Mobility as a service: MAnaging Cybersecurity Risks across Consumers, Organisations and Sectors (MACRO)

Mobility as a service (MaaS) concept offers a user a unified service that combines various forms of transport at a single gateway. MaaS carries a promise of reduction of traffic congestion, improvement of customer convenience, reduction of social inequalities and carbon emissions by fostering the use of public transport. Key enablers for MaaS encompass (1) a single application allowing to plan and conduct journeys, (2) software system allowing multiple actors deliver MaaS, and (3) AI-based analytics allowing journey and resource optimisation. All those are susceptible to a wide range of types of cyber-attacks and the complexity of the MaaS ecosystem (customers, transportation providers, data providers, etc.) and its dependence on the data creates a unique challenge from the cyber security perspective.

This interdisciplinary proposal leverages leading research expertise and excellence on energy transitions, infrastructure systems modelling, and artificial intelligence from Cranfield University and cybersecurity and human factors from University of Kent.

The ambition is to develop the world's first agent-based modelling framework that will explicitly focus on the cyber security aspects of the MaaS ecosystem. This shall be achieved by use of agent-based simulation techniques to define a modelling framework that will encompass cross-sector and cross-organizational agent interactions in the context of mobility, data sharing, and cybersecurity threats. While our ambition is defining a comprehensive view of the MaaS ecosystem, the proposal intends to focus on a MaaS customers' perspective: incentives, behaviours in both terms of transportation needs and cybersecurity behaviours and attitudes - this will be achieved by developing agent-based simulation with complex, adaptive agents who are capable optimise their behaviour.

One of key enablers of the MaaS ecosystem is exploitation of data by means of predictive Artificial Intelligence (AI) models. It has been widely accepted that machine learning and AI algorithms can be exploited by malicious actors using sophisticated cyber attacks. One of the proposed work streams will explore how the rapid deployment of new deep learning algorithms by service providers can be adversarially fooled to create unfairness and failures in the individual sectors and in the wider MaaS ecosystem and how this can be effectively mitigated in a wide range of case studies.

The practical value of the framework and its ability to capture interdependencies between physical aspects of MaaS and cyber domain will be validated by means of integration of case studies data. The validity of model definition and produced outputs will be reviewed during a series of expert workshops and knowledge dissemination activities. These would be attended by stakeholders and subject matter experts comprising a mix of representatives of academics, government, regulators and industry, including our past/ current collaborators such as Ofgem, National Rail, local authorities, bus operators, Data Communications Company, and commercial providers developing integrated technologies or services (e.g. IBM). The public acceptability of the developed MaaS scenarios and strategies to make them secure will be analysed in focus groups.

The final report will discuss insights and lessons learned from development of a cross-sector cyber security framework, the fitness of existing institutional landscape for the development of MaaS and opportunities, barriers and risks for the alignment of policy and regulatory frameworks across communications, transport and energy systems to address potential conflicts and vulnerabilities from the cyber security perspective.