Cyber Security Essentials | Operational resilience

May 5, 2023

The ongoing protection of Critical Infrastructure from cyber-attacks has implications for us all – whether it’s supporting our health, well-being or simply our way of life, there is good reason to reflect on the effectiveness of your cyber security. Cyber security risks are nothing new and the vulnerability of critical infrastructure to them (and the heightened impact) has recently been under increased scrutiny. The tensions caused by Russia’s invasion of Ukraine, broader geo-political tensions and the increased criminal and nation-state-sponsored cyber-attacks have exacerbated our need for concern.

Planes, Trains and Automobiles

On March 21st, the European Agency for Cyber Security (ENISA) posted a report that was, for the first time, quite specific to the transportation sector. They drew attention to primary risk types that have led to attacks on the transportation sector in the last 2 years, covering:

  • Airports, airlines and air traffic control
  • Ports (cargo and passenger services)
  • Rail operators (track and passenger services)
  • Roads and traffic management

The report is here: https://www.enisa.europa.eu/publications/enisa-transport-threat-landscape

This comes as a backdrop to the increased disruption to the transportation sector that we have all experienced in the last little while, through ransomware attacks by cyber criminals.

Whether it’s the return to passenger travel post COVID, the supply chain pressures experienced in many industries, the effects of industrial action across Europe and the UK or simply cost of living pressures, everyone is now aware of our dependence on the transport sector to convey us, feed us and transport the goods and services we buy and sell.

An attack on a major freight carrier, or one that takes down air services across a region, or disrupts rail travel, could have serious implications for us all. And the reality is, this is not a peek at the future by ENISA, but a chronicle of events in the last few years.

The OT/IT dilemma in critical infrastructure

Critical infrastructure industries, like most others, are increasingly depending on IT systems for ticketing, billing, passenger management, freight inventories, customs and excise links and even port and airport logistics. In supporting these tasks, they can expose more vulnerable operational technology (OT) systems – like traffic management, navigation, control systems, warehousing and stock management and safety systems – to the risks of attack. There really is a lot to go wrong, and the transportation sector is only one example of the duality of OT and IT threats to manage across multiple Critical Infrastructure sectors.

Leaving on a jet plane

Most of us have witnessed disrupted air travel in recent times. The complete embargo resulting from COVID restrictions was a rather extreme case, but the inability to travel affected people more than freight. Putting aside staff shortages, IR issues and the rather lengthy re-start after COVID, disruptions to the aviation industry have also been caused by IT failures, air traffic control outages and even navigational delays that have grounded planes and rendered airports dormant. Industry participants have been pressed.

Most have seen how these problems in the airline industry can quickly cause a drag on economic confidence.

In mid-2021 the trade body EuroControl observed that “every week a ransomware attack hits an aviation actor somewhere across the globe, disrupting business continuity and capable of bringing operations to a grinding halt”. Read more here.

In this blog on the subject, GlobalSign note:

“Free Wi-Fi on planes, in-flight entertainment systems, and digital boarding passes are just some new technologies that are reshaping the industry…. passengers, airlines and airports increasingly utilize software to manage their supply chain. Also, airplanes increasingly rely on digital controls to operate effectively, and aviation companies utilize IoT devices and cloud services to enhance their services further.”

The risks from more targeted attacks on these in-flight, airport, and even maintenance systems remain high.

Last train to transcendental

While the train network doesn’t have the complexity of the aviation sector, it is no less reliant on technology, both IT and OT, and so equally at risk of cyber-attacks.

This directive on railway cyber security was issued by the Department of Homeland Security in the US late last year. It recognises the importance of rail transportation, particularly for freight in the US; but with rail travel a part of life for many in Europe, disruptions caused by a cyber-attack to our leisure, commuting or freight transport needs could quickly impact our everyday lives.

While a train cannot fall out of the sky, signalling systems, timetables, ticket booking, safety systems and other technologies are fundamental to the smooth running of many economies. This was seen recently when, as a side-effect of Russia’s invasion of Ukraine, activist hackers targeted the Belarus railway system to interrupt troop movements.

When the ship comes in

Cyber security in the shipping sector was brought into sharp focus in 2017 with the ransomware attack on shipping and logistics giant, Maersk. While lives were not directly lost as a result of the attack, the supply chain disruptions caused by protracted and expensive losses of cargo and other freight and ferry services reportedly cost around US$200-300 million, and were just a taste of the damage that could be caused.

There is guidance and advice available – including from the industry bodies here.

The guidelines caution about risks that can potentially result from the shipping sector’s increasing reliance on IT services and systems:

“Shipping is relying increasingly on digital solutions for the completion of everyday tasks.”

And go on to say:

“The rapid developments within information technology, data availability, the speed of processing and data transfer present shipowners and other players in the maritime industry with increased possibilities for operational optimisation, cost savings, safety improvements…However, these developments to a large extent rely on increased connectivity often via internet between servers, IT systems and OT systems, which increases the potential cyber vulnerabilities and risks.”

Back on the road again

Finally, on the road network, the scale of problems and risks might be less, but here too, ENISA flags that there are still threats affecting car manufacturers, taxi and transport companies and government directorates.

Whether it’s the freighting of goods that is becoming increasingly dependent upon digitally integrated warehouse, logistics and freight services, or the coming age of automated traffic signalling and self-driving vehicles, road systems will become targets too. Already there is significant evidence to suggest that hackers can over-ride even the most sophisticated vehicular systems to take control of key aspects of vehicle security or operating systems. Just think about that on a peak-hour morning – when any control you thought you might have about destinations and travel times suddenly disappears.

Summary

If, as ENISA warns, digital extortion is coming for OT systems, the transportation sector, as an obvious target, will need to improve its defences. Whether these attacks are driven by cyber criminals or sovereign governments, stakeholders will have to assess the risk and disruption that cyber-attacks pose, and the range of health and safety, environmental and economic impacts that could result from a cyber-attack.

In a zero-trust world, the ability to deploy security as close to end points and terminals as possible, and to build in comprehensive monitoring of fault detection failures and malicious attacks, is going to prove vital if we are to avoid the wheels, literally, falling off this important part of the international economy.
