Digital transformation has become prevalent among transportation companies, improving all facets of the industry. This process has created unprecedented efficiencies and opportunities to expand revenue streams. The downside of this digitization is the creation of new security risks that have made transportation businesses vulnerable to cyber-attacks. Every sector of the industry, including maritime, rail, aviation, trucking, logistics providers, and package couriers, is affected. The impact is costly, disruptive to operations, and has the potential to create further liability, particularly when sensitive customer data is breached.
Connected, widely distributed IoT devices are at the heart of this (r)evolution in the transportation industry. Being able to effectively validate the trustworthiness of the machine identities of these IoT devices is an important component of a policy to mitigate the emerging cyber threats. In a fast-moving industry serving millions of people, the failure to manage the rapidly increasing numbers of IoT machine identities can cause problems that stack up quickly and take a long time to recover from.
IoT in transportation is already a big business. Allied Market Research reported that the market was valued at $135 billion USD in 2016 and was expected to grow to $328 billion USD by 2023. Transportation companies reap the benefits of IoT devices through various applications including traffic congestion systems, fleet management, system maintenance, tolls and ticketing, and connected cars.
The use of IoT in transportation enables the networking of systems via embedded sensors, actuators and other devices that gather and transmit data about real-world activities. IoT devices are changing the way that transportation companies operate and how they collect and make use of data.
Some wider benefits that apply to the use of IoT technology within the transportation sector include:
There are multiple reasons for the increased threat faced by the transportation sector. For one, the expanded use of operational technology (OT), which opens new wireless channels that are connected directly to the companies’ digital ecosystems, is a favorite target. In addition, the transportation industry suffers from lagging cyber regulations and standards, inadequate cyber threat awareness and a shortage of cybersecurity talent.
While in the past cyber-attacks targeting the transportation sector may have gone unnoticed, nowadays these attacks have become high-profile news items. For example, a cyber-attack in May 2021 effectively shut down the Colonial Pipeline, which provides gasoline to almost half of the East Coast of the United States. Other cyber-attacks, such as those aimed at major shipping companies, often involve disrupting email and logistics systems.
The vulnerabilities that transportation companies face can be grouped in three categories: technology, regulation and people.
In every aspect of the transportation industry, the expanded cyber-attack surface is evident. For instance, among maritime companies, relatively simple distress-and-safety systems have been replaced by full-fledged, cloud-based, local area networks, like the International Maritime Organization’s (IMO) e-navigation program. These networks are a tempting target for adversaries because they collect, integrate, and analyze on-board information continuously to track ships’ locations, cargo details, maintenance issues, and a host of oceanic environmental considerations.
Similarly, in the rail industry, traditional wire-based train control and management systems (TCMS), which have had only limited communication with external systems, are giving way to wireless standards like GSM-Railway, a broad network linking trains to railway control centers.
These networks, which link OT systems with internal IT equipment such as servers, PCs, and mobile devices, open new entry points for attackers to exploit. The lack of oversight makes these interconnected systems even more vulnerable. Management interfaces with poor built-in security controls are installed in critical equipment for remote access, control, and troubleshooting. Further, existing computing ecosystems are rarely modernized to be compatible with strict security protocols.
Finally, transportation companies depend on a vast network of suppliers and contractors, creating a highly interconnected supply chain. Cybersecurity protocols maintained by these partners are generally not policed, leaving transportation businesses in the dark about whether their integrated ecosystems are a growing risk.
Although the commercial and operational aspects of the transportation industry are regulated in many regions, there are relatively few rules covering cybersecurity. Among the regulations already established are the EU’s Network and Information Security (NIS) directive and the CLC/TS 50701 and EN 50126 standards for railroads, as well as a series of rules for ships promulgated by the IMO. In the US, the Department of Homeland Security’s Transportation Security Administration (TSA) has promulgated cybersecurity requirements to cover the maritime, aviation and railroad sectors, while CISA has developed guidelines for securing autonomous ground vehicles.
Cyber threats continue to evolve, but the common thread for some of the most vulnerable areas is the human factor. For example, employees who are unable to identify a phishing email could give hackers an easy path to initial exploitation. Making matters worse is a large and growing global talent deficit of cyber protection specialists. As many as 4 million cyber specialist jobs were unfilled in 2020, according to (ISC)².
The proliferation of digital technologies in the transportation industry and developments such as autonomous vehicles will only increase the already expanded threat surface—especially for machine identities. It is now time for the responsible entities to take action and reduce the overall business risk to operations safety and reliability.
According to Claroty’s ICS Risk and Vulnerability report for H1 2021, “Proper access controls and privilege management are crucial to contain or remediate damage” caused by cyber-attacks on OT systems supporting the transportation sector. As the boundaries of businesses are blurred, machine identities are the new perimeter to manage and defend.
An identity-centric approach to digital and cyber-enabled OT infrastructure can enable transportation corporations to scale and support new services and capabilities easily and, most importantly, securely. Transportation companies can benefit in many ways by effectively managing the machine identities of their connected IoT devices.
Machine identities are the foundations for securing the digital transformation initiatives of the transportation sector by creating networks of trust, managing overall risk, protecting privacy and enforcing security policies. Machine identities have become high-value assets, which need to be managed carefully. These digital identities must be protected from tampering, impersonation, and disruption, which could expose a business to fraud, disrupt services, and damage trust.