Defense, Commercial, and Passenger Transportation Systems At Risk

By Mike Weigand, Co-Founder and Chief Growth Officer, Shift5

The invasion of Ukraine and the sanctions imposed by the West on Russia and its oligarchs have raised international tensions to levels not seen in a generation. And although the specter of escalation into a full-scale conventional war looms large, intelligence sources say retaliation will more likely come from state-sponsored cyberattacks on our critical infrastructure.

On Monday, the White House reiterated its warnings to private owners and operators of critical infrastructure, including transportation, adding that “evolving intelligence” indicates Russia may be poised to attack at any moment. So far, intelligence sources have accurately predicted Russia’s actions move for move, leading many to consider whether this warning indicates an imminent threat.

“Today, we are reiterating those warnings, and we’re doing so based on evolving threat intelligence, that the Russian government is exploring options for potential cyberattacks on critical infrastructure in the United States.”
— Anne Neuberger, White House Deputy National Security Advisor for Cyber and Emerging Technology

State-sponsored attacks on critical infrastructure happen all the time

Hacktivists and nation-state-sponsored bad actors have come a long way since Stuxnet, an early digital weapon built to target critical infrastructure. Attackers know that the operational technology (OT) assets and networks that underpin our critical infrastructure are built for reliability rather than security, making them a playground of vulnerabilities where attackers can experiment and learn. Recent security events in the transportation sector include:

  • February 2022: A Russian hacking group used ransomware to disrupt business operations for oil terminals across Belgium and Germany, rendering them unable to process incoming barges. 

  • January 2022: Belarusian activists hacked the networks of the state-owned railway system, leaving critical data encrypted and destroying data held on backup servers. 

  • April 2021: Suspected Chinese bad actors hacked the New York City Metropolitan Transportation Authority (MTA) system.

Operational Technology (OT), the elephant in the room

Virtually every part of our nation’s critical infrastructure relies on operational technology (OT) assets and systems. They power the most critical and sensitive functions of infrastructure, including digital components such as engine and transmission controllers, braking systems, power and electrical controls, and command and control displays, among others. These OT assets are old, tried-and-true workhorses that, in some cases, are virtually impossible to replace. In some ways, that’s great, because they rarely require the costly downtime caused by software updates and adjustments.

However, that’s terrible for security, since there hasn’t been an effective way to monitor OT assets for malicious activity and mitigate it, leaving them unprotected. Legacy OT assets, especially those that are Internet-accessible, simply weren’t designed to defend themselves against bad actors. With access to a now extensive library of open-source exploits, bad actors are spending less time and effort to carry out attacks.

What can owners and operators of critical infrastructure do? 

Organizations in critical sectors simply cannot delay taking proactive measures to ensure their cyber resiliency. An important first step is to implement best practices right away to harden the transportation sector’s defenses against Russian state-sponsored attacks.

When it comes to operational technology (OT), any best-practices approach should be informed by years of experience securing other technologies and by reference frameworks such as those published by NIST. This helps in planning, validating, testing, and measuring results. Each step in the structure builds on the previous step, and the data generated by each step improves the insights available to the next, contributing to a cycle of continuous improvement as more data is gathered. Four starting points for every critical infrastructure organization include:

  1. Visibility – You can’t control what you can’t see, so it’s important to capture all OT data traversing the internal networks of critical infrastructure systems in order to baseline how a healthy system behaves.

  2. Detection – With baseline data, you can more quickly and easily detect anomalies that could be evidence of compromise, and alert crew or maintenance personnel. Identifying anomalous behaviors and adversary tactics, techniques, and procedures (TTPs) through effective threat hunting allows mitigations to be prepared in advance. Once a mitigation has been tested, crew and operators can be trained on it and it can be incorporated into standard operating procedures.

  3. Incident Response – When a compromise is detected, enable cyber analysts to investigate, isolate, and analyze the incident so they can execute the incident response plan appropriately. Analysts can then use what they learned during the response to reduce and harden the cyber attack surface.

  4. Threat Hunting – Armed with large amounts of weapon system network data collected over time, threat researchers can model, test, and proactively hunt for new threats and TTPs before they do damage. Cyber researchers can use the robust, high-fidelity data captured from vehicles to identify and model potential and emerging threats.
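Steps 1 and 2 above describe a baseline-then-detect loop. The following is an added illustration, not Shift5 code or any part of the Shift5 platform: it learns, from a constructed "healthy" capture of onboard-bus frames, the typical transmission interval and per-byte payload range for each message ID, then flags unknown IDs, out-of-range payload bytes, and rate deviations in a later capture. The message IDs (0x100, 0x200, 0x7DF), payload meanings, and timings are invented for the example; real buses such as CAN or MIL-STD-1553 would need a proper frame decoder in place of the `Frame` dataclass.

```python
"""Baseline-and-detect over constructed onboard-bus frames (added example, not Shift5's code)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Frame:
    ts: float       # seconds since capture start
    msg_id: int     # bus message identifier (hypothetical values below)
    payload: bytes  # raw data bytes of the frame


def _group_by_id(frames):
    """Sort frames by time and bucket them per message ID."""
    by_id = defaultdict(list)
    for frame in sorted(frames, key=lambda fr: fr.ts):
        by_id[frame.msg_id].append(frame)
    return by_id


def build_baseline(frames, tolerance=0.5):
    """Step 1 (visibility): learn, per message ID, the mean inter-arrival interval,
    the expected payload length and the observed min/max of every payload byte.
    `tolerance` is the allowed fractional deviation of the interval before alerting."""
    baseline = {}
    for msg_id, fs in _group_by_id(frames).items():
        gaps = [b.ts - a.ts for a, b in zip(fs, fs[1:])]
        length = len(fs[0].payload)
        baseline[msg_id] = {
            "interval": mean(gaps) if gaps else None,
            "length": length,
            # Min/max per byte position is deliberately simple; a real baseline would
            # use enough healthy data that these ranges are not artificially tight.
            "lo": [min(f.payload[i] for f in fs) for i in range(length)],
            "hi": [max(f.payload[i] for f in fs) for i in range(length)],
            "tolerance": tolerance,
        }
    return baseline


def detect(frames, baseline):
    """Step 2 (detection): compare a capture window against the baseline and return
    a list of (msg_id, reason) alerts. An empty list means nothing anomalous was seen."""
    alerts = []
    for msg_id, fs in _group_by_id(frames).items():
        prof = baseline.get(msg_id)
        if prof is None:
            alerts.append((msg_id, "unknown message ID"))
            continue
        for f in fs:
            if len(f.payload) != prof["length"]:
                alerts.append((msg_id, f"payload length {len(f.payload)} != {prof['length']}"))
                continue
            for i, b in enumerate(f.payload):
                if not prof["lo"][i] <= b <= prof["hi"][i]:
                    alerts.append((msg_id, f"byte {i} value {b} outside [{prof['lo'][i]}, {prof['hi'][i]}]"))
        gaps = [b.ts - a.ts for a, b in zip(fs, fs[1:])]
        if gaps and prof["interval"]:
            observed = mean(gaps)
            if abs(observed - prof["interval"]) > prof["tolerance"] * prof["interval"]:
                alerts.append((msg_id, f"rate deviation: interval {observed:.3f}s vs baseline {prof['interval']:.3f}s"))
    return alerts


def healthy_capture():
    """Constructed healthy traffic: 0x100 every 0.1 s (byte 0 = 'speed' 40..59),
    0x200 every 0.5 s (byte 0 = 'brake' 0/1)."""
    frames = [Frame(k * 0.1, 0x100, bytes([40 + k % 20, 0])) for k in range(20)]
    frames += [Frame(k * 0.5, 0x200, bytes([k % 2])) for k in range(4)]
    return frames


def suspect_capture():
    """Constructed later window containing three anomalies to be flagged."""
    frames = [Frame(k * 0.1, 0x100, bytes([50, 0])) for k in range(20)]
    frames.append(Frame(1.25, 0x100, bytes([250, 0])))              # out-of-range 'speed' byte
    frames += [Frame(k * 0.05, 0x200, bytes([1])) for k in range(10)]  # 0x200 at 10x its normal rate
    frames.append(Frame(0.3, 0x7DF, b"\x02\x10\x03"))                  # ID never seen in the baseline
    return frames


def run_example():
    """Build the baseline from healthy traffic and scan the suspect window."""
    baseline = build_baseline(healthy_capture())
    return detect(suspect_capture(), baseline)


if __name__ == "__main__":
    for msg_id, reason in run_example():
        print(f"ALERT id=0x{msg_id:03X}: {reason}")
```

Run as a script it prints three alerts, one for each constructed anomaly; the same healthy capture scored against its own baseline produces none. The per-ID rate and value ranges are the "baseline of how a healthy system behaves" from step 1, and the alerts are the raw material that step 2 hands to crew or maintenance personnel and that steps 3 and 4 investigate and hunt over.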

With so much risk and so much to lose, owners and operators must do more to improve situational awareness, reduce their attack surface, and maintain public trust. Shift5 is committed to helping owners and operators of transportation assets execute the steps called for by the White House and more, such as deploying security tools that continuously monitor for, identify, and mitigate threats and unknown vulnerabilities.

And, as we build the next generation of solutions for rail and aviation, we’re looking to forward-leaning leaders who want to get ahead of the curve. If you or your organization wants to learn more, reach out to me personally at mike@shift5.io.

About the Shift5 Platform

At Shift5, we focus on protecting the transportation sector’s most precious assets, including rolling stock and commercial aircraft, along with defense systems. Our platform provides pervasive observability into the onboard OT networks that power these assets. It captures all data from fleet vehicles (planes, trains, and tanks), uses rule-based and machine-learning detections to flag anomalies, then centralizes all of this data in a public, private, or government cloud for customer analysis, threat hunting, incident response, and more.

For more information about Shift5’s technology and operational intelligence for weapon systems, visit Shift5. Follow Shift5 on Twitter and LinkedIn, and sign up for our newsletter to get news about Shift5.