The transportation industry today has become increasingly digitalized and connected, relying on technology and interconnectivity for increased efficiency and improved functionality. However, being online also exposes the industry to security threats. In recent years, the transportation industry has suffered from serious cyber attacks, leading to huge losses in revenue as well as compromising the privacy of its customers.
In June 2017, AP Moller Maersk, the world’s largest shipping conglomerate came under the notPetya attack, one of the most devastating in history. The attack virtually rendered the shipping giant motionless and resulted in an estimated loss of over $200 million. An attack of such magnitude prompted Maersk to revamp their systems and overhaul their approach to cybersecurity. At the 4th Cyber Security forum for Transport Sector 2019, Andy Powell, Chief Information Security Officer of Maersk shared with our delegates the lessons Maersk learned from the NotPetya attack.
Much of the technology infrastructure in mass transportation systems have been operational for decades and were not designed with the knowledge of the cybersecurity threats that are present today. As increased digitalization happens, these systems get exposed to threats.
Cybersecurity experts at OBB Holdings are of the opinion that the industry is reluctant to embrace new and innovative technologies.
“For rail-based transportation, the attempt to implement new technology is slowed down and, in some cases jeopardized due to requirements for ‘proven’ technology. This is reinforced by at times a lack of understanding and competence regarding new technology. Both vendors and transport businesses have a deeply embedded culture ‘we have always done it like this …’. Proven technology is most often not built with cybersecurity in mind. As a result, basic information security resistance is at risk as we experience e.g. systems based on non-supported operating systems and systems that are not prepared for patches and updates in software. If updates are possible they require a lot of manual work and time. Software is often regarded as unique at each site, requiring each customer to pay the full development of the updates. Updates then tend to be postponed.“
This reluctance to embrace innovation could prove costly for organizations- exposing their infrastructure to threats and also losing out on increased efficiency. An expert from OBB said, “While reluctant to make use of innovation and findings from e.g. the car industry regarding autonomous driving, rail-based transport loses out on possible improvements to traffic control systems and making use of today’s technology and not yesterday’s.”
The role of cyber defense centers are becoming more relevant than ever, and have a very crucial role to play in preventing attacks as well as containing the incident if it occurs. The human factor in cybersecurity incidents also points towards an increased emphasis on creating a security culture and awareness throughout the organization.
According to Ole Birger Hestvik, Chief Information Security Officer of Sporveien AS, surveillance and creating more awareness are the key steps all organizations need to take to prevent cybersecurity threats.
“I would focus on surveillance, that is carefully monitoring network activities (knowing the normal activity) and building effective response to control attackers when they “break” through. Preventing attackers breaking into networks is still important and necessary, but we need to acknowledge that barriers will be broken and that businesses need to focus on discovering breaches and have a well prepared and trained responses that can limit the damage. Transport businesses can help each other by sharing information on threats and breaches. User awareness, improving competence and understanding for information security will always be important to prevent incidents caused by e.g. phishing.”
In 2018, British Airways suffered an attack that compromised the credit card details and other sensitive information of hundreds of thousands of its customers. The airline was later levied a hefty fine of 183 million Euros by the ICO (Information Commissioners Office), the biggest such fine levied since the implementation of GDPR. This incident surely has to become a wakeup call for all firms, not just in the transportation industry, to invest in their security measures and prevent such incidents from happening and risking millions of euros in fine, a serious dent in the brand’s reputation, plummeting stock values… etc.
In most industries, security breaches result in financial losses; however, as an industry that moves people, the results of security breaches in the transportation industry could prove to be lethal. Criminal or terrorist attacks, derailing, collisions could be direct results of such incidents. The 5th Cyber Security forum for the transport sector 2020 brings together security experts and decision-makers from the industry to discuss the challenges, possible solutions to prevent and manage incidents.