How dangerous is a cyberattack to transport?
If an attacker breaches a transit agency’s systems, the impact could go far beyond server downtime or email leaks. Imagine an attack on a transport authority that manages train and metro routes. The results could be terrible.
Between June 2020 and June 2021, the transportation industry saw a 186% increase in weekly ransomware attacks. In one incident, attackers breached New York Metropolitan Transportation Authority (MTA) systems. Fortunately, no one was injured, but incidents like these are concerning. It’s clear that transportation organizations need strong security to keep their systems and their passengers safe.
Essential public infrastructure
According to the recent X-Force Threat Intelligence Index, ransomware was the top attack type globally in 2021 for the third consecutive year.
The report states, “Malicious insiders emerged as the top type of attack against transportation organizations in 2021, accounting for 29% of attacks against this industry. Ransomware, [remote access Trojans], data theft, credential harvesting, and server access attacks also played a role against transport in 2021.” We’ll come back to the topic of “malicious insiders” later.
As part of essential public infrastructure, transportation is particularly at risk. Most people and businesses depend on transportation, whether it’s getting to work on time, sending goods, or receiving medical supplies. If an attack disrupts transportation, entire supply chains could collapse. Disruption of traffic lights or rail transport could cause physical harm.
New rules for digital defense
In response to the growing threat, the Department of Homeland Security’s Transportation Security Administration (TSA) announced new cybersecurity requirements for surface transportation owners and operators.
The requirements apply to higher-risk freight railroads, passenger rail, and rail transit. They require owners and operators to:
- Appoint a cybersecurity coordinator
- Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours
- Develop and implement a cybersecurity incident response plan to reduce the risk of operational disruption and
- Perform a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.
Motives behind cyberattacks
The motives for attacks on transport agencies vary. Some intruders steal information or deploy ransomware for profit. Other attackers may be backed by foreign nations seeking to cause disruptive or destructive effects to advance foreign policy goals. While any incident can disrupt systems, state-backed attacks carry a higher risk of equipment malfunctions and accidents.
Rogue Foreign Actors
During the attack on the New York MTA, the attackers made no financial demands. Instead, the breach appears to have been part of a recent series of widespread intrusions by skilled attackers. According to FireEye, a private cybersecurity firm that helped find the flaw, the intruders were likely backed by the Chinese government.
In late 2018, another attack resulted in the indictment by a federal grand jury of two Iran-based men. They were accused of hijacking the Colorado Department of Transportation’s (CDOT) computer systems as part of the SamSam ransomware campaign. The Iran-based attackers reportedly demanded a Bitcoin ransom to decrypt the infected CDOT data. The incident brought down the computer systems of 1,700 employees. It took six weeks and nearly $2 million to bring the department’s systems back online.
In the end, the CDOT did not pay the ransom. The state had digital backups that allowed it to restore the encrypted data. Additionally, segmented network operations helped prevent the spread of malware to other departments or agencies. That’s why servers controlling traffic lights or other road systems in Colorado didn’t feel the impact.
What should transport leaders do?
Given the widespread and ongoing threat to the transportation industry, the TSA has developed a toolkit. If we dig into the guidelines for rail, mass transit, and surface transportation, we find that cybersecurity coordination, reporting, and response plans are critical. Vulnerability assessment is also a high priority, and the TSA recommends that agencies refer to the NIST Cybersecurity Framework for guidance.
Vulnerability assessment should include Internet of Things (IoT) security as more sensors and devices are deployed in industry. In order to align the many moving parts and logistics of any transportation system, IoT devices are essential. However, device connections are potential entry points for attackers, and you should assess this risk as well.
Transport Attack Risk Mitigation
Like any organization, transportation agencies are exposed to the threat of a cyberattack, but the stakes can be higher. This is one of the reasons why Alejandro Mayorkas, Secretary of Homeland Security, said that “Ransomware is now a threat to national security.” Although the TSA guidelines address incident response, where can one find guidance on mitigating risk?
The X-Force Threat Intelligence Index not only examines the current risk landscape, but it also offers advice on how to reduce the risk of compromise. Here are some suggestions from the X-Force report to mitigate cyber risk:
Zero Trust: This approach assumes that a breach has already occurred and is intended to make it harder for an intruder to move through a network. A Zero Trust program starts by establishing where critical data resides and who has access to it. Robust verification measures (multi-factor authentication, least privilege, identity and access management) are deployed across the entire network to ensure that only the right people access this data, in the right way. This is especially important for transportation, as nearly a third of attacks on agencies come from malicious insiders.
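To make the Zero Trust points above concrete, here is an added example (not from the X-Force report or any agency’s code) of a deny-by-default access decision for a transit agency’s data stores: role entitlement (least privilege), MFA for sensitive tiers, and an allowed network zone are all checked, and every decision is logged so repeated denials by one insider stand out. Resource names, roles and zones are constructed for illustration.

```python
"""Zero Trust style access decision for transit-agency resources (hypothetical)."""
from collections import Counter
from dataclasses import dataclass

# Constructed catalogue: resource -> (sensitivity tier, roles entitled to it)
RESOURCES = {
    "timetable-public": ("low", {"dispatcher", "analyst", "signal-eng"}),
    "fare-db": ("high", {"analyst"}),
    "signal-config": ("critical", {"signal-eng"}),
}
MFA_REQUIRED = {"high", "critical"}          # tiers needing a verified second factor
ZONE_ALLOWED = {                              # where each tier may be reached from
    "critical": {"ot-jumphost"},
    "high": {"ot-jumphost", "corp"},
    "low": {"ot-jumphost", "corp", "vpn"},
}

@dataclass
class Request:
    user: str
    role: str
    resource: str
    mfa_verified: bool
    zone: str

@dataclass
class Decision:
    allowed: bool
    reason: str

def evaluate(req: Request, audit: list) -> Decision:
    """Deny by default; the first failed check becomes the logged reason."""
    entry = RESOURCES.get(req.resource)
    if entry is None:
        d = Decision(False, "unknown resource")
    else:
        tier, roles = entry
        if req.role not in roles:
            d = Decision(False, f"role {req.role} not entitled to {req.resource}")
        elif tier in MFA_REQUIRED and not req.mfa_verified:
            d = Decision(False, f"{tier} tier requires MFA")
        elif req.zone not in ZONE_ALLOWED[tier]:
            d = Decision(False, f"zone {req.zone} not allowed for {tier} tier")
        else:
            d = Decision(True, "all checks passed")
    audit.append((req.user, req.resource, d.allowed, d.reason))  # every decision is recorded
    return d

def denied_by_user(audit: list) -> dict:
    """Denials per user: a simple insider-misuse signal for the SOC to review."""
    return dict(Counter(user for user, _, allowed, _ in audit if not allowed))
```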
Security automation: With global threats, various types of attacks, and multiple layers requiring protection, security automation is essential. Machines complete tasks much faster than any analyst or human team. Automation also makes it possible to identify mechanisms for improving workflows.
Extended Detection and Response (XDR): Detection and response technologies that combine several different solutions provide a significant advantage. XDR spots and removes attackers from a network before they reach the final stage of their attack, such as deploying ransomware or stealing data.
Ensuring transport safety
The efforts of government agencies help raise awareness and reduce the risk of harm. Individual transport organizations have also taken responsibility for protecting their systems and the safety of travelers. The risk of attack on transportation agencies will certainly continue, and passenger safety is of the utmost importance.