- An Israeli cybersecurity startup develops software that aims to protect trains from hackers
- Cybersecurity risks in the aviation industry
- How to protect ships from hackers
- Enhancing cybersecurity in the transportation sector
Technology has had a transformative impact on almost every industry in recent years, so it’s not surprising that the same thing is happening to the transportation sector as well. The adoption of new technologies has significantly increased safety, reliability, and operational efficiency within the sector. It’s also improved the passenger experience by providing unparalleled comfort and convenience.
However, increased connectivity also introduced new security problems that have made the transportation sector more vulnerable to cyber-attacks. In fact, a recent cybersecurity report published by IBM reveals that transportation was the second most targeted sector in 2018, experiencing approximately 13 per cent of total cyber-attacks.
An Israeli cybersecurity startup develops software that aims to protect trains from hackers
Railway networks are especially vulnerable to hacking, as they typically combine modern technological components with archaic physical ones, which weren’t designed with cybersecurity in mind. “Rail travel has undergone a digitization process that may be lagging behind other industries,” explains Amir Levintal, the former director of the Israel Defense Forces’ cyber research and development unit and the CEO of the cybersecurity firm Cylus. “Train companies also use safety systems meant to last 30 years or more, which means many of these have been put in place long before contemporary hacking tools were available or threats known.”
For example, today’s command centres often use wireless signals to control various activities throughout the network, including monitoring train speeds and regulating traffic signals. However, these wireless signals also expose the network to cyber-attacks. “Some train networks use Wi-Fi connections to control critical components of the train, like brakes and doors. Attackers can find ways to access the wireless network to send commands to those components and change the behavior of the train,” adds Levintal. “Once attackers succeed in breaching a network to gather information, they can attack the physical elements of the network.” Gaining access to the network allows hackers to execute all kinds of commands, including ones that could derail the train.
In February 2018, a man named Christopher Victor Grupe was sentenced to one year in prison for sabotaging a railroad company’s computer network. A former IT administrator at the Canadian Pacific Railway (CPR), Grupe was suspended for insubordination in December 2015 and then informed he would be fired. However, he managed to convince the company to let him resign instead, promising to return his laptop, remote access authentication token, and access badges. Grupe did as promised, but before leaving the company, he used his login credentials to access the company’s computer network switches and proceeded to remove some admin accounts, change passwords for other accounts, and delete certain key files. He then destroyed the logs in an attempt to cover his tracks and finally returned the laptop. It took nearly a month for the company to discover the sabotage. When they tried to log into the switches, they found out they were locked out and had to force reboot all of the devices to regain access. According to the company, Grupe caused approximately $30,000 worth of damage.
Finding a way to protect the physical components is paramount to preventing future attacks. “We must converge old and new technologies and close a complicated security gap,” says Levintal. “We can no longer think that attacks like these won't happen in the future. Rail networks are huge, complex and connected. It's easier than ever to find ways to get into the systems.” Cylus has developed a cybersecurity solution called CylusOne that aims to address two main vulnerabilities in the railway industry by monitoring signaling and control networks, including trackside devices, interlocking, and management workstations, and securing onboard operational and passenger comfort systems. In addition to being able to detect cyber-threats before any damage is done, the software can also determine the severity of the threat and offer suggestions on how to respond.
Cybersecurity risks in the aviation industry
The aviation industry isn’t immune to cyber-threats either. In the past, airplanes used to rely on aviation-specific technologies and kept most of their systems isolated, which made them rather safe from cyber criminals. However, that’s changed in recent years with the adoption of new technologies. In an attempt to satisfy changing market demands and remain competitive, the aviation sector is becoming increasingly dependent on software-driven systems, internet connectivity, and digital data. While these innovations have resulted in an improved flight experience for passengers, they’ve also increased the attack surface and made airplanes more vulnerable to hacking. Today’s modern aircraft are complex and highly connected systems that feature a number of elements that are vulnerable to attacks, including in-flight entertainment and connectivity systems, electronic flight bags, cabin crew devices, digital ground and onboard systems, and air traffic management systems.
Yet, despite the increased threat of cyber-attacks, a large number of companies operating in the sector still don’t have a system in place to manage those risks. A 2016 survey conducted by PwC reveals that only 40 per cent of aerospace companies had a comprehensive security strategy. This can sometimes have serious consequences. In 2018, the Hong Kong-based Cathay Pacific Airways experienced the biggest data breach in the history of the aviation sector. A hacker was able to gain access to the personal information of 9.4 million customers, including their names, dates of birth, nationalities, email, telephone numbers, physical addresses, ID cards, passport numbers, credit card numbers, and historical travel information. Even though flight safety wasn’t compromised, the data breach resulted in the airline’s shares falling to the lowest level in nine years and losing as much as $361 million in market value.
However, it’s not just passenger data that’s at risk. In September 2018, the security researcher Ruben Santamarta discovered an unprotected server on Boeing's network that contained code designed to run on the company’s 737 and 787 passenger jets. After examining the code, Santamarta also discovered security flaws in one of the 787 Dreamliner's components that could potentially allow a hacker to infiltrate the plane’s in-flight entertainment system. From there, they could exploit memory corruption vulnerabilities in the Crew Information Service/Maintenance System (CIS/MS) to gain access to critical systems like flight controls and sensors. Boeing has since rejected the possibility of such an attack, claiming that there are additional protection mechanisms in place to prevent these bugs from being exploited. While most security researchers agree that this is far from an immediate threat, the fact that such vulnerabilities exist at all should be a cause for concern. “The claim that one shouldn't worry about a vulnerability because other protections prevent it from being exploited has a very bad history in computer security,” says Stefan Savage, a computer science professor at the University of California at San Diego.
The global cybersecurity provider F-Secure has developed Aviation Cyber Security Services, a new product designed to help aviation companies protect their aircraft, infrastructure, and data from cyber-attacks. The software incorporates security assessments of avionics, ground systems, and data links, security monitoring, vulnerability scanners, incident response services, and specialised cybersecurity trainings for IT managers, as well as cabin and cockpit crews. “A key issue we help organizations with is how to protect an aircraft’s safety-critical systems from compromises in systems that are, in a sense, more exposed but less significant to an airplane’s operations,” says Andrea Barisani, F-Secure’s head of hardware security. “A key protection measure is separating systems into different ‘trust domains’, and then controlling how systems in different domains can interact with one another. This prevents security issues in one domain, like a Wi-Fi service accessible to passengers, from affecting safety-critical systems, like aircraft controls or air to ground datalinks.”
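The trust-domain separation described above can be audited as a graph problem. The following Python sketch is an added example, not code from the article or from F-Secure; the domain names and flow rules are constructed assumptions. It shows that a default-deny rule check is not enough on its own, because a chain of individually permitted hops can still connect a passenger-facing domain to a safety-critical one.

```python
from collections import deque

# Constructed policy: each pair allows traffic from one trust domain to another.
# Domain names and rules are illustrative assumptions, not a real aircraft design.
ALLOWED_FLOWS = {
    ("passenger_wifi", "inflight_entertainment"),
    ("inflight_entertainment", "crew_information"),
    ("crew_information", "aircraft_control"),   # the rule the audit should surface
    ("aircraft_control", "crew_information"),
    ("ground_link", "crew_information"),
}
UNTRUSTED = {"passenger_wifi"}
SAFETY_CRITICAL = {"aircraft_control"}


def is_allowed(src, dst, flows=ALLOWED_FLOWS):
    """Default deny: a direct flow is permitted only if it is explicitly listed."""
    return src == dst or (src, dst) in flows


def transitive_paths(flows, sources, targets):
    """Return the shortest chain of allowed hops from each source to each reachable target."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    found = []
    for start in sorted(sources):
        parent = {start: None}          # breadth-first search from this source
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for nxt in sorted(graph.get(node, [])):
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
        for target in sorted(targets):
            if target in parent:        # walk back from target to source
                path, node = [], target
                while node is not None:
                    path.append(node)
                    node = parent[node]
                found.append(path[::-1])
    return found


if __name__ == "__main__":
    for chain in transitive_paths(ALLOWED_FLOWS, UNTRUSTED, SAFETY_CRITICAL):
        print("policy gap:", " -> ".join(chain))
```

Any chain the audit reports means a rule along it has to be removed or replaced with a one-way, tightly filtered gateway before the domains are actually separated.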
How to protect ships from hackers
Just like trains and planes, ships have also become increasingly connected in recent years, making them more vulnerable to cyber-attacks. However, given the complexity of the maritime industry, addressing this issue is anything but simple. One of the main reasons is that there are many different classes of vessels that run on different operating systems, many of which are outdated and no longer supported. Another issue is that ship crews are changing all the time and new members are often not familiar with the systems they’re supposed to use, which increases the chances of human error. Last but not least, ships are in constant communication with their parent companies’ terrestrial systems, making them vulnerable to security flaws in land-based infrastructure as well.
Pen Test Partners, a UK-based company that offers penetration testing, security assessment, and training services, recently revealed that it would be relatively easy to capsize a ship by exploiting vulnerabilities in critical ship control systems, such as IP-to-serial converters, GPS receivers, or the Voyage Data Recorder (VDR). Many of these devices still run on Windows XP or Windows NT, have outdated firmware, and use default admin passwords, which are easily exploited. These devices use a standardised messaging protocol called NMEA 0183 to communicate with the ship’s various control systems, including autopilot systems, dynamic positioning, engine control, propulsion control, ballast control, and digital compasses. By gaining access to these systems, an attacker could cause serious damage to the ship. For example, a small change in the ship’s ballast control systems could potentially cause it to capsize during a tight turn. “Modern ballast control systems provide remote monitoring and operation from the bridge, usually running on a PC,” explains the Pen Test Partners researcher Ken Munro. “So, the attacker would simply send the appropriate serial data to the ballast pump controllers, causing them all to pump from port to starboard ballast tanks. That change in trim alone could cause a capsize.”
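NMEA 0183 sentences carry only an XOR checksum, which catches line noise but says nothing about who sent the data, so monitoring has to rely on knowing what each feed is supposed to carry. The Python sketch below is an added example, not code from the article or from Pen Test Partners. It validates sentences on one feed and flags anything outside an assumed allow-list of talker and sentence types; the allow-list and sample traffic are constructed.

```python
import re
from functools import reduce

# Standard sentence: "$" + body + "*" + two hex digits (XOR of every body character).
SENTENCE = re.compile(r"^\$([^$*]+)\*([0-9A-Fa-f]{2})$")


def checksum(body):
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)


def frame(body):
    """Build a sentence with a valid checksum (used here only to construct samples)."""
    return f"${body}*{checksum(body):02X}"


def classify(line, expected):
    """Return 'ok', 'malformed', 'bad_checksum' or 'unexpected' for one received line."""
    m = SENTENCE.match(line.strip())
    if not m:
        return "malformed"
    body, given = m.group(1), int(m.group(2), 16)
    if checksum(body) != given:
        return "bad_checksum"
    address = body.split(",", 1)[0]
    if len(address) != 5:          # proprietary ("P...") sentences are out of scope here
        return "unexpected"
    talker, sentence_type = address[:2], address[2:]
    return "ok" if (talker, sentence_type) in expected else "unexpected"


# Assumed allow-list for one serial feed: GPS fix and gyro heading only.
EXPECTED_ON_FEED = {("GP", "GGA"), ("HE", "HDT")}

# Constructed sample traffic, not captured from a vessel.
GOOD_FIX = frame("GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,")
GOOD_HDG = frame("HEHDT,274.5,T")
CORRUPT = GOOD_HDG[:-2] + f"{checksum('HEHDT,274.5,T') ^ 0xFF:02X}"
FOREIGN = frame("IIXDR,C,19.5,C,TempAir")   # valid checksum, but not expected on this feed
SAMPLES = [GOOD_FIX, GOOD_HDG, CORRUPT, FOREIGN, "GPGGA,no,leading,dollar"]


def audit(lines, expected=EXPECTED_ON_FEED):
    """Classify every line; anything other than 'ok' deserves an alert."""
    return [classify(line, expected) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLES, audit(SAMPLES)):
        print(f"{verdict:13} {line}")
```

The "unexpected" verdict matters most here: that sentence passes the checksum, so only the per-feed allow-list (together with network separation and credential hygiene on the converters) distinguishes it from legitimate traffic.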
The maritime industry has been rather slow to react to this growing threat. In 2016, the International Maritime Organization (IMO), the UN body responsible for regulating maritime space, issued its interim cybersecurity risk management guidelines for the maritime industry. The IMO updated the guidelines in 2017 to provide more clarification on how the industry should conduct risk management processes. According to the new rules, shipowners and managers have until January 2021 to incorporate cyber risk management and security into their safety management systems or risk having their ships detained. While the new guidelines represent an important step, many experts are already calling them outdated, as they don’t even mention the cloud or artificial intelligence technology. “They don’t address the modern cybersecurity exposures created by mobility, applications and the cloud,” says Tom Kellermann, the chief cybersecurity officer at the security firm Carbon Black Inc.
Enhancing cybersecurity in the transportation sector
Like many other industries before it, the transportation sector is currently undergoing a major tech-driven transformation. While the proliferation of new technologies within the sector has brought numerous advantages, such as improved safety, efficiency, reliability, and passenger experience, it’s also made trains, planes, and ships more vulnerable to devastating cyber-attacks. The sector has generally failed to respond adequately to this growing threat. However, that’s slowly starting to change as security researchers continue to discover new, more serious vulnerabilities that could potentially even endanger the lives of passengers. While none of the cyber-attacks on the transportation sector have caused loss of human life so far, the fact that this possibility exists, even if only in theory, has forced the sector to recognise the gravity of the issue and take steps to address it by implementing cybersecurity solutions designed specifically for this sector.