Transportation networks are foundational to our modern way of life. The current restrictions on global movement and the corresponding reduction in demand for travel and transportation services, while profound, are temporary. Forecasting future demand and capacity requirements is nearly impossible. But, the travel and transportation industries are part of the country’s critical infrastructure. They will return as significant contributors to global gross domestic product (GDP) and employment.
Although global demand and workforces are currently reduced as a result of COVID-19, threat activity against industries such as aviation is not. Travel and transportation companies share a common backbone of critical infrastructure and data that are attractive to malicious actors. Travel and transport providers’ global supply chains require the integration of third-party vendors and present an expansive attack surface. Hence, these providers will never be immune to cyber attacks.
According to the X-Force Threat Intelligence Index 2020, IBM X-Force Incident Response and Intelligence Services (IRIS) reported that the transportation sector was the third-most attacked in 2019. This highlights the growing appeal of data and infrastructure operated by these companies. Airlines and airports are increasingly being targeted by cybercriminals and nation-state adversaries; this has continued in 2020.
For example, in February 2020, Australian transportation and logistics company Toll Group reported that systems across multiple sites and business units were encrypted by the Mailto ransomware. In response, Toll Group shut down multiple systems, impacting several customer-facing applications.
The following month, the San Francisco International Airport disclosed a data breach. Reportedly, the attack was perpetrated by a state-sponsored threat group that targets organizations in critical infrastructure sectors with the objectives of reconnaissance, lateral movement and cyber espionage.
Then, on May 14, 2020, the Texas Department of Transportation (TXDoT) became part of a ransomware incident. TXDoT is responsible for air, road and railway transportation across Texas. They detected an attack after finding unauthorized entry to its network. They isolated the affected computers from the network to block further unauthorized access, affecting operations.
What Does This Mean for Travel and Transportation Providers?
Threat actors are increasingly targeting internet of things (IoT) devices, operational technology (OT) and connected industrial systems, according to the X-Force Threat Intelligence Index 2020. Industrial internet of things (IIoT) solutions promise revolutionary changes to travel and transportation operations. These solutions particularly help manage globally distributed fleets of assets increasingly connected and ubiquitous. But, these IIoT solutions also introduce new attack vectors.
Many of the technologies that enable travel and transport operations are legacy OT/industrial control systems (ICS). Some with critical, un-patched software vulnerabilities. These systems often rely on IIoT devices, which are not without vulnerabilities, for routing, positioning, tracking and navigation and to interface with public applications. If left unpatched, these vulnerabilities in connected ICS and in IIoT devices represent a very real threat.
New vulnerabilities have appeared as providers become more dependent on IIoT platforms and on data services that enable automation. In April 2020, an unspecified vulnerability in Oracle supply chain that allows an attacker to compromise the Oracle Transportation Management component was reported. Use of these platforms and services increases the potential for unauthorized access to proprietary data and critical systems. They place physical and digital assets at risk. Whether executed by financially motivated cybercriminals or state-sponsored adversaries, a successful attack on travel or transportation supply chains can have a severe cascading effect on downstream industries.
IBM’s Institute for Business Value (IBV) reports “IIoT cybersecurity for transportation companies – Mitigating risk and building resilience” and “IIoT cybersecurity for travel companies – Protecting travel operations,” confirm the rapid adoption of IIoT technologies by travel and transport providers and their extensive application in supply chain and logistics processes. Fleet management, predictive maintenance, warehouse, inventory and location management are primary supported use cases.
These reports surveyed 300 IT and OT executives responsible for the security of their travel and transportation organizations’ IIoT environments. It highlights that they are apprehensive about the security of information flowing among their operational, corporate and IIoT networks. These executives also cite gateways and gateway-related connectivity as the most vulnerable IIoT components.Read the IBV report on IIoT cybersecurity for transportation companies
Survey respondents are aware that connecting systems that monitor and control physical environments to public networks, such as the internet, can introduce risks. Yet, only 29% of travel companies and 16% of transportation companies have fully evaluated these risks. This small subset of companies also have established formal IIoT cybersecurity programs to build, manage and update the tools, processes and skills required to mitigate them.
Which IIoT-related Risks Most Concern Travel and Transportation Executives?
When asked to rate IIoT cybersecurity risks, travel executives rated exposure of traveler data as one of their top risks. Data breaches can be a significant financial liability, in addition to a public relations liability.
For example, a large airline was fined $230 million in 2019 in connection with a data breach that violated the General Data Protection Regulation (GDPR). It compromising a variety of personal information, including log in, payment card, travel booking details and name and address information for 500,000 customers. The fine, which represented 1.5% of the airline’s total annual revenue, remains the highest the UK Information Commissioner’s Office has ever levied on a company over a data breach.
According to the IBV, more than two-thirds of transportation executives rated damage to the organization’s reputation and loss of public confidence as a high or very high risk. This is followed by exposure of sensitive data and endangerment of individuals’ safety. Operational disruptions or shutdowns and reduced visibility and control due to the complexity of IT systems being connected to OT systems are also exposed.
The June 2017 ransomware attack on a global shipping company is an example of the cascading effect of operational disruptions in the transportation industry. This attack caused almost 80 ports and terminals globally to either come to a standstill or experience significant delays. The disruption was not limited to maritime ports and container vessels. Trucks destined for inland facilities were also held up at ports. They waited for systems to come back online so they could process and receive or deliver their shipments. This interruption delayed product distribution for extended periods. The shipping company had to rebuild a significant portion of its IT infrastructure at an estimated cost of $300 million.
IIoT solutions span IT, OT and consumer technology. These systems are typically managed in silos by different teams with different areas of expertise. This makes defense against cyber attacks extremely difficult and detection of IIoT-related incidents and intrusions a real challenge. But, it is not insurmountable.
Why Are Some Transportation Companies More Cyber Resilient?
The IBV also found some travel and transportation organizations to be more cyber resilient than others. These companies have a much better grasp of the security requirements of their IIoT deployments — and connected industrial control systems (ICS) in general — than others. The IBV called them “security leaders.”
According to the IBV, security leaders are better at protecting their organizations from IIoT-related attacks. Where they truly differentiate is at detecting, responding to and recovering from incidents and breaches when they occur. And they do so twice as fast as other companies.
The IBV identified 10 security controls and practices. Based on Center for Internet Security (CIS) Critical Security Controls and artificial intelligence (AI)-driven practices from IBM IoT security research, these controls are instrumental to achieving this level of performance. Each of these highly-effective controls and practices relates to a security function: protection and prevention or detection, response and recovery.
1. Create a solid defensive foundation by integrating IIoT into the enterprise risk management process. Plus, incorporate IIoT cybersecurity controls and practices — and their associated technologies — into an overarching IIoT security strategy.
2. Practice your readiness to deal with IIoT-based incidents.
3. Enhance ICS security by leveraging the benefits that artificial intelligence and automation can offer.
Establishing a Strong Defensive Foundation for IIoT
The start of a defensive foundation is incorporating IIoT cybersecurity controls and practices — and their associated technologies — into an overarching IIoT security strategy.
1. Formalize IIoT Cybersecurity
Establish IIoT cybersecurity programs to define, manage and update required IIoT cybersecurity tools, processes and skills. Address IIoT-related risks as part of the broader security risk-management framework. Perform regular risk assessments. Form cross-functional security teams with representation from IT security, engineering, operations and control system and security vendors. Bolster defensive capabilities with highly effective controls. Limit access to networks and control the flow of data across them.
2. Limit Access to Networks and Control the Flow of Data Across Them
Focus on boundary defense; this control has the highest impact on IIoT cybersecurity performance. Use segregation strategies to keep IIoT components operating in their own zones. Or, segregate their own separate networks to mitigate the negative effects a breach of the less-trusted IIoT network could have on the more secure corporate IT network. Limit and control network ports, protocols and services. Fully understand the protocols employed by each device. Then, test IIoT devices and implement malware defenses. Build a strategy to control the installation, spread and execution of malicious code at multiple points throughout the organization.
3. Limit Access to Devices and Data
Fully understand the protocols employed by each device. Then, test IIoT devices and implement malware defenses. Build a strategy to control the installation, spread and execution of malicious code at multiple points throughout the organization. Control the use of administrative privileges. Employees with access to critical systems often present the single greatest threat to enterprise cybersecurity, whether through ill intent or inadvertent behaviors. Take inventory of authorized and unauthorized assets (devices and other hardware). Unauthorized IIoT devices and networks (which are examples of shadow IIoT) operate under the radar of organizations’ traditional security policies, making them difficult to detect.
4. Perform Continuous Vulnerability Assessment and Remediation
Flaws and security holes in IIoT devices and ICS, including SCADA systems, leave transportation companies vulnerable to botnets that spread distributed denial of service (DDoS) attack malware. Once the defensive IIoT cybersecurity foundation is in place, integrate IIoT cybersecurity into security operations while prioritizing the highly effective controls.
How to Adapt Incident Response Management for IIoT
Incident response management (IRM) and its associated controls support an effective response to IIoT-related incidents and breaches. The IBV notes that adopting better protection and prevention practices, plus ensuring systems are securely developed and deployed are excellent starting points. But, this does not guarantee the organization won’t be breached. Companies must act quickly and decisively if this occurs.
Establish, manage and test IIoT incident response plans and processes, such as:
- Define and manage cybersecurity incident response plans (CSIRP) as part of the security management plan.
- Adapt CSIRPs to address the course of action for compromised IIoT components. Test the plans routinely to strengthen the ability to further respond.
- Perform penetration tests and red team exercises for more detailed insights into the effectiveness of IR plans.
- Leverage AI and automation to scale security capabilities.
Scaling IIoT Security Through Automation
The key is to deploy automated, adaptive security capabilities. This can be achieved by implementing highly effective AI-driven controls. According to the IBV, this step is critical because bad actors continually develop new methods for infiltrating systems. It’s imperative to put automated mechanisms in place to help detect and remediate breaches since essential cybersecurity skills are often in short supply.
Here is how to implement automation detection, remediation, response and recovery.
- Apply advanced cybersecurity monitoring and analytics for incident detection and remediation.
- Keep up with IIoT information in real time across operational environments, by establishing comprehensive security telemetry capabilities.
- Apply advanced behavioral analytics for endpoint attack, and breach detection and response.
- Apply AI-enabled threat detection at an enterprise level to uncover anomalous user activities and prioritize risks.
How fast the travel and transport industries will recover from COVID-19 will largely depend upon how effectively industry leaders earn the trust of all stakeholders, including customers, employees, business partners, governments and shareholders. In addition to decisive actions to improve health safety, instilling confidence in their ability to protect sensitive data and the infrastructures that enable mobility of individuals and goods will help to accelerate trust.Read the IBV report IIoT cybersecurity for travel companies