THE European Union Agency for Cybersecurity (Enisa) has published its first cyber threat landscape report on the transport sector, covering the period from January 2021 to October 2022.

The report identifies prime threats and examines cybersecurity breaches during this period. It also includes an assessment of threat actors, considers their motivation for launching cyber attacks and identifies major trends by mode.

Overall, Enisa says that ransomware is the main threat to the rail sector, accounting for 45% of cyber attacks. Data-related threats accounted for 25%, as did denial of service (DoS), distributed denial of service (DDoS) and ransom denial of service (RDoS) attacks.

Breach/intrusion and exploiting known IT vulnerabilities each accounted for 15%, while fraud, impersonation and counterfeit, malware and supply chain attacks each accounted for 5%.

The majority of cyber attacks targeted railway IT systems, including those behind passenger operations ticket systems, mobile phone apps and passenger information systems, causing disruption by making these services unavailable.

Examples included ransomware attacks targeting Swedish public transport authority Skånetrafiken in August 2021 and Italian State Railways (FS) in March 2022, when customers were unable to purchase tickets due to infected IT systems.

Enisa says the only cases affecting operational technology (OT) systems involved entire networks, or where safety-critical IT systems were unavailable.

Notable data thefts included cases at Norfolk Southern (NS), shortline operator OmniTrax and the New York Metropolitan Transportation Authority (MTA) in the United States, as well as at passenger operators Merseyrail in Britain and Lokaltog in Denmark.

Personnel and medical records were stolen, and Enisa says that OmniTrax is the first publicly-known case of a double-extortion ransomware attack against a US freight rail operator.

The report also highlights the extensive disruption to Danish State Railways (DSB) services in October 2022. DSB ICT service provider Supeo was itself the victim of a cyber attack, with the result that DSB drivers could not access a key safety-critical IT system, disrupting DSB operations for several hours.

In January 2022 a group of hacktivists launched a ransomware attack on Belarusian Railways in an attempt to disrupt Russian troop movements in the build-up to the invasion of Ukraine. The group deployed modified ransomware intended to bring down encrypted servers, databases and workstations.

The report says that the increasing proportion of DDoS attacks in the rail sector is due to the increased hacktivist activity which followed the invasion of Ukraine, undertaken by pro-Russian or anti-Nato groups.

Pro-Russian hacker groups have claimed responsibility for attacks in 2022 on Romanian national operator CFR Calatori in April, on Lithuanian Railways and Latvian operator SJSC in June, and against Estonian Railways in August.

Considering the issue of cyber attacks exploiting known vulnerabilities to IT systems, Enisa says that two cases stand out.

In December 2021 Toronto public transport agency Metrolinx temporarily took down its website as a precautionary measure, after being informed by the Canadian government that it was vulnerable to cyber attack.

A system vulnerability potentially allowing access to customers’ personal data held by Swiss Federal Railways (SBB) was reported by an anonymous hacker in January 2022.

Breaking down the attacks by target, the report says that 21, or 72%, were aimed at infrastructure managers and operators, seven (3%) at transport authorities and other public bodies, and only one (3%) at an IT service provider.

“Transport is a key sector of our economy that we depend on in both our personal and professional lives,” says Enisa executive director, Mr Juhan Lepassaar.

“Understanding the distribution of cyber threats, motivation, trends and patterns, as well as their potential impact, is crucial if we want to improve the cyber security of the critical infrastructure involved.”

An in-depth feature on cyber security appeared in our February issue.