Addressing OT cybersecurity threats in transportation sector through enhanced strategies, collaboration

Rising OT (operational technology) cybersecurity threats to critical infrastructure in the U.S. transportation sector are not new, but they remain a serious problem as cyber adversaries continue to target these systems. The increasing interconnectivity of transportation systems, such as traffic management and vehicle control, widens their exposure to cyber-attacks. Legacy systems often lack robust security measures, making them susceptible to exploitation. In addition, the widespread adoption of IoT devices and automation introduces new entry points for malicious actors.

By 2024, the transportation industry is likely to show technological improvements in its cybersecurity strategies. Efforts to incorporate AI (artificial intelligence) and ML (machine learning) into threat detection and response procedures are likely to focus on strengthening defensive systems. Partnerships between government institutions, companies, and cybersecurity professionals are very likely to expand toward consistent procedures and mechanisms for information sharing. In addition, the deployment of blockchain may strengthen front-end systems and help secure supply chain logistics.

Despite these significant improvements, persistent challenges remain in workforce training and regulatory compliance, in addition to the constantly changing nature of cyber threats. With such an effective and innovative approach, taking action before disaster strikes is one of the best ways to prepare for the risks facing transportation systems in an emerging cybersecurity landscape.

The U.S. TSA (Transportation Security Administration) also recommends that every stakeholder subscribe to alerts from the Cybersecurity and Infrastructure Security Agency (CISA), as new vulnerabilities and mitigation measures are frequently released first through CISA alerts and should be reviewed immediately for applicability to their systems and networks.

Industrial Cyber reached out to transportation experts to evaluate how entities in the transportation sector are currently addressing the distinct cybersecurity challenges related to OT. They also shed light on specific vulnerabilities within the OT infrastructure of the transportation sector that have become more prominent in recent times. The experts also discuss the measures that have been implemented to mitigate these cybersecurity risks. 

Scott Gorton, TSA Surface Division Executive Director

Scott Gorton, executive director of TSA’s Surface Policy Division told Industrial Cyber that entities that are covered by TSA’s performance-based, outcome-focused security directives (for surface) and security program amendments (for aviation) are making good progress in enhancing the security of their OT systems. 

“The measures outlined in TSA’s security policies are intended to address the most pressing and prevalent risks to the transportation sector,” according to Gorton. “Although entities not covered by these directives and amendments are not required to comply, TSA recommends that these entities adopt best practices similar to the required measures for covered operators.”

Aviel Tenenbaum, CEO of Cyviation

“It really varies between different segments in the transportation sector. In general, I would say that all are addressing the cyber challenges and deploying various mitigation solutions,” Aviel Tenenbaum, CEO of Cyviation, told Industrial Cyber. “Usually more advanced on the general IT systems and less on OT systems. Initial response is usually to set a focal point for responsibility around cyber security and then setting the cyber event management processes.”  

Tenenbaum added that regarding actual technologies – there are some new solutions for vessels and trains and relatively higher investment in automotive. “Airlines and aviation are lagging behind. Some of the large carriers are already engaging in cybersecurity processes, others are still in an exploratory mode.”

Omar Benjumea, lead cybersecurity GRC expert at Cylus told Industrial Cyber that the rail industry is dealing with increasing cybersecurity challenges, particularly in operational rail technology environments, due to heightened connectivity and a more hostile threat landscape. “This has led to increasing vulnerabilities, especially in legacy systems, IT-OT interfaces, and remote access points.” 

To combat these cyber risks, Benjumea outlined that the industry is adopting measures like robust network segmentation, real-time cybersecurity monitoring, and stringent access controls. However, aligning cybersecurity updates with the rigorous safety homologation processes presents a real challenge. 

He also pointed out that the industry is actively seeking resolutions, exploring more agile homologation processes for cybersecurity, and prioritizing updates for critical vulnerabilities. “Collaboration among key stakeholders in the rail ecosystem is crucial in this effort, to strike the necessary balance between maintaining safety standards and effectively countering cybersecurity threats.”

The transportation sector has long been aware of the complexity of securing its longest-lived and most valuable assets – the planes and trains on the frontlines of operations, evaluated Josh Lospinoso, CEO and co-founder at Shift5. “Most of these platforms are built on legacy systems that lack modern cybersecurity protections, and the operational technology that keeps them running is increasingly converged with IT, creating a broader attack surface that mitigates traditional cybersecurity strategies like network segmentation,” he told Industrial Cyber.

Josh Lospinoso, CEO and co-founder at Shift5

Lospinoso added that today’s most advanced aviation and rail operators understand the direct link between cybersecurity and safety and treat cybersecurity with the same urgency. “These operators understand they need an awareness of the activity happening onboard planes and trains to make informed decisions. They are working to gain observability into onboard operational technology to gain insights, detect threats, and unlock critical insights to understand and manage cybersecurity risks.”

The executives further discussed the significance of regulatory compliance in shaping cybersecurity strategies within the transportation industry, as well as how organizations proactively meet compliance requirements. They also explored the collaborative efforts between transportation organizations and cybersecurity experts, along with the adoption of innovative solutions to strengthen their overall cyber resilience.

“TSA utilizes a regulatory and non-regulatory approach to work with stakeholders to strengthen their cybersecurity posture. Due to the ongoing and evolving cybersecurity threats, TSA issued Security Directives to reduce cybersecurity risks and improve cyber resilience,” Gorton said. “TSA’s Security Directives are performance-based and beneficial because they allow companies to plan and deploy solutions that work best for their specific environments.” 

While TSA’s current regulatory initiatives focus on inspections and investigations, outreach programs consist of training, exercises, community outreach, and information sharing, all of which are an integral part of keeping surface stakeholders informed about evolving threats, Gorton added. “TSA’s training, exercises, and engagements are conducted by TSA security professionals to educate transportation entities on mitigating real-world threats.” 

Tenenbaum said regulation plays a major role; in aviation especially, regulation is the key driver for implementing cybersecurity, since operators must comply. “However, relevant cyber regulation only started around 2016 with general ‘recommendations.’ Recently, in 2023 – we see EASA (European Aviation Safety Agency) picking up the pace, setting a deadline (Oct 2025) and providing more guidelines on how to comply and what is needed to deploy.”

He added that as a domain expert, his company has seen much more interest and focus starting in 2023. “Airlines and related players are exploring solutions for cyber security, but more importantly – appointing responsible owners within the organization, and setting budgets.”

Benjumea said that regulatory compliance plays a pivotal role in shaping cybersecurity strategies within the transportation and rail industries – with requirements varying significantly by region, such as the TSA directives in the U.S. and NIS2 in Europe. “The rail industry, for example, is proactively engaging in standardization initiatives like TS-50701 and IEC 63452, driven by joint efforts from operators, manufacturers, integrators, and security vendors, setting the stage for future specific regulations and certification schemes.”

“Beyond mere compliance, the industry is collaborating closely with cybersecurity experts and embracing innovative new solutions, including AI and machine learning, to enhance cyber resilience,” according to Benjumea. “This approach not only meets but often exceeds regulatory expectations, positioning the transportation and rail industries well against evolving cyber threats and establishing new benchmarks for cybersecurity in the transportation and rail sectors.”

Regulatory compliance is crucial in shaping cybersecurity strategies for OT, and has driven significant progress in OT cybersecurity within the transportation industry, Lospinoso said. “Within the past year, we’ve seen a flurry of activity from CISA and the Transportation Security Administration (TSA) to develop baseline regulations and guidance to improve cybersecurity in the transportation sector — a notably positive trend. For example, the most recent TSA Regulations for rail call for implementing network segmentation, access controls, and continuous monitoring.”

He added that all of these are steps in the right direction that help build a solid foundation for OT cybersecurity, but the reality is that none are a silver bullet. OT cybersecurity requires a strategy on its own and often needs net-new technology investments to be effective. 

Lospinoso expressed that he has been pleased to see collaboration within the transportation sectors, from government to industry, working to push OT cybersecurity as a priority. “I’d like to see more progress regarding talent development and training, joint cyber defense initiatives, and information sharing as it pertains to threat intelligence.”

The experts examine important factors that transportation entities should consider when creating and executing incident response plans for OT cybersecurity incidents. They also explore the impact of technological advancements, such as AI and ML, on the outlook of the transportation sector.

Gorton said TSA has identified some key considerations for cyber incident response plans, including identifying those persons or positions responsible for taking action and how the operator will accomplish prompt containment of an infected server or device, segregation of the infected network, and ensuring the security and integrity of backed-up data. “TSA also recommends regular situational exercises to test and evaluate the effectiveness of the plan and those charged with executing the plan. Plans are required to be assessed every year,” he added.

Tenenbaum said that for OT and the transportation sector in particular – setting a clear process for incident response – can save lives. 

“Beyond the financial impact, like in many other industries – when it comes to transportation (and Aviation in particular) cyber attacks can impact flight safety and have a high level of risk to passengers and crew,” according to Tenenbaum. “Effective processes, and clear collaboration with many related organizations (National CERT, operator’s SOC, government agencies, ATC (Air Traffic Control) and first response, etc.) are critical to be considered in a cyber event on OT.” 

Yet, he added that understanding specific OT vulnerabilities, building specific awareness, and deploying IDS/IPS solutions (Intrusion Detection and Intrusion Prevention systems) is key. “AI and Machine learning will be part of the knowledge aggregation and scalability of all solutions.”

In the transportation and rail sectors, Benjumea said that developing OT cybersecurity incident response plans requires a risk-based approach, rigorous regulatory compliance, and sector-specific cybersecurity expertise for continuous monitoring and rapid incident response.

“Technology advancements including AI and machine learning can be key. ML, already a focal point for predictive maintenance, is proving invaluable in cybersecurity improving preemptive threat detection by identifying anomalies in network traffic and system behavior, while AI is serving to dramatically improve Security Operations Center (SOC) processes, automating tasks such as alert triaging and incident response,” Benjumea added. “These technologies are integral, not just as supplemental capabilities but as core components that boost the resilience and responsiveness of continuous cybersecurity monitoring and proactive defenses against evolving threats in the transportation and rail sectors.”

The executives explore significant trends in 2024 that highlight the evolving dynamics of cybersecurity threats in the transportation sector. They also delve into emerging technologies and trends that are anticipated to shape the landscape of OT cybersecurity in the transportation industry.

Another notable trend for 2024 is not a new trend, but rather a continued focus on updating and mitigating older systems against new vulnerabilities. OT and ICS systems and networks continue to be plagued by a failure to review and patch against known vulnerabilities. Working with the original equipment manufacturers (OEM) vendors to secure these systems against known vulnerabilities will go a long way to securing the overall infrastructure until more secure-by-design systems can be developed and deployed. This work will supplement current mitigations mandated under TSA’s cybersecurity policies applicable to regulated entities.

One notable trend is the increasing use of AI in the transportation sector, Gorton observed. “While AI has the potential to bring improvements in efficiency, it also has potential risks if not appropriately governed and applied. TSA will work with its federal partners and industry stakeholders to assess the use and risks of AI in accordance with Executive Order 14110: Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” he added.

“The key point is that all new vehicles (aircraft, trains, vessels, etc.) are becoming fully ‘connected.’ Fewer and fewer analog components are there – and as such most systems are vulnerable to cyber attack,” according to Tenenbaum. “Furthermore – any autonomous transport solution relies on data communication, and multiple channels in parallel may be impacted (and are new targets for a cyber attack). Unfortunately, much of the drive to adopt new measures is still actual cyber events, but I am confident that the adoption of critical cyber measures (solutions and processes) will ramp up fast in 2024.”

Moving forward, Benjumea estimates that the transportation sector, and especially rail, will continue to face intensified cybersecurity threats amid continued increases in digitalization and connectivity of OT environments. “These threats will include ransomware, supply chain attacks, and AI-driven or targeted APT assaults.”

“Addressing these, transportation and rail organizations are pivoting towards the adoption of vertical market-specific cybersecurity technologies and advanced solutions,” according to Benjumea. Furthermore, efforts are underway across organizations to cultivate more robust cybersecurity cultures. This encompasses regular staff training, cyber-attack simulations, and streamlined incident response processes.

He added that collectively, new cutting-edge, vertical market-specific technologies combined with organizational preparedness will serve to fortify the sector’s defenses against an evolving and sophisticated cyber threat landscape.

Lospinoso said that one trend he is closely monitoring is the proliferation of GPS jamming and its impact on the transportation sector. “GPS jamming is a form of Electronic Warfare (EW) where an adversary uses signals to deny, degrade, disable, or deceive a target. These attacks are on the rise in alignment with geopolitical conflict and pose a true cyber-physical threat to transportation operators.”

“In the past few months, we’ve seen instances of GPS spoofing in the Middle East, Poland, Finland, and other countries, triggering responses from international advisory bodies, including the International Air Transport Association (IATA),” according to Lospinoso. “If done well, GPS spoofing can be missed entirely by operators who put their trust in GPS navigation systems, which is dangerous. An adversary could adjust the altitude or trajectory of an aircraft such that it disrupts the flight path or landing, which can cause a catastrophe. In the next year, we’ll see much more activity within the industry to mitigate these risks.”

Other emerging trends that Lospinoso is watching include observability and the use of AI/ML in OT cybersecurity. “Observability refers to the ability to derive real-time, context-rich insights from refined onboard data to enable not just a more comprehensive understanding of the state of a system—or system of systems—but ultimately to enable smarter, faster decisions and actions. Commercial air and rail fleets generate massive amounts of onboard data; however, the challenge lies in the fact that operators and maintainers of these fleets lack the instrumentation and tooling needed to access, capture, analyze, and act on any of it.”

He added that for cybersecurity, better observability enables more reliable detection, identification, and generation of alerts for anomalous activities and known threats. These real-time notifications can enable faster response and proactive mitigation of potential cybersecurity risks.  

“In alignment with observability, AI/ML comes into play for OT cybersecurity by identifying patterns and anomalies in significantly sized datasets,” according to Lospinoso. “The saying ‘garbage in, garbage out’ rings true here – for AI or ML to be useful for OT defense, cybersecurity solutions require the right datasets to generate meaningful and useful insights. Every frame of data from every database, regardless of physical layer bus type or protocol, is valuable and must be captured and retained to effectively train machine learning models. The more onboard OT data collected and analyzed, the better ML/AI becomes at identifying anomalies, enabling effective threat detection and response,” he concluded.