Tallinn University of Technology

Author: Dr Adrian Venables, TalTech Centre for Digital Forensics and Cyber Security Senior Researcher

Cybersecurity in Estonia today

Estonia’s digital society has brought huge benefits to the country and its people. However, there are costs as well as benefits to a way of life relient on the Internet. With a near total dependency upon a wide range of technologies for the functioning of the state, ensuring their security and resilience is a critical function of government.  This importance is recognised by the Ministry of Economic Affairs and Communications (MKM) in the publication of its 2019-2022 Cybersecurity Strategy. This states that cybersecurity is universally accepted as an integral part of the functioning of the country and its economy, as well as for internal and external security. Within this document are stated the government’s Strategic Objectives, with the first being to ensure that Estonia is a sustainable digital society relying on strong technological resilience and emergency preparedness. To support this objective, reference is made to the Cybersecurity Act of 2018, which defines the service providers that maintain utilities essential for the functioning of society. The first of these are those organisations that provide a vital service under the terms of the Emergency Act, but the following three refer specifically to the transport sector, listing railways, aerodromes and ports. This emphasises the importance of an industry, which may be overlooked in terms of its significance and dependence upon communications technology to function.

Automation in the transport sector

The transport sector is becoming increasingly automated with many aspects now totally relient upon computer and networking technologies. The security of these systems is complex and includes unique challenges such as understanding the separate systems that manage the modes of transport and those that provide supporting services. Although the relationship between these two are sufficiently close that if one is significantly compromised, it may stop the movement of people and goods entirely, they have different security requirements. Examples of this are the aviation industry, which includes aircraft avionics that enable them to fly, air traffic control to coordinate their movements, and passenger booking systems to manage the customers experience. The rail and maritime industries have similar requirements, but will operate many different types of software each tailored to meet their exclusive needs.

The transport industry is very effective at harnessing new technologies to improve its cost effectiveness and safety. These can be used to increase the speed and efficiency of the service, reduce the numbers of personnel required to operate it, and enable it to operate in conditions that would otherwise not be possible. The level of automation is now at such a level that manual operation is no longer possible in some circumstances. For example, the port of Qingdao in China is the first fully automated port. It is able to load and unload ships faster than any other similar facility and operate 24 hours a day.[1] Such is the level of computerisation linked with 5G communications that manual operation is not possible, with the entire functioning of the port dependent upon computer controlled systems.

Railways are also increasingly becoming automated with less requirement for train drivers and manual signalling equipment. China again leads the world in this area with a new driverless train service launched in preparation for the 2022 Winter Olympics in Beijing. Capable of speeds of up to 350 km/h, it is also the fastest autonomous train in operation. Slower driverless trains have been in operation since the 1980s with the London Docklands light railway in operation since 1987. This is the most extensive system of its kind in the UK and its route through the east London and autonomous operation has made it a popular service. Although automation has eliminated the requirement for drivers, many trains still have onboard staff. These provide security and customer service or in the case of London Underground, utilise fully qualified drivers whose sole task is to open and close the doors. The reasoning behind the introduction of driverless trains in London has been suggested as a response to poor industrial relations – no drivers means no striking drivers. However, the reality is more complicated in that the investment required to operate ’unattended trains’ is substantial and may not be economically feasible. Union resistance to change can be expected and passengers may also feel uncomfortable in an underground train with no trained member of staff available should an  emergency situation occur.

Cybersecurity incidents in the transport sector

Despite the politics of industrial relations, the transport Industry is increasingly utilising networked technology to enable it to operate more effectively and efficiently. Any disruption to these systems can potentially have very significant, and potentially life threatening, consequences. Although these may be as a result of system failure or operator negligence, to be regarded as a cybersecurity incident it must be the result of malicious action. Fortunately, there have been no catastrophic failures as a result of deliberate acts of sabotage, but there have been a number of incidents that demonstrate their vulnerabilities. In 2013 the IT system in the port of Antwerp that controlled the movement and location of containers was compromised. Drugs were hidden in legitimate cargo and criminals were able to determine the location of containers enabling them to be stolen before the unknowing owner arrived. The airline industry was also victim of financially motivated crime when British Airways was targeted in an attempt to steal customers’ data. This resulted in a record fine of £183 million under the EU’s General Data Protection Regulation (GDPR). Perhaps the most well known compromise of administrative systems in the transport industry affected the Maersk shipping line in 2018. Although not deliberately targeted, the company was infected by the ’NotPetya’ malware that widely affected organisations using the Ukrainian tax-filing software ’MEDoc’.[8] This action was later attributed to Russia as part of its campaign to undermine the Ukrainian economy by attacking its financial, energy and government institutions. Although the attack did not directly affect the ships, the cost to the company was estimated in the region of $300m.

Although there have been no reports of individual aircraft or ships being subject to a successful cyberattack, railways have been targeted. As early as 2008 the tram system in the Polish city of Lodz was compromised by a teenager who altered signals and track settings with a device similar to a television remote control.[2] Since then, the prevalence, accessibility and dispersed nature of railways have been recognised within Europe. In 2020 the European Union Agency for Cybersecurity (ENISA) released a report focusing on the cybersecurity challenges facing Europe’s railways.[3] The risk to ships and planes has also been acknowledged and several cybersecurity companies have demonstrated vulnerabilities in both their systems and how they are operated.  Potential vulnerabilities in aircraft have been identified with security researchers using passenger inflight entertainment systems and satellite connections as a potential means to access more critical systems. Ships have also been the targets of security researchers, with one having highlighted several vulnerabilities. These included being able to access the ship via its satellite communications system and potentially interfering with its electronic navigation and engineering systems.[5]

The methods of transport addressed in this article have been in use for many years. As with the rest of society new technology has been introduced, much of which remains hidden from its passengers. As part of a nation’s critical national infrastructure, transport resilience is vital to its economy, but it also has a significant safety of life component. We neglect the cybersecurity issues of this sector at our peril and understanding and mitigating the risks it presents an ongoing challenge that must faced and overcome.

The article was published in Edasi.org in May 2021.