Managing the cybersecurity risks of operational technology in transportation

Operational technology (OT) uses hardware and software to monitor and control physical processes, devices, and infrastructure. Historically, OT systems were not connected to the Internet and were therefore not vulnerable to cyber-threats.

Internet of Things (IoT)

However, today’s OT systems are increasingly part of a company’s networks as technologies converge and the Internet of Things (IoT) gains prominence. No longer can OT systems be counted on to be “air-gapped,” that is, not connected to other systems.

When OT systems are vulnerable, companies face a “cyber-physical risk.” A bad actor could create a catastrophic risk in the physical security world by compromising OT systems. To understand more about OT and the related cybersecurity concerns, we spoke with Lisa Hammill, VP of Commercial Markets for Shift5, a company that applies cybersecurity best practices to OT systems and networks, thus dramatically reducing their cyber risk.

Q: What is operational technology (OT)? How are the cybersecurity concerns for OT different than those for information technology (IT) systems?

Hammill: Operational technology (OT) refers to the computer systems that underpin critical infrastructure, enabling it to run continuously and reliably. For example, planes and trains rely on OT to execute basic flying or driving commands.

OT cybersecurity solutions for planes, trains, or weapon systems must be capable of the basics of IT cyber-hygiene

Most OT is built on legacy technology manufactured before cybersecurity became a priority and relies on serial bus networks like MIL-STD 1553, CAN 2.0, or RS-232, instead of the standard TCP/IP communications protocols that IT security solutions can monitor and defend.

Any effective OT cybersecurity solution for planes, trains, or weapon systems must be capable of the basics of IT cyber-hygiene, including ensuring signed software and firmware updates, full data capture, and continuous monitoring and detection aboard planes, trains, and weapon systems. This all makes cybersecurity for onboard OT difficult, but not impossible.

Q: What is a “cyber-physical risk” and why is the term important?

Hammill: Cyber-physical systems integrate digital components into physical objects and infrastructure; we focus on critical infrastructure like transportation as well as weapon systems. Cyber-physical risks manifest when actors intrude on these delicate processes to manipulate real-world outcomes, whether that’s grounding plane flights, or disabling train brakes.

The risks of attacks facing OT within cyber-physical systems are highly consequential, can cause disruptions to civil society, economic disruption, and potential harm to citizens, as well as shift the balance of power in military conflict and geo-political matters.

Q: Please describe the breadth of the risks when it comes to OT cybersecurity.

Hammill: Cyber-physical attacks can jeopardise business and mission-critical operations, and risks are highly consequential when it comes to transportation systems, creating safety risks for operators and passengers, economic impact, and millions in downtime losses, remediation, and ransom payments. Transportation is a particularly vulnerable sector of critical infrastructure.

An attacker could leverage a tested playbook to disrupt operations with minimal effort

As we’ve seen from recent attacks demonstrating the attackers’ focus is trained on this space. The motivation of an attacker will vary, but for example, let’s say a bad actor wanted to target an aircraft to disrupt service and ground a flight. There have been examples of basic cyber-attacks targeting noncritical aircraft systems; however, many of these systems remain vulnerable. An attacker could leverage a tested playbook to disrupt operations with minimal effort.

An attacker could target a system considered least critical to passenger safety systems categorised as a Design Assurance Level E (DAL E) like an in-flight entertainment system. This type of system has been hacked before and could be used as a vector for a ransomware attack. If an attacker takes control of video screens on seatbacks mid-flight, they would certainly damage passenger trust. They would also likely try to move up the design assurance level chain to gain further access.

For example, when a plane pulls into a gate, communication between the aircraft and airline operations happens automatically. An attacker could exploit this connection to move from one system to another. If an attacker gets into those communications channels, they could alter data or hold it hostage, while the airline halted operations to resolve the issue.

Q: What industries/markets are most vulnerable to OT cybersecurity threats and why?

Hammill: Operational technology lacks the historical focus on cybersecurity that IT has, and basic best practices are nascent for OT industry-wide. Cyber-attacks targeting Colonial Pipeline and Florida's water systems (in 2021) have spurred those industries into action to prioritise cyber hygiene. The aviation and rail industries are watching and taking proactive steps to prevent such cyber-attacks.

As weapons systems and vehicles on roads, rail lines, and in the air add on new technology, they are at risk of cyber-attacks

Shift5 defends planes, trains, and weapon systems because these vehicles leverage a vast swath of distinct serial bus networks and protocols unseen in other critical infrastructure technologies. We have experts creating a tool that can monitor and detect traffic aboard these bespoke networks. And as weapons systems and vehicles on roads, rail lines, and in the air add on new technology, like autonomation, they are increasingly at risk of cyber-attacks.

Q: What are the various sources of OT cybersecurity risks (e.g., other governments, individual hackers, criminal organisations, etc.)? Which are the most urgent and/or pervasive?

Hammill: Because of their ability to cause deeply consequential impacts on the business, economy, and human safety, OT cybersecurity risks must be considered scrupulously. Attackers targeting OT could have a range of motivations, from financial gain or market advantage through the theft of intellectual property, to insider threats and geopolitical advantage in a contested environment.

It’s no secret that most malicious adversaries choose the path of least resistance when developing their attack strategy. When OT is aboard planes, trains, and tanks, we’re only in the early innings of creating obstacles for those actors to overcome. One threat we’re watching closely is the evolution of ransomware targeting OT. Digital extortion could cause operational disruption and impact consumer trust.

Q: What is the Shift5 approach to cybersecurity?

Hammill: Shift5 extends 40 years of expertise in adversarial tactics, techniques, and procedures from IT endpoint security into the OT world. For the first time in history, operators can apply cybersecurity best practices to OT systems and networks, dramatically reducing their cyber risk.

Shift5 allows rail, aerospace, and defense to generate data-informed insights and make accurate decisions

Shift5 brings complete observability and threat detection to OT systems as cyber-physical attacks become an increasingly attractive strategy for digital attackers. By providing visibility into the data that powers their most expensive, longest-lived, and most consequential fleet assets, Shift5 allows rail, aerospace, and defense companies to generate data-informed insights and make timely, accurate decisions once considered impossible.

Q: Has OT cybersecurity trailed IT cybersecurity in terms of awareness? If so, why is it true, and how can organisations become more aware (and more prepared) of OT cybersecurity risks?

Hammill: OT cybersecurity is nascent compared to IT security, but the industry is catching up. While most organisations understand the importance of visibility and observability in IT systems to enable their defense, very few have this same level of oversight for their most expensive, consequential, and longest-lived OT-powered assets.

Simple best practices geared towards defending OT can make an adversary’s job more difficult. Start with taking inventory of all OT assets, then move to gain situational awareness so you can develop your baseline for “normal” operations (and can identify any abnormal events), and finally take steps to shore up gaps in cybersecurity.

Q: Tell me more about Shift5.

Hammill: Shift5 was founded by Josh Lospinoso and Michael Weigand, two of 40 people hand-selected to stand up to U.S. Cyber Command, the nation’s most elite unit of cyber-defenders. There, Mike and Josh became familiar with challenges in defending weapons systems, and the idea for Shift5 was born.

Shift5 provides OT cybersecurity and operational intelligence for fleet operators and military platforms

Military weapon systems are built on the same OT infrastructure found within planes and trains, and today Shift5 provides OT cybersecurity and operational intelligence for fleet operators and military platforms.

Our customers include the DoD, US Army, Air Force, and Navy, and several of the largest U.S. passenger rail and household-name aviation companies. Many of these industries are beginning to seek out partnerships with Shift5; for example, AEI HorizonX, the venture capital investment platform formed between AE Industrial and The Boeing Company, today works with Shift5.

Q: What is the biggest misconception when it comes to OT cybersecurity?

Hammill: A common misconception is that OT aboard planes, trains, or weapon systems isn’t at risk. Many security experts have implemented air gapping as a cybersecurity strategy to keep cybersecurity threats away from sensitive systems. However, due to the convergence of IT and OT, there are more inroads to OT than ever, and air gapping isn’t as effective.

Transportation assets like planes and trains are flying and rolling data centers that produce valuable and useful data, and they need to be protected just as we protect client data or IP. It’s a hard problem to solve, but the stakes are high and attackers are increasingly aiming their attention at this surface area.

Modern cybersecurity principles must be extended to the onboard OT networks of aerospace, rail, and defense

Amid the war in Ukraine, we saw attackers target the Belarusian Rail System to thwart Russian adversaries, and Russia digitally attacked Viasat to disable this critical piece of infrastructure ahead of a kinetic strike. Digital attacks facing aerospace, rail, and defense targets are on the rise, and modern cybersecurity principles must be extended to their onboard OT networks.

Q: How can organisations start to address these challenges?

Hammill: Cybersecurity done well is a lot of preventative work, and when we hear no news, that’s often good news. The U.S. government has increased the levels of dialogue around cybersecurity risks facing US critical infrastructure operators and has led by example in sharing information to help critical infrastructure organisations bolster their defenses.

I recommend that transportation organisations engage proactively with local FBI field offices or CISA Regional Offices to establish relationships in advance of any cyber-incidents and visit the websites of CISA and the FBI where they will find technical information and other useful resources. They should also take advantage of other resources like TSA, AAR, ICA, and relevant ISACs that have working groups focused on these challenges.

I encourage every transportation operator to understand the risks for these large transportation assets through vulnerability assessments, pen testing, and exercises just as they do with their IT environments.