Email Security Gaps Put Transportation Companies and Public Safety at Risk
Editor’s Note: This blog post was originally found on the Agari Email Security blog.
By John Wilson
Don’t be surprised if heightened tensions with Iran, China and Russia push email security to the top of every CISO’s agenda this year — including those in the transportation industry.
It’s well known that the threat posed by phishing in the transportation sector has surged over the last year. But now, an email attack leading to the theft of radioactive materials from a cargo ship, a serious train derailment, or the weaponization of hazardous materials trucked through populated areas isn’t just the stuff of Hollywood blockbusters anymore.
Suddenly, it’s prudent scenario planning, thanks to easily exploitable vulnerabilities in rail, shipping, and trucking company email security that could cause significant financial and reputational damage while putting the public at risk.
Recent international incidents such as the US airstrikes that led to the death of Iranian general Qasem Soleimani have certainly amplified concerns that Iran and other foreign threat actors may soon step up cyberattacks against utilities, critical infrastructure, transportation systems and other targets. But that may be old news for this sector.
The truth is, the transportation industry is already under assault from a growing number of cybercriminal organizations, nation-states, and non-state actors. And email appears to be a preferred avenue of attack.
Phishing for Dangerous Cargo
This past May, the US Coast Guard issued a maritime alert triggered by three different spear-phishing attacks reported by commercial vessels along the East Coast. In each of these offensives, scammers posed as Port State Control authorities using an email address from a lookalike domain to request information from the ships’ captains.
The first attempt, in January, asked for sensitive information about the ship, its cargo, and its crew — information that ships include on the Notice of Arrival they submit to port authorities. Among other sensitive data, these notices include crew members’ names, passport numbers, and dates of birth.
The second and third phishing attempts, in March and April, targeted a different ship with a more direct and ominous request: Did the vessel carry explosive or radioactive material onboard? Thankfully, crew training to inspect message details like the sender’s address thwarted these phishing attempts. But that may not be enough to thwart every new attack.
Reeling in Rail and Road Transportation Targets
Other transportation systems face email threats of their own. In March, a trio of rail security consultants issued a call for stepped-up cybersecurity practices in the railroad industry. They described modern railways as a “relatively soft and highly tempting target for those looking to wreak havoc” by stealing hazardous cargo or targeting passengers and urban stations.
Rail’s legacy control and communication systems contribute to the industry’s overall cyber risk. So does the industry’s relative laxity about cybersecurity. As RailwayAge.com recently put it, “Railroads, like other asset-intensive industries, typically do not have a culture of cyber awareness, which makes their workforces vulnerable to social engineering (such as phishing).” The consequences of taking the bait could range from service outages and lost revenue to disasters like a “hacker-caused train collision or derailment.” At least one significant spear-phishing attack on regional freight railroad managers in the US has been reported and analyzed.
A similar situation can be found in the trucking industry as well. Small and midsize trucking firms and their back-office staffers are especially vulnerable to phishing attacks, according to industry experts and the American Trucking Association. In 2018, one trucking firm reported that more than a quarter of the 100,000 emails it received each day were spam. That’s a lot of opportunities for one wrong click. The most troubling risk associated with successful phishing attacks is the shutdown or takeover of a big truck’s systems — or of a whole fleet.
Chaos Isn’t the Only Risk
Life-and-death sabotage stemming from phishing attacks may be one of the most dangerous risks the transportation industry faces today, but it’s not the only one. Vulnerable email systems leave company operations open to costly cargo and data thefts, ransomware attacks, and logistics disruptions.
Nation-state operatives such as China’s Periscope appear to be targeting transportation companies in several countries for access to trade and military secrets. And last month, the Coast Guard reported that a phishing attack on a maritime shipping facility led to deployment of Ryuk ransomware that disrupted the organization’s entire operations for 30 hours and breached critical data.
Ransomware demands averaged $36,000 in the second half of 2019, up from just $12,000 earlier in the year. And for US-based transportation companies, total costs associated with a data breach top $7.5 million per incident, double the global average, according to the 2019 Cost of a Data Breach Report from Ponemon Institute.
And those are just the initial ramifications. Follow-on consequences can include brand damage, lost customers, costly liability settlements, fines, and system remediation or replacement costs.
Taking a Modern Approach to Email Security
Training personnel to recognize phishing attempts is an important part of the solution. So is keeping phishing attempts out of their inboxes. But in the year ahead, that will grow more challenging.
As security controls grow more proficient at sniffing out malware and malicious content, more attackers will turn to sophisticated social engineering tactics that easily bypass those measures.
What’s more, the rising availability of breached login credentials means employees will face scam emails sent from hijacked email accounts belonging to trusted sources, complete with context-aware email messages informed by surveillance of ongoing email conversations.
Organizations in the transportation industry may find that fighting those kinds of attacks means they must augment traditional security controls with modern email security solutions that leverage machine learning to continuously scrutinize email far more deeply than any human ever could, preventing attacks from ever reaching recipients.
Cybercriminals and foreign threat actors know that ships, trains, and trucks make valuable targets. Given international tensions and trends in email security, it’s a safe bet that phishing attacks will produce unprecedented risk for transportation businesses, their customers, and the public at large in the year ahead.
We’d all better hope the entire industry is ready for it.