As digital systems become increasingly embedded in road operations, so the cyber risks grow. This guide outlines eight core actions—rooted in industry best practice—to help road operators strengthen defences, respond to incidents, and protect public safety.
Cyber-attacks are on the increase globally, and infrastructure is among the targets. In its 2025 Threat Landscape report, the European Union Agency for Network and Information Security (ENISA) analysed 4,875 incidents from the previous year and found that 7.5% affected transport infrastructure. Ransomware, data theft and disruption of critical services were among the leading concerns.
As organisations continue to invest in digital infrastructure, their attack surface increases, creating new blind spots and weaknesses in oversight. ENISA reports that 42% of the threats they analysed targeted mobile devices, with Android devices facing a higher level of threat. This compares with web threats (27%), operational technology (18%) and supply chain (11%).
The transport sector is one of the most targeted and exposed sectors due to its reliance on digital systems, IoT devices and interconnected third-party services, all of which create complex webs of vulnerability. A single attack can stop services, endanger lives, jeopardise toll collection, and disrupt supply chains. This threat landscape is precisely why the transport sector is a key focus of the European NIS 2 Directive, which will soon impose reinforced cybersecurity, risk management and incident‑response obligations on essential and important entities.
In September 2024, Transport for London (TfL) was hit by a cyberattack that exposed the data of 5,000 customers and forced 30,000 employees to reset IT credentials. Critical operational systems were impacted including traffic cameras, digital bookings, contactless ticketing and payment processing. (Source: WISDIAM)
How does Egis support its O&M companies?
Egis offers a tried and tested cybersecurity roadmap, with continuous improvement loops, as well as a Cybersecurity Startup Kit – both valuable parts of the digital resilience toolkit for our road O&M companies.
The roadmap includes: i) a high-level risk assessment resulting in a score; ii) a validated action plan addressing gaps and weaknesses; iii) an on-site, evidence-based audit (rescore, renew action plan); iv) vulnerability and penetration testing; and v) a red team assessment – a fully integrated approach. Our audits compare current practices with recognised frameworks like ISO 27001 or NIST. The audit measures how well the organisation can prevent, detect and recover from attacks. We can also go further and test incident response with tabletop exercises.
The Startup Kit covers organisational requirements, policies and processes, and provides ready-to-use documents, templates and procedures. It’s an excellent tool for organisations that are not already certified against other frameworks and that need a solid starting point. Business continuity is also covered in the kit.
Building resilience
A clear, repeatable maturity audit gives leaders an evidence-based roadmap. It helps them identify where to spend money for the biggest risk reduction. It also helps them meet rules and partners’ expectations. Customers and regulators increasingly require proof of controls, and these support tools are an important part of the mix.
Even with the best defences in place, it’s likely that some incidents will occur. So, the focus should be on building our ability to recover quickly and keep road services going under stress. This might involve exploring digital twins, retaining paper back-ups, and finding ways for systems to degrade rather than completely fail when compromised.
Eight cyber essentials for road operators
- Choose a framework to follow (Egis Startup Kit, NIST CSF, CIS Controls, etc.) and appoint a board-level owner for cyber risk, who also ensures that road-operations teams understand how cyber incidents could disrupt traffic flow, safety and emergency response.
- Define your action plan for network and system hardening (e.g. segmenting IT and OT networks, applying controls to all internet-facing and admin systems).
- Address access control and remote management for engineers and contractors working on roadside equipment, traffic signals and tunnel control systems. Also consider separate radio-based comms for field crews so they can coordinate during a cyber-incident (or energy blackout) that disables corporate IT or public networks.
- Ensure incident detection, monitoring and response are in hand, covering, for example, anomalies, unauthorised changes, or ransomware-like behaviour in systems and servers.
- Develop and test incident response plans, as well as business continuity and disaster recovery plans for a range of scenarios.
- Review your fail-operational modes for critical systems such as traffic signals or tunnel ventilation.
- Enhance security around the supply chain and connected devices (roadside sensors, cameras, VMS, tunnel monitoring).
- Involve teams in training and awareness sessions to build skills in recognising phishing or unusual system behaviours. Similarly, run sessions to test attack responses and validate that contingency plans work.
