Cybersecurity threats in transportation industry call for greater systemic initiatives, as federal action continues to roll in


Increased adoption of, and dependence on, interconnected digital systems has heightened the threat of cyberattacks within the U.S. transportation sector. These rising threats have pushed the need to embed cybersecurity from the design stage right through to the implementation of new systems and technology, and to adopt collaborative governance models. The approach will help manage the increased risk associated with the growing number of connected physical devices that are now part of the technology stack within these organizations.

In a recent report, Deloitte said that transportation system owners can no longer afford to treat cybersecurity as an afterthought. As their infrastructure becomes more connected, cyber vulnerability increases across an expanding ecosystem of smart technologies, infrastructure providers, and transport modes, which pushes cybersecurity reviews to be incorporated from the procurement stage onward. Devices should be tested in local facilities to understand their vulnerabilities and to develop protocols for breach events, given the growing need to address potential issues before these devices are installed in tunnels, tolling stations, floodgates, and other infrastructure.

Furthermore, governance models and agency culture must evolve to reflect the increasing convergence between the physical and virtual worlds, bringing engineering teams into closer collaboration with security teams to increase the agency’s overall cyber posture. Evidently, there is a growing need to make the transportation industry resilient and future-ready, while driving federal cybersecurity measures to reimagine traditional funding models, governance structures, and technology investments. 

The bipartisan Infrastructure Investment and Jobs Act (IIJA) has released funding for cyber resilience, allocating US$2.5 billion in grant funding to state, local, and tribal governments to fuel infrastructure. Recipients must ensure that their plans address cybersecurity and privacy considerations to use the funds. The grants are largely expected to nudge transportation agencies to ensure that cybersecurity principles are baked into every stage of the modernization process, from strategy and design to implementation and operations.

The Cybersecurity and Infrastructure Security Agency (CISA) issued guidelines calling for asset owners and operators within the transportation industry to implement a cybersecurity framework created by the National Institute of Standards and Technology (NIST). Additionally, the Transportation Security Administration (TSA) issued security directives in 2021 and 2022 in response to the cybersecurity threat to surface transportation systems and associated infrastructure, in a bid to protect against the significant harm to the national and economic security of the nation that could result from the ‘degradation, destruction, or malfunction of systems that control this infrastructure.’

More recently, the TSA detailed that hackers have demonstrated their willingness to engage in cyber intrusions and conduct cyber-attacks against critical infrastructure by exploiting the vulnerability of OT (operational technology) and IT systems. As pipeline and rail owners/operators begin integrating IT and OT systems into their ICS (industrial control system) environment to further improve safety, enable efficiencies, and/or increase automation, these environments become increasingly vulnerable to new and evolving cyber threats.

The agency also assessed that a successful cyber-intrusion could affect the safe operation and reliability of OT systems, including SCADA systems, process control systems, distributed control systems, safety control systems, measurement systems, and telemetry systems. From a design perspective, some pipeline and rail assets are more attractive to cyber-attack simply because of the transported commodity and the impact an attack would have on national security and commerce.

Transportation companies, including automotive manufacturing, automotive sales, trucking, and shipping, are typically high-dollar businesses, which makes them attractive targets for scammers. Hackers know that these companies stand to lose much more in business revenue and reputation than even the greatest ransom demands. 

Historically, transportation companies have been more focused on safety and physical security than cybersecurity. As technological advancements have created the ability and the need to be ever more connected, that paradigm is changing. Transportation companies are vital to the economy, a fact that cybercriminals know, and they will continue to exploit any vulnerability they can find to achieve their goals.

Data released by CyberTalk.org indicates that ransomware represents a growing concern in the transportation industry. “Between June of 2020 and June of 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks. Major transit systems have recently reported breaches. While an attack in April left passengers unharmed, the cyber intrusion rattled those who run the rails,” the post added.

Industrial Cyber reached out to experts in the transportation industry to evaluate the progress that transportation asset owners and operators have made over the last year regarding their cybersecurity stance. The experts also assessed the level of preparedness of asset owners and operators to face a cybersecurity incident.

Ben Miller, vice president of professional services and R&D at Dragos

“Transportation is in similar circumstances as other industries where they see the looming potential of new regulations surrounding OT, specifically, and many unknowns,” Ben Miller, vice president of services at Dragos, told Industrial Cyber. “Their OT security programs are still either new or just being implemented. The rail industry has notably been actively engaged in the OT security space for a number of years. They understand the challenges, and they’ve been engaged across manufacturers and government partners and have shown real awareness and coordination these last 2-3 years,” he added.

Pete Lund, vice president of products for OT security at OPSWAT, told Industrial Cyber that cybersecurity posture within the transportation industry has not changed dramatically, but operators are starting to assess and understand how big the problem is for their organization and what they plan to do about it. 

Pete Lund, vice president of products for OT security at OPSWAT

“Historically, the transportation industry has not invested in cybersecurity for their digital assets, and while more work needs to be done, I would say they are slightly more prepared given the rise of ransomware attacks within the industry over the last few years and increased regulations in 2021 and 2022,” Lund added. 

David Barzilai, vice president for sales and marketing and co-founder at Karamba Security

2022 saw a major increase in cybersecurity adoption by automotive OEMs and their suppliers, David Barzilai, vice president for sales and marketing and co-founder at Karamba Security, told Industrial Cyber. “The reason was the ratification of the ISO 21434 standard, and the UN R155 regulation, which mandates new vehicle types to be cyber-secure in order to be sold in the EU.” 

OEMs have been requesting their suppliers to provide them with hard facts and detailed documentation of how they meet the regulation, in order to enable relevant vehicle types to pass the new homologation process, according to Barzilai. “The required processes and control cover the vehicle’s entire lifecycle: from development, to pen testing, to assuring supply chain security, embedded controls, and ongoing vulnerability management for vehicles on the road.”

During the year, in October, the TSA issued a security directive on cybersecurity that regulates designated passenger and freight railroad carriers, aiming to enhance cybersecurity resilience by focusing on performance-based measures. The security directive will further enhance cybersecurity preparedness and resilience for the nation’s railroad operations and build on the agency’s work to strengthen defenses in other transportation modes. The U.S. administration also scheduled classified cybersecurity briefings with executives from across the aviation industry in September.

Before that, in July, the TSA revised and re-issued its security directive concerning cybersecurity to oil and natural gas pipeline owners and operators. The directive also extends cybersecurity requirements for another year and focuses on performance-based rather than prescriptive measures to achieve critical cybersecurity outcomes.

The underlying intention of these security directives has largely been to reduce the cybersecurity threats posed to the transportation sector, which makes it important to determine the effect that these guidelines have had on the overall cybersecurity position of the sector. The experts weigh in on whether these measures have led to a greater and more enhanced cybersecurity posture across the sector, or whether it is about the same as before these measures were issued.

Miller said that critical infrastructure is largely owned by private industry in the U.S. “Laws like CIRCIA are designed to help the US gain visibility into the threats and vulnerabilities in critical infrastructure, and OT specifically, where they simply have had a blind spot up until now.” 

“New security directives that are being released will help establish a floor of security for those asset owners who still have large gaps,” Miller added. “For those with programs, hopefully, it’ll give the opportunity to address their known gaps faster than they otherwise would have.”

The main impact these directives have had is that they have driven executive awareness of how at-risk transportation is, and the main need is to budget mostly in the form of staff and tools to address the problem, Lund said. “This has resulted in a major shift in communication. Many organizations and individuals are looking to share knowledge and learn from one another for the benefit and resilience of the industry as a whole, as all are needing to learn and expand their understanding of critical infrastructure cybersecurity,” he added.    

Barzilai said that the difference is night and day. “From voluntary, anecdotal, attempts to secure vehicles or ECUs, OEMs and suppliers must go through a detailed and well-defined journey that covers secure software development, penetration testing, assuring suppliers’ security posture, embedding security controls, and creating best practices to address new vulnerabilities that are identified during vehicles’ lifetimes,” he added. 

The cybersecurity landscape in 2022 has been marred largely by the geopolitical context, which has given rise to cyber warfare and hacktivism. In a recent report, ENISA revealed that geopolitical situations, particularly the Russian invasion of Ukraine, have acted as a game changer over the reporting period for the global cyber domain. “While we still observe an increase of the number of threats, we also see a wider range of vectors emerge such as zero-day exploits and AI-enabled disinformation and deepfakes. As a result, more malicious and widespread attacks emerge having more damaging impact,” it added.

Geopolitics and cybersecurity have become inextricably linked, Paul Proctor, distinguished vice president analyst at Gartner, said in a recent interview. “Therefore, as security leaders, you need to be looking at the global threat landscape from a business lens. Every business decision made in this environment has security implications and vice versa. Modern enterprise security leaders cannot just focus on vulnerabilities or security technologies. Rather, they must lead the enterprise to make informed decisions about its cyber-related risk exposure, and understanding the security impacts of global events is a key component of that new role,” he added.

With 2022 showcasing that geopolitics can lead to cybersecurity threats and attacks, the experts analyze how asset owners and operators across the transportation industry reacted to these rising threats, while probably having to alter their cybersecurity blueprint to deal with these incidents. 

“Geopolitical tensions compounded with new TSA-driven regulations in the U.S. are forcing them to look closely at their budgets and determine what protections can be put in place and the associated costs,” Lund pointed out.

Barzilai said they haven’t seen such a phenomenon. “On the contrary, we saw how car hacking expanded from government-sponsored bodies to amateur hackers that succeeded in attacking vehicle OEMs, and have published their findings.”

On the cybersecurity challenges that transportation owners and operators continue to face heading into 2023, and the recommendations that organizations must put into place at the earliest, Miller pointed to visibility into their OT environments as a challenge across transportation and other critical infrastructure. “You can’t defend your environments if you don’t know what’s in them, and you can’t proactively detect a threat unless you’re actively looking for it. Understanding how to create this visibility in a way that’s meaningful for OT is a first step.”

“The biggest challenges they are still faced with are a lack of visibility into their OT networks, workforce and solutions gaps, new and increasing threats, and additional regulations coming,” Lund said. “While visibility does not equal protection, it’s important that organizations quickly understand what they have visibility into. Then they can pivot to processes and technologies that provide protective controls. They should also continue adapting a defense in depth approach, with end-to-end security measures from the cloud all the way down to protecting critical operational assets, which should include both portable media security and network segmentation,” he added.

Lund added that the revised TSA pipeline security directive makes a clear separation between IT and OT, with enhanced security measures and disaster and recovery plans for the OT environment. “An incident at the IT level may be inevitable, but OT operations shouldn’t be impacted and shouldn’t be shut down as we saw with Colonial Pipeline.”

“We view the cyberattack trajectory increasing in 2023, due to the common use of open source software in ECU architectures and the opening of the vehicle to third-party applications,” according to Barzilai. “We recommend constantly scanning ECU binaries during the development phase. Such a binary scan doesn’t interfere with R&D and highlights security issues while it is still relatively easy to remediate them.”

Barzilai concluded by saying that it is highly recommended to use vulnerability management software that keeps track of new vulnerabilities, cross-references them with the vehicle’s software bill of materials for blast radius analysis, and advises which vulnerabilities should be remediated compared to those that can be ignored.
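
The cross-referencing Barzilai describes can be sketched as follows. This is an added example, not code from the article or from any vendor it quotes; the SBOM contents, advisory IDs, component names, and the triage rule (affected components on externally reachable ECUs come first) are all constructed assumptions.

```python
# Constructed per-ECU SBOMs keyed by (vehicle type, ECU); names are made up.
SBOMS = {
    ("sedan-a", "telematics"): {"libexample-tls": "1.2.3", "rtos-kernel": "4.0.1"},
    ("sedan-a", "infotainment"): {"libexample-tls": "1.4.0", "media-codec": "2.1.0"},
    ("truck-b", "gateway"): {"libexample-tls": "1.2.9", "can-stack": "3.3.0"},
}

# Assumption: ECUs with an external interface (cellular, Wi-Fi, Bluetooth).
EXPOSED_ECUS = {"telematics", "infotainment"}

# Constructed advisories: affected from `introduced` (inclusive) to `fixed` (exclusive).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "libexample-tls", "introduced": "1.2.0", "fixed": "1.3.0"},
    {"id": "EXAMPLE-0002", "component": "media-codec", "introduced": "1.0.0", "fixed": "2.0.0"},
    {"id": "EXAMPLE-0003", "component": "can-stack", "introduced": "3.0.0", "fixed": "3.4.0"},
]


def parse_version(text):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def blast_radius(advisory, sboms):
    """List every (vehicle, ECU, version) that ships an affected component version."""
    low, high = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    hits = []
    for (vehicle, ecu), components in sorted(sboms.items()):
        version = components.get(advisory["component"])
        if version is not None and low <= parse_version(version) < high:
            hits.append((vehicle, ecu, version))
    return hits


def triage(advisories, sboms, exposed_ecus):
    """Map advisory id -> (decision, blast radius) under the assumed triage rule."""
    report = {}
    for advisory in advisories:
        hits = blast_radius(advisory, sboms)
        if not hits:
            decision = "not-affected"      # component absent or already fixed
        elif any(ecu in exposed_ecus for _, ecu, _ in hits):
            decision = "remediate-first"   # reachable from outside the vehicle
        else:
            decision = "schedule"          # affected, but only on internal ECUs
        report[advisory["id"]] = (decision, hits)
    return report


if __name__ == "__main__":
    for adv_id, (decision, hits) in triage(ADVISORIES, SBOMS, EXPOSED_ECUS).items():
        print(adv_id, decision, hits)
```
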
