The ongoing protection of Critical Infrastructure from cyber-attacks has implications for us all – whether it’s supporting our health, well-being or simply our way of life, there is good reason to reflect on the effectiveness of your cyber security. Cyber security risks are nothing new, and the vulnerability of critical infrastructure to them (and the heightened impact) has recently been under increased scrutiny. The tensions caused by Russia’s invasion of Ukraine, broader geo-political tensions and the increased criminal and nation-state-sponsored cyber-attacks have exacerbated our need for concern.
On March 21st, the European Agency for Cyber Security (ENISA) posted a report that was, for the first time, quite specific to the transportation sector. They drew attention to primary risk types that have led to attacks on the transportation sector in the last 2 years, covering:
The report is here: https://www.enisa.europa.eu/publications/enisa-transport-threat-landscape
This comes as a backdrop to the increased disruption to the transportation sector that we have all experienced in the last little while, through ransomware attacks by cyber criminals.
Whether it’s the return to passenger travel post COVID, the supply chain pressures experienced in many industries, the effects of industrial action across Europe and the UK or simply cost of living pressures; everyone is now aware of our dependence on the transport sector to convey us, feed us and transport the goods and services we buy and sell.
An attack on a major freight carrier, or one that takes down air services across a region, or disrupts rail travel, could have serious implications for us all. And the reality is, this is not a peek at the future by ENISA, but a chronicle of events in the last few years.
Critical infrastructure industries, like most others, are increasingly dependent on IT systems for ticketing, billing, passenger management, freight inventories, customs and excise links and even port and airport logistics. In supporting these tasks, they can expose more vulnerable operational technology (OT) systems, such as traffic management, navigation, control systems, warehousing and stock management, and safety systems, to the risks of attack. There really is a lot to go wrong, and the transportation sector is only one example of the duality of OT and IT threats to manage across multiple Critical Infrastructure sectors.
Most of us have witnessed disrupted air travel in recent times. The complete embargo resulting from COVID restrictions was a rather extreme case, but the inability to travel affected people more than freight. Putting aside staff shortages, IR issues and the rather lengthy re-start after COVID; disruptions to the aviation industry have also been caused by IT failures, air traffic control outages and even navigational delays that have grounded planes and rendered airports dormant. Industry participants have been pressed.
Most have seen how these problems in the airline industry can quickly cause a drag on economic confidence.
In mid-2021 the trade body EuroControl observed that “every week a ransomware attack hits an aviation actor somewhere across the globe, disrupting business continuity and capable of bringing operations to a grinding halt”. Read more here.
In this blog on the subject, GlobalSign note:
“Free Wi-Fi on planes, in-flight entertainment systems, and digital boarding passes are just some new technologies that are reshaping the industry…. passengers, airlines and airports increasingly utilize software to manage their supply chain. Also, airplanes increasingly rely on digital controls to operate effectively, and aviation companies utilize IoT devices and cloud services to enhance their services further.”
The risks from more targeted attacks on these in-flight, airport, and even maintenance systems remain high.
While the train network doesn’t have the complexity of the aviation sector, it is no less reliant on technology, both IT and OT, and so is equally at risk of cyber-attacks.
This directive on railway cyber security was issued by the Department of Homeland Security in the US late last year. It recognises the importance of rail transportation, particularly for freight in the US; but with rail travel a part of life for many in Europe, disruptions caused by a cyber-attack to our leisure, commuting or freight transport needs could quickly impact our everyday lives.
While a train cannot fall out of the sky, signalling systems, timetables, ticket booking, safety systems and other technologies are fundamental to the smooth running of many economies. This was seen recently when, as a side-effect of Russia’s invasion of Ukraine, activist hackers targeted the Belarus railway system to interrupt troop movements.
Cyber security in the shipping sector was brought into sharp focus in 2017 with the ransomware attack on shipping and logistics giant Maersk. While lives were not directly lost as a result of the attack, the supply chain disruption caused by protracted and expensive losses of cargo and other freight and ferry services reportedly cost around US$200-300 million, and was just a taste of the damage that could be caused.
There is guidance and advice available – including from the industry bodies here.
The guidelines caution about risks that can potentially result from the shipping sector’s increasing reliance on IT services and systems:
“Shipping is relying increasingly on digital solutions for the completion of everyday tasks.”
And go on to say:
“The rapid developments within information technology, data availability, the speed of processing and data transfer present shipowners and other players in the maritime industry with increased possibilities for operational optimisation, cost savings, safety improvements…However, these developments to a large extent rely on increased connectivity often via internet between servers, IT systems and OT systems, which increases the potential cyber vulnerabilities and risks.”
Finally, on the road network, the scale of problems and risks might be less, but here too, ENISA flags that there are still threats affecting car manufacturers, taxi and transport companies and government directorates.
Whether it’s the freighting of goods that is becoming increasingly dependent upon digitally integrated warehouse, logistics and freight services, or the coming age of automated traffic signalling and self-driving vehicles, road systems will become targets too. Already there is significant evidence to suggest that hackers can over-ride even the most sophisticated vehicular systems to take control of key aspects of vehicle security or operating systems. Just think about that on a peak-hour morning – when any control you thought you might have over destinations and travel times suddenly disappeared.
If, as ENISA warns, digital extortion is coming for OT systems, the transportation sector, as an obvious target, will need to improve its defences. Whether these attacks are driven by cyber criminals or sovereign governments, stakeholders will have to assess the risk and disruption that cyber-attacks pose, and the range of health and safety, environmental and economic impacts that could result from a cyber-attack.
In a zero-trust world, the ability to deploy security as close to end points and terminals as possible and build in comprehensive monitoring of fault detection failures and malicious attacks is going to prove vital if we are to avoid the wheels, literally, falling off this important part of the international economy.