Cyber risk and transport: Why threats are moving beyond data breaches to damaging physical infrastructure

As cyber technology becomes more sophisticated, the threat of attack is moving from data breaches to interrupting physical critical infrastructure, exposing transport operators to potentially severe risks. Stephen Wares of Marsh argues that this is a critical business risk and urges senior executives to take responsibility.

Why is the transport sector particularly vulnerable?

Transport networks have become increasingly digital, with a wide range of data flowing across systems, tracking and monitoring both digital and physical networks. As more devices and control systems are connected online, more vulnerabilities will appear, increasing the potential for disruption to physical assets.

What’s more, advances in electronic platforms and communications across electronic and physical networks mean that the potential to detect threats has become a challenge, and the potential to disrupt is now a serious concern.

Companies that have interconnected data systems flowing throughout the value chain are particularly vulnerable, leaving rail infrastructure owners and operators, airlines and airport infrastructure, logistics operators, and automotive suppliers especially exposed.

The industry view

In the aviation industry, technical advances in navigation systems and airframe design have reduced the chances of an accident; however, the increasing reliance on computers poses a different kind of threat. As aircraft move ever closer to becoming fully e-enabled and automation increases, pilot practices and training will need to adapt in the event of system failure or security breach.

In July 2013, for example, passport control systems at the departure terminals at Istanbul Atatürk and Sabiha Gökçen airports were interrupted by a cyber-attack. Passengers were delayed at the point of entry and exit and flights were delayed for many hours.[i]

In the logistics industry, cyber security is more crucial to resilience and safety than to the protection of customer data. The vast quantities of data exchanged across networks to transport goods in a supply chain leave the sector particularly vulnerable. The more frequent use of goods tracking systems and real-time control applications with web interfaces also opens up a growing number of weak points to be managed across a large supplier base.

The rail industry also relies heavily on IT and automation. These systems:

• Control train movement;
• Deliver power to the network;
• Control signalling infrastructure;
• Report on the condition of the rolling stock and associated infrastructure;
• Support operational planning and timetabling.

As the rail industry adapts and becomes increasingly dependent on electronic sensors and network technologies, new vulnerabilities to physical networks are presenting themselves.

This was starkly illustrated in Lodz, Poland, where a 14-year-old modified a TV remote control so that it could be used to change track points. The teenager broke into a number of tram depots to gather the information needed to build the device, which turned the tram system in Lodz into his own personal train set. As a result, four vehicles were derailed, injuring twelve people.[ii]

Attention c-suite

The threat to critical infrastructure is one of the reasons why governments, and especially the UK Government, have acted to alert all commercial companies to the wider risks posed by a large-scale cyber-attack. The UK Government believes the insurance industry has a strong role to play in helping firms outside of the critical national infrastructure to manage their cyber risks efficiently.

However, insurance is no panacea; organisations need to take preventive action. An organisation is vulnerable if they:

• Rely on computer networks and IT to secure sales and process transactions;
• Rely on IT to direct operations and run administrative functions;
• Rely on industrial control systems to automate physical processes;
• Store or process third-party confidential information, including personal data, on computer networks;
• Store and transmit sensitive corporate information that can be accessed over the internet (or intranet) by third parties.

While technical and procedural security controls are critical, organisations increasingly recognise that risk control and responsibility extends beyond information technology and the IT leadership. The potential for material and even catastrophic impacts from cyber-attacks place this firmly as a business risk that requires the attention of executive management.

The organisation should understand fully the potential range of impacts from cyber-attacks, the extent to which it has the operational capability to respond effectively and conduct financial modelling to ensure that it can both evaluate the total capital cost of an event and its shorter-term ability to survive a cash crisis.

This combination of technical, operational and financial preparedness will be critical to ensuring that an organisation can reduce the impact and trade through these events. No enterprise is completely immune to cyber-attack, but a comprehensive proactive strategy can eliminate many threats.

Stephen Wares is cyber risk practice leader, Europe, Middle East and Africa, at Marsh. To contact Stephen, please email: Stephen.wares@marsh.com. To contact Marsh’s Transportation Practice, please Ian Hayhoe, Senior Vice President, ian.e.hayhoe@marsh.com 

Stephen Wares