Positive Technologies: transportation was one of the 10 most attacked industries in 2023

Positive Technologies, an industry leader in result-driven cybersecurity, has analyzed cyberthreats relevant to the transportation industry in 2023, revealing industry-specific non-tolerable events. According to the experts, the most popular attack methods were malware usage (35%), exploitation of vulnerabilities (18%), and supply chain attacks (8%).

"In recent years, the transportation sector has undergone a digital transformation," says Ekaterina Snegireva, Senior Analyst at Positive Technologies. "This has improved the efficiency of organizations and the convenience of passengers. However, with the growing reliance on information technology, the industry is becoming increasingly vulnerable to a variety of cyberthreats that can disrupt a company's operations or even affect the economy of an entire nation. Our data shows a 36% increase in the number of successful attacks on the global transportation industry in 2023 compared to 2022."

In 35% of successful attacks on transportation, attackers used malware, with ransomware topping the list. According to Positive Technologies, this type of malware is one of the most powerful and accessible tools for making money illegally. A huge number of ransomware tools is available on darknet forums as part of RaaS (Ransomware-as-a-Service) programs.

According to the Positive Technologies report, initial access to the infrastructure of transportation companies is a dark web commodity. Prices vary wildly, from $50 for access to a smaller organization to tens of thousands of dollars for high-privilege access to large transportation companies. In most offers (54% of all ads we found online for 2023–2024), access to a single company can be had for $1,000 or less. The price depends on company size, level of privileges (user, domain user, local admin, domain admin), and the country where the company is located. For example, access with local user rights to the database server of a large shipping company in Saudi Arabia (with a turnover of around $270 million) costs as much as $2,500.

In some successful attacks (8%), attackers were able to damage systems by compromising a trusted third party. Attackers are actively using this attack method because many organizations employ contractors, some of whom have weak defenses. It is often easier to hack into these contractors to steal the target organization's data or gain access to the target's network. In addition, a successful hack of a contractor can disrupt a company's processes.

Half (51%) of stolen information consisted of personal data, and a quarter was trade secrets, the report says. Stolen confidential data usually includes the personal information of the customers of affected organizations: passengers of ground, air, and sea transportation, and users of logistics companies' services. For example, in fall 2023, as a result of an attack on an Iranian taxi booking company, data of more than 33 million app users was affected, including both clients and drivers. The attackers demanded a ransom, and after refusal, they put the stolen data up for sale.

A cyberattack on transportation facilities can result in non-tolerable events that affect individual companies or even entire industries. A non-tolerable event is an event, caused by a cyberattack, that prevents the organization from achieving its operational or strategic goals or leads to long-term disruption of its core business. Some examples of non-tolerable events in transportation:

  • Rail: obstructing or completely blocking freight transportation, as well as damaging or destroying the cargo (like oil or coal).
  • Aviation: booking system failure, luggage management system failure, or navigation malfunction.
  • Maritime: interfering with control processes of fuel depots or cranes, attacks on the loading control system, or hijacking the ballast control system of a large ship, which may cause the ship to overturn and sink.
  • Urban road infrastructure and vehicles: disruption of information boards, traffic lights, taxi booking systems, or attacks on transportation management systems.

"To achieve cyber resilience, the first step for an organization is to create a list of potential industry-specific non-tolerable events. Next, you need to analyze how a particular event can be triggered by an attacker. After that, you can start a digital transformation aimed at strengthening the cybersecurity of your hardware and software (remediating vulnerabilities, eliminating insecure configurations and weak passwords), training the employees, enforcing incident monitoring and response," suggests Dmitry Darensky, Head of Industrial Cybersecurity Practice at Positive Technologies. "A comprehensive set of measures based on the PT ICS solution will ensure cyber resilience of process-related IT infrastructure of an industrial company and prevent non-tolerable events. To assess an organization's security posture, the organization can choose to conduct cyber exercises, which simulate potential attacks on the organization and test the effectiveness of attack detection and response. Another important step to confirming a high level of cyber resilience could be launching a bug bounty program, or a non-tolerable event bounty program."