Ransomware gunning for transport sector’s OT systems next

ENISA (the European Union Agency for Cybersecurity) has reason to believe that ransomware gangs will begin targeting transportation operational technology (OT) systems in the foreseeable future. This finding is further explored in the agency’s 50-page report entitled ENISA Threat Landscape: Transport Sector.

The transportation sector, which comprises the aviation, maritime, railway, and road industries, is a subgroup under the industrial sector, according to the Global Industry Classification Standard (GICS). It doesn’t only deal with the movement of people but also of products. An OT system ensures transport services are safe, reliable, and available.

An OT system refers to the hardware and software directly involved in detecting, monitoring, and controlling processes and equipment. It interfaces with the physical world and is often part of a nation’s critical infrastructure. Examples are Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and Distributed Control Systems (DCS). These systems have been targeted and attacked by the WannaCryStuxnet, and Triton malware, respectively.

ENISA says the three dominant threats to the transportation sector are ransomware (38 percent), data-related threats (30 percent), and malware (17 percent). However, each subgroup has reported experiencing other attack types than ransomware.

The aviation industry, for example, has dealt with more data-related threats than others. Airline customer data and proprietary information of original equipment manufacturers (OEM)—companies that provide parts for another company’s finished product—are the primary targets of attackers in this subgroup.

ENISA notes that most threat actors target IT systems, which can cause operational disruption. However, reports of OT being targeted have been rare. The agency believes this will change soon because of many factors, including ongoing digitization efforts within the industry that increase IT and OT connectivity, the high probability of companies paying ransom demands to avoid critical business and social impacts, and the increasing number of identified vulnerabilities within OT environments.

The report also listed a number of observed cyberattack trends, such as the following, within the transportation industry:

  • Ransomware attacking industries within the transport sector has been on an uptick.
  •  Fifty-four percent of the time, cybercriminals are responsible for attacks against the sector and its subgroups.
  •  Hacktivist and DDoS (distributed denial of service) attacks will likely continue due to geopolitical tensions and ideological motives.
  •  Hacktivists in the EU primarily targeted airports, railways, and transport authorities.
  •  The top motivators for attacking the transport industry are financial gain (38 percent) and operational disruption (20 percent).

From the report:

“The transport sector is considered a lucrative business for cybercriminals, with customer data considered a commodity and with highly valuable proprietary information when transport supply chain is being targeted.” …

“While we have not observed notable attacks on global positioning systems [emphasis theirs], the potential effect of this type of threat to the transport sector remains a concern. Jamming and spoofing of geolocation data could affect their availability and integrity, affecting transport sector operations. This type of attack requires further analysis in the future.”

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.