Our nation’s transportation industry quickly, safely, and securely moves people and goods across the country and overseas. This sector includes aviation, automobiles and motor carriers, maritime transportation, and railways. As this critical industry becomes more dependent on interconnected digital systems, the risk of cyberattacks rises. Historically more concerned with protecting passengers and cargo from physical threats, the industry now faces a sharp increase in cyberattacks.
Educational institutions and cybersecurity professionals must work together to advance security concepts throughout transportation manufacturing, product distribution, communication and entertainment systems, and the robust vendor ecosystem.
Cybersecurity issues in the transportation industry
According to Cybertalk.org, between June of 2020 and June of 2021, the transportation industry saw a 186 percent increase in weekly ransomware attacks. The number of ransomware attacks is increasing across all sectors, but transportation entities appear to be bearing the brunt of this trend. Because transportation companies have not historically fielded large security teams to protect their digital assets, the global cybersecurity skills gap affects them more acutely than it does most other businesses.
Notable transportation industry attacks
Maersk: In what many still refer to as the mother of all cyberattacks, and the reason that the Petya ransomware and its far more destructive variant NotPetya are household names in the cybersecurity world, shipping giant A.P. Moller-Maersk was hit in 2017. The attack targeted organizations in Ukraine, but the malware quickly spread to networks worldwide. In the end, it infected nearly 50,000 endpoints and thousands of applications and servers across 130 countries, with Maersk among the hardest hit.
The company said that the attack affected all business units at Maersk, including container shipping, port and tugboat operations, oil and gas production, drilling services, and oil tankers. The malware entered through a trojanized update of M.E.Doc, a Ukrainian accounting package, a software supply-chain compromise rather than a conventional intrusion, and although NotPetya presented itself as ransomware it offered no working decryption path, so in effect it was a wiper. The adverse effects were felt by companies worldwide, and the incident was the first of what has now become many wake-up calls to the vulnerabilities of today’s interconnected IT infrastructure.
Metropolitan Transportation Authority (MTA): In June 2021, reports surfaced that North America’s largest transportation network, New York’s MTA, had been hit with a cyberattack in April of that year. The MTA serves 12 counties in downstate New York and two counties in southwestern Connecticut. The transportation system carries over 11 million passengers each weekday, and over 850,000 vehicles travel each day over the seven toll bridges the MTA operates.
Cybersecurity experts suspect Chinese state-linked threat actors are responsible for the attack. In what was likely a cyber-espionage campaign, the attackers achieved persistence on three of the MTA’s 18 computer systems for several days. The MTA insists that no customer data was stolen and that the attackers did not tamper with critical systems, which is consistent with espionage rather than extortion as the motive.
The attackers reportedly exploited a zero-day vulnerability in Pulse Connect Secure, a remote-access VPN appliance from Pulse Secure (CVE-2021-22893), to gain a foothold in the MTA’s network. There remains some concern that the April MTA intrusion may have been only exploratory, in preparation for a larger attack that could bring transportation in the Northeast to a virtual standstill.
Matson: In late 2020, the shipping company Matson was attacked by a criminal gang using the REvil (Sodinokibi) ransomware. The attackers claimed to have stolen a terabyte of data.
With annual revenue of about US $2 billion, Matson and its subsidiary Matson Logistics provide cargo shipping service to much of the world. In what is commonly called double extortion, the attackers exfiltrated data before encrypting systems, then threatened to publish the stolen data on the dark web if Matson did not pay the ransom demanded for the decryption keys. A restorable backup defeats the encryption half of this scheme but not the leak threat, which is why data exfiltration changes the incident-response calculus.
Commerce across the entire globe is dependent on companies like Matson to deliver the goods we use every day.
ATC Transportation: In March 2021, ATC Transportation discovered that threat actors had accessed its servers and installed malware as part of a ransomware attack. The attackers accessed ATC’s servers on multiple occasions. In addition to encrypting critical data to hold for ransom, they potentially obtained personal information of current and former employees and job applicants, including names, Social Security numbers, and DOT-required drug test results.
ATC provides equipment and real estate leasing support services to brokerage and logistics companies and companies engaged in transportation, distribution, and warehousing. Trucking businesses depend on support services from companies like ATC to keep their freight moving.
The automotive sector, a case study
Third-party supply chain vendors are critical to the automotive sector, from the parts needed to build a new Tesla to the companies that provide support services to the nation’s trucking infrastructure. Every vendor relationship adds another layer of exposure: a supplier’s compromise can quickly become its customers’ compromise.
Over 125 million passenger vehicles with embedded connectivity are projected to ship worldwide between 2018 and 2022. Fully autonomous cars are expected to be right around the metaphorical corner. Advancements in automobile technology create an enormous attack surface that could include millions of endpoints traveling at high speeds.
Modern automobile manufacturing techniques depend on just-in-time supply chain vendors. This ecosystem of hardware, software, and mechanical parts suppliers plays a critical role in the security of our cars and trucks. Vendors are trusted with sensitive information and often need access to an automotive company’s computer networks to perform their functions.
The most famous automobile cyberattack wasn’t an attack at all, at least not in the ordinary sense of the word. It happened in 2015, and it was carried out by white hat security researchers Charlie Miller and Chris Valasek. In their proof-of-concept experiment, the two researchers compromised a Jeep Cherokee via a vulnerability in Uconnect, the vehicle’s Internet-connected infotainment system. While Wired reporter Andy Greenberg was driving the car, Miller and Valasek were able to manipulate several of the vehicle’s subsystems and eventually cause the Jeep to stop running altogether.
Presented in detail at the 2015 Black Hat conference and written about repeatedly since then, this experiment proved that the interconnected systems of modern vehicles were, and remain, vulnerable to cyberattacks that can cause great harm to a car and its passengers.
In a detailed description of how the hack was accomplished, Kaspersky Lab said, “Miller and Valasek were able to send commands through the CAN bus and make every — every! — component of the car [do] whatever they wanted. They were able to control the steering wheel, engine, transmission, braking system, not to mention dull things like windscreen wipers, air conditioner, door locks and so on. Moreover, they were able to control all th[ese] things completely remotely, over the Sprint cellular network.”
In June 2020, CISO Mag reported that cyberattacks on automated vehicles rose by 99%, according to a study from Uswitch, a UK-based comparison website. While the prospect of hackers running cars off the road is a frightening thought, there is more value to attackers in the data they can pilfer from vehicles. According to the Uswitch study, connected cars produce up to 25GB of data every hour, including information about the driver, the car, and passengers, which is more data than a Boeing 787 jet produces.
Espionage is also a significant threat to the automotive sector. In December 2019, Bleeping Computer reported that German automotive giant BMW had been the victim of a group of hackers that maintained persistence on the manufacturer’s systems for most of that year. The assumed purpose of the attack was to steal trade secrets that could then be sold on the dark web. It was also noted that South Korean car manufacturer Hyundai was under attack as part of the same campaign.
What makes cybersecurity challenging within the transportation industry?
Government and law enforcement authorities discourage organizations from paying ransoms. Ransomware operators are frequently linked to sanctioned entities or hostile governments, and payments to them fund further attacks, making the problem worse for everyone.
Even after meeting the ransom demands, companies frequently do not recover all of their files, and decryption tools supplied by criminals are often slow or unreliable. Still, when a transportation company is facing the loss of millions of dollars and the disruption of the global supply chain, there is a great temptation to acquiesce.
Transportation companies, including automotive manufacturers, automotive dealers, trucking firms, and shipping lines, are high-dollar businesses. They are attractive targets because criminals know that these companies stand to lose far more in revenue and reputation than even the largest ransom demands.
Historically, transportation companies have been more focused on safety and physical security than cybersecurity. As technological advancements have created the ability and the need to be ever more connected, that paradigm is changing. Transportation companies are vital to our economy and our health and well-being. Cybercriminals know that and will continue to exploit any vulnerability they can find to achieve their goals.
Cybersecurity solutions for the transportation industry
As mentioned above, the transportation industry may need to make up some ground related to cybersecurity. There are many steps that these companies can take to protect themselves from cyber threats.
Below are some key ways that businesses can shore up their cyber defenses:
Network segmentation: By dividing their network into smaller parts, IT managers can improve network performance and increase security. When logically segmented with a default-deny policy between segments, portions of a company’s infrastructure can be isolated if suspicious behavior is detected on another segment, which limits how far ransomware can spread. Segmentation policies can also prevent users of the automotive design network, for example, from reaching the segment that hosts the company’s financial systems.
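As an added example (not code from the original article), the following Python script checks observed traffic against a default-deny segmentation policy. The segment address ranges, the allow-list, the log format and the flow records are all constructed for illustration; in practice the flows would come from firewall or NetFlow logs.

```python
"""Check observed network flows against a default-deny segmentation policy.

Added example, not from the original article. Segment ranges, the allow-list
and the flow records are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed segments: one address range per business function.
SEGMENTS = {
    "design":  ipaddress.ip_network("10.10.0.0/16"),
    "finance": ipaddress.ip_network("10.20.0.0/16"),
    "servers": ipaddress.ip_network("10.30.0.0/16"),
    "ot":      ipaddress.ip_network("10.40.0.0/16"),  # plant floor / vehicle test rigs
}

# Default deny between segments: only these (src segment, dst segment, dst port)
# combinations may cross a boundary. Traffic within one segment is not policed here.
ALLOWED = {
    ("design",  "servers", 443),
    ("finance", "servers", 443),
    ("servers", "ot",      502),  # a single historian/jump host speaks Modbus into OT
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


def segment_of(ip: str) -> Optional[str]:
    """Name of the segment that contains ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'unknown'."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return "unknown", f"address outside all known segments ({flow.src} -> {flow.dst})"
    if src_seg == dst_seg:
        return "allow", f"intra-segment traffic in '{src_seg}'"
    if (src_seg, dst_seg, flow.dst_port) in ALLOWED:
        return "allow", f"{src_seg} -> {dst_seg}:{flow.dst_port} is on the allow-list"
    return "deny", f"{src_seg} -> {dst_seg}:{flow.dst_port} crosses a boundary with no allow rule"


def parse_flow_line(line: str) -> Flow:
    """Constructed log format: '<src_ip> <dst_ip> <dst_port>'."""
    src, dst, port = line.split()
    return Flow(src, dst, int(port))


def violations(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Every flow that is not explicitly allowed, with the reason it was flagged."""
    flagged = []
    for line in lines:
        flow = parse_flow_line(line)
        verdict, reason = evaluate(flow)
        if verdict != "allow":
            flagged.append((flow, reason))
    return flagged


# Constructed sample flows.
SAMPLE_FLOWS = [
    "10.10.5.23 10.30.0.10 443",    # design workstation -> internal web app: allowed
    "10.10.5.23 10.20.0.15 445",    # design workstation -> finance file share: violation
    "10.20.1.4 10.30.0.10 443",     # finance -> servers: allowed
    "10.10.5.23 10.10.7.9 22",      # design -> design: intra-segment, not policed
    "10.30.0.50 10.40.0.7 502",     # historian -> OT Modbus: allowed
    "10.10.5.23 10.40.0.7 502",     # design workstation straight into OT: violation
    "192.168.99.1 10.20.0.15 443",  # source outside every segment: flag for review
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port}: {reason}")
```

Running the script lists the two cross-segment violations and the flow from an unknown address. The useful habit is to run a check like this continuously against real flow logs: a segmentation design that is never verified against observed traffic tends to drift as exceptions accumulate.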
Endpoint anti-malware software: Malware is designed to cause damage, steal data, encrypt files, or gain unauthorized access into digital systems. It is the cyber threat faced most often by organizations. The term describes various malicious software variants, such as trojans, worms, and ransomware.
Anti-malware software uses signature detection, behavioral heuristics, and, in some cases, machine-learning models to detect and disable malware. It is critical to have anti-malware software installed on every endpoint of a network. In today’s world of BYOD (bring your own device) workplaces, ensuring that up-to-date anti-malware is properly installed across all devices with access to the network can be challenging.
Routine patching and software updates: When vulnerabilities are identified in computer systems and software, vendors regularly provide patches and updates to protect their customers. Attackers frequently exploit vulnerabilities for which patches have long been available but never applied. Regularly updating and patching systems, with priority given to Internet-facing services such as VPN appliances, closes off many of these attacks.
Backup data: Basic ransomware depends on the ability to deny organizations access to their critical data. Having a current, restorable backup is one of the most effective mitigations against ransomware. Backed-up data should be kept offline, immutable, or otherwise isolated from the network containing the original files so that attackers cannot encrypt or delete both copies, and restores should be tested regularly. Note that backups address the encryption half of a double-extortion attack but not the threat to leak stolen data.
Cybersecurity training: Possibly the most effective measure that transportation businesses can take to protect themselves from cyberattacks is to provide cybersecurity training for their employees. A large share of attacks begins with an element of social engineering, usually an email. Modern phishing emails can be very difficult to distinguish from legitimate ones. Training employees to recognize the telltale signs of a phishing email, such as a reply address that does not match the sender, a lookalike domain, or a link whose visible text does not match its destination, provides a practical first line of defense; it should be backed by technical controls, since some users will eventually click.
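The telltale signs listed above can also be checked mechanically. The following Python script is an added example (not code from the original article): it parses a raw email with the standard library and flags a mismatched Reply-To, a lookalike sender domain, a display name that shows a different address than the real sender, a link whose text and destination disagree, and urgency language. The trusted domain, both sample messages and the indicator list are constructed for illustration and are not a complete filter.

```python
"""Flag common phishing indicators in a raw e-mail message.

Added example, not from the original article. The trusted domain, the sample
messages and the indicator checks are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from typing import List, Tuple

TRUSTED_DOMAINS = {"example-freight.com"}  # assumed: the organisation's own mail domain
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|account (?:will be )?suspended)\b", re.I)


def normalize_domain(domain: str) -> str:
    """Undo common lookalike substitutions so 'examp1e-freight.com' compares equal to the real domain."""
    d = domain.lower()
    for bad, good in (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")):
        d = d.replace(bad, good)
    return d


def domain_of(text: str) -> str:
    """Domain of an e-mail address or URL found in text, lower-cased; '' if neither is present."""
    m = re.search(r"@([\w.-]+)", text) or re.search(r"https?://([\w.-]+)", text)
    return m.group(1).lower() if m else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from HTML anchors."""
    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: bytes) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs; an empty list means no check fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg["From"] is None:
        return [("missing_from", "message has no From header")]
    hits = []
    sender = msg["From"].addresses[0]
    from_dom = sender.domain.lower()

    if msg["Reply-To"] is not None:  # replies silently rerouted to the attacker
        reply_dom = msg["Reply-To"].addresses[0].domain.lower()
        if reply_dom != from_dom:
            hits.append(("reply_to_mismatch", f"Reply-To goes to {reply_dom}, From is {from_dom}"))

    trusted_norm = {normalize_domain(t) for t in TRUSTED_DOMAINS}
    if from_dom not in TRUSTED_DOMAINS and normalize_domain(from_dom) in trusted_norm:
        hits.append(("lookalike_domain", f"{from_dom} imitates a trusted domain"))

    shown = domain_of(sender.display_name)  # display name that itself looks like an address
    if shown and shown != from_dom:
        hits.append(("display_name_spoof", f"display name shows {shown}, real sender is {from_dom}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, label in collector.links:
            href_dom, label_dom = domain_of(href), domain_of(label)
            if label_dom and href_dom and label_dom != href_dom:
                hits.append(("link_mismatch", f"link text shows {label_dom}, href goes to {href_dom}"))

    words = {w.lower() for w in URGENCY.findall(f"{msg['Subject']} {text}")}
    if words:
        hits.append(("urgency", ", ".join(sorted(words))))
    return hits


# Constructed sample: a credential-phishing lure against a dispatcher.
SAMPLE_PHISH = b"""From: "helpdesk@example-freight.com" <helpdesk@examp1e-freight.com>
Reply-To: support@mail-recovery.example.net
To: dispatcher@example-freight.com
Subject: Urgent: password expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended within 24 hours unless you verify it immediately.</p>
<p><a href="https://examp1e-freight.com.verify-login.example.net/reset">https://portal.example-freight.com/reset</a></p>
</body></html>
"""

# Constructed sample: a routine internal message that should pass clean.
SAMPLE_LEGIT = b"""From: Dispatch <dispatch@example-freight.com>
To: driver@example-freight.com
Subject: Route change for Thursday
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Thursday's run leaves from the north yard. Details on the portal: https://portal.example-freight.com/routes
"""

if __name__ == "__main__":
    for code, detail in phishing_indicators(SAMPLE_PHISH):
        print(f"{code}: {detail}")
    print("legit message indicators:", phishing_indicators(SAMPLE_LEGIT))
```

The phishing sample trips all five checks while the routine message trips none. Heuristics like these belong in the mail gateway as a supplement to user training, not a replacement: each check is easy for an attacker to avoid individually, which is why the training should teach the same signs people can verify by eye.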
Like other critical infrastructure industries, such as agriculture, water, electricity, and telecommunications, the transportation industry is one that citizens and companies depend on to fulfill their daily needs. As the US has seen with the recent attacks on Colonial Pipeline and JBS, life in our society depends on a relatively small number of critical industries. A significant disruption in the transportation industry could conceivably cause unparalleled damage and harm.
In many meaningful ways, transportation companies have some catching up to do in the area of cybersecurity. Realizing this shortfall, academic institutions are now providing much-needed specialized training programs, and cybersecurity experts are focusing on the risks and remedies unique to the transportation industry.