Good day my good friend.

At the time I am writing this, I am on an LNER train speeding north through the Hertfordshire countryside (having just this second passed over the Digswell Viaduct) towards York, for an event that I may have mentioned once or twice. By the time that this newsletter goes out, it should be lunch at said event, and I will probably be dealing with issues like not enough paper in a room or a lack of post-it notes.

I have co-authored a book on Mobility-as-a-Service, which is a comprehensive guide on this important new transport service. It is available from the Institution of Engineering and Technology and now Amazon. 📕

🔓 Security flaws

Some of you likely know that Transport for London is currently dealing with a cyber attack. And for those of you who know more than the emails are letting on, it’s a bad one. As in payment systems in lockdown, staff being locked out while all systems are checked, and yes, people’s personal data having been accessed.

Clearly I do not know what was the cause of it (and even if I did it would be a really bad idea to share it for obvious reasons), but this comes as no shock to any transport professionals who have been paying attention. Not because TfL is bad at security, I don’t doubt that theirs was top-notch. But because in the information age, the security of our transport services and infrastructure from cyber attack is often not thought of, and the failure to do so can be catastrophic.

We like the idea of software simply making transport services effortless. Behind things like the Oystercard and contactless payment there are endless systems and communication networks that make the whole thing work. Each of which has weak points that can be exploited and attacked, and each of which needs an understanding of security systems and basic techniques to keep operational systems safe from cyber attack before we can imagine what these systems will be able to offer us by way of service.

Doing that requires understanding that this is not just an operational matter (i.e. not just up to your IT department), but it requires an understanding of how the world of cyber security affects your ability to deliver your strategy. To put it plainly, we know that reducing people getting killed, injured, and coming to harm affects our ability to achieve wider goals like health. We need to start thinking that having infrastructure and services crippled by a cyber attack would also affect our wider goals, from the economy to life.

In some ways it is similar to how we tackle road safety. We understand the causes, the likely actors, the attack vectors, potential for mitigation and resilience measures to be put in place, before considering recovery.

The former two are not what they are often expected to be. When I undertook a study of cyber security and intelligent mobility, the primary actors in this space are likely motivated by money and political factors, as opposed to the image of a hacker trying to hack something for the pleasure of it. Their main attack vectors are not to brute force the firewall (though this is often used to identify weak spots), but to use behavioural psychology to trick people into giving access to critical systems, or their bank details. I am sure many of you can remember that scam email, but those who want to get your data can be far more crafty than that.

What are the practical things that we can do? Well, the first one is obvious but is so often forgotten. Ask yourself whether this system really needs to be connected to the internet. When speaking to Paul Galwas, cyber security expert at the Digital Catapult many years ago, he likened it to building a wall and then putting in gates every few yards just because you can, when all you need is one gate to do the job.

This is especially important for safety critical systems, where you should really be erring on the side of having to physically go out and change things when something needs sorting, rather than having the equipment connected through the internet. Or at least use private communications networks that are highly encrypted. I personally have seen bridge control mechanisms that are activated through an internet-connected WiFi network, which is ripe for abuse.

A further aspect of this is to understand that for those wishing to cause you harm, the choice to do so is a balance of risk and reward. If it’s low reward, like access to your cooking recipes, it’s not worth the risk. On the other end of the scale, if you can bring a rail network to a standstill or steal the bank details of millions of people, a greater risk is worth it. In many circumstances, putting up even basic cyber security measures can act in the same way as locking up your bike with a tough lock. If someone wants to steal it from you, they will find a way, but a more casual perpetrator will walk on by and find an easier target.

When it comes to resilience and planning for recovery, having internet-connected services and infrastructure brings further complexity to such operations. Many highway engineers can probably list off options of what to do when a motorway embankment subsides and closes the carriageway for a long time. But how do you plan for highway network recovery when a cyber attack takes down your traffic control systems, with lights switching at random?

This is all highly complex stuff, and a lot to get our heads around as planners. But this is the world in which we live. More and more things are being connected to the internet, and as a profession we are more reliant on the internet than ever before to perform basic functions. With almost no knowledge of what to do when it fails. And at some point, it will, and with catastrophic consequences.

Thankfully, here in the UK, we have genuinely world-leading cyber security capability. Maybe it’s time we talked to them, and got our systems safe and secure. We do that in the physical world. Now it’s time to do it in the online world.

👩‍🎓 From academia

The clever clogs at our universities have published the following excellent research. Where you are unable to access the research, email the author – they may give you a copy of the research paper for free.

Urban green spaces in rapidly urbanizing cities: A socio-economic valuation of Nairobi City, Kenya

TL:DR – Green spaces = good.

Do cyclists disregard ‘priority-to-the-right’ more often than motorists?

TL:DR – Yes, but the behaviour is more nuanced than that.

Equity of access to rail services by complementary motorized and active modes

TL:DR – Access to train services affects local inequities.

Matching, centrality and the urban network

TL:DR – Access to work has a funny impact on local labour markets.

📺 On the (You)Tube

Flowers, and making intersections safer. What more can you ask for?

🖼 Graphic Design

Wind power installations as of 2023 (Source: Visual Capitalist)

Even if the transport industry is not decarbonising fast, the power sector might just give us the time to do what needs to be done.

📚 Random things

These links are meant to make you think about the things that affect our world in transport, and not just think about transport itself. I hope that you enjoy them.

👍 Your feedback is essential

I want to make the newsletter better. To do this, I need your feedback. Just fill in the 3 question survey form by clicking on the below button to provide me with quick feedback, that I can put into action. Thank you so much.
