The Transportation Systems Security Assessment (TSSA)

Table of contents

• What is Transportation Systems Security Assessment
• Why is transportation cyber security essential
• TSSA and NIS2 directive: a mandatory combination
• How a TSSA is structured: technical components
• Advanced technologies for real-time monitoring
• Practical examples of TSSA in the transport sector
• Best practices for effective evaluation
• Conclusions: why TSSAs must be a priority

Threats are increasingly increasing and transportation cyber security has become a strategic priority for every modern transportation system.

The increasing digitalisation of railway, airport, port and road networks, combined with the integration between information and operational systems (IT/OT), has made the adoption of the Transportation Systems Security Assessment (TSSA), a fundamental tool for assessing IT/OT risks, indispensable.

In this article, we will look at what TSSA is, why specific measures need to be taken, what are the best practices and the role of the NIS2 directive in protecting critical infrastructure.

What is Transportation Systems Security Assessment

Transportation Systems Security Assessment is a structured methodology for evaluating the security of technological systems that govern transportation infrastructure. It is a systemic approach that analyzes vulnerabilities, threats and protection measures against malicious or accidental events that can affect critical information systems that provide essential public services.

This evaluation can be performed in distinct phases:

• Attack Surface Analysis: Identifying Exposed Digital and Physical Assets
• Threat modeling transport: mapping of threats specific to the transport environment considered
• Evaluating Existing Security Controls: From Physical to Digital Security Measures
• Identifying the gaps: what is missing to ensure resilience and business continuity
• Operational and strategic recommendations for risk mitigation

An effective TSSA must be updated periodically and integrated into the company’s risk management and incident response plans.

Why is transportation cyber security essential

Transportation cyber security is a complex challenge that requires multidisciplinary expertise. Transportation SCADA systems, PLCs, IP cameras, signaling systems, and IoT sensors are now essential components of modern railway, airport, and logistics systems. But this interconnectivity exposes them to an increasing number of cyber threats, from ransomware attacks to state-sponsored sabotage operations.

The Transportation Systems Security Assessment allows you to map these vulnerabilities and anticipate scenarios that can be highly destructive. For example:

• An attack on transport SCADA systems could block railway traffic lights causing disruptions or accidents
• Remote control of a ventilation system in a subway could cause emergency situations
• Manipulation of GPS systems in a freight transport network can be used to divert or steal loads

Furthermore, in the context of the NIS2 directive, companies managing essential mobility infrastructures must comply with increasingly stringent critical infrastructure cyber security standards.

TSSA and NIS2 directive: a mandatory combination

The NIS2 directive (Network and Information Security Directive 2), which has come into force throughout the European Union, requires member states and operators of critical infrastructures to adopt preventive measures to protect digital systems. Compared to the previous version, NIS2 expands the scope of entities subject to the obligations, explicitly including the transport sector.

The Transportation Systems Security Assessment is therefore a key element for compliance with NIS2. Companies in the sector must:

• Demonstrate that you have carried out an IT/OT risk assessment
• Have incident response plans in place
• Document the adoption of advanced monitoring and early warning technologies
• Integrating risk management into corporate governance

Without an up-to-date TSSA, organizations risk fines and, more importantly, the inability to respond to security incidents in real time.

How a TSSA is structured: technical components

A good Transportation Systems Security Assessment includes numerous technical and organizational modules. The key sections of a complete assessment are:

• Asset Inventory
• Detection and classification of OT devices, connections and software in the various segments of the transportation system (stations, tunnels, vehicles, control centers).
• Network Topology Analysis
• Analysis of interconnections between IT and OT systems, with a focus on demarcation zones, firewalls, IDS/IPS.
• Vulnerability Assessment
• Scan for known vulnerabilities in devices and software, including misconfigurations and open ports.
• Targeted Penetration Testing
• Controlled simulation of attacks to verify the effectiveness of security measures .
• Incident Response Readiness
• Evaluating incident response plans: procedures, tools, response teams.
• Real-time monitoring & SIEM
• anomaly detection, event correlation and alarm capabilities.

Each element of the TSSA can be integrated with threat intelligence tools, honeypots, and simulation platforms such as transportation industry-specific cyber ranges.

Advanced technologies for real-time monitoring

To ensure truly effective critical infrastructure cyber security, TSSAs must include real-time monitoring systems based on:

• Artificial Intelligence for Detection of Anomalous Behaviors
• Machine Learning for Attack Prediction and Log Correlation
• Edge computing for data analysis directly in the field
• Digital Twin to digitally replicate the system and test crisis scenarios

These advanced technologies can be crucial in responding to cyber attacks promptly and accurately.

Practical examples of TSSA in the transport sector

Several EU member states have already adopted Transportation Systems Security Assessment procedures:

• In Germany, Deutsche Bahn has implemented a resilient SCADA system with network segmentation and AI detection.
• In France, RATP performed TSSA on the entire Paris metro network, simulating attacks on PLCs and payment systems.
• In Italy, the main high-speed railway networks have developed a risk management model based on the IEC 62443 standard.

These cases demonstrate how the TSSA can be an operational and strategic tool to strengthen national cyber security.

Best practices for effective evaluation

For a truly effective Transportation Systems Security Assessment, it is necessary to adopt some shared best practices:

• Involve public and private stakeholders, including government, suppliers and network operators
• Integrate IT/OT Risk Assessment into the Project Lifecycle
• Perform periodic assessments and post-incident analyses
• Maintain up-to-date documentation, essential for compliance
• Prepare training plans for technical and managerial staff

Conclusions: why TSSAs must be a priority

In a world where IT and physical systems are increasingly interconnected, protecting critical transport infrastructures must be a national and European priority.

The Transportation Systems Security Assessment is not just a technical checklist, but a strategic process to ensure that transport systems are resilient, reliable and safe. Without risk management based on real data and advanced threat modeling, no infrastructure can be considered protected.

Questions and answers

1. What is Transportation Systems Security Assessment?
   It is a systemic cyber security assessment of critical transportation systems.
2. Who is the TSSA for?
   Public and private companies that operate essential transportation infrastructure.
3. Is TSSA mandatory for NIS2 directive?
   It is not explicitly mandatory, but it is the most effective tool to be compliant.
4. What is the difference between TSSA and IT audit?
   TSSA also includes OT, SCADA systems and physical devices.
5. How often should a TSSA be updated?
   At least annually or after any significant security incident.
6. What tools are used in a TSSA?
   Vulnerability scanner, SIEM, sandbox, honeypot, simulations and penetration tests.
7. Can TSSA be done in-house?
   It is possible, but it is often recommended to rely on external certified experts.
8. What are the risks without a TSSA?
   Service disruptions, legal penalties, reputational damage, and public safety impacts.
9. How much does a TSSA cost?
   The cost varies based on the complexity of the system, but can start at 10,000 euros.
10. What is the difference between NIS and NIS2?
    NIS2 is a more stringent evolution, with increased security and communication requirements.