Christian Compton
Principal cyber security consultant, Epsom, UK
Christian Compton, AtkinsRéalis Principal Cyber Security Consultant, discusses rising cyber threats and new regulations for the highways sector in Highways Magazine
The highways sector hasn’t traditionally been a primary target for cyber criminals, but consider the scenario of a prominent tunnel experiencing an attack: Traffic management systems go dark, CCTV feeds freeze and digital signage displays incorrect information. Traffic builds up for miles as motorists are left confused and operations personnel are locked out of systems.
While hypothetical, the threats facing the highways sector are very real. The Transport for London cyber incident in late 2024 was a stark reminder of how transport infrastructure is an attractive target for cyber criminals and state actors.
The risk will only increase as the highways sector embraces new technologies – from smart gantries to AI-powered traffic management systems. Each of them introduces new efficiencies but also new vulnerabilities.
As the US Federal Highway Commission noted [1] last year, “In the past, our most frequent cyber incidents were pranksters changing construction zone traffic signs. Today, we face risk from criminal organizations who are targeting nonfinancial organizations with ransomware.”
In the UK, the National Cyber Security Centre (NCSC) reported [2] a tripling of severe cyber attacks on organizations in 2024, with critical national infrastructure increasingly targeted and CEO Dr Richard Horne warning of a "widening gap" between cyber threats and defenses.
Impending regulatory changes
This gap is seemingly prompting the first major legislative changes since the introduction of the Network and Information Systems (NIS) regulations in 2018.
The forthcoming Cyber Security and Resilience Bill, announced in the King’s speech, would expand regulatory scope and strengthen compliance requirements, introducing new obligations for supply chains, enhanced powers for regulators, and faster incident reporting timelines.
Additionally, the enhanced Cyber Assessment Framework (eCAF) will introduce additional requirements for “contributing outcomes”, with mandatory compliance from March 2028.
The highways sector can prepare itself for these new obligations by managing technology integration issues, strengthening incident reporting and supply chain assurance, and continually developing a cyber security-conscious culture.
The IT and OT duality
Much like a Victorian bridge originally engineered for lightweight horse-drawn carriages but now bearing the weight of heavy EVs, operational technology (OT) is being compelled to interface with information technology’s (IT) more dynamic and interconnected networks.
This convergence creates fundamental security challenges. IT typically prioritizes confidentiality, while OT focuses on availability, a clash which becomes critical when integrating systems. OT environments - from tunnels to traffic systems - are now exposed to cyber threats through their connection to enterprise networks. These legacy systems, often difficult to update, can become vulnerable entry points for threat actors.
A key challenge is asset management. The first step in protecting an OT network is knowing what you have, but organizations can lack a complete inventory of devices due to decades of accumulated equipment and limited documentation. While asset discovery tools exist, these can also introduce new risks. Selecting and implementing appropriate solutions requires specialist expertise. AtkinsRéalis has supported water and aviation clients in deploying these tools.
In the US, the Federal Highway Administration has emphasized the importance of collaboration between operations and IT specialists so each understands how critical OT systems are different from common enterprise technologies. This reflects the demand for multi-disciplinary capabilities - blending engineering expertise with cyber security knowledge in OT environments.
Cracks in the supply chain
The complexity of cyber security extends beyond organizational boundaries to supply chain vulnerabilities. SecurityScorecard data suggests [3] 29% of breaches are linked to third-party vectors, explaining why robust incident reporting and supply chain management feature prominently in the impending Cyber Security and Resilience Bill.
The challenge is particularly acute in OT environments, where suppliers may not fully grasp the cyber security implications of their goods or services. While this is being addressed in the UK through guidance documents for emerging technologies, the sector also faces tightening incident reporting requirements.
Current 72-hour reporting windows under NIS regulations are likely to shrink to 24 hours if the UK follows the EU's NIS2 framework, with new requirements for detailed follow-up reports.
Cyber conscious cultures
Even with strong protections in place around technology, policies and processes, creating a cyber conscious culture is key. And it requires more than training sessions.
Artificial intelligence introduces new threats, such as deepfakes, requiring awareness and monitoring. And organizations must integrate security considerations into project planning from the outset, adopting a "secure by design" approach.
Wargame exercises are becoming essential in the cyber defense toolkit, putting organizations through their paces to test them in dynamic situations and identify any blind spots. AtkinsRéalis has conducted these exercises with clients such as Network Rail to enhance capabilities and procedures.
Clear incident reporting procedures and whistleblower protection form key elements of security culture. Organizations need to foster an environment where staff can raise security concerns without fear of repercussion, ensuring ongoing improvement and appropriate investment in protective measures.
Avoiding tunnel vision
Resource constraints may lead organizations to focus on baseline compliance, but the NCSC’s warning about the growing gap between threats and defenses emphasizes the need for action. While cyber threats evolve, the fundamentals remain: understanding assets, streamlining processes, and fostering a cyber-conscious culture are central to effective cyber security.
While a busy tunnel may seem an unlikely target to some, our increasingly digital highways - from smart tunnels to AI systems - demand more than just regulatory compliance. Cyber resilience is essential to keep millions of motorists moving safely every day.
A truncated version of this article first appeared in the March 2025 edition of Highways Magazine. AtkinsRéalis is a strategic supplier to the UK highways sector; its portfolio includes supporting National Highways with the delivery of its major technology programmes and, as part of Connect Plus Services, helping to manage and operate the M25 network.