News / Transport and logistics in Europe pushed to beef-up cybersecurity

New EU laws next year will see major parts of the transport and logistics industry forced to boost their cybersecurity – and report all cyber-attacks.

The directive designates airports, airlines, traffic control authorities, ports and port equipment operators and shipping lines as “sectors of high criticality” and will require each member state to assemble a computer incident response team with “adequate resources and technical capabilities”.

The law will also beef-up reporting requirements for companies which have been attacked. The EU agency for cybersecurity, ENISA, must assess and address cybersecurity readiness, including providing an operational template for response teams.

This week ENISA published a report warning of the growing cyber-risk in the transport sector, part of a wider effort by the EU to improve shipping, road, rail and air transport defences against state- and non-state attackers.

Threat Landscape: Transport Sector found aviation was the most-attacked segment between January 2021 and October 2022, with some 27 incidents recorded. Attacks on road were the second highest, at 24, rail at 21 and shipping with 18.

Despite the Russia-Ukraine war beginning during this period, ENISA still determined that financial gain was by far the biggest single motivator for cyber-attacks, accounting for some 55% of cases. Road and aviation proved particularly susceptible, with the latter’s primary vector of attack concerning data leaks rather than ransomware. 

The biggest target among ideology-motivated ‘hacktivists’ appears have been trains, it said. They “have claimed responsibility for attacks on the railway (8%) and aviation (6%) sectors”, it noted and added: “This has to do mainly with attacks linked to Russia’s military aggression against Ukraine,” although “state-sponsored actors” were more likely to attack shipping.

Speaking with The Loadstar, Marijn van Schoote, head of cybersecurity at the Port of Rotterdam which was affected by the NotPetya attack in 2017, welcomed the new measures, which he said would see “the scope of the rules” increased.

He explained that rapid digitalisation in ports had left them without the ability to ‘switch to manual’ in the event of a cyberattack.

“There are some failures we get, where we can switch over to manual port operations. But because of a lack of resources, or a high level of digitalisation, that option will go away.”

Mr van Schoote highlighted the comments of former Russian military leader Andrey Gurulyov on Russian TV, naming Rotterdam as a strategic target in the event of an escalation in the Ukraine conflict. “The public authorities say the likelihood has been increased. We see no direct action yet, or direct cyber attacks planned at [Rotterdam] at this moment.”

At the CMA Shipping Conference yesterday, DNV’s CEO of maritime, Knut Ørbeck-Nilssen, briefly touched on the ransomware attack on DNV’s ShipManager software at the beginning of the year that put 70 clients and 1,000 ships in the firing line.

He said: “I think it’s so important that we share the experiences. If you imagine what we know about companies that have been victims of cyber-attack, you can just imagine how much bigger the portion is of companies have been cyber-attacked and do not share any of the information.

“If we are not sharing, we are making the dark forces more powerful… we will all be cyber victims,” he warned.

The murky nature of the cyber-threat landscape makes it challenging to work out attackers’ true motivation and easy to disguise a state-sponsored attack as petty crime. In the NotPetya ransomware incident in 2017, the biggest cyber-attack on shipping thus far, a financial motivation was initially blamed. But it was later determined to be part of a wide Russian cyber campaign against companies doing business in Ukraine.