Transport cybersecurity
Cyber Risk GmbH is monitoring the cybersecurity developments in three major areas:
1. The commercial and private aviation industry.
2. The railway industry.
3. The maritime industry.
Cybersecurity challenges in the commercial and private aviation, the railway industry and the maritime industry.
In the European Union, we have two major developments:
- the Network and Information Security Directive (NIS 2), that replaces and repeals the NIS Directive (Directive 2016/1148/EC). NIS 2 will improve cybersecurity risk management and will introduce reporting obligations across sectors such as energy, transport, health and digital infrastructure.
In Annex I (Sectors of High Criticality), we find that the transport sector (air, rail, water and road subsectors) are in the scope of the NIS 2 Directive.
- the Critical Entities Resilience Directive (CER). It covers 11 sectors: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food.
In the USA, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.
CIRCIA includes a number of requirements related to the required reporting and sharing of covered cyber incidents, to include the following:
- Cyber Incident Reporting Requirements: CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.
- Federal Incident Report Sharing: Any federal entity receiving a report on a cyber incident after the effective date of the final rule must share that report with CISA within 24 hours. CISA will also have to make information received under CIRCIA available to certain federal agencies within 24 hours.
- Cyber Incident Reporting Council: DHS must establish and Chair an intergovernmental Cyber Incident Reporting Council (Council) to coordinate, deconflict, and harmonize federal incident reporting requirements.
CIRCIA additionally authorizes or requires a number of initiatives related to combatting ransomware, to include the following:
- Ransom Payment Reporting Requirements: CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments made as a result of a ransomware attack. CISA must share such reports with federal agencies, similar to above.
- Ransomware Vulnerability Warning Pilot Program: CISA must establish a pilot to identify systems with vulnerabilities to ransomware attacks and may notify the owners of those systems.
- Joint Ransomware Task Force: CISA has announced the launch of the Joint Ransomware Task Force in accordance with the statute to build on the important work that has already begun to coordinate an ongoing nationwide campaign against ransomware attacks. CISA will continue working closely with the Federal Bureau of Investigation and the National Cyber Director to build the task force.
Russia’s invasion in Ukraine has changed the cybersecurity landscape and has created new cybersecurity threats across the world. The US Cybersecurity & Infrastructure Security Agency (CISA) has warned all organisations that it’s time to put “shields up.” In the UK, the National Cyber Security Centre (NCSC) has cautioned British organisations about the heightened risk of attacks, asking them to strengthen their defences.
According to the European External Action Service (EEAS) which is the European Union’s diplomatic service: "This war will force us to increase our defence spending. We need to spend more but above all to spend better, i.e. jointly. Some member states, such as Germany, have already taken important new measures in this area with €100 billion additional defence spending in 2022 and an increase of the defence budget to above 2 % of GDP from 2024. This must be the case everywhere where defence spending is still too low."
According to Heraclitus, "War is father of all, and king of all". Tt sounds true for railways cybersecurity, and so many "nice to have" projects have become "must have".
Our training programs
Cyber Risk GmbH is offering training programs in some difficult areas, like the new NIS 2 Directive of the European Union that changes the compliance requirements of many entities in the transport sector (air, rail, water and road subsectors), and programs that assist the Board of Directors and the CEO in understanding cybersecurity challenges.
The Board of Directors and the CEO of entities in the transport sector must understand that they are high value targets. For them, standard security awareness programs are not going to suffice. The way they are being targeted is anything but standard or usual. They are the recipients of the most sophisticated, tailored attacks, including state-sponsored attacks. These are attacks that are often well planned, well crafted, and employ advanced psychological techniques able to sway a target towards a desired (compromising) behavior without raising any alarms.
Countries expand their global intelligence footprint to better support their growing political, economic, and security interests around the world, increasingly challenging existing alliances and partnerships. They employ an array of tools, especially influence campaigns, to advance their interests or undermine the interests of other countries. They turn a power vacuum into an opportunity.
Countries use proxies (state-sponsored groups, organizations, organized crime, etc.) as a way to accomplish national objectives while limiting cost, reducing the risk of direct conflict, and maintaining plausible deniability.
With plausible deniability, even if the target country is able to attribute an attack to an actor, it is unable to provide evidence that a link exists between the actor and the country that sponsors the attack.
Our training programs for the commercial and private aviation industry.
Cybersecurity training for the commercial and private aviation
Cybersecurity training for the Board of Directors and the CEO in the commercial and private aviation
NIS 2 Directive Training for the commercial and private aviation
Our training programs for the railway industry.
Cybersecurity Training for the Railway Sector.
The NIS 2 Directive as it applies in the Railway Sector.
Cybersecurity Training for the Board of Directors in the Railway Sector.
Our training programs for the maritime industry.
Maritime Cybersecurity Training.
The NIS 2 Directive as it applies in the maritime industry.
Cybersecurity Training for the Board of Directors in the maritime industry.