Transport systems give hackers a moving target

Transport and travel groups are proving doubly attractive targets to cyber criminals — as both operators of critical national infrastructure, and as treasure troves of valuable customer data.

Over the past five years, cyber attacks on the IT systems and databases of transport organisations have increased and evolved, experts say.

In 2017, malicious software, or “malware”, hidden in a document used to file tax returns infiltrated the IT systems of Maersk — and cost the global shipping company up to £300mn. A year later, hackers shut down 2,000 computers belonging to the Colorado Department of Transportation in the US.

And now, transport systems are seen as prime targets in international conflicts.

“There is some evidence from [US] government sources that nation-states and associated criminal organisations target lifeline [transport] infrastructure for cyber attacks more than other industries because these industries are strategically important to national security and the economy,” says Bob Kolasky, a former assistant director at the US Cybersecurity and Infrastructure Security Agency.

Today, Kolasky is senior vice-president for critical infrastructure at Exiger, which advises companies on risk.

Meanwhile, fraudsters are hacking private travel companies’ customer data. In 2020, easyJet discovered the email addresses and travel details of nine million customers were compromised, plus some credit card information.

Since then, both industries have reported a sharp increase in the use of ransomware (malware software that encrypts data to hold the owners to ransom), plus distributed denial of service attacks (which overwhelm a network or website with messages), as well as phishing (whereby cyber criminals pose as legitimate organisations to steal consumers’ financial details).

In the case of transport organisations, attacks are typically mounted against IT systems, to cause maximum economic and social disruption to passengers and supply chains.

One of the vulnerabilities they face is the rudimentary nature of their “operational” technology − such as rail signalling, sensors, and port networks − when compared with state of the art corporate IT systems.

“Operational technologies . . . can be disrupted by a hack, which can result in physical safety risks for people,” points out Massimiliano Claps, research director and transport lead at IDC, a research company. “From that perspective, transportation is one of the industries that has one of the highest [cyber security] risk profiles.”

And the areas of risk are widening, consultants warn. To automate maintenance and improve efficiency, transport companies are digitising their operational and external IT systems.

“[Operational] systems were never designed to be connected to other systems and never had security designed and built into them,” notes Justin Lowe, a cyber security expert at PA Consulting.

Transportation has one of the highest risk profiles

In the case of travel companies, attacks tend to be focused on customer data, which can be financially valuable if sold on the “dark web” — hidden parts of the internet — and used for fraud.

Ross Henton, a former head of cyber security at American Express Global Business Travel, and now director at Mitiga, a cyber security technology company, says using this data safely must be a priority for travel groups. “One of the concepts we talk about in [cyber] security is the CIA triad: confidentiality, integrity, and availability,” he says.  

Fortunately, travel company IT systems are typically more advanced than those in the transport sector. But they contain more customer data, which creates different security risks.

Hospitality businesses are the third most targeted by cyber attackers of all industry sectors, behind retail and financial services, according to Trustwave’s 2020 Global Security Report.

Criminal groups attack hotel IT systems using methods including “spear phishing” (a targeted cyber attack against an organisation or individual) or they hack hotel WiFi, says Maximilian Heinemeyer, vice-president of cyber innovation at Darktrace, a cyber security technology company.

After breaching the hotel WiFi, a cyber criminal can scan the network for devices with security vulnerabilities and try to take them over remotely, using a “remote code execution” attack.

If the attack is successful, “keyloggers” — malware software — can be installed on a victim’s device, recording everything the person types and sending an activity log to the hacker.

Opportunities for customer data attacks exist because the quality of cyber security in hotels, airlines, and car rental companies varies. A further contributing factor is the extent of “interconnectivity” between companies’ IT systems and the data, says Sherron Burgess, senior vice-president and chief information security officer at BCD Travel, a global travel agent for businesses.

BCD has responded to the threat by using “vulnerability management” technology to scan for security weak spots in its IT systems, and has adopted recognised cyber security standards, including ISO 270001. This stipulates that suppliers and trading partners follow minimum cyber security standards − including the use of firewalls and data encryption − and that security is checked regularly. “Anyone can do really well for one month,” points out Burgess.

Regulators are also applying pressure. In the US, the Transportation Security Administration has issued directives requiring rail operators and pipeline companies to strengthen cyber security against ransomware attacks and other threats. They are also being made to implement a cyber security “contingency and recovery plan”.

Similarly, the European Commission has published proposals to update and strengthen cyber security rules for network and information systems, which includes making senior managers accountable if their company fails to comply with the directive. This directive applies to travel companies, confirms Paul McKay, a cyber security and risk analyst at Forrester, a research company.

Cyber threats to travel and transport sectors are not expected to diminish, though, as the boom in ransomware continues, and as transport companies connect more industrial sensors and devices to the internet.

Operators are therefore advised to detect and resolve the risks — or at least minimise the damage of any security breaches — with standard cyber security software, staff training, and a well-rehearsed “incident response”.

However, too often, companies in transport and travel take a “reactive” approach to cyber security and may only examine it after a breach, warns Henton of Mitiga. It may improve the situation in the short term, but “doesn’t really [tackle] ongoing problems or drive cultural change”, he says.

This article has been amended since original publication to provide more details of how keyloggers work