TRANSPORT CYBERSECURITY TOOLKIT

Transport Cybersecurity Toolkit training



Overview

The European Commission published on 16 December 2020 its Transport Cybersecurity Toolkit, a repository of tips and recommended practices to enhance cybersecurity and cyber-resilience in the transport sector.

Cybersecurity is becoming a growing concern for the transport industry. Yet, many employees remain insufficiently aware of the risks, and their actions may sometimes inadvertently open the door to attackers.

Against this background, the transport cybersecurity toolkit aims at contributing to greater levels of cyber-awareness and cyber-hygiene, with a specific focus on the transport sector. It addresses transport organisations, regardless of their size and domain of activity.

Concretely, the toolkit contains basic information on four threats that may affect transport organisations: malware diffusion, denial of service, unauthorised access and theft, and software manipulation.

For each of those threats, the toolkit lists good mitigating practices, which are relevant for all transport staff, regardless of their occupation.

The toolkit also contains a more advanced level, which provides information that is particularly relevant for security and cybersecurity professionals in transport organisations. This advanced level is organised by transport mode: air, maritime and land. For each transport mode, the toolkit provides guidance on identifying, protecting, detecting, and responding to cyber-threats.

We tailor the program to meet specific requirements. You may contact us to discuss your needs.



Target Audience

The Commission's Directorate-General for Mobility and Transport, which is responsible for EU policy on mobility and transport, has contracted the development of the Transport Cybersecurity Toolkit to enhance the awareness and preparedness of transport stakeholders to cyber threats.

The Transport Cybersecurity Toolkit provides insights for understanding cyber threats and mitigating their impact on transport services, systems, and operations. This toolkit provides alternative awareness paths targeting:

- All transport staff. It targets all staff of transport organisations, from staff in transport service operations to administrative staff. It provides guidance towards an increased understanding and awareness of the most common cyber threats targeting transport services and systems. Additionally, it provides insights on how to deal with potential cyber threats, including identifying, reporting, and mitigating them by cybersecurity good practices.

- Transport decision-makers in cybersecurity across the different transport modes. It targets staff who have decision-making responsibilities for cybersecurity in transport organisations. This path highlights good practices tailored to the different transport modes for enhancing cybersecurity posture of transport organisations. In particular, it provides good practices in order to identify, protect, detect, and respond to emerging cyber threats targeting transport organisations.

The program is also beneficial to suppliers and service providers of the transport and logistics industry.


Duration

One hour to one day, depending on the needs, the content of the program and the case studies. We always tailor the program to the needs of each client.


Instructor

Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.



Course synopsis

Transport threat landscape.

- The cyber threat landscape is dynamic and continuously evolving. Nevertheless, it is possible to identify cyber threats, which all transport modes face in operations of services and systems.

- Emerging cybersecurity threats affecting different modes of transport.


Threat actors.

- Individuals or organisations that may potentially impact safety and security of transport services and systems.


Emerging cyber-threats.

- Selected cyber-threats that may potentially represent attack vectors impacting safety and security of transport services and systems.

- The most significant malicious actors intentionally targeting transport organisations: Cyber criminals, insiders, nation states and state-sponsored groups.

There are a substantial number of cyber threats targeting transport:

- distributed denial of service,

- denial of service,

- data theft,

- malware diffusion,

- phishing,

- software manipulation,

- unauthorised access,

- destructive attacks,

- falsification or bypassing of security operator decision process,

- masquerading of identity,

- abuse of access privileges,

- social engineering,

- defacement,

- eavesdropping,

- misuse of assets, and

- hardware manipulation.

The most pressing emerging cyber threats affecting transport are: Malware, (Distributed) Denial of Service, Unauthorised Access and Theft, and Software Manipulation.


Threat #1: Malware.

- Malicious software that may potentially affect individuals or organisations across transport modes.


Threat #2: (Distributed) Denial of Service.

- Cybersecurity attacks preventing individuals or organisations from accessing relevant transport services and resources.


Threat #3: Unauthorised Access and Theft.

- Unauthorised access, appropriation, and exploitation of critical assets.


Threat #4: Software Manipulation.

- Cybersecurity attacks targeting software in order to modify its behaviour and conduct specific attacks.


Good practices against malware.

You can protect your organisation by following good practices for identifying and preventing the diffusion of malware, such as:

- Follow security policies such as scanning storage media and files for viruses, avoiding opening and emailing specific types of files (e.g. executable files such as .exe, .bat, .com, etc.), installing only authorised software, ensuring software (including antivirus) is up to date and functioning properly, and other policies.

- Back up your data regularly to secure (and authorised) data storage devices or services, which should support encryption mechanisms in order to protect data at rest and should be available for data restore procedures.

- Protect with suitable security measures (e.g. password, encryption, etc.) all systems including mobile and endpoint devices, and remember to lock (physically and digitally) securely all systems if unattended.

- Avoid opening attachments and clicking on hyperlinks contained in unexpected emails and suspicious web browser popup windows with a strange body text or from unknown senders and internet domains.

- Avoid inserting into your computer untrusted or unknown removable devices such as USB sticks, hard disks, and other storage devices.

- Avoid disabling malware security measures (e.g. antivirus software, content filtering software, firewall, etc.).

- Update installed software regularly to the latest available versions (which information security officers or system administrators may release with regular updates).

- Avoid using privileged (e.g. administrator-level) accounts and credentials for regular activities and operations.

- Report to information security officers or system administrators any suspicious email or unexpected system behaviour.

- Focus attention on information security among daily routine work in order to recognise IT security concerns and respond accordingly.


Good practices against Denial of Service.

You can help protect your organisation by identifying Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks. You should immediately contact your security and IT teams if you detect or experience any of the following indicators of potentially ongoing DDoS and DoS attacks on your services or systems:

- Increasing requests consuming network capacity (perceived as slow services and responses) resulting in service or system failures due to overload.

- Increasing demand of memory resources usage without an obvious reason.

- Unexpected behaviours of services and systems, frequent crashes, and strange error messages due to malicious consumptions of computational resources or network connections.

- Degraded performances of devices, long executions for trivial tasks and noticeable activities (e.g. noisy fan while devices performing slowly).

- Unexpected internet connections or loss of connections to services and systems.

- Subtle behavioural changes of operation controls or technologies resulting in physical damages.

- Denials of accesses to privileged or administrative accounts in order to block incident response procedures from recovering.


Good practices against Unauthorised Access and Theft.

In order to prevent attacks involving unauthorised access and theft, it is necessary to follow principles such as ‘need to know’ and ‘security and privacy by default’, which emphasise that sensitive and confidential assets (including personal and sensitive data, transport systems, etc.) should be accessible only to those who have the right to access them in order to perform their duties. You can help protect your organisation by following good practices for identifying and preventing unauthorised access and theft, such as:

- Follow security organisational policies.

- Avoid sharing and publishing online credentials and personal data, including pictures that may contain such information.

- Avoid using or transmitting credentials and personal data (and other sensitive data) to untrusted and unsecure networks, devices, or web services (e.g. websites that use unsecure protocols or addresses http:// and not secure ones https://).

- Never reveal to anyone your credentials (e.g. login and password) even via email or phone.

- Protect sensitive data typed on keyboards or shown on screens (including on mobile devices) from unauthorised individuals, install privacy screens, and avoid working from public places with private devices, and avoid leaving any device unlocked and unattended.

- Use complex passwords (e.g. sufficiently long password combining alphanumerical and special characters) complying with relevant organisational security policies in order to prevent unauthorised access.


Good practices against Software Manipulation.

You can help in protecting your organisation by following good practices for identifying and preventing software manipulation, such as:

- Avoid installing unreliable software on systems and devices (including personal computers, servers, peripherals, network devices, smartphones, etc.).

- Always install software and updates from official sources and websites (e.g. producers, corporate repositories, etc.).

- Avoid downloading software and applications (and any file) from illegal sources.

- Uninstall unnecessary or not recently used software, and disable unnecessary connections (e.g. network protocols and services) including access to remote services (e.g. cloud storage services).

- Scan any software or storage devices with a reliable and updated antivirus.

- Download safe industrial software (e.g. updates, patches, new products, etc.) from trusted suppliers using the white station principle.

- Update all installed software in compliance with organisational policies and practices.


Good practices tailored to Air Transport.

Aviation organisations need clear understandings on emerging threats in order to define management policies and processes to govern their approaches in order to enhance cybersecurity of services and systems in operations, including Information Technology (IT) and Operational Technology (OT).

Examples of services and systems in air transport: Those accessible to employees (e.g. personal computers, mobile phones, office peripherals, etc.) as well as passengers (e.g. public Wi-Fi routers and connections, etc.).

Examples of OT are Supervisory Controls and Data Acquisition (SCADA) systems, heating, ventilation, and air conditioning (HVAC) systems, security checkpoints for cabin baggage, baggage handling systems (BHS), access control, monitoring, surveillance, alarm response, screening technology, airfield lighting control systems, radar systems and sensors, Global Positioning Systems (GPS) systems, Air Traffic Management (ATM) systems, Communication, Navigation and Surveillance systems (CNS), Aeronautical Information Systems, Meteorological Systems, Security Operation Centre Systems, airline on-board systems, and others.


Good practices tailored to Land Transport.

Organisations in land transport (rail and road) need clear understandings on emerging threats in order to define management policies and processes to govern their approaches in order to enhance cybersecurity of services and systems in operations, including Information Technology (IT) and Operational Technology (OT).

Examples of services and systems in land transport: Those accessible to employees (e.g. personal computers, mobile phones, office peripherals, etc.) as well as passengers (e.g. public Wi-Fi routers and connections, etc.).

Examples of OT are Supervisory Controls and Data Acquisition (SCADA) systems, heating, ventilation, and air conditioning (HVAC) systems, Global Positioning Systems (GPS) systems, access control, monitoring, surveillance, alarm response, and screening technology.

Specific systems for rail transport are, for example: operational (control and command systems) including signalling systems, the European Rail Traffic Management System (ERTMS), on-train systems, maintenance systems.


Good practices tailored to Maritime Transport.

Organisations in maritime transport need clear understandings on emerging threats in order to define management policies and processes to govern their approaches in order to enhance cybersecurity of services and systems in operations, including Information Technology (IT) and Operational Technology (OT).

Examples of services and systems in maritime transport: Those accessible to employees (e.g. personal computers, mobile phones, office peripherals, etc.) as well as passengers (e.g. public Wi-Fi routers and connections, etc.).

Examples of OT are Supervisory Controls and Data Acquisition (SCADA) systems, heating, ventilation, and air conditioning (HVAC) systems, Global Positioning Systems (GPS) systems, access control, monitoring, surveillance, alarm response, screening technology, on-board navigation systems, SafeSeaNet, bridge systems, cargo handling and management systems, propulsion and machinery management and power control systems, access control systems, passenger servicing and management systems, passenger facing public networks, administrative and crew welfare systems, communication systems, and others.

Closing remarks and questions.


For more information, you may contact us.



Good Practices and Security Measures tailored to Air Transport, from the European Commission



Governance to Identify Cybersecurity Threats

Governance: Aviation organisations need clear understandings on emerging threats in order to define management policies and processes to govern their approaches in order to enhance cybersecurity of services and systems in operations, including Information Technology (IT) and Operational Technology (OT).


Good practices for organisations of any size involve:

1. Ensuring that senior management levels report cybersecurity concerns to executives and boards, who can make informed decisions on resource allocations.

2. Appointing a senior role, accountable for cybersecurity as well as physical security, with overall management responsibilities for the security of Information Technology (IT) and Operational Technology (OT), but without involvement in operations in order to avoid conflicts of interest.

3. Clearly defining roles, responsibilities, competences, and clearances related to cybersecurity and communicating and agreeing on them with relevant personnel, in particular, for members of Computer Emergency Response Teams (CERTs).

4. Ensuring cybersecurity governance throughout the entire security supply service chain, including both physical and digital interfaces, from technology manufacturers and installers to security providers.

5. Agreeing on activities and controls, including shared responsibilities, to manage cybersecurity risks, and ensuring that these responsibilities are sustained throughout the lifetime (e.g. by service agreements) of security solutions and services.

6. Defining governance mechanisms (e.g. policies) in order to comply with obligations drawn from relevant regulations and directives such as, for example, Regulation 2018/1139 on common rules in the field of civil aviation and Commission Implementing Regulation 2017/373 laying down common requirements for providers of air traffic management/air navigation services and other air traffic management network functions and their oversight as well as the NIS Directive (EU Directive 2016/1148 concerning measures for a high common level of security of network and information systems).


Examples of services and systems in air transport

Examples of IT are those accessible to employees (e.g. personal computers, mobile phones, office peripherals, etc.) as well as passengers (e.g. public Wi-Fi routers and connections, etc.).

Examples of OT are Supervisory Controls and Data Acquisition (SCADA) systems, heating, ventilation, and air conditioning (HVAC) systems, security checkpoints for cabin baggage, baggage handling systems (BHS), access control, monitoring, surveillance, alarm response, screening technology, airfield lighting control systems, radar systems and sensors, Global Positioning Systems (GPS) systems, Air Traffic Management (ATM) systems, Communication, Navigation and Surveillance systems (CNS), Aeronautical Information Systems, Meteorological Systems, Security Operation Centre Systems, airline on-board systems, and others.


Identify Cybersecurity Threats

Risk Management: Aviation organisations need to take appropriate steps to identify, assess, and understand cybersecurity risks to the network and information systems supporting the operations of essential functions.

This requires an overall organisational approach of risk management, which involves:

1. Ensuring a clear overview over the various hardware and software systems deployed for delivering different services. In the context of aviation, such systems involve Information Technology (IT) as well as Operational Technologies (OT).

2. Performing cybersecurity risk assessments, which take into account emerging threats, known vulnerabilities, and operational data in relation to the systems in scope. Organisations such as the European Air Traffic Management Computer Emergency Response Team (EATM-CERT) and the Aviation Information Sharing and Analysis Centre (A-ISAC) may provide insights on threats targeting air transport.

3. Ensuring that the risk assessments also cover the risks related to personnel daily activities (e.g. social media usage, personal device usage, data processing, information sharing, etc.).

4. Identifying and implementing risk treatment measures and plans to mitigate cybersecurity risks.

5. Implementing a comprehensive Information Security Management System (ISMS) and a Privacy Information Management System (PIMS) aligned with other management systems. Such management systems (i.e. ISMS and PIMS) involve implementing security (as well as data protection and privacy) controls in order to mitigate and prevent emerging threats affecting security of aviation services and systems (including their data).

6. Taking into account any constraints concerned with asset management and resource planning (that is, constraints that may affect the delivery, maintenance and support of critical systems for operations of essential functions in air transport).


Examples of risk management frameworks

Different frameworks (e.g. standards in the ISO/IEC 27000 family, NIST cybersecurity framework, MITRE ATT&CK Framework, BSI IT-Grundschutz, etc.) may inform and underpin a tailored risk management approach for air transport. International organisations such as IATA and ICAO provide guidance for cybersecurity risk assessments.

ENISA, EASA, EUROCONTROL, and Airports Council International (ACI) among others highlight good practices for securing airports, air traffic management providers, and other aviation organisations.

SESAR Joint Undertaking coordinates and concentrates all EU research and development (R&D) activities in Air Traffic Management covering also aspects of safety as well as security.



Good Practices and Security Measures tailored to Land Transport, from the European Commission



Governance to Identify Cybersecurity Threats

Governance: Organisations in land transport (rail and road) need clear understandings on emerging threats in order to define management policies and processes to govern their approaches in order to enhance cybersecurity of services and systems in operations, including Information Technology (IT) and Operational Technology (OT).


Good practices for organisations of any size involve:

1. Ensuring that senior management levels report cybersecurity concerns to executives and boards, who can make informed decisions on resource allocations.

2. Appointing a senior role, accountable for cybersecurity as well as physical security, with overall management responsibilities for the security of Information Technology (IT) and Operational Technology (OT), but without involvement in operations in order to avoid conflicts of interest.

3. Clearly defining roles, responsibilities, competences, and clearances related to cybersecurity and communicating and agreeing on them with relevant personnel. This is necessary, in particular, for members of Computer Emergency Response Teams (CERTs).

4. Ensuring cybersecurity governance throughout the entire security supply service chain, including both physical and digital interfaces, from technology manufacturers and installers to security providers.

5. Agreeing on activities and controls, including shared responsibilities, to manage cybersecurity risks, and ensuring that these responsibilities are sustained throughout the lifetime (e.g. by service agreements) of security solutions and services.

6. Defining governance mechanisms (e.g. policies) in order to comply with obligations drawn from relevant regulations and directives. This encompasses a broad set of policies covering the specific transport modes as well as different types of stakeholders (e.g. manufacturers of vehicles and rail systems) as well as the NIS Directive (EU Directive 2016/1148 concerning measures for a high common level of security of network and information systems).


Examples of services and systems in land transport

Examples of IT are those accessible to employees (e.g. personal computers, mobile phones, office peripherals, etc.) as well as passengers (e.g. public Wi-Fi routers and connections, etc.).

Examples of OT are Supervisory Controls and Data Acquisition (SCADA) systems, heating, ventilation, and air conditioning (HVAC) systems, Global Positioning Systems (GPS) systems, access control, monitoring, surveillance, alarm response, and screening technology. Specific systems for rail transport are, for example: operational (control and command systems) including signalling systems, the European Rail Traffic Management System (ERTMS), on-train systems, maintenance systems, and others.


Identification of Cybersecurity Threats

Risk Management: Land transport organisations need to take appropriate steps to identify, assess, and understand cybersecurity risks to the network and information systems supporting the operations of essential functions. This requires an overall organisational approach of risk management, which involves:

1. Ensuring a clear overview over the various hardware and software systems deployed for delivering different services. In the context of land transport, such systems involve Information Technology (IT) as well as Operational Technologies (OT).

2. Performing cybersecurity risk assessments, which should take into account emerging threats, known vulnerabilities, and operational data in relation to the systems in scope. Examples of systems in the land transport modes are: payment systems, network and communication systems (e.g. internet, radio communication, WiFi, etc.), on-board equipment, operational control centres, identity management systems, safety systems, and others.

For rail infrastructures, examples of systems are: rolling stock, operation and traffic management subsystems, control command, and signalling on-board and trackside subsystems, and others.

3. Ensuring that risk assessments also cover the risks related to personnel daily activities (e.g. social media usage, personal device usage, data processing, information sharing, etc.).

4. Identifying and implementing risk treatment measures and plans to mitigate cybersecurity risks, such as implementing a comprehensive Information Security Management System (ISMS) and a Privacy Information Management System (PIMS), aligned with other management systems.

Such management systems (i.e. ISMS and PIMS) involve implementing security (as well as data protection and privacy) controls in order to mitigate and prevent emerging threats affecting security of land transport services and systems (including their data).

5. Taking into account any constraints concerned with asset management and resource planning (that is, constraints that may affect the delivery, maintenance, and support of critical systems for operations of essential functions in land transport).



Good Practices and Security Measures tailored to Maritime Transport, from the European Commission



Governance to Identify Cybersecurity Threats

Governance: Organisations in maritime transport need clear understandings on emerging threats in order to define management policies and processes to govern their approaches in order to enhance cybersecurity of services and systems in operations, including Information Technology (IT) and Operational Technology (OT).

Good practices for organisations of any size involve:

1. Ensuring that senior management levels report cybersecurity concerns to executives and boards, who can make informed decisions on resource allocations.

2. Appointing a senior role with overall management responsibilities for the security of Information Technology (IT) and Operational Technology (OT). This role should be accountable for cybersecurity as well as physical security.

3. Clearly defining roles, responsibilities, competences, and clearances related to cybersecurity, defining levels of authority and lines of communication between, and amongst, shore and shipboard personnel, and agreeing on them with relevant personnel. This is necessary, in particular, for members of Computer Emergency Response Teams (CERTs).

Personnel with roles relating to EU maritime security and safety legislations, such as Port Facility Security Officers, Port Security Officers or Company Security Officers or the Designated Person Ashore (DPA) and the Master on board, should at least be familiar with the cybersecurity measures taken by the organisation.

4. Ensuring cybersecurity governance throughout the entire security supply service chain, including both physical and digital interfaces, from technology manufacturers and installers to security providers.

5. Agreeing on activities and controls, including shared responsibilities, to manage cybersecurity risks, and ensuring that these responsibilities are sustained throughout the lifetime (e.g. by service agreements) of security solutions and services.

6. Defining governance mechanisms (e.g. policies) in order to comply with obligations drawn from relevant regulations and directives, for example, Regulation 2019/1239 establishing a European Maritime Single Window environment (EMSWe), Regulation 725/2004 on enhancing ship and port facility security, Directive 2005/65/EC on enhancing port security, Regulation (EC) No 336/2006 on the implementation of the International Safety Management (ISM) Code, and Resolution A.741(18) adopting the ISM Code for the Safe Operation of Ships and for Pollution Prevention.

In this context, it is also worth mentioning the Common Information Sharing Environment (CISE), an EU initiative that aims to make European and Member States surveillance systems interoperable to give all concerned authorities access to the classified and unclassified information they need to conduct missions at sea.


Examples of services and systems in maritime transport:

Examples of IT are those accessible to employees (e.g. personal computers, mobile phones, office peripherals, etc.) as well as passengers (e.g. public Wi-Fi routers and connections, etc.).

Examples of OT are Supervisory Controls and Data Acquisition (SCADA) systems, heating, ventilation, and air conditioning (HVAC) systems, Global Positioning Systems (GPS) systems, access control, monitoring, surveillance, alarm response, screening technology, on-board navigation systems, SafeSeaNet, bridge systems, cargo handling and management systems, propulsion and machinery management and power control systems, access control systems, passenger servicing and management systems, passenger facing public networks, administrative and crew welfare systems, communication systems, and others.


Risk Management to Identify Cybersecurity Threats

Risk Management: Maritime organisations need to take appropriate steps to identify, analyse, assess, and communicate cybersecurity risks, and to accept, avoid, transfer, or mitigate them to an acceptable level. This requires an overall organisational approach of risk management, which involves:

1. Ensuring a clear overview over the various hardware and software systems deployed for delivering different services. In the context of maritime transport, such systems involve Information Technology (IT) as well as Operational Technologies (OT), and how these systems connect and integrate with the shore side, including public authorities, marine terminals and stevedores.

2. Identifying and evaluating key shipboard operations, which are vulnerable to cyber-attacks, and performing cybersecurity risk assessments (including assessing potential operational impacts and likelihood of occurrence) which should take into account emerging threats, known vulnerabilities, and operational data in relation to the systems in scope.

Where appropriate, making the link to security assessments carried out for ships (SSAs), port facilities (PFSAs), and ports (PSAs) as set out by EU maritime security legislation. These identify possible security threats to port infrastructure and security weaknesses. Additionally, maritime organisations such as the International Maritime Organisation (IMO) and maritime ISACs may provide insights on threats targeting maritime transport.

3. Ensuring that risk assessments also cover the risks related to personnel daily activities (e.g. social media usage, personal device usage, data processing, information sharing, etc.).

4. Identifying and implementing risk treatment measures and plans to mitigate cybersecurity risks. For example, implementing a comprehensive Information Security Management System (ISMS) and a Privacy Information Management System (PIMS), aligned with other management systems such as Safety Management Systems (SMS) in accordance with the International Safety Management (ISM) Code.

Such management systems (i.e. ISMS and PIMS) involve implementing security (as well as data protection and privacy) controls in order to mitigate and prevent emerging threats affecting security of maritime services and systems (including their data).

5. Taking into account any constraints concerned with asset management and resource planning (that is, constraints that may affect the delivery, maintenance and support of critical systems for operations of essential functions in maritime transport). As for assessments, make a cross-reference where appropriate to requirements of the ISM Code, Safety Management Systems (SMS) and security plans carried out according to EU maritime safety and security legislation.