This special report means to provide a few keys to enhancing corporate cybersecurity, particularly in the transportation industry.
Cybersecurity and Operational Networks – Tackling New Challenges
As information and operational technologies are growing ever more interconnected and available to the general public, cyberthreats and security breaches pose new challenges that businesses must face.
While the digital transformation of businesses presents a wealth of new business opportunities, it also makes companies more vulnerable. Now present in all economic spheres, cloud-based solutions help blur the traditional boundaries between conventional computer systems and operational systems. Points of contact are multiplying, offering new attack surfaces for cybercriminals.
Unfortunately, the transportation industry has not been spared. The Government of Canada has even identified it as one of the top ten critical infrastructure sectors in terms of cybersecurity risk (1). Although the technologies in use vary from one vehicle to the next, most new vehicles are connected to a certain extent. Transportation networks are also largely dependent on connected equipment (sensors, controllers, onboard computers, management software, etc.), which leaves them vulnerable to cyberattacks seeking to disrupt operations or even take control with malicious intent.
Barring in-depth consideration at the highest echelons of organizations, cyberthreats pose a true challenge to the longevity of businesses and the proper functioning of society.
A New Playing Field
Operational technology (referring to equipment and software used to control physical devices or processes meant for operational environments) used to operate in closed circuits, i.e. with very little interconnection with corporate networks. Today, connected operational technology is omnipresent and integrates with other computer systems, making it possible to automate certain manufacturing processes, manage or control equipment remotely, and install updates.
However, operational systems are too often still run and maintained separately from conventional computer systems. As a result, the companies that operate them continue to consider related security concerns in compartmentalized fashion. There are more points of contact than before, and each one is a potential entry point or security breach for operational equipment.
Types of Cybersecurity
What Drives Cyberattacks?
Historically, cyberattacks mainly targeted organizational information infrastructure, i.e. servers, workstations, networks, etc., generally with the intent of stealing data. Several large-scale infiltrations have occurred in the last few years, including the infamous attack on SolarWinds in 2019.
The attack on one of the US software company’s servers targeted the production system of its flagship software, Orion, used by tens of thousands of businesses and organizations around the world. Among the hundreds of attacked clients that were identified (out of a total of nearly 18,000 clients) were six departments of the US Government, including the Departments of Energy, Commerce, Treasury, and the State Department. Although the nature of the information the group behind the attack sought to steal and the consequences of the operation remain unclear, such infiltrations highlight the vulnerability of organizations and the resulting domino effect on their ecosystems.
In Canada, many businesses and levels of government have also been the victim of cyberattacks in the last few years, underscoring the cybersecurity challenges organizations are now facing.
Recent technological advances have contributed to the spread of malicious software, as it becomes more easily available to individuals or groups with nefarious intent who are honing their strategies and increasingly well organized.
The development of enterprise IT solutions, multiplication of cloud-based services, and implementation of virtual infrastructure have granted businesses a tremendous amount of flexibility that goes beyond organizational infrastructure. Today, these connected operational systems commonly used in the manufacturing and transportation sectors are all potential security breaches that can inflict damage far beyond mere data theft.
What Risks Are Businesses Exposed to?
While profit remains the main motive behind cyberattacks, potential damages can vary widely, depending on the perpetrators.
In the transportation sector, cyberthreats can, for example, seek to take control of equipment to disrupt, cripple, or even destroy a transit system. One recent example involves a computer virus attack on the transit authority of a large North American city. The infiltration affected over 60% of the organization’s servers, as well as a number of workstations, which forced it to mobilize vast resources to restore its servers and ensure no data was stolen. The cyberincident had no effect on the operational bus and subway systems, but other organizational platforms were disrupted, including its website and phone lines.
Another thought-provoking example that served as a wake-up call for the automotive industry involved two American scientists taking remote control of a Jeep Cherokee in 2015. The two information security specialists wanted to show that it was possible to disrupt certain car systems by infiltrating the onboard computer. Conducted with a journalist in the driver’s seat, the operation led Fiat Chrysler to recall over one million vehicles to correct identified vulnerabilities.
Although not all cyberattacks are alike in scope or severity, consequences can still be harmful to victim organizations, jeopardizing their financial health, reputation, and even their continued success.
According to a survey conducted by Deloitte (2), 32% of top executives worldwide indicated that the most significant repercussions are on an operational level. They also mentioned the theft of intellectual property (22%) and drops in share price (19%).
Operational systems are at even greater risk as they were often designed independently of organizational infrastructure and include no cybersecurity components. Generally built to last with life cycles of 10-plus years, operational technology relies on equipment and software with vulnerabilities that are often well known to hackers or become so from lack of updates.
Are Businesses Ready to Respond?
The very diverse nature of cyberthreats makes them difficult to anticipate and forces businesses to develop their cyberresilience. From inventorying assets connected to a network to identifying the skills needed to know, understand, detect, and prepare to face these new risks, businesses must rally their forces to present a united front against these threats.
On a global scale, governments, work groups, and regulatory bodies are also organizing to define new rules. Fighting against cyberrisks will soon involve clients and businesses demonstrating their ability to meet minimum cybersecurity requirements.
In the US, the National Institute of Standards and Technology (NIST), a non-regulatory federal agency, has developed a cybersecurity framework that includes several standards, guidelines, and best practices and made it available at no cost to private organizations seeking to develop or update their own cybersecurity programs.
In the transportation industry, the United Nations has also drafted standards to prompt vehicle manufacturers to develop secure operational systems that include cybersecurity considerations right from the design phase. Adopted in 2021, UN regulations R155 and R156 lay the foundations of a cybersecurity framework for vehicles in various regions around the world, applying to both cybersecurity management systems and software update management systems. The European Union intends to impose these new measures to road vehicle manufacturers by 2022 for all new vehicle types and by 2024 for existing platforms.
In Canada, Transport Canada and various levels of government are taking these new security standards into account, particularly standard ISO/SAE 21434 (Road vehicles—Cybersecurity engineering) that seeks to integrate cybersecurity engineering practices at every stage of a vehicle’s life cycle.
The digital transformation is well underway and shows great potential for the transportation industry, in that it enables manufacturers to achieve greater efficiency and helps improve transportation safety for riders.
However, cybersecurity challenges are a growing concern for businesses, who should give them due consideration at the highest levels of the organization. They will have to assess organizational exposure to cyberrisks, mobilize the necessary resources to protect themselves appropriately, manage incidents and potential crises, and update operational systems. Adopting a comprehensive approach that includes third parties will also be important in managing the inherent risks of the supply chain, as we will discuss in upcoming articles in this special report.
Read the second feature of our series.
(2) The Deloitte 2021 Future of Cyber Survey polled nearly 600 C-level executives about cybersecurity at companies with at least $500 million in annual revenue, between June 6 and August 24, 2021. the