Risky business

Risky business

The drive towards smart cities means that more transport systems are being integrated with traditional network surveillance equipment. But as the number of connected devices increases, so does the cyber risk. Philip Ingram reports


According to a 2016 EU Transport sector economic analysis report, transport plays an important role in today’s economy and society and has a large impact on growth and employment. The transport industry directly employs around 10 million people and accounts for about 5% of gross domestic product (GDP). The quality of transport services has a major impact on people’s quality of life. On average 13.2% of every household’s budget is spent on transport goods and services.

Looking to the Middle East, BMI Research shows there has been a general slowdown in infrastructure projects across the Middle East and this includes transport. However, Qatar is an exception where the government will spend US$54.37bn in 2017 and 21% of this will be allocated to Qatar’s transport sector as part of the preparations for the FIFA 2022 World Cup. This gives an expansion in transport infrastructure of some 11.5% in real terms.

The Middle East’s digital markets are expanding at an overall compound annual growth rate of 12% and could add as much as US$820 billion to gross domestic product and create 4.4 million new jobs by 20, according to the Geneva Centre for Security Policy this year. Of note in their recent paper, Cyber-security Challenges in the Middle East, threats to the transport infrastructure were not amongst the greatest mentioned.

Andy Blackwell of Blackwell Security Consulting says of the threat to the transport sector, “It’s not just physical attacks that the industry has to concern itself with. The aviation sector faces increasing vulnerability to cyber-attacks as technologies such as WI-FI become more widespread. Recent initiatives by the International Civil Aviation Organisation (ICAO) and the European Aviation Safety Agency (EASA) provide us with an indication of the increasing risk to the sector’s cyber security due to increased connectivity.”

Deliberate insiders are probably the most concerning, but not necessarily the biggest risk and therefore at airports vetting for those with “airside” passes are particularly important but we don’t see the same vetting applied to road, rail and maritime transport sectors. This deliberate insider threat is not just related to terrorism such as that caused Egypt Air 804 from Sham El Sheik to blow up in 2016 but can also be related to cyber threats.

Transport networks are becoming increasingly digitised, connecting physical networks with virtual networks through a wide variety of modern but often legacy control mechanisms. It is these legacy devices that could create the greatest cyber vulnerabilities for transport systems. Add in an increasing number of IoT enabled capabilities utilising increased Wi-Fi connectivity and the potential attack surfaces are growing massively.

The Willis Towers Watson 2016 Transportation Risk Index highlighted that for air, the most critical risk identified was failure of critical IT systems and in the maritime and land environments it was increased security threat from cyber and data privacy breaches.

The report goes on to say: “Cyber is the primary risk when an aggregate rating is taken across the five regions and across the 12 transportation sub-sectors. Through that lens, the threat of cyber- attacks is the top perceived risk for companies operating in such diverse business arenas as space, rail freight and third-party logistics.”

As part of its summary it adds: “Business crises tend to have broad technical, financial, operational and reputational consequences, so risk mitigation strategies must be formed in the boardroom, where the full spectrum of possibility is recognised. The responsibility for digital risk management no longer belongs in the IT suite, where technical solutions take priority over any business-continuity response. Not only is it costly to construct a technical response to a cyber-attack or critical systems failure, there are simply more effective ways to limit their commercial and reputational impact.”

With the maritime environment being critical to a significant proportion of Middle East logistics and export, a wary eye is kept on emerging threats to shipping. With increasing interconnectivity on-board vessels and offshore oil rigs, combined with increasing connectivity inside ports and logistic hubs to enable not just industrial control systems, but asset and goods tracking, the cyber-attack surface is growing.

The potential rewards for cyber criminals have increased and with that so does the threat and can cause operational disruption, financial loss or reputational damage as was seen by the shipping giant Maersk after the latest notPetya attack. This has come on the heels of seeing growing numbers of incidents of cyber-attacks in the maritime and offshore sectors. A general lack of awareness and training has been highlighted in many IMO reports across the sector, as one of the major causes.

The accidental insider remains one of the greatest risks to the transport sector as shown by the massive BA systems outage in May this year. Procedures, training and a culture of enablement is what deals with these, with cultural changes proving the most effective.

Some 75,000 people were stranded and a reported up to £150 million compensation bill would follow for what has been described as an engineer allegedly failing to follow proper procedures at an IT centre in Heathrow. His re-booting of computer servers led to ‘catastrophic physical damage’ to other servers across the world.

Whilst this has not been described as a cyber-attack, it highlights the vulnerability of interconnected systems in the transport sector and it could easily have been a deliberate act in other circumstances. It also goes to show the vulnerability of the networks and massive damage that can be caused by network outages rather than data being stolen. Again, this was in the airline sector but the threats are equally applicable to maritime, rail or traffic control and logistics sectors.

Like many industries, transport is reliant on interconnectivity through cyber space and the BA outage highlights just how fragile elements of the cyber infrastructure is. However, this is not just a BA problem, many airlines have similar complex infrastructures. When it comes to deliberate attacks, “Risk is usually accessed by what the attackers might gain,” says Middle East engineering & training manager, Ettiene Van Der Watt from Axis Communications.

Commenting on ways to improve cyber security in the sector, Andy Blackwell says, “an integrated approach to security will help improve resilience. The UK’s Security Management System (SeMS) Framework, developed with industry by the DfT and CAA , if implemented correctly, will provide corporate assurance that ALL known security risks are being managed. Collaborative approaches between industry, government and key stakeholders are vital, particularly with regards to the sharing of information and best practices.” Many of the lessons, processes and regulations from the UK are mirrored overseas.

Van Der Watt from Axis added, “It’s about products, people, technology and ongoing processes. The same approach that is needed to secure smart cities is what is required to secure increasingly integrated transport systems and manufacturers who supply technologies to these sectors must have 100% focus on cyber security and we’re doing everything in our power to mitigate its risks.”