The European Union Agency for Cybersecurity (ENISA) publishes its first cyber threat landscape report dedicated to the transport sector.
This new report maps and analyses cyber incidents in relation to aviation, maritime, railway and road transport covering the period of January 2021 to October 2022.
The report brings new insights into the cyber threats of the transport sector. In addition to identifying prime threats and analysing incidents, the report assesses threat actors, analyses the motivations driving their actions and introduces major trends for each sub-sector.
EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, stated that “Transport is a key sector of our economy that we depend on in both our personal and professional lives. Understanding the distribution of cyber threats, motivations, trends and patterns as well as their potential impact, is crucial if we want to improve the cybersecurity of the critical infrastructures involved.”
Prime threats affecting the transport sector
- ransomware attacks;
- data-related threats;
- denial-of-service (DoS), distributed denial-of-service (DDoS) and ransom denial-of-service (RDoS) attacks;
- phishing / spear phishing;
- supply-chain attacks.
Ransomware attacks have become the most prominent threat against the sector in 2022, with attacks having almost doubled, rising from 13% in 2021 to 25% in 2022. They are closely followed by data-related threats (breaches, leaks) as cybercriminals target credentials, employee and customer data as well as intellectual property for profit. The attacks are considered to be opportunistic in nature, as we have not observed known groups targeting the transport sector exclusively.
More than half of the incidents observed in the reporting period were linked to cybercriminals (55%). They apply the “follow the money” philosophy in their modus operandi.
Attacks by hacktivists are on the rise. One fourth of the attacks are linked to hacktivist groups (23%). Their attacks are usually motivated by the geopolitical environment and aim at operational disruption, or are guided by ideological motivation. These actors mostly resort to DDoS attacks and mainly target European airports, railways and transport authorities. These attacks are concentrated in specific regions and are affected by current geopolitical tensions.
State-sponsored actors were more often attributed with targeting the maritime sector or government transport authorities. These are part of the ‘All transport’ category, which includes incidents targeting the transport sector as a whole. This category therefore includes national or international transport organisations of all subsectors as well as ministries of transport.
Observed incidents in each sector
Faced with multiple threats, aviation contends with data-related threats as the most prominent, coupled with ransomware and malware. Customer data of airlines and proprietary information of original equipment manufacturers (OEM) are the prime targeted assets of the sector. Fraudulent websites impersonating airlines have become a significant threat in 2022, while the number of ransomware attacks affecting airports has increased.
Threats targeting the maritime sector include ransomware, malware, and phishing attacks targeted towards port authorities, port operators, and manufacturers. State-sponsored attackers often carry out politically motivated attacks leading to operational disruptions at ports and on vessels.
For the railway sector, threats identified range from ransomware to data-related threats primarily targeting IT systems like passenger services, ticketing systems, and mobile applications, causing service disruptions. Hacktivist groups have been conducting DDoS attacks against railway companies at an increasing rate, primarily due to Russia’s invasion of Ukraine.
The threats in the road sector are predominantly ransomware attacks, followed by data-related threats and malware. The automotive industry, especially OEM and tier-X suppliers, has been targeted by ransomware which has led to production disruptions. Data-related threats primarily target IT systems to acquire customer and employee data as well as proprietary information.
On the availability and reliability of data: challenges in incident reporting
Although ENISA gathered data from a variety of sources to perform its analysis, the knowledge and information on incidents remain limited to those incidents officially reported and for which information was publicly disclosed. However, the disclosed incidents on which ENISA based its analysis and conclusions are likely to under-represent reality if non-disclosed ones outweigh those made public.
Despite Member States having legal requirements for the mandatory reporting of incidents, it is often the case that cyberattacks are disclosed by the attacker first.
In the EU, the revised Directive on measures for a high common level of cybersecurity across the Union (NIS2) and the additional notification provisions for security incidents aim to support a better mapping and understanding of relevant incidents.