Trains, Planes, Autos Increasingly in Cybercriminal’s Bullseye

The transportation industry is increasingly being targeted by cyber criminals who see the sprawling multi-billion dollar industry as ripe for financially motivated attacks.

According to IBM’s X-Force security team, the systems behind planes, trains and automobiles have now become bigger paydays for hackers than industries such as the retail sector – once a favorite of crooks after PoS system and credit card data.

In a report, Security Trends in the Transportation Industry, released Tuesday, IBM security researchers say a combination of attacks – denial of service attacks and malicious attachments and links – accounted for over 44 percent of the cyber-attacks targeting the transportation sector between March 1, 2015 and May 15, 2016.

Terrorism, as some might think, is nowhere close to a chief motivator behind cyber assaults of airlines, mass transit and passenger rail systems, said Michelle Alvarez, a threat researcher and editor for IBM Managed Security Services. The transportation sector is rich with passenger data worth money on the dark web. Hackers buy and sell stolen frequent flier points. And DDoS extortion is extremely effective when taking down inter-dependent mission critical systems, Alvarez said in an interview with Threatpost.

“There are so many endpoints and attack vectors in this industry. It’s like other high-value industries. It’s moving fast to shore up its defenses,” Alvarez said. But, the attackers are moving faster, she added.

Case in point, IBM cites a 2015 report (PDF) by a maritime cybersecurity firm that found 37 percent of the servers running Microsoft did not have up-to-date patches and were vulnerable to a remote exploitation.

Source IBM: Most prevalent attack vectors in the transportation industry. (March 1, 2015 – May 15, 2016). Attacks are based on monitored IT networks, not attacks against the control networks or the mode of transit (such as airplanes, trains, truck and ships).

Source IBM: Most prevalent attack vectors in the transportation industry. (March 1, 2015 – May 15, 2016). Attacks are based on monitored IT networks, not attacks against the control networks or the mode of transit (such as airplanes, trains, truck and ships).

The Department of Homeland Security says the uptick in attacks against the transportation sector is tied to “the growing reliance on cyber-based control, navigation, tracking, positioning, and communications systems, as well as the ease with which malicious actors can exploit cyber systems serving transportation.”

IBM agrees with that assessment. “We are seeing this industry emerging as high-value target right alongside healthcare, manufacturing, financial services and government,” Alvarez said.

Still missing is that pivotal moment for the transportation industry that serves as a wakeup call for better security. The retail industry had a sobering jolt with the massive 2013 Target breach of 40 million target credit cards. But Alvarez argues that the transportation industry has come close with the high-profile car hack a Jeep last year and the alleged hack of a computer systems aboard airliner via an in-flight entertainment system.

More concretely, in June of 2015, a Polish airline grounded 10 planes at Warsaw’s Frederic Chopin airport after hackers were purportedly able to modify an entire airline’s flight plans via a distributed denial of service (DDoS) attack. Last July, a security researcher was awarded one million miles as part of a United Airlines bug bounty program for finding several remote code execution bugs in the airline’s computer system.

IBM said there are many challenges when it comes to addressing the security needs of the transportation industry. For one, a trend toward privatization makes it hard to identify and remediate cyber infrastructure vulnerabilities. “Patch management policies may vary widely from one organization to the next,” wrote IBM X-Force researchers.