Cyber-security: Full Prevention is not possible
With the threat of cyber terrorism only looking likely to increase in the transportation industry, renowned cyber-security specialist, Dr Anastassia Lauterbach, considers the reasons for properly addressing digitalisation and its vulnerabilities: specifically, the manner in which it carries risks; the reasons why companies often face them with so little preparation; and how public and private carriers can better address the cyber risk.
According to the IBM report Security Trends in the Transportation Industry, “risks to critical transportation infrastructure include natural disasters as well as man-made physical and cyber threats. Man-made threats include terrorism, vandalism, theft, technological failures, and accidents. Cyber threats to the Sector are of concern due to the growing reliance on cyber-based control, navigation, tracking, positioning, and communications systems, as well as the ease with which malicious actors can exploit cyber systems serving transportation. Terrorist attacks, whether physical or cyber, can significantly disrupt vital transportation services and cause long-term sociological and economic consequences.”
Reality of the threat
In 2013 the BBC reported that police in Belgium publicly disclosed an attack on the Antwerp shipping port, which was assumed to have taken place over a two-year period from June 2011. Prosecutors say a Dutch-based trafficking group hid cocaine and heroin among legitimate cargo, including timber and bananas, shipped in containers from South America. The organised crime group allegedly used hackers based in Belgium to infiltrate computer networks in at least two companies operating in the port of Antwerp. The breach allowed hackers to access secure data giving them the location and security details of containers, meaning the traffickers could send in lorry drivers to steal the cargo before the legitimate owner arrived.
In 2013 in Lodz, Poland, a 14-year-old modified a TV remote control so that it could be used to change track points. The teenager broke into a number of tram depots to gather the information needed to build the device, which turned the tram system in Lodz into his own personal train set. As a result, four vehicles were derailed, injuring 12 people, according to a Marsh Transportation Practice report published in 2015.
In 2014 hackers targeted the Chinese National Train Reservation System and stole customers’ personal data.
In June 2015 Polish airline LOT suggested that operations at its Warsaw Chopin Airport hub were disrupted by what the carrier said was a cyber attack on its flight planning computers. Ten flights were cancelled and another delayed. The problem was most likely caused by what is known as a Distributed Denial of Service (DDoS) attack — when a hacker deluges an organisation’s system with so many communication requests that it overloads the server, and it can no longer carry out its normal functions.
In November 2015 a cyber attack launched by a Russian APT group may have jammed Sweden’s air traffic control capabilities, according to the Norwegian publication Aldrimer.no.
These examples demonstrate that alongside the healthcare and manufacturing industries, financial services and the government, the transportation industry is becoming a high-stakes target for cyber criminals. Its systems handle large volumes of data, which could be stolen and resold on the dark web. Extortion, DDoS attacks and ransomware threats should not be underestimated.
In this context it is not surprising that venture capitalist investments in cyber-security firms have seen a 235% growth rate over the past five years. According to the SITA Airline IT Trends Survey 2016, 91% of all airlines plan to increase spending on cyber-security in the next three years.
Root causes of the risks
The Internet was never built with security in mind, and its whole system is getting technologically weaker with every passing year. The reasons are simple: hardly anyone writes code or develops applications from scratch. We are still relying on computer protocols from the 1970s and 1980s that were designed for openness, not security. The attacking community is systematically searching these core elements of the Internet and discovering new vulnerabilities to exploit. As a result, the whole ‘fabric’ of the Internet is riddled with holes and opportunities to bypass its defences.
Adoption of open source
‘Open source’ describes original source code that is made freely available and can therefore be redistributed and modified. The rate of adoption for open source programming exceeds the vetting process for many applications. Cyber experts on open source understand that in 98% of cases companies aren’t sure where they use open source or what its origins are. In a fast-moving world, developers are incentivised to launch new features and functionalities, not to protect data or guard privacy. Cyber criminals can exploit loopholes in open source at supplier level without having to go directly to their target victim or organisation.
Human behaviour at work
Using file-sharing applications such as Dropbox and ignoring IT policies can often leave companies at risk. Many employees still prefer to store data on a memory stick, without thinking that these devices can be easily compromised by criminals. It is also common for individuals to use multiple devices (or ‘end points’) interchangeably for work and leisure, often without substantial security settings. Although this poses a risk of data being stolen directly from portable devices, the greater concern is that mobile devices are conduits to the cloud, which holds terabytes of valuable data. The explosion in the number of mobile devices creates many new end points, or access points, to large amounts of data, which vastly increases the challenge of securing cyberspace.
Rise of sensors
The rise in end points is nothing compared to the coming Internet of Things (IoT). Sensors have already been embedded in cars, security cameras, kitchen appliances, and wearables. Every eight seconds 150 new devices are added online. By 2020, according to IT research company Gartner, there will be 26 billion connected end points. IT provider Cisco puts the number at 50 billion and financial solutions provider Morgan Stanley at 75 billion.
The decreasing cost of computer power
Cloud and mobile technologies and the decreasing costs of computing power have caused a shift in global economies. It has never been easier to launch a business, build a product, and reach out to customers. However, one of the negative offshoots of the ever-decreasing cost of computing power is the ability for cyber criminals to launch increasingly numerous attacks at lower and lower costs. These criminals don’t even need to invent malware; they can exploit existing ‘products’ that are often free or inexpensive to obtain.
In spite of these threats, which are easy to launch and execute, defenders generally rely on decades-old core security technologies, often cobbled together in multiple layers of point products. There is no true transparency on the situation, nor are the point products designed to communicate with each other. As a result, when attacks are detected, responses tend to be highly manual in nature.
In this context, economics works in favour of the attackers. There are more dollars to steal per Internet user, be it a consumer, a small business owner, or an employee at a large corporation. Today the figure is US$19 per person globally. Consider the uneven distribution of wealth and technology, and the figure per user in North America, Europe and Australia, for example, gets higher.
At the heart of the cyber-security battle is a mathematical problem. It is relatively simple to understand, but hard to correct and prevent from happening, given the legacy of Internet architecture, vast growth in connected devices and sensors, and incentives for cyber criminals to make money.
It is expected that the number of attacks will continue to grow, and consequences will be even more costly as we constantly increase the connections of various things to the Internet.
Just a few years ago, many viewed cyber-security as a technical problem best left to the company CIO. IT departments often didn’t even employ a dedicated Chief Information Security Officer. Today most security professionals would agree that total prevention is not possible and that cyber risk should be managed through the continual improvement and coordination of several elements in an organisation: technology, process, people, and intelligence sharing. Over the last 30 months three CEOs have lost their jobs over cyber breaches. Since then, cyber risk has scored high on the corporate governance agenda, involving top leadership teams and boards of directors. It is seen as one of the most dangerous risks impacting companies’ reputation, brand, and sustainability.
Companies should have policies to address cyber risk in seven areas:
- Inclusive top management and board discussion: Company leaders and all nonexecutive directors should be empowered to take accountability for cybersecurity
- Proactive addressing of cybersecurity in risk management: Every business decision should incorporate a review of the cyber risk at a very early stage
- Product development with cybersecurity in mind: New products and services should be architected with cybersecurity in mind, including implications for their updates/new releases, customer care and relationship management, and ‘phasing out’ stage
- Risk-oriented prioritisation: Companies need to cluster their IP, intangible and tangible assets for varying levels of cyber protection
- Investment in human defences: Awareness, education and improved communication (including to and from the compliance function of companies) around cyber risk are key to reducing negligence
- Audit of third parties: Partners, M&A candidates, and suppliers should be audited for the cyber risk they might bring with their infrastructure, within their products and services, or throughout their processes. In this context, risk-oriented prioritisation should apply
- Incident response policies and procedures: Since no one company can be secure all the time, potential breaches should be ‘modelled’ and their mitigation blueprinted.
In summary, cyber-security is an enterprise risk, not a function for IT. Armed with an understanding of what a mature security programme could look like, companies can learn how to manage it to their best abilities. Fortunately, there are specialised solutions and companies that address every single area of cyber risk management as described above. Companies such as DFLabs, Security Scorecard, Black Duck Software, Nuro, Resilient Network Systems (to name but a few) offer valuable solutions to optimise defences and better understand potential threats.
Anastassia Lauterbach, PhD, is CEO and Founder of 1AU-Ventures, a start-up accelerator focused on artificial intelligence (AI), cyber-security, IoT, and wireless hardware. Dr Lauterbach trains corporate boards and leadership teams in cyber-security, AI and digital transformation and advises Fortune 500 brands in their captive ventures and start-up acceleration programmes. Dr Lauterbach has served as a director of D&B since August 2013, and is Chairman of the Innovation & Technology Committee. In January 2016 she was appointed to the Board of Directors of eKomi, Berlin and she has served as an Advisor of Evolution Equity Partners, a PE company with a focus on cyber-security and enterprise software. She is currently a judge of the McKinsey and Handelsblatt Industry 4.0 Award, and Digital Awards of TMT Forum, a non-profit organisation of telecommunication carriers and their suppliers.