On the Move: Cyber Attacks on Transportation Systems

Everything is on the move. People. Agriculture. Water. Power. Materials ranging from home goods to hazardous waste all flow through a massively complex, public/private, interconnected – and increasingly automated – hive of vehicles and transport systems.

According to the Department of Homeland Security:

  • More than 19,000 airports with 780,000 commercial flights a month
  • 361 ports and 95,000 miles of coastline
  • Billions of passenger trips on mass transit (buses, subway, commuter, etc.) annually
  • Four million miles of roadway with 600,000 bridges and 400 tunnels

Via plane, train, or automobile, the transportation sector supports nearly 10 percent of the U.S. GDP and transports nearly 20 billion tons in goods annually. Over the past couple of years, the industry has grown in complexity in logistical chains, production, facility and manufacturing partners, and plant management operations.

As a result of such growth, the industry has shifted to more automated processes, turning paper documents into digital formats, and using advanced analytics to address customer needs. Those efforts have placed more transportation systems online. With the expansion of the transportation industry into the digital domain, transportation cyber security has become more important than ever before.

Historical cyber attacks on transportation systems

  • Maersk: Petya malware variant infected the IT systems of the world’s largest shipping company with 600 container vessels handling 15% of the world’s seaborne trade in June 2017.
  • LOT: A Polish airline canceled 10 flights due to an attack against the airline’s ground computer systems at Warsaw’s Okecie airport in June 2015.
  • Jeep Cherokee: A coordinated attack in 2015 by Charlie Miller and Chris Valasek demonstrated the ease by which a connected car can be remotely hacked into, in this case, using Uconnect.

While many transportation companies understand the importance of keeping data and passengers safe and secure, a few companies have experienced the detrimental effects of an attack similar to other industries like the financial sector and healthcare.

From ransomware attacks to data breaches, the transportation sector is not immune to malicious hackers. While the industry has been thought of as “less vulnerable,” it also means the industry could be next in line for hackers to target. This is especially true now that automobiles and transit systems are becoming increasingly more connected via IoT, or the Internet of Things. Many cars now come with their own WiFi hotspot, public transportation utilizes apps to help you get around, and specialty lanes on the highway use the internet to charge for driving in things like the express lane.

Unauthorized users know that such “untapped” industries are indeed at risk because they haven’t been attacked yet, leading industry professionals to believe their systems are secure and not defenseless. A system may appear to be secure, but until the first oversight or staffing shortfall impacts security, it’s hard to be 100% certain. The transportation industry is new territory that can be easily exploited if persistent cyber learning, procedures and processes are not put in place.

Since most transportation organizations keep cybersecurity responsibilities in-house, building a culture of awareness within the organization that prioritizes education, skill-building, and continual awareness, is crucial to staying on top of threats. Transportation industry cyber teams and CISOs would do well to be proactive in their cybersecurity efforts instead of hoping their systems are secure from hackers. Hope isn’t a strategy.

So, what is the best strategy? Continuous learning that upskills your cyber teams. It can and should be a part of the transportation sector’s cyber readiness efforts to constantly improve their posture. Because, as we know, the only constant in cybersecurity is change. The transportation industry is dynamic and evolving, just like cyber threats. Cybersecurity is the responsibility of everyone, not just those in IT. All need to take ownership of how they contribute to the security of the company.

Failure to provide responsible oversight will not only impact everyone personally employed in the company, but it will have a ripple effect that extends out to the great social, political, and economic groups that depend on transportation.

Transportation’s reach and integration with so many other industries requires and demands a stronger cybersecurity arm. To start strengthening the sector, we’ve prepared four strategies to form an elite cyber team. Without a strong cyber team in place, the newest technologies and tools will only go as far as the skill sets and knowledge base of your cyber team.

Hope for Cybersecurity: Cyber Teaching Challenges & New Horizons for Cyber Learning

The statistics are dismal. An estimated 3.5 million unfilled cyber positions by 2021 and today, we have over 300,000 openings in the U.S. alone. According to a New York Times article, “filling those jobs would mean increasing the country’s current cybersecurity workforce of 715,000 people by more than 40 percent,” according to data presented at the National Initiative for Cybersecurity Education Conference. If you’re a student in cyber or are just undeclared, there hasn’t been a better time to consider cybersecurity as a professional career. The field has come a long way from the stereotypical hoodie-wearing, Mountain Dew sipping worker in a dark room performing tedious coding tasks.

Cybersecurity is so much more than that—and it’s exciting! Don’t believe us? At Divergence Academy, we are preparing the next generation of cyber professionals to enter the workforce and alleviate the skills gap through gamified learning. If more institutions adopted such an approach, we as educators would be more successful at not just engaging our students in teaching relevant concepts and theory, but successful at helping them build skills needed in today’s workforce.

Cyber Teaching and Learning Challenges

But before we get into the “hopeful” part of this article, we need to understand the challenges in teaching cyber in the first place. The way that cybersecurity has been taught throughout the years often include lectures, PowerPoint presentations or online models that students complete on their own. Inherently there is nothing wrong in teaching new information in this way. However, the opportunity exists to help students learn how to apply this knowledge to a real-world setting. The act of doing and creating the needed experience is the single most important quality job candidates can bring to an employer and this is the gap Divergence Academy is hoping to close.

When students sit in a classroom, information can be presented in a systematic way, where in real life this may not always be the case, especially in the world of cybersecurity.

When you think of teaching someone how to think like a hacker, you are fundamentally teaching them how to be creative in how they approach a situation.

The concept of teaching someone to think like a hacker is easier said than done, which is why diversifying the way students can process information is crucial. Not every student learns in the way same.

There’s Hope for Cybersecurity: Continuous Skills Acquisition and Application

As cyber educators and instructors, we know there is no “one-way” to teach and that’s the good news! While certifications and technical degrees are a starting place for cybersecurity readiness and workforce development, instructors must think of new methods that provide persistent access to cyber education.

This statement can best be described with an analogous story. If an aspiring baseball player was training for the major leagues and went to practice to hone his/her skills, they would certainly learn something. However, if that aspiring baseball player then applied for the major leagues a year or so later, without attending training leading up to that point, he/she would be a little rusty, wouldn’t you say? The same situation can be applied to cybersecurity. You wouldn’t attend a class or even complete a full degree in cybersecurity and then apply for a job and say you were a “seasoned cybersecurity professional,” would you? Of course not. There is no “final inning” in cybersecurity signaling a professional’s peak of learning and skills acquisition.

Threats evolved day by day and if a student graduates thinking about phishing or malware detection one way and ends up in a work environment where that knowledge isn’t applicable anymore, we won’t be able to help the next generation of cyber pros be successful in their jobs. To keep current students and alumni actively engaged in critical learning, persistent access to cybersecurity training must be employed. In this industry, the only constant in cybersecurity is change, and for that reason (in addition to the multitude of attacks businesses every day), educational institutions can be vigilant in putting learning to work for the businesses and workplaces we rely on to support our daily functions.

As technology and interconnectivity evolve with each passing day, steps must be taken immediately to adopt a pedagogy that values and emphasizes continuous learning to best prepare our students for the career they want. With gamified learning at the helm of a new teaching approach for cybersecurity, we can be on our way to minimizing the cyber skills gap and empowering today’s students in a more effective way.

For more information about our gamified learning cyber courses, visit https://divergenceacademy.com/.