Why AI is a growing cyber threat to transit

Public transit is facing increasing levels of hacking from artificial intelligence (AI) and automated attacks, says a leading cybersecurity expert.

David Miller, head of security and data protection officer at Vix Technology–a transport solutions provider–says that as Intelligent Transport Systems (ITS) have evolved dramatically, so has AI and is fast becoming a threat.

“Ten years ago, hacking was more technical and was a lot more time consuming,” he explains. “Whereas nowadays, with the invention of AI and machine learning capabilities, it’s very easy for everyday people to attempt to hack into a system or cause disruption.”

Criminal organisations are increasingly stepping into “crime as a service”, whereby a syndicate sells their skills for ransomware and distributed denial-of-service (DDoS) attacks to individuals or organisations.

This includes nation state attackers. Over the last five years, the public transit sector has seen nation states and criminal organisations launch cyberattacks as well on companies and foreign governments.

“We’ve seen that with Ukraine, where there are attacks against the country’s critical national infrastructure, including power plants and transportation [particularly railway] systems,” he says. “It’s using cyber-attacks to disrupt these essential systems and really causing problems for everyday life.”

Cyber threat landscape

Disruptions to rail operations due to cyber threats have severe consequences – from causing supply shortages or even loss of life. In March this year, the European Union Agency for Cybersecurity (ENISA) published its first cyber threat landscape report dedicated to the transport sector – covering aviation, rail, maritime and road.

It focussed on the period between January 2021 and October 2022 and found ransomware attacks were the most prominent threat against the sector, with attacks almost doubling, rising from 13 percent in 2021 to 25 percent in 2022. And more than half of the incidents observed in the reporting period were linked to cybercriminals (55 percent).

Twenty-one incidents targeting the railway sector (in the EU) were analysed, out of a total of 98 cyber-attacks.

Risks identified range from ransomware to data-related threats primarily targeting IT systems like passenger services, ticketing systems, and mobile applications, causing service disruptions. And hacktivist groups have been conducting DDoS attacks against railway companies with an increasing rate, primarily due to Russia’s invasion of Ukraine.

Data-related threats (25 percent) and ransomware (45 percent) were the biggest risks targeting railways and DDoS attacks occurred the most in the rail industry.

A new cybersecurity framework

To further protect railways in Europe, ENISA is developing a new cybersecurity certification framework which will define the criteria and requirements that ICT systems must meet to be certified as secure and trustworthy. Companies that fail to comply may face significant fines and other penalties.

“”All our solutions comply with EU cybersecurity standards ensuring a high level of cybersecurity is enforced,” says Miller. “ENISA’s new cybersecurity certification framework will support and enhance Europe’s cybersecurity capabilities whilst setting a baseline standard for cybersecurity which will help railways and critical national infrastructure remain protected and operational.”

Which data should be protected?

While information such as timetables is publicly available and does not need to be encrypted it’s important to protect the back-end or data house system, which could otherwise allow an attacker to get access to other parts of the network.

“While we do want to protect it (timetables etc), and certainly protect the integrity of it, we’re not so worried about self-confidentiality data,” explains Miller. “But criminals might hack it to modify the information and cause disruption by displaying messages on bus stops that might promote extremism, violence or promote a political message. It’s definitely a contextual risk basis. Not all data needs to be encrypted. It just depends on how sensitive it is and what the risks are.”

At Vix all customer data is secure by design whereby the company builds in “privacy by design” ensuring all customer data is protected.

“We take all that into account from the ground up at every stage of the process,” he adds. “When we’re building and deploying a solution, we ensure it is secure to keep customer data protected and private.”

Using AI to protect against threats

Although AI is a growing concern, the future is not all bleak. Public transit agencies and industry can also use AI to build stronger automated defences.

“Using AI to protect against cyber-attacks is useful but importantly so too is increased industry cooperation,” says Miller. “Maybe five to 10 years ago governments were doing their own thing and industry was doing something else but we are seeing more collaboration between different organisations, different agencies, and different governments.”

Vix ranked in top three for cybersecurity

Bitsight, a cyber risk management company, has ranked Vix at number three within transport technology companies, with a score of 750. The rankings help organisations manage exposure, performance, and risk for themselves and their third parties.

Other certifications that Vix holds include: ISO27001, Cyber Essentials, SOC 1, and Payment Card Industry Data Security Standard.

Vix is also registered with the UK’s Information Commissioner’s Office as a Relevant Digital Service Provider under the NIS Regulations 2018 (NIS Directive).