Transport cybersecurity has holes, CSIS says

by Krystyna Shchedrina

Groups including the FBI and the Canadian Security Intelligence Service (CSIS) are calling on those responsible for transportation infrastructure to shore up technical gaps in the face of growing ransomware threats. 

Ransomware attacks targeting transportation rose 93 percent in 2021, Check Point Research reports. And concerns continue to grow that Russia may respond to economic sanctions with state-driven cyberattacks of their own. 

“Trains, wayside infrastructure, and signalling systems are particularly vulnerable. These hardware components were built before cybersecurity best practices and have become connected to outward-facing networks, leaving them exposed to ransomware attacks,” said Josh Lospinoso, the CEO and founder of Shift5, a cybersecurity company. 

The Russian threat

While the U.S. is more likely to be targeted by Russian cyber criminals due to longstanding animosity between the countries, he says Canada’s supply chain will be affected too. 

Russian cyber actors remain a threat to Canada, said Brandon Champagne, CSIS spokesperson, adding that in April 2021 they attributed a cyber espionage campaign to the Russian Foreign Intelligence Service (SVR). This campaign involved inserting malware into a software update mechanism for a network management tool published by U.S. technology firm SolarWinds. 

Last month, Canada and its close allies issued an advisory warning, saying organizations are at risk of Russian cyber threat. Champagne said ransomware attacks might result from unprecedented economic costs imposed on Russia and Canada providing material support to Ukraine during its war with Russia.  

“State actors increasingly use these cybercriminal tactics, often through proxies, to advance their objectives and evade attribution. When ransomware attacks cause severe disruption to targeted networks and infrastructure, foreign state actors can also benefit from the resulting chaos. It may bolster their ideological narratives and advance their geopolitical interests by threatening targets’ national stability, cohesion, and physical safety.” 

Railways at risk

Canadian and American rail channels are closely interconnected, and if an American railway is attacked, there will be a downstream effect in the Canadian market, said Lospinoso. He added it might take days and weeks to get back to running the operations, depending on which technology was compromised, if the data was exfiltrated, whether the company has paid the ransom and several other considerations.  

“A ransomware attack on a freight operator could have a tremendous impact on the supply chain. A successful ransomware attack holds technology hostage, rendering it inoperable. Should a rail operator fall victim to a ransomware attack, whether through its I.T. systems like back-office computers or operational technology (O.T.) systems like the train itself, operations could halt and the business could incur downtime, mitigation, and remediation costs.” 

Prevention

However, Lospinoso said there are numerous practices that rail operators can implement to enhance cybersecurity and minimize potential disruptions.  

He believes the first step is to ensure the organization has a comprehensive inventory of its assets. “Quite simply, you can’t protect what you can’t see,” said Lospinoso. He pointed out that gaining situational awareness is also important to safeguard critical data, systems and operations.  

Apart from changing the passwords and installing antivirus software, Lospinoso said operators could close the gaps in cybersecurity by limiting the number of people given administrative access, implementing multi-factor authentication on operation systems, and automating software updates whenever possible.  

Backup and update

Additional protection levels can be provided with constant updates of servers, monitors and firewalls. According to Lospinoso, data backups are critical to ensure offline backups are beyond the reach of the malicious actors. Data encryption will make it impossible for cybercriminals to use the stolen information.  

Lastly, developing an incident response plan is a vital part of the fight against a ransomware attack. However, the plan alone is not enough. Lospinoso said employers should also be educated about common tactics attackers use over email or websites.  

“Make sure your incident response team has a plan and run drills to ensure they are on their toes and ready to go if the unexpected happens.”