Ransomware Will Likely Target OT Systems in EU Transport Sector: ENISA

Ransomware and data-related attacks are the top cybersecurity threats to the transport sector in the EU, ENISA says.

Ransomware has become the top threat to the transport sector in the EU, and the European Union Agency for Cybersecurity (ENISA) expects ransomware groups to disrupt operational technology (OT) systems.

The overall number of cyberattacks targeting aviation, maritime, railway and road transport organizations increased between January 2021 and October 2022, with cybercriminals responsible for most of the incidents (54%), according to a new report from ENISA.

Ransomware emerged as the primary threat, being used in 38% of the observed incidents, with data-related attacks taking the second position, at 30%.

Malware (17%), DoS and DDoS (16%), phishing (10%) and supply chain attacks (10%) were also observed, along with breaches, fraud, and vulnerability exploitation.

As part of a ransomware attack, threat actors compromise a target’s systems, deploy file-encrypting malware, and demand a ransom payment in exchange for decryption keys. Representing a significant portion of the identified incidents, including several high-profile attacks, ransomware is presented separately from malware.

“The data on incidents collected until October 2022 indicate an increase in reporting of ransomware attacks during 2022. The number of ransomware attacks reported to the transport sector almost doubled, rising to 25% in 2022 from 13% during 2021. Contrary to ransomware, we observed a decline in malware incidents in 2022 compared to 2021 (from 11% to 6%),” ENISA explains.

The agency has reiterated its previous warning that “ransomware groups will likely target and disrupt OT operations in the foreseeable future.”

It noted that, until now, OT systems and networks were only affected when entire networks were impacted or when safety-critical IT systems became unavailable.

However, ENISA believes we will see OT systems in the transportation sector being directly targeted due to several factors, including an increasing number of industrial control system (ICS) vulnerabilities, growing IT-OT connectivity, and the significant business and social impact of such an incident, which increases the cybercriminals’ chances of getting paid.  

The number of data-related incidents, which include both data breaches and data leaks, has declined compared to ransomware, but remains high. The observed attacks have impacted the information of employees and passengers, as well as corporate data and intellectual property.

An analysis of the threat actor activity targeting the transport sector shows that cybercriminals are the main threat, followed by hacktivists – mainly responsible for an increase in DDoS attacks and motivated by operational disruption and ideological beliefs – and state-sponsored groups.

Financial gain, operational disruption and espionage were the main identified motivations for the observed attacks, but a motive has not been determined for roughly one-third of the observed attacks.

“More than half of the incidents observed in the reporting period were linked to cybercriminals (55%). This is also linked with the motivation behind these attacks which is predominately financial gain (38%). The transport sector is considered a lucrative business for cybercriminals, with customer data considered a commodity and with highly valuable proprietary information when the transport supply chain is being targeted,” ENISA notes.

Aviation emerged as the most targeted sector (accounting for 28% of the attacks), followed by road transport (24%), railway (21%), and maritime transport (18%).

Transport authorities were the primary target of the attacks, followed by railway undertakings and infrastructure managers in the railway sector, port operators, airlines, service providers, OEMs, airport operators, surface transport operators, and the supply chain.

ENISA’s report provides a full breakdown of the observed attacks by sector and threat actor motivation.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
