On the Move: Cyber Attacks on the Transportation Systems

Everything is on the move. People. Agriculture. Water. Power. Materials ranging from home goods to hazardous waste all flow through a massively complex, public/private, interconnected – and increasingly automated – hive of vehicles and transport systems.

According to the Department of Homeland Security:

  • More than 19,000 airports with 780,000 commercial flights a month
  • 361 ports and 95,000 miles of coastline
  • Billions of passenger trips on mass transit (buses, subway, commuter, etc.) annually
  • Four million miles of roadway with 600,000 bridges and 400 tunnels

Via plane, train, or automobile, the transportation sector supports nearly 10 percent of the U.S. GDP and transports nearly 20 billion tons in goods annually. Over the past couple of years, the industry has grown in complexity in logistical chains, production, facility and manufacturing partners, and plant management operations.

As a result of such growth, the industry has shifted to more automated processes, turning paper documents into digital formats, and using advanced analytics to address customer needs. Those efforts have placed more transportation systems online. With the expansion of the transportation industry into the digital domain, it has become even more alluring and accessible to cybercriminals.

Historical transportation cyber attacks

  • Maersk: A Petya malware variant infected the IT systems of the world’s largest shipping company, with 600 container vessels handling 15% of the world’s seaborne trade, in June 2017.
  • LOT: A Polish airline canceled 10 flights due to an attack against the airline’s ground computer systems at Warsaw’s Okecie airport in June 2015.
  • Jeep Cherokee: A coordinated attack in 2015 by Charlie Miller and Chris Valasek demonstrated the ease with which a connected car can be remotely hacked into, in this case, using Uconnect.

While many transportation companies understand the importance of keeping data and passengers safe and secure, a few have experienced the detrimental effects of an attack, much as companies in other industries such as the financial sector and healthcare have.

From ransomware attacks to data breaches, the transportation sector is not immune to malicious hackers. While the industry has been thought of as “less vulnerable,” that also means it could be next in line for hackers to target. This is especially true now that automobiles and transit systems are becoming increasingly connected via IoT, or the Internet of Things. Many cars now come with their own WiFi hotspot, public transportation utilizes apps to help you get around, and specialty lanes on the highway, such as express lanes, use the internet to charge for driving in them.

Unauthorized users know that such “untapped” industries are indeed at risk precisely because they haven’t been attacked yet, which leads industry professionals to believe their systems are secure. A system may appear to be secure, but until the first oversight or staffing shortfall impacts security, it’s hard to be 100% certain. The transportation industry is new territory that can be easily exploited if persistent cyber learning, procedures and processes are not put in place.

Since most transportation organizations keep cybersecurity responsibilities in-house, building a culture within the organization that prioritizes education, skill-building, and continual awareness is crucial to staying on top of threats. Transportation industry cyber teams and CISOs would do well to be proactive in their cybersecurity efforts instead of hoping their systems are secure from hackers. Hope isn’t a strategy.

So, what is the best strategy? Continuous learning that upskills your cyber teams. It can and should be a part of the transportation sector’s cyber readiness efforts to constantly improve their posture. Because, as we know, the only constant in cybersecurity is change. The transportation industry is dynamic and evolving, just like cyber threats. Cybersecurity is the responsibility of everyone, not just those in IT. All need to take ownership of how they contribute to the security of the company.

Failure to provide responsible oversight will not only impact everyone personally employed in the company, but it will have a ripple effect that extends out to the greater social, political, and economic groups that depend on transportation.

Transportation’s reach and integration with so many other industries require and demand a stronger cybersecurity arm. To start strengthening the sector, we’ve prepared four strategies to form an elite cyber team. Without a strong cyber team in place, the newest technologies and tools will only go as far as the skill sets and knowledge base of your cyber team.

Oil and Gas Cyber Security: Understanding Risks, Consequences, and Proactive Measures

The oil and gas sector is susceptible to security vulnerabilities as it adopts digital communication methods that help power energy production and distribution. To put the cyber threats to the oil and gas industry in context: there are approximately 1,793 natural gas-powered electricity plants in the U.S., and they generated 34% of the nation’s electricity in 2018. Much of how we live and work is dependent upon the energy produced from oil and gas production, including everyday cooking, heating/cooling, communication, and use of electronic devices and appliances. Therefore, even the smallest cyber attack on one of the thousands of interconnected and digital systems can pose a serious cyber risk to oil and gas production.

A company that goes through an attack can experience a plant shutdown, equipment damage, utility interruptions, production shutdown, inappropriate product quality, undetected spills, and safety measure violations—to name a few. Recently, 87% of surveyed oil and gas senior executives have reported being affected by cyber incidents in the past 12 months. Further, 46% of attacks in Operational Technology go undetected.

Cyber Attacks on Oil and Gas, Energy, Utilities Companies in History

Security threats to the oil and gas industry have already manifested across facilities worldwide with no signs of slowing down.

  • In 2010, Stuxnet, a malicious computer worm, was used to hijack industrial control systems around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. It reportedly destroyed a fifth of Iran’s nuclear centrifuges. The worm was delivered through a worker’s thumb drive.
  • In August 2012, a person with privileged access to one of the world’s leading National Oil Companies’ (NOCs’) computers unleashed a computer virus called Shamoon (disk-wiping malware). This virus erased three quarters (30,000) of the company’s corporate personal computers and resulted in an immediate shutdown of the company’s internal network.
  • National Security Authority Norway said 50 companies in the oil sector were hacked and 250 more were warned to check their systems, in one of the biggest hacks in Norway’s history.
  • Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States, gained cyber keys necessary to access systems that regulate flow of natural gas.
  • In January 2015, a device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel. Several Guardian AST gas-tank-monitoring systems have suffered electronic attacks possibly instigated by hacktivist groups.
  • In December 2018, Saipem fell victim to a cyber attack that hit servers based in the Middle East, India, Aberdeen and Italy.

These examples show other oil and gas companies the consequences that arise from insecure cyber environments, vulnerable systems, and cyber teams that lack the latest skills to stay ahead of attackers.

How Circadence Can Help

To manage security risks in the oil and gas sector while lessening the attack surface, cyber security teams need to be prepared to address all possible scenarios that can occur in order to effectively protect and defend infrastructures.

Project Ares® cyber security learning platform can prepare cyber teams with the right skills in immersive environments that emulate their own oil and gas networks to be most effective. It is designed for continuous learning, meaning it is constantly evolving with new missions rapidly added to address the latest threats in the oil and gas industry. Further, targeted training can be achieved from the library of mission scenarios to work on specific skill sets.

Training in cyber ranges is a great way to foster collaboration, accountability, and communication skills among your cyber team as well as cross-departmentally. Persistent and hands-on learning will help take your cyber team to the next level. Benefits of this kind of learning include:

  • Increased engagement – by keeping learners engaged they are able to stay focused on the subject matter at hand
  • Opportunities to close skills gaps immediately – instant feedback, instruction, and critique make it easy for learners to benefit from interaction with the instructor and peers and immediately implement this feedback to improve
  • Risk mitigation and improved problem-solving – hands-on training allows learners to master skills prior to working in real-world environments. People can work through tough scenarios in a safe training environment – developing problem-solving skills without risk.

By placing the power of security in human hands, cybersecurity teams can proactively improve a company’s ability to detect cyber-related security breaches or anomalous behavior, resulting in earlier detection and less impact of such incidents on energy delivery, thereby lowering overall business risk. Users are the last line of defense against threat actors, so prioritizing gamified training for teams will foster the level of collaboration, transparency, and expertise needed to connect the dots for cybersecurity in oil and gas sectors.

This solution coupled with proper collaboration between IT and OT divisions to share real-time threat intelligence information will do wonders for companies looking to stay out of the negative news headlines and stay safe against an attack.

Keeping Critical Infrastructure Strong and Secure

November is Critical Infrastructure Security and Resilience Month, a nationwide effort to raise awareness and reaffirm the commitment to protect our Nation’s critical infrastructure. Circadence’s mission is to build awareness about how next-generation cybersecurity education and training can improve cyber preparedness. This month is an excellent time to talk about that in relation to critical infrastructure.

“We are seeing government agencies and companies work to make systematic, holistic, and cultural changes through improved cybersecurity standards, best practices, processes, technology, and workforce,” said Josh Davis, Director of Channels. “The massive, distributed, and legacy infrastructure we have today demands a layered security approach that focuses on building a true understanding of what’s at risk within critical infrastructure systems—and that requires a targeted focus on the people who operate these systems both digitally and physically.”

We know critical infrastructure as the power we use in our homes and businesses, the water we drink, the transportation systems that get us from place to place, the first responders and hospitals in our communities, the farms that grow and raise our food, the stores we shop in, and the communication systems we rely on for business as well as staying connected to friends and family. The security and resilience of this critical infrastructure is vital not only to public confidence, but also to the Nation’s safety, prosperity, and well-being.

During November (and year-round), Circadence focuses on engaging and educating public and private sector partners to raise awareness about the security posture of the systems and resources that support our daily lives, underpin our society, and sustain our way of life. Safeguarding both the physical and cyber aspects of critical infrastructure is a national priority that requires public-private partnerships at all levels of government and industry.

Managing risks to critical infrastructure involves preparing for all hazards and reinforces the resilience of our assets and networks.

This November, help promote Critical Infrastructure Security and Resilience Month by:

Our virtualized cyber ranges-as-a-service (CyRaaS™) provide public/private entities the opportunity to train in realistic cyber environments that mirror their actual interconnected, internet-of-things networks. These virtualized ranges can model the digital footprints of companies, agencies, entire city networks and even Nation State operation exercises, into living physical and fifth domain environments. Teams can collaborate and train together to test and improve their cyber skills in protected environments that can scale and flex as their organizations’ inter-connected structure does, but without impacting live systems and networks.

By combining Circadence’s Project Ares®, Orion Mission Builder™, and StrikeSet™, your organization can learn and grow without impacting your operations. This next-generation combination transforms traditional lecture-based learning, taking it out of the classroom and into interactive real-world environments, at any scale, anytime, anywhere.

We all need to play a role in keeping infrastructure strong, secure, and resilient. We can do our part at home, at work, and in our community by being vigilant, incorporating basic safety practices and cybersecurity behaviors into our daily routines, and making sure that if we see something, we say something by reporting suspicious activities to local law enforcement.

To learn more, visit www.dhs.gov/cisr-month.