When we think of connected devices, most of us consider computers, phones and tablets – perhaps smart TVs and connected gadgets around the house. We aren’t thinking about the transportation industry. Yet, if you drive a newer model car, it likely relies on many internal microchips and external sensors just to back out of the driveway.
From smart or autonomous automobiles to next-gen GPS devices, the transportation industry is experiencing significant changes thanks to transformative transportation technologies and the Internet of Things (IoT).
The transportation sector supports the movement of people and goods and includes the combination of vehicles, infrastructure, and operations that enable these movements. The transportation system includes aviation, roads and bridges, inland waterways, ports, rail, and transit.
The transportation industry is vital to the Canadian economy and disruption to the system can have a significant socio-economic impact. While digital technologies have improved functionality and efficiency for transportation infrastructure, these cyber systems also bring increased risk. That means that, overall, the transportation sector needs to improve its cybersecurity practice. Robust cybersecurity is essential for the secure and continuous operation of transportation systems and the safety of the people and goods being moved.
Efficiency Means Vulnerability
Information technology and interconnectivity have improved efficiency and functionality for transportation infrastructure. However, they have also brought an increased risk associated with being online.
Currently, electronic data can track the location, status and condition of assets and the associated infrastructure. Also, it can monitor and communicate environmental factors such as weather-related risks, traffic, and closures at ports and borders in real-time. The more interconnected data systems flowing throughout the value chain, the more exposed a company is. Airlines and airport infrastructure, railway infrastructure owners and operators, logistical companies, and the automotive industry are all prone to cyber attacks that have the potential to interrupt physical networks and cause massive disruption.
Why is the transportation sector particularly vulnerable to cyber risks?
Like every other sector, more digital transformation means more risk. In transportation, there is a wide range of data communicating across networked transportation systems, monitoring both physical and digital networks, often spanning extensive geographic areas. As more control systems and IoT devices are brought online, more vulnerabilities will surface that increase the potential for disturbance to physical assets. Threat detection is made more challenging by the vast electronic and physical networks that comprise the transportation sector, expanding the threat landscape.
There are many types of incidents that affect the transportation industry. The most commonly occurring events are malicious data breaches. Malicious data breaches account for 27.1 percent of all incidents, resulting in an average loss of $330,000 per episode.
Privacy-related incidents account for 22.9 percent of cyber incidents with average losses of $1.52 million for unauthorized contact or disclosure and $1.61 million for unauthorized data collection.
Of all of the types of cyber incidents, unintentional disclosure of data is the most destructive, costing victim companies on average $3.17 million per occurrence. Unintentional disclosure of data usually results from companies failing to comply with government regulations on information disclosure, which then results in fines, reprimand, and a loss of reputation.
Attacks on Transportation
Hong Kong-based airline, Cathay Pacific Airways Ltd., was the target of the world’s largest airline data breach in 2018. A hacker retrieved credit card, passport and contact details of approximately 9.4 million customers. The data theft caused Cathay Pacific Airways Ltd.’s shares to slump, reducing its market value by $361 million. The positive in this situation was that flight safety wasn’t compromised, nor does it appear the stolen data was used nefariously.
In 2015, United Airlines, the world’s second-largest airline and major contractor for U.S. government travel, was hacked by a state-sponsored group from China. This time, credit cards weren’t the focus. Flight manifests were stolen which contain information on all flight passengers including their origins and destinations, meaning that the hacker group gained “data on the movements of Millions of Americans” some of whom could have been high-ranking military leaders.
Airlines are certainly not the only target. Time to market in a digital marketplace has placed increasing pressure on the fast delivery of goods to manufacturers, retailers, and customers. That means the Operational Technology (OT) transportation sector is increasingly reliant on networked devices to speed up delivery and is, therefore, more susceptible to cyber threats.
Cybercriminals have abused container shipping companies and container port operators’ technologies. By hacking into networked OT systems, criminals have been able to gain entry into cargo systems, redirecting containers, and worse, making them disappear off the grid. More and more, the most successful way to disrupt critical transportation infrastructure is by targeting the OT network, specifically IoT devices and systems that have been joined to traditionally isolated OT environments. Tying consumer data to shipping helps track the delivery of goods; however, that data now exposes the same consumer to risk.
The escalating connectivity of navigation and cargo systems to satellite and Internet communication brings with it a rapid growth of cyber risk. In 2013, a University of Austin student participating in an experiment aboard an $80M yacht managed to successfully trick the ship’s navigation system, steering the ship off course. In 2017, the U.S. Department of Homeland Security demonstrated that it could hack a parked commercial 757 aircraft remotely by exploiting its aircraft communications system.
Persistent Threats
Rick Peters, Operational Technology Global Enablement Director, Fortinet, warns:
Advanced Persistent Threats (APT’s) also represent a clear and present danger to the transportation industry. Compromised ticketing and scheduling systems, for example, can shut down transportation hubs for hours or days. Airlines security experts agree that to combat sophisticated cyber-attacks more intelligence across the cyber kill-chain must be shared between carriers, but this requires public-private cooperation that doesn’t currently exist.
For manufacturers of transportation devices, such as ships or airplanes, espionage is another primary goal. 47% of malware aimed at manufacturers was intended to steal intellectual property and trade secrets. According to the National Center for Manufacturing Sciences, 21% of manufacturers lost intellectual property as a result of a cyber attack, with more than 90% of the corporate data exfiltrated by criminals considered “secret” or “proprietary.”
Cybersecurity for the Transportation Industry
The threats to the transportation sector are many and complex. Despite escalating cyber risks, many OT operators have still not taken adequate measures to protect their systems. The reality is that many organizations haven’t deployed Secure Shell or Transport Layer Security traffic encryption for their communications. Also, many companies don’t employ role-based access control for employees and actually multiply their risk by giving vendors and partners high-level system access.
Zero trust
A zero trust, or earned trust, access model needs to be put in place. Start by examining your OT network calculating the potential harm that could occur should it become compromised. Map out functional zones and implement segmentation and access controls to limit the scale of any potential OT system breach.
User and Entity Behavior Analytics
User and Entity Behavior Analytics systems should be installed to detect and respond rapidly to any abnormal behaviour that threatens continuous and safe OT operations.
Educate
All companies need to prioritize cybersecurity education in their cybersecurity strategy; including cybersecurity awareness programs, cyberliteracy programs and cyber hygiene training. As the Canadian Institute for Cybersecurity, University of New Brunswick stated, “Cybersecurity and privacy, once issues only for technology experts have become widespread concerns in business and society. Cybersecurity is no longer just an IT problem. It is a business problem; it is everyone’s problem. The weakest link in cybersecurity is now people, not devices. As such, the human factor is considered the biggest threat to cyber safety.”
Culture
Create a culture of cybersecurity in your organization – making cybersecurity a priority for employees at all levels.
Ask a specialist
Partner and communicate with a cybersecurity specialist.
Assess
Conduct a vulnerability assessment.
Strategize
Develop and follow a cybersecurity incident response plan.
Practice
Conduct organization-wide cybersecurity exercises to keep staff sharp.
Stay alert and adapt
Stay current on the changing threat landscape and adjust your incident response plan accordingly.
Protecting transportation infrastructure is of vital importance with cyber attacks increasingly targeting transportation providers. Transportation and transportation infrastructure operators need to respond with network fortification measures and transport-specific incident response plans.
Talk to the cybersecurity solutions specialists at ISA, who have over 27-years of demonstrated industry excellence, about how to protect your transportation company from a cyber attack.