2023: Transportation is among the world's top 10 industries most attacked by hackers. Top attack methods
At the end of February 2024, Positive Technologies, a company specializing in the development of information security software, released a study of cyber threats in the transport industry. According to the report, in 2023 attackers trying to compromise the IT systems of rail, air, sea and road transport operators most often used malware (35% of the total number of cases), exploitation of vulnerabilities (18%) and attacks on the supply chain (8%).
According to Positive Technologies, transportation in 2023 was among the 10 industries most likely to be hit by cyber attacks. The consequences of such attacks can be very serious for a market participant, for example:
- in the railway segment - blocked cargo transportation, as well as damage to or destruction of the transported cargo (for example, oil and coal);
- in aviation - downtime of booking systems, failure of baggage management systems and disruption of navigation aids;
- for sea transportation - interference in the processes of fuel storage management, attacks on loading control systems, seizure of the ballast control system of a large ship, as a result of which it can capsize and sink;
- for urban road infrastructure and vehicles - disruption of information boards, traffic lights, taxi booking systems and attacks on transport management systems.
According to Positive Technologies experts, the number of successful cyber attacks on transport companies worldwide in 2023 increased by 36% compared to 2022. Attackers most often use malware because it is the most powerful and accessible hacking tool. Ransomware is offered for rent on the darknet.[1]
2021
Damage from a cyber attack can reach $50 million or more
Damage from a cyber attack can reach US$50 million or more. This was announced on September 15, 2021 by BCG. While the range of potential cyber attacks in the TL sector is increasing and the nature of the risk is becoming more and more diverse, the cost of hacking has decreased significantly. Moreover, the main source of vulnerabilities is not systems, but people. To counter cyber risks in the TL industry, active action must be taken in three areas: technology, regulation, and people and processes. The number of ICT vacancies reached 4 million in 2020.
In Russia, the focus of cyberattacks is mainly on sectors related to e-commerce: retail, banking and logistics.
Digitalization has spread widely among companies in the field of transport and logistics (TL), improving the entire cycle of processes in the industry. This has contributed to unprecedented efficiencies aimed at expanding revenue channels.
This is a positive side. The downside is that digitalization has identified a number of problems in TL companies that make them extremely vulnerable to cyber attacks. This affects every sector of the industry, including maritime, rail, road transport, logistics and parcel delivery. The consequences are costly, disruptive, and can lead to financial liability, especially if confidential customer information is leaked.
There are many vulnerability factors in transport and logistics. First, the increased use of operational technology (OT) and of new communication and wireless channels directly connected to the digital ecosystems of TL companies makes these companies an easy target for hackers. Second, regulation and standards in the field of IT are outdated and awareness of cybersecurity is lacking. Finally, perhaps the most significant factor is the lack of qualified personnel capable of providing protection.
Cyber attacks in the TL sector used to occur every few years. Now, it seems, one or two of them are organized every month. Some of them are massive. For example, a cyber attack in May 2021 essentially halted for about a week the operations of Colonial Pipeline, a company that supplies petroleum products to almost half of the US East Coast. The company said the ransom and losses due to business disruption could have reached 50 million dollars or more. Other cyberattacks, even those aimed at large transportation companies that have suffered more than once, attract less press attention, but often involve disruption of email and logistics systems.
In addition, hackers are increasingly trying to steal data stored in networks, which are vital for the modernization and development of the TL industry, as they provide more efficient and high-quality customer service. These networks enable digital improvements such as automated orders, cargo tracking and access to account information. Although such advantages are extremely valuable to the client, they require storing large amounts of confidential information collected through online platforms, telephone applications and other mobile devices, which, due to the lack of strict cyber defense protocols, are among the most unreliable channels.
And while the range of potential cyber attacks in the TL sector is increasing and the nature of the risk is becoming more diverse, the cost of hacking has decreased significantly. (See Fig. 1.)
Given the growing urgency of the issue, BCG investigated the reasons why the industry is so vulnerable to cyber attacks. BCG has developed a number of integrated solutions that companies can apply to reduce the impact of these risks and create viable and robust methods to protect against them.
The simplest approach to the problems faced by TL companies is to divide their vulnerability factors into three categories: technology, regulation, and people and processes. Each of these categories must be studied carefully in order to be fully prepared for the new threats to which the industry as a whole is exposed.
Technologies. In each segment of the TL industry, the attack surface is clearly expanding. For example, among maritime carriers, relatively simple disaster warning and security systems have been replaced by full-fledged local networks based on cloud technology, such as the electronic navigation program of the International Maritime Organization (IMO). These networks are an attractive target for hackers, as they constantly collect, integrate and analyze onboard information to track the position of ships, cargo data, technical problems and a whole range of issues related to the ocean environment. (See Fig. 2.)
The situation in the rail sector is similar: traditional wired train control systems (FCSs), whose communications with external systems were previously restricted, are giving way to wireless standards such as GSM-Railway, a relatively wide network linking trains to traffic control points. (See Fig. 3.) Like all passenger companies, TL companies provide infotainment services and use other equipment, which adds another level of Internet connection.
These expanding networks, which essentially connect OT systems to internal IT equipment such as servers, computers and mobile devices, in themselves give hackers new avenues of attack, and they sometimes become even more vulnerable because both OT providers and TL companies fail to appreciate the importance of protection against cyber attacks. In some cases, OT providers require potentially vulnerable management interfaces to be built into their equipment for remote access, monitoring, and troubleshooting. In addition, the computer equipment of TL companies is rarely updated to comply with strict security protocols.
It is equally alarming that, in addition to relationships with individual OT suppliers, TL companies form more effective and technological partnerships with their suppliers and distributors, which are increasingly dependent on network connections. The cybersecurity protocols of these partners are usually not monitored, so TL companies do not learn whether their risk is growing because of their integrated ecosystems.
Regulation. Although the commercial and operational aspects of the transport and logistics sector are regulated in many regions, there are relatively few provisions affecting cybersecurity. Despite the global nature of the sector's activities - or perhaps because of it - it is difficult for regulators to agree or focus on a set of cybersecurity norms that TL companies would have to comply with wherever they work. In the absence of such a set of norms, cybersecurity investments are not optimized to reduce the overall impact of risk on organizations.
Nevertheless, realizing the possible danger of a large-scale cyber attack on the TL industry for global trade and economic stability, regulators are beginning to take a more active position and demand greater security for companies' networks. Proposed or already adopted regulatory instruments include the EU Network and Information Security Directive (NIS) and the soon to come into force standards CLC/TS 50701 and EN 50126 for rail transport, as well as a number of regulations for maritime transport introduced by the International Maritime Organization. To varying degrees, these regulatory measures are aimed at meeting minimum standards to protect the most important data and processes of companies, especially customer data and information about cargo transportation.
People and processes. Cyber threats are constantly evolving, but a common feature of some of the most vulnerable areas is people. For example, employees who are unable to recognize phishing emails can easily be exploited by hackers at the initial stage of an attack. In fact, we can say that the first step in the chain of attacks is usually the actions of the victims themselves, given that well over half of data breaches can be traced directly to shortcomings in organizational processes and employee competencies, or to employees' lack of knowledge about cyber attacks.
Worsening the situation is a huge and growing global shortage of cybersecurity specialists. 4 million ICT specialist positions were vacant in 2020, according to the ISC2 Information Protection Industry Group. The lack of well-trained cyber specialists is partly due to the fact that higher education in cybersecurity is a relatively young phenomenon that has existed for only about ten years.
According to our information, this shortage is acute in the industry under consideration, especially in the Asia-Pacific region, since graduates with qualifications in the field of cybersecurity and experienced specialists already working in this field usually do not consider transportation and logistics as the preferred area for building a career.
This is partly a perception problem. Most candidates do not see TL companies as offering innovative jobs where technology specialists could apply themselves in areas such as robotics and automation, data analysis, blockchain, self-driving cars and the like. Instead of making cybersecurity work more attractive - perhaps by offering more competitive salaries and benefits packages, as well as encouraging innovation - many TL companies treat cybersecurity as a cost center that should fit into a tight budget framework.
TL companies should begin their cybersecurity program by assessing the level of cyber defense in their equipment and in their OT and IT software. Next, they can take protective measures in the most important and vulnerable applications and networks. Identifying areas at increased risk of cyber attacks and developing a portfolio of safeguards can be simplified through models and tools such as a cyber risk management and quantification program. Companies should assess their vulnerability factors using a risk-based approach, in which priority is given according to the likelihood and consequences of cyber threats for key assets. Projects can then be ranked by each one's ability to build cost-driven resilience, which essentially optimizes the cybersecurity investment budget.
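One way to carry out the risk-based ranking described above, as an added example (not BCG's model and not code from the original article): each asset's exposure is likelihood times consequence, and projects are funded greedily by marginal exposure reduction per dollar within a budget. All asset names, probabilities, losses, costs and the greedy rule itself are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    likelihood: float   # assumed yearly probability of a successful attack
    consequence: float  # assumed loss per incident, USD


@dataclass
class Project:
    name: str
    cost: float         # USD, assumed to be positive
    cuts: dict          # asset name -> fraction of likelihood removed


def exposure(likelihood, consequence):
    """Expected yearly loss for one asset."""
    return likelihood * consequence


def plan(assets, projects, budget):
    """Greedy selection: repeatedly fund the affordable project with the
    best marginal exposure reduction per dollar, then re-score the rest,
    because a funded project lowers what later ones can still save."""
    likelihood = {a.name: a.likelihood for a in assets}
    consequence = {a.name: a.consequence for a in assets}

    def gain(p):
        return sum(exposure(likelihood[n], consequence[n]) * cut
                   for n, cut in p.cuts.items())

    chosen, candidates, remaining = [], list(projects), budget
    while True:
        affordable = [p for p in candidates if p.cost <= remaining]
        if not affordable:
            break
        best = max(affordable, key=lambda p: gain(p) / p.cost)
        if gain(best) <= 0:
            break
        for n, cut in best.cuts.items():
            likelihood[n] *= 1 - cut
        remaining -= best.cost
        candidates.remove(best)
        chosen.append(best.name)
    residual = sum(exposure(likelihood[n], consequence[n]) for n in likelihood)
    return chosen, residual


# Constructed sample data for a fictional TL operator (not from the article).
ASSETS = [
    Asset("booking_system", 0.30, 2_000_000),
    Asset("train_control_ot", 0.05, 20_000_000),
    Asset("customer_db", 0.20, 5_000_000),
]
PROJECTS = [
    Project("phishing_training", 100_000, {"booking_system": 0.3, "customer_db": 0.3}),
    Project("ot_dmz_segmentation", 400_000, {"train_control_ot": 0.6}),
    Project("db_mfa_encryption", 250_000, {"customer_db": 0.5}),
    Project("legacy_patching", 300_000, {"booking_system": 0.5, "train_control_ot": 0.2}),
]

if __name__ == "__main__":
    funded, residual = plan(ASSETS, PROJECTS, budget=700_000)
    print("funded:", funded)
    print("residual expected yearly loss: $%.0f" % residual)
```

Re-scoring after each pick matters here: once the training project has lowered the likelihood for the customer database, the database project drops below OT segmentation in value per dollar.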
After taking these precautions, TL companies need to focus on implementing more comprehensive cyber defense concepts, such as a zero-trust architecture. This methodology assumes that every device, user or application attempting to communicate with the network poses a potential threat. A zero-trust strategy can be implemented by segmenting and dividing networks using DMZ (demilitarized zone) technology, providing a tightly controlled environment where connections within and outside the organization are monitored. The same principle should be followed to better monitor internal processes where possible, including authenticating users, programs, and endpoints before giving them access to information or assets.
TL companies can take three actions to improve their internal cybersecurity skills.
First, corporate culture must move from inattention to cybersecurity issues to recognition of the urgent need to deal with threats. In each division, the idea of strengthening cybersecurity throughout the organization should be a clear and key aspect. Frequent training that increases cybersecurity awareness can contribute substantially to forming a team that is aware of the risks. It is necessary to emphasize the measures that individual employees can take to protect against hackers, such as protecting passwords and paying attention to suspicious activity in the company's networks.
Second, this increased focus on cyber risk management is worth using to attract cybersecurity professionals from universities and the private sector. Companies should declare that the organization's goal is to become a leader in cybersecurity that is ahead of its time. They can bring in top cybersecurity professionals by telling them they will have the opportunity to develop cyber defense programs from scratch, using the latest technology and replacing legacy systems. Organizations can also consider consulting unbiased equipment suppliers who do not seek to sell their own technology.
Finally, we need to find people among the company's technology employees who are ready to engage in cybersecurity initiatives and who have demonstrated the basic abilities that successful candidates need. Improving the skills of these employees and offering them compensation, as well as incentives depending on the position for mastering the required skills, could allow TL companies to quickly fill at least part of the missing cybersecurity workforce.
It may seem to many TL companies that the measures that need to be taken to reduce cybersecurity risks are unsustainable. One of the practical tips to increase transparency and awareness about IT and OT networks and their weaknesses may be to create a cyber information processing center. This center would track, organize, and oversee cybersecurity-related governance, activities, analytics, processes, and technologies, ensuring that data and information are shared among key actors in the process to identify and address cyber threats.
In addition, a cyber information processing center would optimize activities by integrating IT and OT management and control systems. The center should combine the experience and knowledge of specialists in both IT and OT, making it possible to track any non-standard activity both on the Internet and in internal systems - or, importantly, at the point where these two systems meet - which can signal a cyber attack in time.
To effectively manage risk, TL companies must build a high level of cyber resilience, protect partner supply chains, and follow a risk-oriented approach in developing security tools. Companies need tools that enable their organizations to evolve and take appropriate cyber resilience measures that span multiple dimensions - from technology to regulation to processes to employees. For many TL companies, a well-thought-out cybersecurity policy has not yet been a priority. But the rapidly growing number of cyberattacks and emerging regulatory tools are making organizations realize that they won't be able to remain relatively indifferent for long. Hackers are becoming more active, and they are well aware of which companies are paying insufficient attention to cybersecurity. It is advisable for TL companies not to be on this list.
Vadim Pestun, partner and director of technology and digital transformation at BCG in Russia and the CIS, said:
"In all industries (especially the banking sector and retail), there is a manifold increase in attacks and attempts to violate information security. Interestingly, there is a tendency to move from classic penetration through a secure perimeter to more sophisticated attack methods, such as a combination of social engineering and phishing, address substitution, fake phone calls, etc. We can say that banks have felt an exponential increase in the number of attacks.
"Perhaps this is due to the fact that the volume of e-commerce has grown many times over - people's data and their financial transactions, card numbers, requests - end up online. Given that e-commerce is a tool that combines retail, banks and logistics, the focus of cyber attacks is shifting to these three main types of business. Attacks are carried out primarily on this golden triangle."
The banking segment in the Russian Federation is a strictly and well-regulated type of activity. The history of cyber attacks on banks is already quite long. As a result, we see the good preparedness of this "corner" in the country. Unfortunately, this holds only on the side of the banks and not on the side of users and customers, which attackers exploit by fraudulently tricking customers into revealing PIN codes, passwords, etc.
Retail is a less regulated area. Retail's problems lie in "paper" information security, that is, in a less developed technological protection base. Unfortunately, it is impossible to protect yourself from attacks with regulations alone. Accordingly, there is an explosive increase in attempts to hack and intercept data, funds and commercial information (the competitive factor is not excluded).
Transport and logistics. It is necessary to separate large business (for example, a railway operator) and small transport companies. The problems of big business are caused by the need to serve a large number of interfaces and channels through which data is exchanged with third parties. This data may not only be financial in nature, but may be related to traffic and traffic characteristics on the network. Attacks are carried out on these interfaces. Internal security and IT services work intensively, constantly modernizing perimeter protection and control, and controlling third-party access to the "sensitive" components of their application landscape. First of all, in the APCS segment.
Small logistics is an area that is, if not completely unprepared for the impending problem, then the least aware of which side the blow will come from, its purpose and its consequences. According to information from retail executives, a significant increase in supply disruptions caused by various malicious actions of cyber intruders is being observed. The actions are very diverse - from simple extortion to interception of data about customers, supplies, etc. It is not yet always clear what scheme of "monetization" of the hack will be implemented, but attackers are usually very inventive in their methods of extracting other people's funds, services and goods.
The shortage of personnel in the field of information security has always existed and will only worsen, since the need for a new kind of specialist capable of creating working solutions is growing rapidly. For those who can only write regulations, such problems are too tough to handle. There is a possibility that the existing personnel shortage and the increase in the level of cyber attacks may lead to the growth of well-protected services (such as cloud platforms and solutions) and of the protection services themselves, which it is also logical to provide in a cloud-like way - CyberSec as a Service. There is a need to rethink how IT projects related to the development of IT systems and software are implemented. It is advisable to move from classic DevOps to the DevSecOps approach, which gives the development and support team the proper amount of CyberSec expertise, built into all processes - from design to development, testing and maintenance. Now there are only a few such specialists on the local market.
To understand the size of the problem and whether it has affected your business, it is necessary, without delay, to conduct a comprehensive IT audit - from software systems and infrastructure to control and protection tools - and perform several penetration tests. However, technical problems are only part of the whole large picture that needs to be "realized." The main source of vulnerabilities is not systems, but people. It is necessary to take measures against social engineering: explaining the importance of compliance with information security rules, regular training, etc. Using the language of "product approaches" to IT systems and services, you need to take care of "embedding" the properties and characteristics of cybersec into all services and products that your organization uses or develops.
Major logistics company Transnet attacked by hackers
In mid-July 2021, information appeared about an incident associated with a cyber attack on Transnet, as a result of which container operations in the South African port of Cape Town were disrupted. Durban, the busiest shipping terminal in sub-Saharan Africa, was also hit.