In an era of automation and networking, 2018 has seen an overwhelming increase in cyberattacks against the transport industry. Hackers, finding themselves with systems that are frequently too vulnerable, vie with each other to exploit weaknesses in ever more imaginative ways. This includes the most secure networks.
Last May, in Copenhagen, a self-service bike hire company found itself the victim of hacking. Admittedly it was unsophisticated (the database was erased), but it meant a loss of access to the bike fleet and all the bikes had to be manually rebooted. Was it a disgruntled former employee, a mischievous competitor or just a script kiddie, one of those amateur hackers who sometimes just get lucky? As always, it isn’t easy to identify the motive for an attack of this sort where the consequences are fairly limited. But this was just a bike sharing company. Let’s calmly consider four slightly more startling scenarios.
Are we heading for a “cyber 9/11”?
In the second instalment of the Bruce Willis Die Hard saga, Die Harder, an airport is under siege. Finding themselves without a reliable control tower, the planes are no longer able to land and begin to crash when they run out of fuel or receive incorrect information about the runway. The story takes place in 1990: 28 years later, things would be very different. Unlike the film, rife with gunfire, a takeover assault could nowadays be carried out much more discreetly considering it takes an average of nearly 300 days to realise that an IT structure is corrupted.
No need for commando units, nowadays just an individual hacker capable of targeting the careless employee of a low-cost company and, for example, getting them to connect an infected USB key to their workstation. Although there are many obstacles, airport services and the aircraft themselves are all connected nowadays. This means they are vulnerable: once inside the server where that day's flight tickets are found, a patiently conducted network attack could move from one server to another and reach the control tower, not to mention the baggage sorting or aircraft refuelling systems. They could even take control of a plane. And, even though the groundwork could take a long time, chaos could be unleashed in a matter of minutes by changing runway designation, bringing baggage transfer to a standstill or causing the fuel tanks to overflow. As today's planes are connected technological machines, a “cyber 9/11” cannot be ruled out. Hacking from inside the cabin or from the ground are, therefore, both possible. For instance, an American researcher managed to change an aircraft’s direction by sending a command to one of the engines. So, in 2018, John McClane, the hero played by Bruce Willis, would have to try harder.
Hacking a railway ticket sales system
Nowadays, when rail traffic is opening up to competition, this is one of the most plausible scenarios: not an inter-state declaration of war in the shape of a fatal train crash, but a micro-sabotage which would undermine a brand's image among customers. Do we want to hack websites or increase delays? Make a hole in the till or nibble at the margin bit by bit?
If the goal is to torpedo a company's reputation rather than rob it, one need only ensure that each ticket sold is not shown as such, so that there are twice as many passengers on the platform as seats on the train. The SWIFT inter-bank system has already been hacked and could be again, not in the form of a simple robbery but as a full-on attack aimed at causing real disturbances on the platforms. A railway company’s website is just as complex as any online inter-bank interface and is therefore just as vulnerable to hackers. It is, however, more daunting since, in the event of an attack, the State itself could take an interest in what is going on.
Service stations, tolls, tunnels: potential dangers to the road network
By hacking a computer payment system, some American hackers have recently managed to hack a petrol pump and obtain $1,500 of fuel without paying. When it comes to car transport, there is no point in fearing the competition (there really isn’t any), or the state. On the other hand, ransomware type attacks on tolls and all the tolled sections of the road network are more likely. Take the example of a tunnel operator (such as the one for Mont Blanc or Eurotunnel): anyone hijacking the IT control system could blackmail the company in charge of the facility. Taking control of the exhaust gas extraction system could be a powerful means of blackmail. And even with a bit less ambition, one can always fall back on controlling toll and car park barriers.
This sort of hacking will try to keep control of these blackmail levers for as long as possible. This could be done with a virus such as MyLobot, a malware that can kill all others like itself, repair the weak spots by which it gained access and then embed itself inside the network.
Cyber-hacktivists against marine pollution
What could drive someone to carry out a cyberattack on marine freight? Toxic products are shipped and received in many sites, such as Gennevilliers, France’s main autonomous port, where huge reserves of oil and gas arrive by river. An environmental "hacktivist” could put their message across by infiltrating the IT control systems responsible for inbound shipping.
There is always a way to bridge the air gap - surrounding these pseudo-fortresses
These systems generally operate without an Internet connection, but are not necessarily disconnected and are definitely not impregnable. Indeed, there is always a way to bridge the gap - known as the air gap - surrounding these pseudo-fortresses. The red lights that control the traffic are governed by a network so it is quite conceivable that if a malicious person gained control of them, they would be able to congest the port by allowing too many boats in at once, and even cause accidents.
On this basis, it is not the second instalment of Die Hard that comes to mind, but the fourth one, released in 2007, in which the takeover of the nation's network of traffic signals has serious implications. All it would take is for the hacktivist to find the valve controlling tanker petrol recovery, open the valve and wait for someone to throw away their cigarette butt. Not very ecological in this instance, but nonetheless spectacular. Even if it seems like a Hollywood storyline with hackers who specialise in river trolling, it isn’t hard to imagine what a Holy Grail it would be to take control of the Panama Canal.
Although hypothetical, these scenarios illustrate the vulnerability of the transport industry and its networks. The extended, distributed, spread out, and interconnected characteristics of these networks make them particularly difficult to secure and therefore vulnerable. As an initial response to this situation, government agencies, such as ANSSI in France and BSI in Germany, regularly publish recommendations and best practices.
Many thanks to Robert Wakim, Industrial Offer Manager, for his invaluable help in writing this article, in collaboration with Usbek & Rica.