ISO 27001 is essentially a framework for organizational cybersecurity hygiene, and achieving it often strengthens resilience against common attacks (since the standard will push an entity to patch systems, backup data, enforce policies, etc.). Some governments are now requiring critical infrastructure entities to either be ISO 27001 certified or follow an equivalent standard as part of licensing.
  • NIST Cybersecurity Framework (CSF) & NIST SP 800-53/82 (USA) – The U.S. National Institute of Standards and Technology (NIST) has produced widely respected guidelines. The NIST Cybersecurity Framework, initially released in 2014 and updated since, provides a structured approach with five core functions: Identify, Protect, Detect, Respond, Recover. It’s voluntary but many transportation entities use it to assess their maturity. The framework’s flexibility has allowed, for instance, a state DOT to map its controls and gaps in a way that is communicable to executives. Additionally, NIST’s special publications like SP 800-53 (Security Controls for Federal Information Systems) and SP 800-82 (Guide to ICS Security) offer detailed controls specifically relevant for industrial control in transportation (like traffic systems). NIST SP 800-82 recognizes transportation control systems as a subset of ICS and gives tailored advice. While these are U.S.-centric, they’ve been influential globally; even ENISA references some NIST guidance in its best practices for transport. Under the U.S. Department of Transportation, NHTSA also published updated Cybersecurity Best Practices for Modern Vehicles (an updated guidance in 2022 building on a 2016 version) – while not enforceable, it echoes many NIST principles and is aligned with ISO 21434. So, for highway stakeholders in the U.S., the CSF plus sector-specific profiles (Transportation Systems Sector has its own guidance) act as the de facto baseline.
  • EU NIS2 Directive – In Europe, beyond the automotive-specific WP.29, there is broad legislation covering all critical sectors’ cybersecurity: the NIS2 Directive (Directive (EU) 2022/2555). Effective from 2023, NIS2 requires EU member states to enforce cybersecurity risk management and incident reporting across 18 critical sectors, including transport (aviation, rail, water, and road). Under NIS2, many road authorities and operators (for example, national highway agencies, major tunnel operators, intelligent transport system providers) will be classed as “essential entities” that must meet minimum cyber measures. These measures likely include having cybersecurity plans, access controls, encryption of data, supply chain security measures, etc. They also must report significant incidents within 24 hours to authorities and a detailed report within 72 hours, fostering transparency and quick mobilization. NIS2 also emphasizes cooperation and information sharing, so we can expect better cross-border coordination in Europe when incidents happen (since the directive sets up frameworks for mutual assistance among EU countries). Practically, a highway operator in, say, Germany that is hit by an attack will inform the German cyber authority, and via NIS2 structures, other EU countries can be alerted if there’s a wider threat – reducing blind spots. NIS2 is a game-changer because it legally compels action; non-compliance can lead to fines. It’s pushing what used to be recommendations into hard requirements.
  • IEC 62443 (Industrial Control System Security) – The IEC 62443 series, developed by industrial and automation experts, sets out best practices and technical requirements for securing industrial control and automation systems. Traffic control systems, tunnel control systems, and other highway OT fall into this category. IEC 62443 is actually a suite: some parts are for component manufacturers (ensuring devices have security capabilities), others are for system integrators and operators (ensuring secure implementation and maintenance). Adopting IEC 62443 means, for instance, using PLCs (programmable logic controllers) or RTUs (remote terminal units) in field equipment that support features like account management, encryption, and event logging. It also means segmenting networks into zones with conduits, and doing a risk assessment of each zone. Some countries (like Germany) have referenced IEC 62443 in their national ICS security recommendations for road tunnels and traffic systems. By following IEC 62443, highway agencies treat their operational tech with the same diligence as a power plant or factory would – which historically was not always the case, as many traffic systems were more rudimentary. IEC 62443 provides a common language for highway tech engineers and security professionals to work together, bridging that IT/OT cultural gap with concrete requirements.
  • UNECE R152 (Automated Lane Keeping) & Other Emerging Guidelines – Beyond cybersecurity-specific rules, there are related regulations on functional safety and automated driving (like UN R152 for Level 3 automated lane keeping systems) that include provisions indirectly requiring security (because an insecure system can’t be safe). Furthermore, standards like ISO/PAS 21448 (Safety of the Intended Functionality) intersect with cybersecurity – ensuring that new tech doesn’t introduce unsafe failure modes, including those from tampering.

There are also national guidelines: e.g., the UK’s Department for Transport released a Cyber Security Code of Practice for Connected and Autonomous Vehicles back in 2017 (with 8 principles, such as “security by design” and “whole-life security management”). The UK’s upcoming Cyber Resilience Centre of Excellence for Roads aims to research and share best practices among road operators. Similarly, the U.S. DHS Transportation Systems Sector has published best practice documents, and AASHTO’s Special Committee on Transportation Security works on guidance for state DOTs.

To make sense of the landscape, here is a table summarizing some key standards and regulations relevant to highway cybersecurity internationally:

| Standard / Regulation | Scope & Region | Description / Key Requirements |
|---|---|---|
| UNECE WP.29 (R155 & R156) | Global (UNECE: EU, Japan, S. Korea, etc.) | First-ever mandatory vehicle cybersecurity regulations (2021). R155 requires auto manufacturers to implement a certified Cybersecurity Management System covering risk management, secure design, incident response, etc. R156 requires a Software Update Management System for OTA updates. Mandatory for new vehicle type approvals in participating countries from July 2022; by July 2024 all new vehicle sales must comply. Ensures baseline cyber hygiene for connected vehicles (mitigating threats to vehicles on highways). |
| ISO/SAE 21434: Road Vehicles – Cybersecurity Engineering | Global standard (industry) | Detailed framework (2021) for incorporating cybersecurity into automotive design and development. Covers processes for threat analysis and risk assessment (TARA), security concept, product development, verification/testing, incident response, and post-production monitoring. Complements WP.29 R155 by providing the technical “how-to” for industry. Ensures vehicles and components (incl. V2X units) are engineered with security from the ground up. |
| ISO/IEC 27001: Information Security Management | Global (all industries) | Widely adopted standard (latest 2022) for organizational information security management systems (ISMS). Requires an organization to systematically assess risks, implement security controls (physical, technical, administrative), and continuously improve. Many highway agencies, toll operators, and ITS companies use ISO 27001 to certify their operations (e.g., securing toll payment data or traffic centre networks) – demonstrating commitment to best-practice security governance. |
| NIST Cybersecurity Framework (CSF) and NIST SP 800-82 (ICS Security Guide) | USA (voluntary, global influence) | The NIST CSF provides a high-level structured approach (Identify, Protect, Detect, Respond, Recover) to manage cybersecurity risk. Frequently used by transportation organizations for self-assessment and improvement plans. NIST SP 800-82 offers specific guidelines for securing Industrial Control Systems, including traffic management and tunnel control, with controls mapping to NIST SP 800-53. Together, these guide US transport agencies in implementing layered defences and are often referenced internationally as best practice. |
| EU NIS2 Directive (Directive (EU) 2022/2555) | European Union (critical sectors) | Comprehensive cybersecurity legislation effective 2024, covering 18 sectors including road transport. Requires Member States to ensure operators of essential services (like national road authorities, intelligent traffic system providers) implement risk management measures (e.g. network security, access control, encryption, supply chain security) and report significant cyber incidents within tight timelines. Introduces penalties for non-compliance. Strengthens cross-border cooperation and information sharing in the EU. Will raise baseline security for European highway infrastructure and enforce accountability. |
| IEC 62443 Series: Industrial Automation and Control Systems Security | Global (industrial control/OT) | A multi-part standard providing requirements for secure design and operation of ICS/OT. Relevant parts include 62443-3-3 (system security requirements and levels), 62443-4-1/4-2 (secure product development & component requirements). In highway context, applies to traffic control systems, tunnel SCADA, smart road sensors. Encourages practices like zoning networks, using only security-certified devices, and continuous monitoring. Adoption helps defend against attacks on operational technology (e.g., ensuring a compromised camera can’t pivot to a signal controller). |
| Auto-ISAC Best Practices (Information Sharing & Analysis Center) | Global (automotive industry) | The Automotive ISAC (est. 2015) publishes best practice guides for vehicle cybersecurity (areas like incident response, supply chain security, collaboration). While focused on vehicles, the ISAC model exemplifies public-private info-sharing for transport. In 2021, Auto-ISAC expanded with a European chapter. Best practices include sharing threat intelligence among OEMs and with government, conducting regular threat assessments, and standardized coordination during multi-vehicle cyber incidents. Highway operators benefit indirectly as more secure vehicles and better threat intel flows. |
| UK Cybersecurity Code of Practice for CAV (2017, updated) | UK (guidance) | A set of 8 principles issued by the UK Dept for Transport for securing connected and autonomous vehicles. Emphasizes a security-first culture, managing security over the vehicle lifetime, software patching, secure supply chains, etc. Also relevant to connected infrastructure and back-offices. Though not legally binding, it has influenced UK’s approach (e.g., the planned Cyber Security and Resilience Bill). Many principles echo in later international standards, ensuring that British trials of smart roads/vehicles implement strong protections from the outset. |
| European C-ITS Security Credential Management System (CCMS) | EU (V2X communications) | A trust framework mandated by the EU for Cooperative-ITS (C-ITS) communications (day 1 applications like hazard warnings, road works alerts). The CCMS issues digital certificates to vehicles and infrastructure for V2X messages, ensuring messages are authenticated and can be trusted. Operational since 2019 under EU ITS directives. Similarly, the US has a SCMS for V2X in pilot use. These systems prevent unauthorized or spoofed V2X messages – critical as deployment of connected vehicles and smart road signals expands. |

Table: Key Cybersecurity Standards and Regulations for Smart Highway Infrastructure (Note: Table covers select examples; many countries have additional local guidelines.)

As the table shows, there is a concerted movement toward codifying cybersecurity in the transport domain. These standards and regulations serve several purposes: they provide a common language and benchmark for security (so vendors and agencies know what’s expected), they often require audits or certification (adding an extra layer of assurance), and they facilitate international interoperability (a car that meets WP.29 in Japan also meets it in Europe, etc., simplifying global deployment of secure tech). For a highway authority or operator, staying abreast of these “guardrails” is now part of doing business – whether it’s complying with NIS2 if in Europe, aligning with NIST if in the U.S., or ensuring contractors meet ISO standards.

One might wonder, are these frameworks actually making a difference on the ground? Early evidence suggests yes: automotive manufacturers have significantly ramped up investment in cybersecurity teams and processes due to WP.29 and ISO 21434 – we see new vehicles with features like Secure Gateways (firewalls between external interfaces and critical ECUs) and more frequent security updates. Highway agencies in Europe are conducting cyber risk assessments as part of NIS2 preparations, something that might not have happened so systematically before. And the existence of ISACs means when one entity sees an attack, many others can quickly be alerted – in 2021, for instance, the Auto-ISAC circulated details of an automotive supplier ransomware incident so that others could check their exposure.

Of course, paper compliance doesn’t equal security. These standards will only be effective if organizations truly implement them, not treat them as tick-box exercises. That’s why many in the industry echo JJ Eden’s sentiment that compliance must be audited and verified, and even then, proactive measures beyond compliance are needed (e.g., threat hunting, red-teaming). Nonetheless, these guardrails significantly reduce the chance of obvious lapses (like default passwords or no incident response plan) and raise the overall cost for attackers.

Another noteworthy collaborative effort is the development of common testing and certification schemes. For example, Germany’s Federal Highway Research Institute (BASt) has been working on a testbed for connected vehicle security, and in the UK, the “Cyber Assurance for Connected and Automated Mobility” (CAM Assurance) scheme is being piloted, which will test vehicles and infrastructure against a defined standard (built around ISO 21434 and other references) before they are deployed on public roads. Such schemes might be extended to cover things like roadside units and traffic control centres.

In conclusion, a robust scaffolding of standards and regulations is being erected to ensure cybersecurity is woven into the fabric of highway infrastructure and vehicles. Agencies and companies that once had little guidance in this realm now have playbooks to follow. The international scope – UN, ISO, EU, US NIST – indicates a global consensus that transport systems must be secured to safeguard economies and citizens.

With the rules of the road (cyber-wise) now better defined, the focus is shifting to innovative technologies and practices that can enhance security further. In the next section, we’ll explore some of those emerging solutions – from artificial intelligence to digital twins and beyond – that promise to bolster the defences of smart highways as we drive into the future.

Staying Ahead of Hackers

Cyber threats to highways are not static, and as attackers evolve their methods, defenders are turning to new technologies and strategies to keep pace. Here we look at some emerging tools and approaches that are shaping the future of highway cybersecurity – including the use of artificial intelligence for threat detection, digital twin simulations for planning responses, the push for “secure by design” in new tech deployments, and other innovations.

AI and Machine Learning for Anomaly Detection

Artificial Intelligence (AI), particularly machine learning, is a double-edged sword in cybersecurity. Attackers might use AI to find vulnerabilities or craft more evasive malware, but defenders can leverage AI as well – especially to sift through the huge volumes of data generated by modern highway systems and identify the subtle signs of an attack in progress.

For example, traffic management centres process inputs from thousands of IoT sensors, cameras, and logs from network equipment. An AI system can be trained to understand “normal” patterns (e.g., typical traffic flows, typical network communications between devices) and then flag anomalies that could indicate a cyber intrusion or a malicious event. If a hacker were to take control of a set of traffic cameras and begin using them as a botnet to attack other systems, the AI could notice unusual communication patterns (say, cameras sending data to an unknown external server or spiking in data volume) far faster and more accurately than a human analyst scanning screens. Likewise, if someone tries to spoof sensor data, AI might catch inconsistencies – perhaps a sensor reports a sudden, unrealistic temperature or vehicle count that doesn’t match adjacent sensors’ readings or historical trends.
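The cross-checks described above can be sketched as follows. This is an added example, not code from the article or from any agency's system; the sensor names, counts, addresses, operator network range and thresholds are constructed assumptions. It separates a reading that disagrees with both its own history and its neighbours from a shift the whole corridor shares, and flags camera traffic to a destination the device never used.

```python
"""Baseline-and-deviation checks for roadside telemetry (added example).
Every sensor name, count, address and threshold here is constructed."""
import ipaddress
from statistics import median

OPERATOR_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed internal range


def mad_score(value, history):
    """Robust z-score: distance from the historical median in MAD units."""
    med = median(history)
    mad = median(abs(h - med) for h in history) or 1.0  # flat history: avoid /0
    return abs(value - med) / (1.4826 * mad)


def check_vehicle_counts(readings, history, neighbours, z_limit=6.0):
    """Classify each sensor whose count breaks its own historical trend.

    isolated_deviation: adjacent sensors look normal, so the reading is
        inconsistent with its surroundings (spoofed or faulty sensor).
    corridor_shift: adjacent sensors moved too (real congestion, a closure,
        or something wider); an operator should confirm on camera.
    unverified_deviation: no adjacent sensor reported, nothing to compare.
    """
    scores = {s: mad_score(c, history[s]) for s, c in readings.items()}
    alerts = []
    for sensor, z in scores.items():
        if z <= z_limit:
            continue
        peers = [scores[n] for n in neighbours.get(sensor, []) if n in scores]
        if not peers:
            kind = "unverified_deviation"
        elif median(peers) <= z_limit:
            kind = "isolated_deviation"
        else:
            kind = "corridor_shift"
        alerts.append((sensor, kind, round(z, 1)))
    return alerts


def check_camera_flows(flows, known_dests, volume_history, z_limit=6.0):
    """Flag flows to destinations a device never used, and volume spikes."""
    alerts = []
    for device, dst, kbytes in flows:
        if dst not in known_dests.get(device, set()):
            inside = any(ipaddress.ip_address(dst) in n for n in OPERATOR_NETS)
            scope = "internal" if inside else "external"
            alerts.append((device, f"new_{scope}_destination", dst))
        if mad_score(kbytes, volume_history[device]) > z_limit:
            alerts.append((device, "volume_spike", kbytes))
    return alerts


# --- constructed sample data: vehicles per 5-minute interval ---
HISTORY = {
    "S1": [38, 40, 39, 41, 40, 42, 37],
    "S2": [40, 42, 38, 41, 39, 43, 40],
    "S3": [35, 36, 37, 35, 38, 36, 34],
}
NEIGHBOURS = {"S1": ["S2"], "S2": ["S1", "S3"], "S3": ["S2"]}
SPOOFED = {"S1": 41, "S2": 400, "S3": 37}  # only S2 jumps
CONGESTED = {"S1": 5, "S2": 4, "S3": 6}    # whole corridor slows

# --- constructed sample data: camera egress in KB per 5-minute interval ---
KNOWN_DESTS = {"cam-07": {"10.20.0.5"}, "cam-08": {"10.20.0.5"}}
VOLUME_HISTORY = {
    "cam-07": [1200, 1150, 1300, 1250, 1180, 1220, 1270],
    "cam-08": [1100, 1120, 1090, 1150, 1130, 1110, 1140],
}
FLOWS = [
    ("cam-07", "10.20.0.5", 1240),
    ("cam-08", "203.0.113.50", 1210),  # documentation-range address
    ("cam-08", "10.20.0.5", 98000),
]

if __name__ == "__main__":
    print(check_vehicle_counts(SPOOFED, HISTORY, NEIGHBOURS))
    print(check_vehicle_counts(CONGESTED, HISTORY, NEIGHBOURS))
    print(check_camera_flows(FLOWS, KNOWN_DESTS, VOLUME_HISTORY))
```

Requiring disagreement with adjacent sensors before calling a reading isolated is what keeps ordinary congestion from being reported as tampering.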

Several pilot projects are underway in this space. The U.S. Department of Energy and Department of Transportation have funded research into using machine learning to detect cyber-physical attacks on traffic signals. One approach uses neural networks to monitor the state of traffic lights and vehicles and detect if the pattern of light changes doesn’t match what’s expected from the traffic conditions – which could indicate a malicious manipulation (similar to an IDS for traffic patterns). Early results show promise in catching anomalies that rule-based systems would miss.

AI is also being looked at for predictive maintenance and security. For instance, by analysing the normal performance of hardware (CPU usage, memory, temperature), an AI might predict an impending failure or detect malware that’s causing a device to behave oddly. This blurs the line between reliability engineering and security, but in practice it improves overall resilience.

However, as JJ Eden pointed out, standards and compliance checks themselves will likely start utilizing AI and even large language models to be proactive. Imagine an AI that can rapidly scan through all software in a traffic management system to identify known vulnerabilities or even discover new ones (an AI code auditor). Large Language Models (LLMs) could assist by analysing configuration files or logs in natural language, summarizing where issues might be – effectively serving as a junior analyst that augments the human team. The key is these technologies could help us identify vulnerabilities before they become incidents, aligning with Eden’s call for proactive programs.

Of course, integrating AI into critical infrastructure security must be done carefully – one doesn’t want false positives shutting down systems or an AI itself being fooled by adversarial input. Therefore, current thinking is to use AI as an assistant to human analysts (e.g., through a Security Operations Centre for highways) rather than fully autonomous control in decision-making.

Nonetheless, given the scale of data in smart highways (think connected vehicle messages, video feeds, etc.), AI-driven security monitoring will likely become indispensable. Several vendors are already marketing “AI-powered SCADA security” solutions aimed at utilities and transport, boasting detection of zero-day attacks by learning system behaviour. In the coming years, highway agencies may well employ such systems as part of intelligent intrusion detection systems (IDS) and Security Information and Event Management (SIEM) solutions specifically tuned for the transport environment.

Digital Twins and Simulation for Resilience Planning

A digital twin is a virtual replica of a physical system that can be used for simulation, analysis, and control. In the context of highways, we see the emergence of digital twins of road networks and traffic systems. The primary use has been for traffic optimization and infrastructure planning, but increasingly, digital twins are being eyed as tools for cybersecurity planning and training.

Consider a digital twin of a city’s traffic management system – it models the roads, traffic signals, sensors, communication networks, and even potentially the behaviour of drivers and connected cars. Such a twin can be used to simulate cyberattack scenarios in a safe environment. For example, one could inject a hypothetical ransomware attack in the twin and observe how it propagates, which operations it affects, and how traffic conditions change if certain signals go down or behave maliciously. This can inform real-world contingency plans (like how to re-route traffic or revert to manual control if system X is compromised). It’s akin to a cyber fire drill using a high-fidelity simulator.

One research project in New York City, supported by the U.S. Federal Highway Administration, is creating a “hybrid twin” of urban traffic that merges traditional traffic simulation with real-time data feeds to keep it accurate. While its stated goal is improving traffic flow, the underlying tech could also be used to simulate disruptions. If the twin is sufficiently detailed, one could test, for instance, what happens if 10% of connected cars in Midtown suddenly all report false locations (mimicking a GPS spoofing attack), or if the central traffic control goes offline at rush hour – and then try various mitigation strategies in simulation.

Digital twins also enable testing of new security technologies before deployment. If an agency wants to deploy a new network segmentation or a new anomaly detector, they can first integrate it into the twin and simulate attacks to see if it performs as expected, without risking real infrastructure.

In Europe, projects like TransSec and Safety.Twin have looked at employing digital twin concepts for transport security and safety. The SENTRY project aims to use dynamic digital twins to identify security risks in “smart civic spaces”, which include roads. By analysing sensor data through a twin, it could help spot and mitigate anomalies.

Beyond simulation, digital twins might be used in real-time as part of an incident response. If a cyber incident occurs on the highway network, a live digital twin could help operators visualize the impact and test possible countermeasures virtually before applying them. For example, if a segment of the network is compromised, the twin could be used to verify that isolating that segment (say, disconnecting a certain field network) won’t have unintended consequences on traffic flow or system stability.

One can also tie digital twins with AI – for instance, using reinforcement learning (a type of AI) on a twin to discover optimal response actions to certain attacks. A 2022 research paper by German researchers explored using reinforcement learning to improve road safety and cybersecurity simultaneously by managing traffic signals; in simulation, the AI had to deal with both normal congestion and occasional malicious signal faults, and it learned strategies to maintain safety.

In summary, digital twins are becoming a powerful sandbox for highway authorities. Their role in cybersecurity will likely expand as the fidelity of twins improves. What flight simulators have long been to pilot training, digital traffic twins might become for transport cyber incident training – letting operators practice responding to cyber “events” like citywide signal outages or corrupted data feeds.

Zero Trust Architectures and Network Modernization

Another emerging practice in critical infrastructure, borrowed from IT, is the adoption of Zero Trust Architecture (ZTA) principles. Zero Trust means that no user or device is inherently trusted, even if it’s inside the “perimeter” – every access is verified, and lateral movement is tightly controlled. For highways, implementing Zero Trust can dramatically reduce the ability of an attacker to pivot from one compromised element to another.

In practical terms, this means things like: micro-segmenting networks so that a compromised weather sensor can’t talk to a toll database except through narrowly defined, authenticated channels; requiring strong authentication (possibly multi-factor) for engineers accessing control systems; continuously monitoring device behaviour and having automated responses (like isolating a device that starts acting oddly).

Many highway agencies still operate on flat networks or legacy VPN access that, if breached, give wide access. So, an upgrade to zero trust is a significant but needed step. The U.S. White House has been pushing federal agencies (including DOT) to adopt zero trust by 2024, per an executive order. States and municipalities often take cues from that, so we see movement where, say, a state DOT upgrades its networking: implementing identity and access management, software-defined networks, and so forth. Cisco’s marketing of “secure evolved WAN for smart roads” is essentially selling zero-trust enabled networking gear for highways (ensuring encryption of data in transit, segmented lanes for different data types, etc.).
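To make the contrast between a flat network and micro-segmentation concrete, the following added example (not from the article or from any agency's deployment) models a default-deny policy and computes how far a compromised device could reach in the worst case. Asset names, zones, ports, roles and conduits are all constructed assumptions.

```python
"""Flat network vs. default-deny micro-segmentation (added example).
All assets, zones, ports, roles and conduits below are constructed."""
from collections import deque

ZONE = {  # asset -> network zone
    "weather-sensor-12": "field-sensors",
    "cctv-cam-07": "field-cctv",
    "signal-controller-3": "field-signals",
    "telemetry-broker": "dmz-ingest",
    "tmc-historian": "tmc",
    "tmc-hmi": "tmc",
    "toll-app": "tolling",
    "toll-db": "tolling-data",
}
ROLES = {  # identities each asset can authenticate with
    "weather-sensor-12": {"telemetry-publish"},
    "cctv-cam-07": {"telemetry-publish"},
    "telemetry-broker": {"historian-write"},
    "tmc-hmi": {"signal-operate"},
    "toll-app": {"toll-db-rw"},
}
CONDUITS = [  # (source zone, destination asset, port, role required)
    ("field-sensors", "telemetry-broker", 8883, "telemetry-publish"),
    ("field-cctv", "telemetry-broker", 8883, "telemetry-publish"),
    ("dmz-ingest", "tmc-historian", 5432, "historian-write"),
    ("tmc", "signal-controller-3", 161, "signal-operate"),
    ("tolling", "toll-db", 5432, "toll-db-rw"),
]
PORTS = sorted({port for _, _, port, _ in CONDUITS})


def decide_flat(src, dst, port, quarantined=frozenset()):
    """Legacy model: anything on the network may talk to anything else."""
    return True, "flat network: implicit trust"


def decide_segmented(src, dst, port, quarantined=frozenset()):
    """Allow only a listed conduit, and only for an identity holding its role."""
    if src in quarantined or dst in quarantined:
        return False, "quarantined"
    reason = "default deny"
    for src_zone, target, allowed_port, role in CONDUITS:
        if (ZONE[src], dst, port) == (src_zone, target, allowed_port):
            if role in ROLES.get(src, set()):
                return True, f"conduit {src_zone}->{target}:{port} as {role}"
            reason = f"missing role {role}"
    return False, reason


def blast_radius(start, decide, quarantined=frozenset()):
    """Worst case: every asset reached is assumed compromised in turn,
    and its own identities are reused for the next hop."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst in ZONE:
            if dst in seen:
                continue
            if any(decide(src, dst, p, quarantined)[0] for p in PORTS):
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


if __name__ == "__main__":
    start = "weather-sensor-12"
    print("flat:       ", sorted(blast_radius(start, decide_flat)))
    print("segmented:  ", sorted(blast_radius(start, decide_segmented)))
    print("quarantined:", sorted(blast_radius(start, decide_segmented, {start})))
    print(decide_segmented(start, "toll-db", 5432))
```

Running the same reachability check against a real asset inventory and firewall rule export shows which conduits still let a field device reach systems it has no reason to touch.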

One area highways are looking at is remote access security – maintenance teams or vendors often need to remotely access devices on the roadside or in the control centre. Instead of traditional VPNs, some agencies are exploring Zero Trust Network Access (ZTNA) solutions (as material from Appgate suggests). These would grant access only to the specific device needed and only after verifying user/device posture, drastically limiting what an attacker could do if they stole a contractor’s credentials.

Additionally, network modernization to technologies like 5G for roadside connectivity comes with security opportunities. 5G networks can offer built-in encryption and slicing (isolating traffic flows). If highway sensors transition from older wireless (or no wireless) to 5G-based communication, agencies will need to ensure they configure those with security in mind (using carrier-grade security features, etc.). But 5G also introduces concerns – more reliance on telecom operators, and the need to secure edge computing nodes that might be processing traffic data. There’s work being done on vehicle and infrastructure edge computing security (e.g., how to secure roadside units that might run complex software for V2X).

Post-Quantum Cryptography and Future-Proofing

Looking a bit further ahead, quantum computing poses a long-term threat to the cryptography that currently secures much of our communications, including those in transport systems. Public key algorithms like RSA and ECC (which are used in secure VPNs, in V2X certificate systems, etc.) could be broken by a sufficiently powerful quantum computer. While such computers are not yet in existence at the scale required, the possibility has the security community planning transitions to post-quantum cryptography (PQC). Highways Today itself recently featured an article on quantum computing being a “silent threat” to cybersecurity – a topic raising awareness.

For highway infrastructure, this means that the security credentials with long lifetimes (like those in vehicle PKI systems or long-term signing keys for software updates) will need to be upgraded to quantum-resistant algorithms in the coming decade. Already, NIST has standardized a first set of PQC algorithms (July 2022). Automotive and ITS groups in ISO and ETSI are starting to discuss how to incorporate PQC into future versions of V2X standards. Practically, roadside units and on-board units might need more processing power to handle the larger PQC keys and signatures, which is a consideration for future deployments.

Some forward-looking projects are even trying hybrid cryptography – combining classical and quantum-resistant algorithms to hedge bets. Japan, for instance, with its ambitious plans for connected and automated highways, is ensuring that future system designs account for PQC transitions (especially since cars might stay on the road 15 years, and those made in late 2020s will be in use when quantum computers might emerge).

Collaboration Tools and Cross-Sector Fusion

On a procedural front, an emerging practice is the development of cross-sector cyber fusion centres that include transportation. For example, the U.S. has piloted the idea of “Shields Up” briefings that bring together energy, telecom, and transportation sector reps to share threat intel in real time (especially during geopolitical tensions). As transportation agencies often don’t have huge cyber teams, leveraging such fusion efforts ensures they get the latest information on threats (like the ransomware strain du jour or indicators of nation-state activity) without having to independently gather it.

Public-private partnership models are also evolving. We see more highway concessions hiring dedicated cybersecurity firms on retainer, and conversely, cybersecurity companies embedding advisors in infrastructure organizations. Israeli firms, given Israel’s focus on both cyber and transport tech, have been at the forefront, offering managed detection and response services tailor-made for transport control systems.

One interesting collaboration effort is between automotive OEMs and road operators on security. Traditionally, these groups were siloed – car makers worried about their cars, road agencies about roads. But as connected cars and intelligent infrastructure must work together safely, there’s a growing dialogue on sharing data about cyber incidents that could affect each other. For example, if a certain car model experiences a cyber exploit on the highway (say, its cruise control malfunctioning due to an attack), how can that be flagged to road operators to perhaps temporarily adjust how they manage traffic or issue warnings? Conversely, if a highway system is attacked (like a rogue message sign), can nearby connected cars be alerted through their OEM cloud services? Trials in some EU projects are exploring such joint response concepts.

Human Factors and Training

No technology discussion is complete without the human element. An emerging focus is on specialized cybersecurity training for transportation engineers and operators. Many agencies are incorporating cyber incident modules into their regular emergency drills. For instance, a tunnel operator might conduct an exercise where a cyberattack knocks out tunnel sensors while an accident occurs, forcing them to manage the incident with partial info and coordinate with IT to restore systems. Such drills build muscle memory and also help identify gaps (maybe the operators realize they don’t have an out-of-band communication method if their network is down – a common revelation which leads to fixes like having backup radios or phones).

Gamified training is also emerging – some organizations use “cyber escape room” style trainings where staff must navigate a simulated cyber incident by solving puzzles (like decoding a suspicious email that “came from the CEO” – teaching phishing awareness). While these are general, some tailor them to scenarios like someone plugging in a found USB near a traffic centre or a fake call from a “vendor” asking for a password. The idea is to raise vigilance specifically in contexts relevant to highways.

Finally, the concept of “cybersecurity culture” is being woven into safety culture. Transportation organizations historically have a strong safety culture (accident prevention, fail-safe design). Now, they’re extending that mindset to cyber: making sure every project or change gets a cyber risk review, encouraging staff at all levels to report anomalies (just like they’d report a safety hazard), and treating cyber incidents with the same urgency as, say, a snowstorm affecting the roads.

As Richard Horne of the UK NCSC put it recently, organizations must prepare not just to prevent, but to “resist and recover” when attacks happen. Highways are embracing this resilience thinking – assuming breach and planning continuity around it.

In summary, emerging technologies and practices – AI, digital twins, zero trust, PQC, enhanced collaboration, and human-centric strategies – are arming highway operators to better defend and adapt in the face of evolving threats. The race is dynamic: as defenders deploy AI, attackers try to find blind spots in AI; as networks get segmented, attackers look at supply chains or insider tricks. It’s a continual chess match. But the proactive stance seen in many of these innovations gives reason for optimism that the good guys can stay a step ahead.

Collaboration Across Public and Private Sectors

Securing smart highways is not the responsibility of any single entity – it requires a united front across government agencies, private companies, and even international borders. Public-private partnerships and information sharing alliances have become cornerstones of transportation cybersecurity strategy.

In this section, we explore how collaborative efforts are making a difference, and why coordination is perhaps the ultimate force multiplier in defending critical infrastructure.

Information Sharing and Analysis Centres (ISACs)

One of the earliest collaboration mechanisms in critical infrastructure was the creation of ISACs for different sectors. For transportation, there are a few: the Surface Transportation ISAC (ST-ISAC), Public Transportation ISAC, and Over-the-Road Bus ISAC. These entities operate 24/7 to gather, analyse, and disseminate threat intelligence to their members. For example, if a transit agency in one state experiences a ransomware attack, the ISAC can alert other transit and highway agencies to watch for similar indicators or vulnerabilities. They also provide a trusted forum under protected legal frameworks to share sensitive information (so companies can share details of attacks without fear of liability or public exposure). The ST-ISAC in particular works with both public and private stakeholders in highways, bridging state DOTs, toll operators, freight companies, etc. By “establishing the transportation sector’s specific information requirements” and sharing in near-real-time, ISACs ensure that no highway operator is flying blind – everyone can learn from each other’s close calls and incidents.

The automotive world’s Auto-ISAC is a parallel example focused on vehicles (with OEMs and suppliers sharing info). The encouraging trend is cross-pollination: the Auto-ISAC and ST-ISAC might share information when a threat spans both vehicles and infrastructure. For instance, if a piece of malware affects both a truck fleet’s onboard units and a highway operator’s systems, both ISACs would collaborate to build a full picture. Information sharing is not glamorous, but it’s hugely impactful – it’s the difference between one organization being a victim vs. ten organizations proactively defending because they were warned.

Public-Private Partnerships (PPP) and Joint Task Forces

Many governments have realized that they need direct partnership with industry to secure infrastructure. In the US, the Department of Homeland Security (DHS) and Department of Transportation (DOT) have sector coordinators who liaise with industry via councils and working groups. For example, the Transportation Systems Sector Coordinating Council brings together private infrastructure owners/operators, while a parallel Government Coordinating Council aligns federal, state, and local agencies. Together they develop joint sector-specific plans, share risk assessments, and coordinate on R&D needs. Through such PPPs, initiatives like “Road Infrastructure Digital Security” research programs get funded – sometimes matching government funds with private funds to pilot new security tech on highways.

The European Union similarly fosters PPPs. The EU’s CECSP (Cooperative, Connected, and Automated Mobility) cybersecurity working group includes car manufacturers, road operators, and telecom companies together devising strategies for secure CCAM deployment. At a more local level, countries like the Netherlands have formed coalitions between their national highway authority and cybersecurity firms to audit and improve road system security after some publicized vulnerabilities in traffic systems came to light.

2021 Log4j Vulnerability Crisis

One concrete example of public-private cooperation was during the 2021 Log4j vulnerability crisis – a critical software flaw that impacted thousands of systems worldwide. Transportation entities using affected software (like traffic management platforms running on Java) had to scramble to patch. CISA (US) coordinated extensively with IT providers (many of which are private) and sectors including transportation to ensure patches were applied and to monitor any exploit attempts in critical infrastructure. They held regular briefings that kept both government road agencies and private sector vendors in the loop, breaking down usual silos in an emergency. This demonstrated that in crises, lines blur – it’s all-hands-on-deck across public and private.

Cross-Border and International Coordination

Cyber threats do not respect national borders, and this is especially pertinent in regions with integrated transport, like Europe. The EU, through ENISA and frameworks like NIS2, is improving cross-border coordination. If, say, a highway toll operator in France suffers a cyberattack that might affect European toll interoperability, they now have clearer obligations to report and mechanisms for neighbour countries to be alerted. Europe also holds annual cyber crisis exercises (Cyber Europe) that sometimes include transport scenarios, to practice multinational response.

On a transatlantic note, the US and EU have a working group on transportation cybersecurity as part of a broader security cooperation. In 2022, they held joint workshops on aviation and automotive security. While highways weren’t a primary focus yet, learnings carry over, and they plan to include smart cities and highways in future dialogues. Additionally, organizations like the World Road Association (PIARC) have set up a Task Force on Cybersecurity in Road Infrastructure to facilitate global knowledge exchange – bringing in examples from developed nations and also considering needs of developing countries as they build smart highways (to not build insecurity by omission).

We should note, some highway systems physically cross borders – e.g., the European E-road network, or bridges/tunnels between countries. Coordinated cybersecurity agreements are being considered for such cases. For instance, if the Øresund Bridge IT systems (connecting Denmark and Sweden) were attacked, both nations need a joint protocol to respond and communicate. Similarly, between the US and Canada, critical bridges have bi-national operating authorities that now include cybersecurity in their cooperation agreements.

Vendor and Supplier Collaboration

Many highway agencies rely on a small number of key vendors for traffic control software, sensor hardware, etc. Therefore, vendor-user collaboration is vital. User groups of major traffic system vendors now often have cybersecurity subcommittees. They push vendors for timely patches and security features, and vendors in turn share roadmaps for security enhancements. When a vulnerability is found in a vendor’s product (e.g., a popular traffic signal controller firmware), the vendor often works closely with agencies to deploy fixes and sometimes with government (like DHS/CISA) to issue alerts if needed. This triangle of vendor-agency-government has improved; a decade ago, vulnerabilities might be hidden or ignored, but today they’re more likely to result in a collaborative fix effort.

Bridging IT and OT Silos

Within large departments, collaboration is also internal – the IT security team and the traffic engineering team need to work hand-in-hand. Many agencies have addressed this by creating joint task forces or blended positions (like an OT Security Manager who liaises between the CSO’s office and the operations units). Some DOTs have fun cross-training: they have their IT cyber staff ride along with maintenance crews or sit in the traffic centre to understand operations, and conversely have traffic engineers attend basic cyber training. This fosters mutual understanding and faster collaboration during incidents.

Engaging the Broader Community

Highways exist in a community, and sometimes the public or academia can help. Crowdsourced reporting of cyber issues (like someone noticing a highway sign has been tampered with and reporting it) is being encouraged via easy channels. Agencies have started to publish “if you see something strange on a message sign, call this number” in public outreach materials – treating cyber incidents similar to physical incidents in terms of public reporting.

Also, bug bounty programs are tiptoeing into the infrastructure arena. While one can’t just let hackers poke at live traffic systems, some agencies are considering controlled programs where vetted researchers can test certain components for rewards. The U.S. DoD has a “Hack the Pentagon” program; maybe one day we’ll see a “Hack the Traffic System” challenge in a sandbox environment to crowdsource security improvements.

Role of Insurance and Finance

A collaborative wrinkle often overlooked: the insurance industry (cyber insurers) and government are discussing how to handle critical infrastructure risk. Cyber insurance for highway agencies is increasingly sought. Insurers have a stake in promoting good security practices (to reduce claims) and often provide services like security assessments. They also gather incident data from across clients which can indirectly inform the sector. On the government side, there’s talk of a backstop for catastrophic cyber incidents (like a “Cyber FEMA”). Knowing that, highway agencies are collaborating with emergency management authorities – planning how they would jointly respond to a major cyber-induced disruption, potentially tapping national resources.

In all these ways, collaboration knits together a safety net for highway cybersecurity. Instead of isolated entities each trying to fend off well-organized attackers, we have collective defence: through intelligence sharing, mutual aid, common standards, and shared innovation. A cybercriminal might target a small county’s traffic system thinking it an easy mark, but if that county is plugged into an ISAC and partnerships, they essentially have the backing of a nationwide community – guidance on hardening, early warnings of threats, and federal expertise if needed to respond.

The ethos is captured well by a phrase from a CISA campaign: “One Team, One Fight.” A threat to one highway system is a threat to all, so everyone must have each other’s back. As threats continue to escalate, this unity will be tested, but it’s also the greatest strength the defenders have.

Securing the Road Ahead

What does the future hold for cybersecurity in smart highway infrastructure? In many respects, the journey has just begun. As we look to the next 5–10 years, we anticipate significant advances in both the technologies deployed on highways and the corresponding security measures to protect them. The convergence of trends – more autonomous vehicles, greater data-driven services for travellers, climate change prompting smarter infrastructure for resilience, etc. – will make highways even more digitally complex. This underscores that cybersecurity will be a continuous effort, not a one-time destination.

Here are some key elements of the future outlook:

  1. Cybersecurity as a Safety Pillar: Just as road design has pillars of traffic safety (think “Vision Zero” to eliminate fatalities), cyber will be seen as integral to safety. A cyber attack that disables a safety system is as dangerous as a design flaw in a bridge. We can expect safety regulators (like those in charge of roadworthiness or infrastructure standards) to include cybersecurity in their purview. For instance, future highway design manuals might include sections on network security of control systems, and safety audits for new road projects may have a cyber component. The cultural shift will be complete when every infrastructure project treats cybersecurity requirements on par with structural and electrical requirements.
  2. Continuous Monitoring and Autonomous Response: With the volume of connected components on highways, manual monitoring will be insufficient. We foresee Security Operations Centres (SOCs) tailored for infrastructure becoming common – some large states or countries may have a dedicated Highway Cyber SOC watching over all highway control networks in real time. These SOCs will use AI (as discussed) and possibly have automated response capabilities. For example, if an intrusion is detected in a section of the ITS network, the system might automatically segment that part, switch control to a backup system, or re-route traffic pre-emptively if it senses signal disruptions. Autonomous cyber defence – systems that can fight off attacks or isolate them without waiting for human input – will reduce reaction times from minutes to seconds or less, critical when protecting physical processes.
  3. Integration of Cybersecurity in Vehicle-Infrastructure Communication: As more vehicles get to Level 3 or 4 automation and rely on infrastructure data (like sensor sharing, high-definition maps from road cameras, etc.), joint cybersecurity frameworks between vehicles and infrastructure will likely emerge. We might see “cyber handshake” protocols where a car and a traffic signal not only authenticate via certificates but also validate each other’s behaviour in a trust score. If a traffic light sends odd instructions (perhaps due to being hacked), the car might flag it and query a cloud service to verify. Conversely, infrastructure might sandbox communications from cars that aren’t properly authenticated or behave anomalously (e.g., a car broadcasting contradictory info). Essentially, a web of trust in real time between all participants on the road.
  4. Post-quantum Transition: By the early 2030s, transport communications will probably have undergone a post-quantum crypto transition. This will be a heavy lift – millions of vehicles and thousands of infrastructure devices will need crypto updates. But planning is already underway, and future systems are likely to be designed crypto-agile (able to swap algorithms easily). We might even witness some quantum technologies being used for securing communication (like quantum key distribution for highly critical links, though that might remain more niche for government networks, etc.).
  5. More Sophisticated Attackers: On the darker side, adversaries will certainly get more creative. Ransomware crews might attempt multi-pronged extortion – for instance, simultaneously locking a highway agency’s data and threatening to cause accidents by hacking signals if not paid. State-sponsored actors may target transport as a way to sow chaos without direct conflict (as hacktivists already did in rail). We should be prepared for attacks combining cyber and misinformation – e.g., hacking a highway sign to display an evacuation order or false emergency, then amplifying that on social media to cause panic. Emergency management and cybersecurity will need closer coordination to handle those hybrid events.
  6. Emphasis on Recovery and Resilience: Accepting that some incidents will happen, highway authorities will refine their ability to recover and keep service running under duress. This includes maintaining analogue backups: for example, keeping paper maps and signal timing plans that could be implemented manually if digital systems go down, having reserve radio communication independent of the IT network for field crews, and designing fail-operational modes (systems that degrade gracefully rather than fail completely when compromised). We might see innovative resilience tactics, like using vehicle-to-vehicle communications as a temporary substitute if central control fails – cars could form a mesh network to coordinate basic safety messages until the infrastructure is back (this is speculative, but technically feasible, effectively crowd-sourced traffic management in an emergency).
  7. Legislation and Liability Evolution: Governments may introduce more prescriptive laws around transport cybersecurity. We could see mandates for periodic cybersecurity audits of road operators, or liability frameworks clarifying who is responsible if a cyber incident causes harm on the highway (vehicle OEM vs road operator vs tech supplier). Clarifying liability will, albeit painfully, push all parties to up their game because the financial stakes of negligence will be clear. Conversely, if they implement best practices, they might get safe harbour protections.
  8. Cybersecurity Workforce and Culture: The workforce will need to grow; we will need more cyber-trained professionals in transportation disciplines. The pipeline is being addressed slowly via universities and cross-training existing staff. One could imagine new roles like “Highway Cybersecurity Manager” becoming as normal as “Highway Maintenance Manager.” C-suite roles might appear: some large transport agencies might have a Chief Information Security Officer (CISO) specifically focused on operational tech. Culturally, as Gen Z and beyond – digital natives – move into these fields, comfort with technology and security might naturally be higher (the new traffic engineer might be as versed in Python scripting and basic ethical hacking as they are in civil engineering principles).
  9. Global Collaboration Intensifies: Cyber threats often unify countries facing a common scourge. We predict global bodies (like the UN’s International Telecommunication Union or the World Economic Forum) may spearhead more international exercises and capacity-building, helping raise the security level of highways in developing nations too (so they don’t become easy backdoors that affect interconnected global trade). Perhaps a Global Transport Cybersecurity Alliance could emerge, analogous to those in banking, to set worldwide norms and assist regions with fewer resources.
  10. Positive Outcomes from Adversity: Oddly, just as the pandemic accelerated digital transformation, a major cyber crisis (should one occur in transport) could accelerate security transformation. If, say, a coordinated attack managed to disrupt multiple highways one day, the response would likely be a rapid hardening on an unprecedented scale, similar to how airline security worldwide tightened after certain incidents. We can hope to avoid such a crisis, but if smaller ones continue to prod, they will continually justify the investments needed.

In conclusion, the road ahead will undoubtedly have bumps – some thrown by malicious actors – but the trajectory is toward ever smarter and, importantly, ever more secure highways. The collective awareness and effort observed as of 2025 is a strong foundation. As Upstream’s Yoav Levy warned, threats are evolving fast and require a “transformative and proactive” defence approach. The encouraging news is that transformation is visibly happening: from regulation to technology to collaboration.

Highway authorities and their partners are learning to think like hackers in order to pre-empt them, and to think like safety engineers in order to mitigate any incident’s impact. The concept of cyber resilience – not just preventing attacks but ensuring critical functions can withstand and bounce back from them – will drive system design. For every new technology on the highway, the question “but is it secure?” will be asked at the drawing board stage, not after deployment.

Ultimately, the goal is to preserve the promise of smart infrastructure – safer roads, efficient mobility, user convenience – while minimizing risks. Just as infrastructure designers plan for natural disasters, they will plan for cyber disasters. When successful, the public may never notice anything – which is how it should be. The traffic keeps flowing, goods get delivered on time, and travellers stay safe, with cybersecurity quietly standing guard in the background.

The journey is ongoing and will require vigilance indefinitely. But if the transportation community maintains the same spirit of innovation and cooperation in cybersecurity as it has in advancing mobility, the “smart highways” of the future can indeed be both smart and secure. In the words of JJ Eden: “We must think about security first.” By prioritizing cybersecurity as fundamental to every project and every system, highways can continue to drive forward into the digital era, enabling progress while protecting the public trust.

About The Author

Anthony brings a wealth of global experience to his role as Managing Editor of Highways.Today. With an extensive career spanning several decades in the construction industry, Anthony has worked on diverse projects across continents, gaining valuable insights and expertise in highway construction, infrastructure development, and innovative engineering solutions. His international experience equips him with a unique perspective on the challenges and opportunities within the highways industry.
