Intelligent or smart public transportation and shipping systems require more and more data to function efficiently and effectively. Governments and companies alike need to take measures to safeguard the cybersecurity and privacy of these systems.
The rise of smart cities and smart shipping has connected critical infrastructure to the internet, creating numerous opportunities to collect data on the use of roads, ships and public transportation. While real-time tracking could reduce congestion in cities and improve management of overseas shipping, security and privacy risks emerge that need to be addressed sooner rather than later to avoid incidents that disrupt the functionality of the systems.
Security and privacy risks in transportation systems
A recent report by International Data Corporation (IDC) titled “Surveillance Avenue—Urban Mobility and Addressing the Erosion of Privacy” states it is becoming difficult for people to use public transportation systems without surrendering at least some of their personal data. Facial recognition cameras, license plate readers, mobile phone data and other technologies are increasingly used to track people as they move. Combined with other datasets, that information could be used to create a detailed profile of every citizen and could render anonymity a thing of the past.
“As increasing amounts of data are collected, we are faced with the issue that one must exchange personal privacy for the use of publicly funded transportation networks or assets,” says Mark Zannoni, IDC research director for Smart Cities and Transportation and head of IDC’s Worldwide Urban Mobility Program. “Whether initially personally identifiable or anonymous, individual data from urban mobility can be deanonymized, which is not only invasive but also enables potentially dangerous situations. Data collectors and owners must assure the public of responsible data use, which will come to realization by the adoption of extensive data privacy protection laws or guidelines.”
Hence, without proper security protections, this information could easily fall into the wrong hands. The wave of ransomware attacks against major cities around the world indicates that safeguarding huge amounts of data is not an easy thing to do. Failure to secure our digital infrastructures could result in all this personal data being left vulnerable to malicious attacks or even unintentional errors and disclosures.
The challenges of smart transportation systems do not end with protecting personal data. They also include protecting the reliability and availability of these systems. In August 2019, Transport for London (the local government body responsible for the transport system in London) was forced to temporarily close down the online facility for its card system due to a data breach. In July 2019, New York City Metropolitan Transport Authority’s subway system shut down six major rail lines across the city without any warning, following a widespread “failure in the computer system that powers the signals” of the affected lines.
The security of transportation systems is a pressing issue. Without significant cybersecurity deployment, transportation systems equipped with Internet of Things (IoT) and Artificial Intelligence (AI) capabilities would be vulnerable to outside interference. While leaving users’ data at risk of hacking poses privacy concerns, potential compromise of the operating systems of transportation systems could risk passengers’ safety.
For these reasons, the Department of Homeland Security has issued the Transportation Systems Sector (TSS) Cybersecurity Framework Implementation Guidance, which helps TSS owners to adapt the requirements of the NIST Cybersecurity Framework to the needs of the transportation sector to help reduce cyber risks. At the same time, the European Commission has launched projects in the framework of the Digital Single Market Strategy to promote solutions that result in a more efficient management of the transport network for passengers and businesses.
Security and privacy risks in the maritime sector
In the maritime sector, Information Technology (IT) and Operational Technology (OT) systems onboard ships are used for a multitude of purposes, such as controlling engines and associated systems, cargo management, navigational systems, administration, etc. Until recent years, these systems were commonly isolated from each other and from any external shore-based systems. The increased integration of systems and the greater use of digital ship-to-shore communication and data links now expose ships to cybersecurity risks.
“Vessels digitalization with the numerous different OT devices deployed creates a digital landscape previously unknown to a big extent due to the specific hardware and software being used. New security risks are evolved with the impact being very significant mainly due to the direct connection with the physical world and the consequent operational damage,” says Isidoros Monogioudis, Adjunct Professor at the Hellenic American University.
The maritime digital environment includes systems such as Vessel Integrated Navigation System (VINS), GPS, satellite communications, Automatic Identification System (AIS), and engine control systems. Fault tolerance and near-real-time response to incidents are crucial to ensure the high availability of ships. With more IoT devices onboard and the use of Artificial Intelligence, the future of Internet of Ships and Maritime Autonomous Systems (MAS) is imminent.
Completely digitalized shipping means greater reliance on systems that exchange sensitive data for the management of cargo and the ship. A cyber incident on a ship might have severe consequences for the crew, the passengers, and the cargo on board. Considering that many ships carry harmful substances, such as chemicals, a cyber incident might have severe environmental consequences or might lead to hijacking the ship to steal the cargo.
For these reasons, the United Nations International Maritime Organization (IMO) and Baltic and International Maritime Council (BIMCO) have issued guidelines which offer guidance to shipowners and operators on how to assess their operations and develop the necessary procedures and actions to improve resilience and maintain the integrity of cyber systems onboard their ships.
“Both proactive and reactive measures must be developed and applied with the real-time security awareness and visibility being possibly the most critical solution since OT environment remains extremely sensitive in providing timely and accurate services,” says Isidoros Monogioudis.
Is that all?
Cybersecurity controls are important to preserve the reliability of the smart transportation and shipping systems and the integrity and confidentiality of the mission-critical and personal data required for the operation of these systems. These measures are also required to preserve the safety of the passengers and the goods shipped. In the case of the safety of products and substances, distinct regulations apply, such as the U.S. Coast Guard Maritime Transportation Security Act (MTSA), which creates a consistent security program for all ports to better identify and deter threats, or the CISA Chemical Facility Anti-Terrorism Standards.
While technology transforms transportation and shipping organizations, it introduces new security risks and challenges. Organizations must take all required security measures proactively to minimize the likelihood of an event that may jeopardize the safety of people and the environment.
ITEGRITI helps protect some of the nation’s most critical infrastructure, serving clients in the energy, healthcare, transportation, education, retail and financial sectors. We develop and implement programs that mitigate cyber and compliance risk, supported by internal controls to measure, monitor and report ongoing program effectiveness. Our programs help companies avoid hacks and minimize business impact during a cybersecurity event.