Ransomware Will Likely Target OT Systems in EU Transport Sector: ENISA

Ransomware has become the top threat to the transport sector in the EU, and the European Union Agency for Cybersecurity (ENISA) expects ransomware groups to disrupt operational technology (OT) systems.

The overall number of cyberattacks targeting aviation, maritime, railway and road transport organizations has increased between January 2021 and October 2022, with cybercriminals responsible for most of the incidents (54%), according to a new report from ENISA.

Ransomware emerged as the primary threat, being used in 38% of the observed incidents, with data related attacks taking the second position, at 30%.

Malware (17%), DoS and DDoS (16%), phishing (10%) and supply chain attacks (10%) were also observed, along with breaches, fraud, and vulnerability exploitation.

As part of a ransomware attack, threat actors compromise a target’s systems, deploy file-encrypting malware, and demand a ransom payment in exchange for decryption keys. Representing a significant portion of the identified incidents, including several high-profile attacks, ransomware is presented separately from malware.

“The data on incidents collected until October 2022 indicate an increase in reporting of ransomware attacks during 2022. The number of ransomware attacks reported to the transport sector almost doubled, rising to 25% in 2022 from 13% during 2021. Contrary to ransomware, we observed a decline in malware incidents in 2022 compared to 2021 (from 11% to 6%),” ENISA explains.

The agency has reiterated its previous warning that “ransomware groups will likely target and disrupt OT operations in the foreseeable future.”

It noted that, until now, OT systems and networks were only affected when entire networks were impacted or when safety-critical IT systems became unavailable.

However, ENISA believes we will see OT systems in the transportation sector being directly targeted due to several factors, including an increasing number of industrial control system (ICS) vulnerabilities, growing IT-OT connectivity, and the significant business and social impact of such an incident, which increases the cybercriminals’ chances of getting paid.  

The number of data-related incidents, which include both data breaches and data leaks, has declined compared to ransomware, but remains high. The observed attacks have impacted the information of employees and passengers, as well as corporate data and intellectual property.

An analysis of the threat actor activity targeting the transport sector shows that cybercriminals are the main threat, followed by hacktivists – mainly responsible for an increase in DDoS attacks and motivated by operational disruption and ideological beliefs – and state-sponsored groups.

Financial gain, operational disruption and espionage were the main identified motivations for the observed attacks, but a motive has not been determined for roughly one-third of the observed attacks.

“More than half of the incidents observed in the reporting period were linked to cybercriminals (55%). This is also linked with the motivation behind these attacks which is predominately financial gain (38%). The transport sector is considered a lucrative business for cybercriminals, with customer data considered a commodity and with highly valuable proprietary information when the transport supply chain is being targeted,” ENISA notes.

Aviation emerged as the most targeted sector (accounting for 28% of the attacks), followed by road transport (24%), railway (21%), and maritime transport (18%).

Transport authorities were the primary target of the attacks, followed by railway undertakings and infrastructure managers in the railway sector, port operators, airlines, service providers, OEMs, airport operators, surface transport operators, and the supply chain.

ENISA’s report provides a full break-down of the observed attacks by sector and threat actor motivation.

Related: Toyota’s Japan Production Halted Over Suspected Cyberattack

Related: Car Parts Giant Denso Targeted by Ransomware Group

Related: Port of Houston Target of Suspected Nation-State Hack