Transportation and travel groups are proving doubly attractive targets for cybercriminals – both as operators of critical national infrastructure and as hoards of valuable customer data.
Over the past five years, cyberattacks against computer systems and databases of transportation organizations have increased and evolved, experts say.
In 2017, malicious software, or ‘malware’, hidden in a document used to file tax returns, infiltrated Maersk’s IT systems – and cost the global shipping company up to £300million. A year later, hackers shut down 2,000 computers belonging to the Colorado Department of Transportation in the United States.
And now transport systems are seen as prime targets in international conflicts.
“There is evidence of [US] government sources that nation states and associated criminal organizations target [transport] infrastructure for cyberattacks more than other industries because these industries are strategically important to national security and the economy,” says Bob Kolasky, former deputy director of the US Cybersecurity and Infrastructure Security Agency.
Today, Kolasky is senior vice president for critical infrastructure at Exiger, which advises companies on risk.
Meanwhile, fraudsters are hacking private travel agency customer data. In 2020, easyJet discovered that the email addresses and travel details of nine million customers had been compromised, along with some credit card information.
Since then, both industries have reported a surge in the use of ransomware (malicious software that encrypts data to ransom owners), as well as distributed denial-of-service attacks (which overwhelm a network or website with messages ), as well as phishing. (where cybercriminals pose as legitimate organizations to steal consumers’ financial details).
In the case of transport organizations, attacks are usually mounted against IT systems, in order to cause maximum economic and social disruption to passengers and supply chains.
One of the vulnerabilities they face is the rudimentary nature of their “operational” technology – such as rail signaling, sensors and port networks – compared to state-of-the-art business computing systems.
“Operational technologies. . . can be disturbed by hacking, which can lead to risks for the physical security of people”, underlines Massimiliano Claps, director of research and responsible for transport at IDC, a research company. “From this point of view, transport is one of the industries that has one of the highest rates [cyber security] risk profiles.
And the areas at risk are widening, warn the consultants. To automate maintenance and increase efficiency, transport companies are digitizing their operational and external IT systems.
“[Operational] the systems were never designed to be connected to other systems and were never designed and integrated for security,” notes Justin Lowe, cybersecurity expert at PA Consulting.
In the case of travel agencies, attacks tend to focus on customer data, which can be financially valuable if sold on the “dark web” — hidden parts of the Internet — and used for fraudulent purposes. .
Ross Henton, former head of cybersecurity at American Express Global Business Travel, and now director of Mitiga, a cybersecurity technology company, says using this data securely should be a priority for travel groups. “One of the concepts we talk about in [cyber] security is the CIA’s triad: confidentiality, integrity and availability,” he says.
Fortunately, IT systems in travel agencies are generally more advanced than those in the transportation industry. But they contain more customer data, which creates different security risks.
Hospitality businesses are the third most targeted by cyber attackers across all industry sectors, behind retail and financial services, according to Trustwave’s 2020 Global Security Report.
Criminal groups attack hotel computer systems using methods such as “spear phishing” (a targeted cyberattack against an organization or individual) or they hack into the hotel’s WiFi, explains Maximilian Heinemeyer, vice president of the cyber innovation at Darktrace, a cybersecurity technology company.
After hacking the hotel’s Wi-Fi, a cybercriminal can install “keyloggers” – malware on the victim’s device that records everything they type and sends a log of the activity to the pirate.
The opportunities for customer data attacks exist because the quality of cybersecurity in hotels, airlines, and car rental companies varies. Another contributing factor is the extent of “interconnectedness” between corporate IT systems and data, says Sherron Burgess, senior vice president and chief information security officer at BCD Travel, a global travel agent for travelers. businesses.
BCD responded to the threat by using “vulnerability management” technology to find security vulnerabilities in its IT systems and adopted recognized cybersecurity standards, including ISO 270001. This states that vendors and business partners adhere to minimum cybersecurity standards, including the use of firewalls and data encryption − and that security is audited regularly. “Anyone can do pretty well for a month,” Burgess points out.
Regulators are also putting pressure. In the United States, the Transportation Security Administration issued guidelines requiring rail operators and pipeline companies to strengthen cybersecurity against ransomware attacks and other threats. They are also required to implement an “emergency and recovery plan” in terms of cybersecurity.
Similarly, the European Commission has published proposals to update and strengthen cybersecurity rules for networks and information systems, including holding senior managers accountable if their company fails to comply with the directive. This directive applies to travel agencies, confirms Paul McKay, cybersecurity and risk analyst at Forrester, a research firm.
However, cyber threats to the travel and transportation industries are not expected to diminish as the ransomware boom continues and transportation companies connect more sensors and industrial devices to the internet.
Operators are therefore advised to detect and address risks – or at least minimize the damage caused by any security breaches – with standard cybersecurity software, staff training and well-honed “incident response”.
Too often, however, transportation and travel companies take a “reactive” approach to cybersecurity and can only review it after a breach, Mitiga’s Henton warns. This may improve the situation in the short term, but “don’t [tackle] persistent problems or lead to cultural change,” he says.