Cybersecurity for Transportation and Logistics: Threats, Risks, and Best Practices

Transportation and logistics provide critical services across multiple industries. Aviation, maritime, rail, and road are part of an extended critical infrastructure. This pivotal place in society makes these organizations targets for cyberattacks intent on disrupting operations and extorting money. Freight Caviar described a 181% surge in cyberattacks threatening the sector. One sector member, the Port of Los Angeles, reported being inundated with around 40 million cyber threats per month.
Sysco: Food Logistics Data Breach
Sysco, a large U.S.-based food distributor with over 71,000 employees across 90 countries, was the victim of a significant and prolonged data breach. The intruders remained in the company's IT systems for nearly three months before discovery. During that time they accessed and exfiltrated the personal information of more than 125,000 current and former employees. The company was subsequently sued in a $2.3 million class action lawsuit.
Top Cybersecurity Threats to Transportation and Logistics
The Sysco breach was an unauthorized access event. Cybercriminals are adept at stealing login credentials and escalating privileges to administrator level, often using standard administration tools that blend in with legitimate activity. Once they have that level of access they can do whatever they wish: steal data, deploy ransomware, take over executive accounts, and so on. The following are some of the most common types of cyberattack that target logistics and transportation firms:
Phishing
Phishing relies on manipulating behavior. Trust, a sense of urgency, and fear are used to trick people into clicking links, opening infected attachments, or entering credentials on a fake login page. Well-known brands such as PayPal or Microsoft 365 are impersonated so the target believes they are dealing with a trusted company. In the logistics and transport sector, USPS and DHL are the most impersonated brands in phishing attacks.
Phishing is used to steal login credentials, financial information, and other personal data. The stolen credentials or data then feed follow-on attacks, including data breaches and ransomware deployment.
An industry report by CYFIRMA found that 62% of the phishing threats it tracked targeted logistics firms. The USA receives the highest number of phishing attacks in the sector.
[Figure: Phishing threats in logistics per country. Source: CYFIRMA]
Ransomware
Ransomware is a highly disruptive, financially motivated attack. The malware encrypts data across a network, rendering the IT infrastructure unusable. Typically the attacker steals the data before encrypting it, so that the threat of publication can be used as additional leverage to extort a ransom.
The CYFIRMA report shows that logistics firms in the USA are the most targeted worldwide by ransomware. This is backed up by a Sophos report showing that distribution and transport are the sectors most likely to have experienced an extortion-based attack. Sophos notes that 17% of victims in the sector said their data was stolen but not encrypted, and they were held to ransom anyway, almost three times the rate of any other sector. The mean cost of a ransomware incident in the sector is reported at $4.3 million.
JAS Worldwide, a global freight forwarder, suffered a ransomware attack that took business systems and customer portals offline. Customers were unable to track shipments, which led to widespread disruptions.
[Figure: Ransomware targets by geography. Source: CYFIRMA]
Supply Chain Attacks
Logistics and transportation firms are typically embedded in large supply chains. Cybercriminals compromise one member of a chain both to disrupt it and to reach many downstream customers at once through the trust and connectivity that member already has. Radiant Logistics, which supplies international freight logistics and supply chain services technology, suffered a cyber breach that affected multiple customers. Radiant Logistics quickly initiated its incident response and business continuity plans, isolating the affected systems and disrupting the unauthorized activity.
Data Breaches
Logistics and transportation companies hold large amounts of customer, client, and employee data. Cybercriminals target this sector to steal sensitive data for its value on the dark web and to disrupt operations. A massive breach occurred at DP World Australia, a global shipping operator, halting container movements at its Australian ports for several days and disrupting the country's imports and exports. The attackers exploited CitrixBleed (CVE-2023-4966), a memory-disclosure flaw in Citrix NetScaler ADC and Gateway that lets an unauthenticated attacker read valid session tokens and bypass MFA. Prompt patching would have closed the hole, but patching alone was not sufficient in this case: session tokens stolen before the patch remained valid afterwards, so affected organizations also had to terminate all active and persistent sessions on the appliances.
DDoS
Disruption is a serious issue for any critical infrastructure company. Hartsfield-Jackson Atlanta International Airport suffered a massive DDoS (Distributed Denial of Service) attack that temporarily took online services offline and inconvenienced passengers. DDoS attacks are carried out by large numbers of compromised devices, such as laptops and routers, known as "bots." The bots send large volumes of traffic at web servers and websites until they are overwhelmed. Hartsfield-Jackson Atlanta International Airport was able to contain the attack because it had robust DDoS protection in place.
Cybersecurity Challenges in Transportation and Logistics
Transport and logistics face several challenges that make them attractive and vulnerable targets. Firms in the sector are exposed because they:
- Operate critical infrastructure: Any company at the center of essential services risks a disruptive attack such as DDoS or ransomware, and downtime translates directly into stalled shipments and lost revenue.
- Are part of a broader supply chain: Attackers use one firm as a vehicle into the wider chain, with the impact percolating across vendors and customers. This can serve purely as disruption or as leverage to extort ransoms.
- Hold valuable customer and company data: Firms hold sensitive personal and financial data that is a lucrative target. Criminals sell this data on the dark web and/or use it to carry out follow-on attacks.
Regulations and Standards Affecting Transportation and Logistics

Transportation Systems Sector Cybersecurity Framework Implementation Guidance (TSSCF): Published by DHS/TSA and built on the NIST Cybersecurity Framework, its four parts cover:
- Cybersecurity posture.
- Enhancement of cyber risk management programs.
- Tools, standards, and guides to support framework implementation.
- How to communicate risk management issues to all stakeholders.
National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (CSF): The TSSCF is organized around the CSF's core functions, which are:
- Identify
- Protect
- Detect
- Respond
- Recover
CSF 2.0 (2024) adds a sixth function, Govern, covering risk strategy, roles, policy, and oversight.
Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA): This act directs CISA to issue a rule requiring covered entities in critical infrastructure sectors to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours.
California Consumer Privacy Act (CCPA): This law applies to most businesses, including logistics and transport firms, that handle the personal information of California residents. It gives residents the right to know what is collected, to have it deleted, and to opt out of its sale or sharing, and it requires businesses to maintain reasonable security procedures for that data, with a private right of action when a breach results from failing to do so.
See also the resources in the TSA's Surface Transportation Cybersecurity Toolkit.
Mitigating Cybersecurity Risks: Best Practices

Logistics and transport firms are under pressure to maintain smooth service and protect customers' and clients' data. Cybersecurity measures need to be robust enough to counter the various types of cyberattacks and vectors that target the sector. The following measures should be used as part of a defense-in-depth approach to mitigate cyberattacks and help a firm recover if the worst happens:
Robust Identity Management
Many threats become incidents when login credentials are stolen and access privileges are abused. Robust identity management is therefore an essential part of an effective cybersecurity strategy. Use measures that include:
- Multi-factor authentication (MFA) on every account, preferring phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) over SMS or push codes, since the sector's most common attack is phishing.
- Least privilege, with standing administrator rights removed and elevated access granted just in time, for a bounded period, and logged.
- Privileged access management (PAM) tools that automate control over who can access what and when, and ensure that provisioning and de-provisioning happen promptly when people join, move, or leave. One Identity is a vendor that provides these solutions to the sector.
Enforce Encryption Use
Ensure that data is protected by encryption both in transit (TLS for every service, including internal APIs and partner integrations) and at rest (disk, database, and backup encryption). Keep encryption keys in a key management service or HSM with access separate from the data they protect, so that a compromised application or storage account does not hand the attacker the keys as well.
Anti-Phishing Tools
Transport and logistics firms are heavily targeted by phishing. Use advanced, AI-enabled anti-phishing tools to identify and block zero-day and emerging phishing threats before they reach users. TitanHQ is a firm that provides solutions in this area.
Backup and Restore
If your company is hit by ransomware, ransomware-resistant backup and restore tools and processes can limit the impact on operations and customers. Backups only count if the attacker cannot reach them: keep at least one copy offline or in immutable storage, protect the backup system with separate credentials and MFA, and test full restores regularly so that recovery time is known before it is needed.
Security Awareness Training
Education on cyberattacks helps build a workforce that is prepared. Phishing awareness, safe internet and mobile use, and general workplace security are taught using security awareness training packages, ideally reinforced with periodic simulated phishing so staff practice reporting rather than clicking.
Dark Web Monitoring
Sentinex is a dark web monitoring tool recommended for logistics and transport companies. It identifies data stolen during ransomware and data theft attacks as it appears for sale or leak. Knowing which credentials or records have leaked lets an organization force password resets, revoke sessions and API tokens, and warn affected customers and employees before other criminals use the data for follow-on attacks.
DDoS Prevention
Anti-DDoS solutions absorb and filter malicious traffic upstream of your servers so that legitimate requests still get through. Cloudflare is a vendor that can help mitigate DDoS attacks.
Continuous Monitoring of Critical IT Infrastructure
Continuous monitoring tools provide application-layer, infrastructure, and network monitoring to identify patterns of unusual behavior that could indicate malware infection, unauthorized access attempts, or data exfiltration, for example a burst of failed logins followed by a success, a login from an address never seen for that user, or an unusually large outbound transfer. The tools alert on such activity in real time or near real time so that responders can act before the attacker reaches their objective.
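The detections just described, run over a few constructed log lines, as an added example that is not part of the original article and not any vendor's product code. The log format, field names, thresholds, and the "known IP" baseline are assumptions chosen for illustration; a real deployment would read from the SIEM or authentication system and tune the thresholds to observed traffic.

```python
"""Toy detection pass over constructed authentication and transfer logs.

Added example, not from the original article. The log format, thresholds,
and baseline below are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data).
# Fields: timestamp, event type, user, source IP, bytes transferred.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z auth_fail  jsmith 203.0.113.7   0
2024-05-01T08:00:03Z auth_fail  jsmith 203.0.113.7   0
2024-05-01T08:00:04Z auth_fail  jsmith 203.0.113.7   0
2024-05-01T08:00:06Z auth_fail  jsmith 203.0.113.7   0
2024-05-01T08:00:07Z auth_fail  jsmith 203.0.113.7   0
2024-05-01T08:00:09Z auth_ok    jsmith 203.0.113.7   0
2024-05-01T08:05:00Z auth_ok    mlopez 198.51.100.4  0
2024-05-01T08:10:00Z transfer   jsmith 203.0.113.7   734003200
2024-05-01T08:11:00Z transfer   mlopez 198.51.100.4  2048000
"""

# Assumed tuning values.
FAIL_THRESHOLD = 5                 # failed logins per user inside FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=5)
EXFIL_BYTES = 500 * 1024 * 1024    # single outbound transfer of 500 MiB or more
# Assumed baseline of addresses each user has previously logged in from.
KNOWN_IPS = {"jsmith": {"192.0.2.10"}, "mlopez": {"198.51.100.4"}}


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, ip, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "kind": kind, "user": user, "ip": ip, "bytes": int(nbytes),
        })
    return events


def detect(events, known_ips=KNOWN_IPS):
    """Return (alert_type, user, ip) tuples for three suspicious patterns:
    a successful login after a burst of failures (brute force / credential
    stuffing), a login from an address not in the user's baseline, and a
    single outbound transfer large enough to suggest exfiltration."""
    alerts = []
    recent_fails = defaultdict(list)  # user -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, kind, now = ev["user"], ev["kind"], ev["ts"]
        # Drop failures that have aged out of the sliding window.
        recent_fails[user] = [t for t in recent_fails[user] if now - t <= FAIL_WINDOW]
        if kind == "auth_fail":
            recent_fails[user].append(now)
        elif kind == "auth_ok":
            if len(recent_fails[user]) >= FAIL_THRESHOLD:
                alerts.append(("brute_force_success", user, ev["ip"]))
            if ev["ip"] not in known_ips.get(user, set()):
                alerts.append(("new_ip_login", user, ev["ip"]))
            recent_fails[user] = []  # a success closes the current burst
        elif kind == "transfer" and ev["bytes"] >= EXFIL_BYTES:
            alerts.append(("large_outbound_transfer", user, ev["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data only jsmith trips the rules: five failures then a success, from an address outside the baseline, followed by a 700 MB transfer. Each alert alone is noisy; the value of correlating them is that the same user and address appear in all three, which is the chain an analyst would want surfaced as one incident rather than three separate tickets.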