A recent cyber security blog by researcher Maahnoor Siddiqui provides a clear picture of the threats and vulnerabilities in the transportation supply chain, a concern shared by Red Sky Alliance. Our 40-minute commute to work in the morning can feel like an insular event. Whether it is by bus, train, ferry, or car, it can be hard to place this single event within the vast network of transit that occurs every day. These small personal journeys make up a highly interconnected transportation sector that continues to grow and transform via innovation and technology.
Increased interconnectivity invites increased cybersecurity risk. The movement of goods via air, freight rail, trucking, and shipping is a billion-dollar industry for the US. The freight rail industry alone moves 1.6 million carloads of agriculture, 70% of the nation’s coal supply, and 13.7 million containers of consumer goods. If this critical infrastructure sector is left vulnerable to cyberattacks, the nation could lose access to these vital resources. That is what happened when A.P. Moller-Maersk’s computer system was attacked in 2017, setting off a domino effect of worldwide port disruption from the Port of New York and New Jersey to India’s largest container port near Mumbai. The shipping giant was left with $300 million in damages and two weeks of transport disruption.
Along with the transportation of goods, this sector includes public transportation agencies, a service grossly behind in protecting its operational data, financial and employment information, and passenger data. An overwhelming 67% of agencies do not have a cyber crisis communication plan, and fewer than half reported auditing their cybersecurity plan at least once a year. Past attacks have disrupted business continuity for a ransom, but each successive attack grows more dangerous. An investigation into the 2017 ransomware attack on Sacramento Regional Transit (SaRT) found that hackers were able to control the vehicles and brakes. Transit agencies need to act fast before the lives of their employees and passengers are in the hands of cybercriminals.
Obstacles Within the Sector. According to the US Cybersecurity and Infrastructure Security Agency (CISA), the transportation sector is comprised of seven subsectors: Aviation, Mass Transit and Passenger Rail, Pipeline Systems, Highway and Motor Carrier, Maritime Transportation System, Freight Rail, and Postal and Shipping. The vitality of the sector’s interconnectedness and global presence makes it a tempting target for hackers.
The aerospace manufacturing industry and aviation industry are considerably ahead of the rest of the sector in their approach to cybersecurity and should be used as a service model. According to the Cisco 2017 Midyear Cyber Security Report, 35% of security officials witnessed thousands of security breaches a day. Of the thousands of breaches, only 44% of them were investigated. To make matters worse, security teams are incredibly understaffed. The lack of dedicated resources to security teams has made it increasingly difficult to update security compliance and spot cyber threats in real-time.
Shifting away from segmented systems, ‘smart cities’ are connecting their modes of transportation into a singular cloud-based network. Everything from traffic lights to airport services and mass transit rails will be integrated into digitized transportation infrastructure as a service to each smart city. This creates a heavy flow of data to manage and gives cybercriminals the opportunity to hide in the heavy traffic to attack operational and informational data. Despite the world’s continual progress into digital spaces, transportation is still falling short compared to other sectors. A study conducted by Mineta Transportation Institute (MTI) found that 80% of public transit agencies felt prepared for a cybersecurity attack but only 60% had a cybersecurity program in place. Breaches are inevitable, but that does not mean companies should continue to fall victim to them.
Transportation companies have ignored the resources provided by Federal agencies because of industry competition, conflicting priorities, and a lack of focus. Even after an attack, companies are not likely to invest in their security or staffing. The MTI report also found that there was no difference in cybersecurity resource allocation between companies that had and had not faced security breaches. Companies have grown too careless and too comfortable with the status quo.
A Tide of Change Following the Sunburst Attack. The Sunburst attack in December of 2020 exposed vast vulnerabilities within the transportation sector. From the San Francisco International Airport to the US Department of Defense, over 18,000 organizations had been breached. Some had been compromised as far back as March of 2020. With the Biden administration expanding its role in improving the nation’s cybersecurity, new changes have been implemented to upgrade the transportation sector’s governance, risk, and compliance regulations.
The Federal Transit Administration intends to include cybersecurity as a part of its tri-annual audits. An information sharing and analysis center (ISAC), like the surface transportation ISAC, is another available tool that can help agencies monitor the heavy data flow and spot risks before it is too late. Organizations are widely encouraged to use the NIST framework for improving cybersecurity as an implementation guide for their cyber risk practices. The transportation sector has to perform regular risk assessments and consider the policies and standards of the chemical, energy, and pipeline sectors to safeguard its supply chain. The North American Electric Reliability Corporation (NERC) has enforced CIP-13 – which mandates a supply chain risk management program for power utilities. Following the Sunburst attack, US authorities have also put forth an executive order on improving the nation’s cybersecurity, with specific regard to software supply chain security.
Overall, companies need to foster a risk-aware culture. Senior-level executives, operational technology (OT) employees, and information technology (IT) employees need to be cognizant of the risks, standards, and compliance requirements that come with each change. Simply implementing a cybersecurity policy without a cohesive company-wide understanding of the implications would expose weak points for cybercriminals. An integrated risk management (IRM) approach would lift transportation agencies out of the ditch they’ve been stuck in. Combining GRC functions with an enterprise-wide understanding of cyber risk, an IRM solution, like CyberStrong, provides real-time risk assessments and automates compliance management. Additionally, Red Sky Alliance can vastly improve a company’s network defenses by providing real-time and actionable dark web indicators.
Can Insurance Companies Shake Things Up? In this saga of sector-wide negligence and status quo complicity, cyber insurance companies also play a large role in fueling the cycle of ransomware hacks. Usually, cyber insurance companies will just pay the ransom and call it a day. But after the FBI was able to track down 63.7 bitcoin of the 75-bitcoin ransom paid to hackers who had shut down Colonial Pipeline Co., new questions have been raised for cyber insurance companies. Will they continue to pay the ransom? And will they finally scrutinize insured companies for their out-of-date or defunct cybersecurity programs? Following the attack on Colonial, insurance companies now feel pressure to assess a company’s cybersecurity programs and practices. This could invite a change to insurance premiums, which have typically been charged at a flat rate. This added layer of scrutiny could make premiums available at a variable rate depending on the risk associated with insuring each company. The 2017 SaRT hack showed us that it was possible for cybercriminals to control vehicles and cause a derailment. Insurance companies will not be able to protect agencies from further financial and human repercussions if hackers demand more than a ransom.
Sector-Wide Accountability. Cyber-attacks are inevitable, and it will be impossible to catch every threat or weak point, but the time to instill a risk-first approach is now. The transportation sector cannot continue with the current situation. Its impact on national security, the economy, and the facilitation of day-to-day movement makes it invaluable to the country. Transportation agencies need to invest in integrated risk management software and IT infrastructure, and regularly meet compliance requirements. Companies need to foster a risk-aware culture and understand the implications of all the new technology that is being adopted. Another lag in cyber risk management puts more than data at risk.
At Red Sky Alliance, we can help cyber threat teams in any part of the transportation supply chain with services beginning with cyber threat notification services, analysis, and the implementation of Data Driven Social Engineering Simulation Training from our partnership with Phin Security. https://www.wapacklabs.com/phinsecurity
Our team has long understood the threats and vulnerabilities associated with transportation. Our team members will be happy to hold a brief call with your team to help them better prepare for phishing, cyberattacks, malware and ransomware. And what if this call led to savings in current duplicated services and forecasted need for additional personnel?
Red Sky Alliance is in New Boston, NH USA and we are proud to be helping in the overall cyber defense posture. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
Interested in a RedXray subscription to see what we can do for you? Sign up here: https://www.wapacklabs.com/RedXray
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941