Source: The Loadstar
Date: 23rd March 2023
New EU laws next year will see major parts of the transport and logistics industry forced to boost their cybersecurity – and report all cyber-attacks.
The directive designates airports, airlines, traffic control authorities, ports and port equipment operators and shipping lines as “sectors of high criticality” and will require each member state to assemble a computer incident response team with “adequate resources and technical capabilities”.
The law will also beef up reporting requirements for companies that have been attacked. The EU agency for cybersecurity, ENISA, must assess and address cybersecurity readiness, including providing an operational template for response teams.
ENISA has published a report warning of the growing cyber risk in the transport sector, part of a wider effort by the EU to improve shipping, road, rail and air transport defences against the state- and non-state attackers.
Threat Landscape: Transport Sector found aviation was the most-attacked segment between January 2021 and October 2022, with some 27 incidents recorded. Attacks on road were the second highest, at 24, rail at 21 and shipping with 18.
Despite the Russia-Ukraine war beginning during this period, ENISA still determined that financial gain was by far the biggest single motivator for cyber-attacks, accounting for some 55% of cases. Road and aviation proved particularly susceptible, with the latter’s primary vector of attack concerning data leaks rather than ransomware.
The biggest target among ideology-motivated ‘hacktivists’ appears to have been trained, it said. They “have claimed responsibility for attacks on the railway (8%) and aviation (6%) sectors”, it noted and added: “This has to do mainly with attacks linked to Russia’s military aggression against Ukraine,” although “state-sponsored actors” were more likely to attack shipping.
Speaking with The Loadstar, the head of cybersecurity at the Port of Rotterdam which was affected by the NotPetya attack in 2017, welcomed the new measures, which he said would see “the scope of the rules” increased.
He explained that rapid digitalisation in ports had left them without the ability to ‘switch to manual’ in the event of a cyberattack.
“There are some failures we get, where we can switch over to manual port operations. But because of a lack of resources or a high level of digitalisation, that option will go away.”
The head of cybersecurity at the Port of Rotterdam highlighted the comments of a former Russian military leader on Russian TV, naming Rotterdam as a strategic target in the event of an escalation in the Ukraine conflict. “The public authorities say the likelihood has been increased. We see no direct action yet, or direct cyber attacks planned at [Rotterdam] at this moment.”
At a Shipping Conference, a reliable source briefly touched on the ransomware attack at the beginning of the year that put 70 clients and 1,000 ships in the firing line. It is so important to share the experiences. If you imagine what we know about companies that have been victims of cyber-attack, you can just imagine how much bigger the portion is of companies that have been cyber-attacked and do not share any of the information.
“If we are not sharing, we are making the dark forces more powerful… we will all be cyber victims,” he warned.
The murky nature of the cyber-threat landscape makes it challenging to work out attackers’ true motivation and easy to disguise a state-sponsored attack as a petty crime. In the NotPetya ransomware incident in 2017, the biggest cyber-attack on shipping thus far, financial motivation was initially blamed. But it was later determined to be part of a wide Russian cyber campaign against companies doing business in Ukraine.