Our 40-minute commute to work in the morning can feel like an insular event. Whether it’s by bus, train, ferry, or car, it can be hard to place this single event within the vast network of transit that occurs every day. These small personal journeys make up a highly interconnected transportation sector that continues to grow and transform via innovation and technology.
Increased interconnectivity invites increased cybersecurity risk. The movement of goods via air, freight rail, trucking, and shipping is a billion-dollar industry for the United States. The freight rail industry alone moves 1.6 million carloads of agriculture, 70% of the nation’s coal supply, and 13.7 million containers of consumer goods. If this critical infrastructure sector is left vulnerable to cyberattacks, the nation could lose access to these vital resources.
That is what happened when A.P. Moller-Maersk’s computer system was attacked in 2017, leading to a domino effect of worldwide port disruption from the Port of New York and New Jersey to India’s largest container port near Mumbai. The shipping giant was left with $300 million in damages and two weeks of transport disruption.
Along with the transportation of goods, this sector accounts for public transportation agencies, a service grossly behind in protecting its operational data, financial and employment information, and passenger data. An overwhelming 67% of agencies do not have a cyber crisis communication plan, and fewer than half reported auditing their cybersecurity plan at least once a year.
Past attacks have disrupted business continuity for a ransom, but each successive attack grows more dangerous. An investigation into the 2017 ransomware attack on Sacramento Regional Transit (SaRT) found that hackers were able to control the vehicles and brakes. Transit agencies need to act fast before the lives of their employees and passengers are in the hands of cybercriminals.
Obstacles Within the Sector
According to the Cybersecurity & Infrastructure Security Agency, the transportation sector is comprised of seven subsectors: Aviation, Mass Transit and Passenger Rail, Pipeline Systems, Highway and Motor Carrier, Maritime Transportation System, Freight Rail, and Postal and Shipping. The vitality of the sector’s interconnectedness and global presence makes it a tempting target for hackers.
The aerospace manufacturing industry and aviation industry are considerably ahead of the rest of the sector in their approach to cybersecurity and should be used as a service model.
According to the Cisco 2017 Midyear Cyber Security Report, 35% of security officials witnessed thousands of security breaches a day. Of those breaches, only 44% were investigated. To make matters worse, security teams are incredibly understaffed. The lack of resources dedicated to security teams has made it increasingly difficult to update security compliance and spot cyber threats in real time.
Shifting away from segmented systems, smart cities are connecting their modes of transportation into a singular cloud-based network. Everything from traffic lights to airport services and mass transit rails will be integrated into digitized transportation infrastructure as a service to each smart city. This creates a heavy flow of data to manage and gives cybercriminals the opportunity to hide in the heavy traffic to attack operational and informational data.
Despite the world’s continual progress into digital spaces, transportation is still falling short compared to other sectors. A study conducted by the Minnesota Transportation Institute (MTI) found that 80% of public transit agencies felt prepared for a cybersecurity attack but only 60% had a cybersecurity program in place. Breaches are inevitable, but that doesn’t mean companies should continue to fall victim to them.
Transportation companies have ignored the resources provided by federal agencies because of industry competition, conflicting priorities, and a lack of focus. Even after an attack, companies are not likely to invest in their security or staffing. The MTI report also found that there was no difference in cybersecurity resource allocation between companies that had and had not faced security breaches. Companies have grown too careless and too comfortable with the status quo.
A Tide of Change Following the Sunburst Attack
The Sunburst attack in December of 2020 exposed vast vulnerabilities within the transportation sector. From the San Francisco International Airport to the Department of Defense, over 18,000 organizations had been breached. Some had been compromised as far back as March of 2020.
With the Biden administration expanding its role in improving the nation’s cybersecurity, new changes have been implemented to upgrade the transportation sector’s governance, risk, and compliance regulations.
The Federal Transit Administration intends to include cybersecurity as a part of its tri-annual audits. An information sharing and analysis center (ISAC), like the surface transportation ISAC, is another available tool that can help agencies monitor the heavy data flow and spot risks before it is too late. Organizations are widely encouraged to use the NIST framework for improving cybersecurity as an implementation guide for their cyber risk practices.
The transportation sector has to perform regular risk assessments and consider the policies and standards of the chemical, energy, and pipeline sectors to safeguard its supply chain. The North American Electric Reliability Corporation (NERC) has enforced CIP-13, which mandates a supply chain risk management program for power utilities. Following the Sunburst attack, the White House has also put forth an executive order on improving the nation’s cybersecurity, with specific regard to software supply chain security.
Overall, companies need to foster a risk-aware culture. Senior-level executives, operational technology (OT) employees, and information technology (IT) employees need to be cognizant of the risks, standards, and compliance requirements that come with each change.
Simply implementing a cybersecurity policy without a cohesive company-wide understanding of the implications would expose weak points for cybercriminals to take advantage of.
An integrated risk management (IRM) approach would lift transportation agencies out of the ditch they’ve been stuck in. Combining GRC functions with an enterprise-wide understanding of cyber risk, an IRM solution, like CyberStrong, provides real-time risk assessments and automates compliance management.
Can Insurance Companies Shake Things Up?
In this saga of sector-wide negligence and status quo complicity, cyber insurance companies also play a large role in fueling the cycle of ransomware hacks.
Usually, cyber insurance companies will just pay the ransom and call it a day. But after the FBI was able to track down 63.7 bitcoin of the 75-bitcoin ransom paid to hackers who had shut down Colonial Pipeline Co., new questions are being put to cyber insurance companies. Will they continue to pay the ransom? And will they finally scrutinize insured companies for their out-of-date or defunct cybersecurity programs?
Following the attack on Colonial, insurance companies now feel pressure to assess a company’s cybersecurity programs and practices. This could invite a change to insurance premiums which have typically been charged at a flat rate. This added layer of scrutiny could make premiums available at a variable rate depending on the risk associated with insuring each company.
The 2017 SaRT hack showed us that it was possible for cybercriminals to control vehicles and cause a derailment. Insurance companies will not be able to protect agencies from further financial and human repercussions if hackers demand more than a ransom.
Cyber attacks are inevitable, and it will be impossible to catch every threat or weak point, but the time to instill a risk-first approach is now. The transportation sector cannot continue with the current state of affairs. Its impact on national security, the economy, and the facilitation of day-to-day movement makes it invaluable to the country.
Transportation agencies need to invest in integrated risk management software and IT infrastructure, and regularly meet compliance requirements. Companies need to foster a risk-aware culture and understand the implications of all the new technology that is being adopted. Another lag in cyber risk management puts more than data at risk.