As recent cyberattacks on T&L companies reveal, by and large the T&L industry is ill-equipped to handle the risks it’s facing, due largely to three factors: inadequate regulation (compared to other national-critical infrastructure like power generation), lack of awareness among decision makers and the overarching shortage of OT-security experts.
As mentioned, the transition to IIoT-based automation, communications and operation management systems has increased the attack surface in the T&L sector. This is due to the large amount of data and interconnected systems that T&L companies handle, which makes them prime targets for hackers. For example, the International Maritime Organization’s (IMO) strategic transition to e-navigation allows continuously collecting, integrating, and analyzing ship and container information to track ships’ locations, cargo details, maintenance issues and more; this means that a breach of the e-navigation system would affect the entire spectrum of shipping operations, rather than disrupting one area of operations.
As for regulation, despite the sector’s global operations—or perhaps because of them—regulators have had a hard time agreeing or focusing on a set of cybersecurity standards that T&L companies should follow wherever they operate. Among the regulations proposed or already established are the EU’s Network and Information Security (NIS) directive and the soon-to-be-implemented CLC/TS 50701 and EN 50126 standards for railroads, as well as a series of rules for ships promulgated by the International Maritime Organization.
Finally, the T&L sector is competing with practically all other OT and IT sectors over a small pool of cybersecurity talent. As many as four million cyber specialist jobs were unfilled in 2020, according to the information security trade group ISC2. To make matters worse for the relatively slow-moving T&L industry, it has little appeal to recent information security graduates, who tend to be drawn to industries that involve more innovation and creativity.