CYBER THREATS TO AUSTRALIA's TRANSPORT SECTOR
As the transport sector becomes more dependent on interconnected digital systems, its cyber attack surface grows and the threats against it increase in scale and complexity. The sector has always focused on safeguarding passengers and cargo from physical dangers. In recent years, however, there has been a disturbing rise in cyber-attacks on transport infrastructure, exposing people and assets to harm in new ways, and this trend is expected to continue.
To defend our trade-oriented economy, it is vital to protect the digital infrastructure that underpins this sector and keeps the country moving, delivering jobs and economic prosperity. To manage cyber risk effectively in transport systems as they continue to digitalise, it is essential first to understand cyber threats and to stay ahead of them as they evolve. Sharing cyber threat intelligence among transport industry members through a trusted partner such as CI-ISAC allows transport infrastructure owners and operators to build a more comprehensive and preventive cyber security posture.
Assets at Risk
The Australian transport sector as defined by the Security of Critical Infrastructure Act 2018 (Cth) (the SOCI Act) consists of five sub-sectors: air freight and logistics, aviation, maritime, road and rail transport. As the world's only country-continent, Australia's expansive geography makes it highly dependent on a wide variety of transport infrastructure delivered by thousands of companies.
Like other industries, the transport sector's accelerated digital transformation is expanding its exposure to cyber threats. Networked transport systems exchange a wide variety of data to monitor both physical and digital networks. Radio frequency identification (RFID) systems, wider deployment of the internet of things (IoT), and industrial control systems multiply the attack surface, creating opportunities for attackers to exploit systems and reach valuable data. Attacks can target systems that combine modern IT components with decades-old physical and operational components, as found in many rail systems. The wide geographical spread of digital infrastructure further complicates the physical security measures that would otherwise reduce cyber security risk.
The transport sector is affected by a wide variety of incidents, with data breaches caused by malicious actors being the most frequent. Current statistics show malicious data breaches making up 27.1 percent of all events, at an average cost of $330,000 per incident. The functionality of the transport infrastructure itself is one of the most important assets at risk: although a data breach can be costly, a critical failure of operational systems caused by a cyber-attack can affect infrastructure ranging from private cars to public transit networks, with the potential to harm human life.
Operational systems that require high availability put pressure on the other two legs of the CIA triad, confidentiality and integrity, because controls such as patching, strong authentication and network segmentation are often deferred to avoid downtime. At the same time, the information transport companies hold makes them an appealing target for cybercriminals: a data breach could expose personally identifiable information such as passport numbers, credit card numbers and trip itinerary details of individual travellers. Attackers also target transport businesses to spread ransomware, acquire and use legitimate credentials, and steal customer credit card data.
Top Threat Groups
TA2541: This persistent cybercrime threat actor (TA) has targeted the aviation, aerospace, transportation, manufacturing and defence industries for many years. TA2541 consistently uses commodity remote access trojans (RATs) to take control of compromised machines, and consistently uses phishing lures themed around aviation, transportation and travel to induce the user execution that starts the attack chain.
APT23 (also known as Tropic Trooper, KeyBoy and Earth Centaur): Targets the transport sector and its connections with government organisations. This advanced persistent threat (APT) group is linked to the government of China and seeks access to the internal documents of targeted organisations. APT23 uses tradecraft similar to red-team operations to breach the target's security perimeter and exfiltrate sensitive documents, including travel-related information such as flight schedules and financial plans, as well as individual user data such as personal web search and browsing histories.
Sources of Attack
Ransomware
Weekly ransomware attacks on the transport sector rose 186% between June 2020 and June 2021. Every industry saw an increase over that period, but transport was targeted disproportionately. One likely reason is that transport companies are hit harder than other industries by the global cyber security skills gap: the sector has not traditionally employed significant numbers of cyber security staff to secure its digital assets.
Cyber attacks on the sector in Australia often emanate from a constantly evolving global threat landscape that is increasingly driven by or related to geopolitical events. In 2017, the NotPetya attack, which masqueraded as a variant of the Petya ransomware but was in effect a wiper, rocked the global shipping firm A.P. Moller-Maersk and is still widely regarded as the "mother of all cyberattacks". Although Ukrainian organisations were the intended target (the malware was seeded through a compromised update of a Ukrainian accounting package), A.P. Moller-Maersk was among the hardest hit: the worm spread rapidly across its global network, taking down its servers and roughly 50,000 endpoints in the 130 countries where the company operates.
In 2020, the Conti ransomware gang ran a combined ransomware and data theft attack against a well-known Canadian logistics company. Within two days the business had recovered from the encryption on its own and resumed normal operations. By then, however, Conti had already exfiltrated confidential company information and threatened to publish it unless a ransom was paid.
Wireless Connectivity Vulnerabilities
Threat actors are aware of vulnerabilities in the WiFi devices commonly used across the sector and may try to exploit them, particularly by getting within radio range of the target network. For instance, if hostile actors can use WiFi links to send unauthorised commands to trains, they may be able to compromise rail networks that rely on WiFi-connected command centres to regulate train speed, brakes, doors and signals. Similar risks apply to other transport businesses that depend on WiFi, including airlines, container shipping companies, trucking companies, taxi services, bus operators and other transport-related businesses.
Injection Attacks
Some transport businesses have fallen prey to injection attacks, in which an attacker supplies crafted input that a website passes into a query or a page without escaping it, so that the input is executed as code rather than handled as data, giving unauthorised access to confidential company data. Two forms are common: SQL injection, where crafted input changes the meaning of a database query and lets the attacker read or dump records; and client-side code injection, where a script implanted into a booking or checkout page skims customers' credit card numbers, names, passport numbers, nationalities, addresses, dates of birth and email addresses as they are entered.
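The SQL injection case described above, as an added example that is not part of the original article and not any named operator's code: a passenger-booking lookup that splices user input into the query, beside its parameterised fix and an allow-list check on the input shape. The bookings table, its column names, the six-character booking-reference format and the sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data for the example (not real passenger records).
SAMPLE_BOOKINGS = [
    ("BK1001", "Alice Example", "PA1234567", "AU"),
    ("BK1002", "Bob Example", "PB7654321", "NZ"),
    ("BK1003", "Carol Example", "PC1112223", "GB"),
]

# Assumed (hypothetical) booking reference format: six upper-case letters or digits.
BOOKING_REF_PATTERN = re.compile(r"^[A-Z0-9]{6}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bookings (ref TEXT, name TEXT, passport TEXT, nationality TEXT)"
    )
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?, ?)", SAMPLE_BOOKINGS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, booking_ref: str) -> list:
    """VULNERABLE: the caller's string is spliced into the SQL text, so a value
    such as  x' OR '1'='1  rewrites the WHERE clause and returns every row."""
    sql = (
        "SELECT ref, name, passport, nationality FROM bookings "
        "WHERE ref = '" + booking_ref + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, booking_ref: str) -> list:
    """FIXED: the value is bound as a query parameter; the driver never treats
    it as SQL, so the same payload simply matches no booking."""
    sql = "SELECT ref, name, passport, nationality FROM bookings WHERE ref = ?"
    return conn.execute(sql, (booking_ref,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, booking_ref: str) -> list:
    """Defence in depth: allow-list the input shape before it reaches the
    database, then use the parameterised query. Rejecting malformed references
    early also keeps attacker noise out of the query logs used for detection."""
    if not BOOKING_REF_PATTERN.match(booking_ref):
        raise ValueError("invalid booking reference")
    return lookup_parameterised(conn, booking_ref)


# A classic tautology payload; the query's own closing quote completes it.
INJECTION_PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", len(lookup_vulnerable(db, "BK1001")), "row(s)")
    print("vulnerable, payload      :", len(lookup_vulnerable(db, INJECTION_PAYLOAD)), "row(s)")
    print("parameterised, payload   :", len(lookup_parameterised(db, INJECTION_PAYLOAD)), "row(s)")
    try:
        lookup_hardened(db, INJECTION_PAYLOAD)
    except ValueError as exc:
        print("hardened, payload        : rejected ->", exc)
```

The vulnerable function returns all three records for the payload, which is exactly the bulk disclosure of passenger data the paragraph describes; the parameterised version returns none, and the hardened version refuses the request before a query is built. Parameterisation is the control that removes the vulnerability; the allow-list is a second layer and not a substitute for it.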
Conclusion
Traffic-signalling systems with road sensors, light detection and ranging (LIDAR) systems, power supply, maintenance and station control systems, and the systems that manage road, air and marine traffic are just a few of the essential systems on which transport operations depend. They are becoming increasingly complex and interconnected as the number of deployed IoT devices grows rapidly. Transport operators need to prevent unplanned downtime while identifying problems as they develop, in a sector where every second counts for human life and for efficiency.
Responding to threats against the Transport sector in Australia
Many transport sector entities are not currently able to share cyber threat intelligence (CTI) machine to machine, so an industry partner is needed to enable and facilitate CTI sharing and collective defence. By acting as the trusted advisor and facilitator for intelligence exchange, CI-ISAC, as an industry-led organisation, assures the overall quality of information flowing through its systems and out to transport sector members.
'Forewarned is forearmed!' By joining a trusted cyber community of critical infrastructure owners and operators, your organisation can join the movement to share contextual intelligence and establish a proactive approach to cyber defence. Threat activity shared into the CI-ISAC ecosystem by one member can help others, within a sector and across sectors, to stop or minimise cyber threats before they affect operations.
CI-ISAC Australia is a not-for-profit, member-driven organisation that achieves its mission by leveraging its best-of-breed intelligence platform and industry peer-to-peer network to anticipate, mitigate and respond to cyber threats.
More information on CI-ISAC's sovereign intelligence-sharing capability is available on the official website, https://www.ci-isac.org.au, or by emailing [email protected].