Transport – is your risk in the third party?

Thursday, 1 June 2023

Wherever there is a critical service, there is an attractive target for cybercrime.

We were reminded of this recently when South African Airlines lost its website and customer app for a day due to a ransomware attack¹. The incident followed recent attacks on Washington’s Metropolitan Area Transit Authority² and Denmark’s State Railway³. In the two latter breaches, the hackers gained access to the transport operators’ systems through third-party suppliers or contractors.

The list of breaches is long and the impacts expensive. More examples include a ransom demand for stolen data from San Francisco’s Bay Area Rapid Transit, a Chinese hack into the New York Metropolitan Transit Authority and two attacks on Toronto’s Metrolinx, one of which affected trip-planning apps, the website and more. Vancouver’s TransLink had its payment and communications systems disabled and employee personal data breached. When the Southeastern Pennsylvania Transportation Authority was hit by a ransomware attack, travellers in San Francisco rode for free.

We are equally exposed in Australia. Transport NSW has experienced two data breaches via third-party suppliers in which customer data was accessed⁴. We can expect more.

What makes these systems attractive to hackers is a unique combination of factors, including access to valuable customer data, the high level of disruption the threat can cause, their reliance on automation technology and the vulnerability of a public entity. Most important, perhaps, is a reliance on third-party suppliers for aspects of systems delivery. Public operations rely on the tax dollar for survival and are run to tight budgets, often by a rigid bureaucracy that can make rapid decision-making difficult. All this gives the hackers an excellent return on their investment effort.

The compliance bar for cybersecurity in business is now very high. Business needs to comply with upgraded legislation and have a new level of maturity in technical systems, staff training and organisational culture. Third-party suppliers should be expected to adhere to the same level of scrutiny as your own.

In Washington Metro’s case, a former contractor was able to access the system remotely from a computer in Russia. The Authority’s own inspectorate reported it had not acted on 50 previous cybersecurity recommendations from oversight agencies. This example highlights the importance of allowing only relevant access and only when it’s needed. The Danish attack came via a company providing enterprise asset management solutions to transport operators. The NSW transport examples, too, involved third-party suppliers.

As these transport examples demonstrate, the more parties who have access to an organisation’s data the greater the risk. Too many businesses fail to consider their third-party suppliers and contractors when assessing their own cybersecurity risks. It means businesses who think they are managing their risk can be destroyed by association with those who are not.