1 of 7

DHS THREAT INTELLIGENCE BRIEF - TRANSPORTATION SYSTEMS SECTOR��

UNCLASSIFIED//FOR OFFICIAL USE ONLY

DEPARTMENT OF HOMELAND SECURITY

(U) Warning: This document is UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS and FBI policy relating to FOUO information and is not to be released to the public, the media, non-US Citizens or other personnel who do not have a valid need to know without prior approval of an authorized DHS or FBI official. Federal, State and local homeland security officials may share this document with authorized critical infrastructure and key resource personnel and private sector security officials without further approval from DHS and FBI.

(U) This product contains US person information that has been deemed necessary for the intended recipient to understand, assess, or act on the information provided. It has been highlighted in this document with the label USPER and should be handled in accordance with the recipient's intelligence oversight and/or information handling procedures.

TLP:AMBER - Limited disclosure, restricted to participants’ organizations. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

Hello everyone. My name is Tony Militano. Thank you for joining us for this two-part brief focused on the Cyber Threats and Vulnerabilities associated with the Aviation sub sector. The first portion of the brief will be presented by me and will focus specifically on the cyber threats most likely encountered within. I will be immediately followed by Chris Hild, who will be concentrating on the cyber vulnerabilities associated with the aviation industry.

This brief was a collaborative effort across four DHS partners. It includes input and analysis from the Cybersecurity and Infrastructure Security Agency (CISA), the Transportation Security Administration’s Office of Intelligence Analysis, the DHS Office of Intelligence and Analysis Cyber Mission Center, and the United States Coast Guard.

2 of 7

Agenda

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Defining the Threat Environment

Threat Overview – Transportation Systems Sector

Cyber Threat Actor Capabilities and Attributes

Aviation Threats

3 of 7

Defining the Threat Environment

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Threat = Capability + Intent + Opportunity

Threat Mitigation = Threat - Opportunity

Let’s start with defining the threat environment.

In analytic terms, threat can be defined as Intent + Capability + Opportunity

As seen in the graphic Intent is defined as the goal your adversary hopes to achieve. Capability is the means your adversary possesses which are needed to successfully breach your organization and achieve their intended goals, and Opportunity is your adversary’s timing and knowledge of your environment including its vulnerabilities.

A legitimate defined threat must consist of all three pieces of the formula, otherwise it simply exists as a potential threat. It’s critical to separate the two because words have meaning and will serve as the benchmark for this brief moving forward.

The last half of the threat formula includes threat mitigations. As seen in the graphic, Threat Mitigation is Threat minus Opportunity; Opportunity being the easiest of the three you yourself can control; disallowing a threat to become actualized.

In the cyber world, cyber threats to a network refer to the person or persons who attempt unauthorized access to a control system device, and/or network, using a data communications pathway. This access can be directed from within an organization by trusted users or from remote locations by unknown persons using the Internet. Threats to control systems or data networks can come from numerous sources, including national governments, aka Nation State Actors, terrorists, industrial spies, organized crime groups, hacktivists, hackers, and inadvertent actions of an authorized user. Cyber attacks disrupt service, deny capabilities, and degrade network integrity.

4 of 7

Threat Overview – Transportation Systems Sector

UNCLASSIFIED//FOR OFFICIAL USE ONLY

The Transportation Systems Sector faces a multitude of cyber threats at the hands of criminals, hackers, insiders, and nation-state actors.

Disruptive attacks, such as cyber physical manipulation, GPS spoofing and jamming, represent low-frequency—but potentially catastrophic threats—to the transportation industry.

Interdependencies between layers of air, rail, and maritime transportation systems provide actors with opportunities to perform operations leveraging a variety of attack surfaces.

The Transportation Sector is a critical part of the global economy that enables the movement of people and products. It is also a vital link in the supply chain supporting many industries. Transportation is comprised of numerous subsectors including, but not limited to aviation, mass transit, freight rail, and maritime. The Sector is heavily reliant on cyber enabled technology designed to ensure safety and efficiency of operations across its subsectors. In many cases, it utilizes a wide array of computer-based interconnected systems, such as air navigation systems, on-board aircraft control and communication systems, maritime-related GPS systems, positive train control systems, and security screening systems. These interconnected systems and the heavy dependence on technology create an optimal environment for the emergence of new and existing threats. Recent TSA reporting focused on cyber incidents affecting aviation and surface related transportation assets during the 1^st quarter of 2021 highlights 55 separate cyber-attacks directed toward the transportation industry over a 90-day period. The most frequent tactic, technique, and procedure (TTP) known to compromise victim networks was ransomware, which accounted for nearly one-third of all attacks. The general threat across the Transportation Sector can be analyzed by identifying the various types of malicious cyber actors, why they attack their targets i.e. motive, and the means by which they conduct their attacks.

5 of 7

Cyber Threat Actor Capabilities and Attributes

(U) Cyber threat actors are not equal in terms of capability and sophistication, and have a range of resources, training, and support for their activities. Cyber threat actors may operate on their own or as part of a larger organization (i.e., a nation-state intelligence program or organized crime group). Sometimes, even sophisticated actors use less sophisticated and readily available tools and techniques because these can still be effective for a given task and/ or make it difficult for defenders to attribute the activity.

(U) Nation-states are frequently the most sophisticated threat actors, with dedicated resources and personnel, and extensive planning and coordination. Some nation-states have operational relationships with private sector entities and organized criminals. Nation-States such as China are believed to place a strong emphasis on building out China’s rail transportation industry in order to meet state goals outlined in various strategic plans to include Belt Road Initiative (BRI), Made in China (MIC) 2025, among others. Nation-State actors continue to map US critical infrastructure sectors for strategic advantage, deterrence and escalation options and have likely conducted numerous cyber espionage campaigns within the sector focusing on transportation-related technology supporting its industrial, economic and military development, and large-scale data collection for intelligence purposes.

(U) Hacktivists, are typically at the lowest level of sophistication as they often rely on widely available tools that require little technical skill to deploy. Their actions often do not have a lasting effect on their targets beyond reputation.

(U) Cybercriminals are generally understood to have moderate sophistication in comparison to nation-states. Nonetheless, they still have planning and support functions in addition to specialized technical capabilities that affect many victims within the transportation sector. Cybercrime actors represent a high-frequency and intensity threat to the transportation sector. As with other transportation subsectors, we have increasingly observed actors monetize access to compromised corporate networks and databases via access brokers, and we assess with high confidence that this trend will continue for at least the near to midterm.

While we are on the topic of cybercriminals, now would be a good time to briefly discuss one of their most used services, which is Ransomware as a Service.

(U) RaaS is a business model utilized by ransomware developers in which the developers lease ransomware variants for use by those willing to pay for the ransomware, often called affiliates. RaaS provides those malicious cyber actors who possess limited technical abilities, the tools to launch a ransomware campaign from which a percentage of the extortion is paid as a commission to the malware developers.

One final cyber threat actor, not included on the graphic is the insider. Insider threats are individuals working within their organization who are particularly dangerous because of their access to internal networks that are protected by security perimeters. Access is a key component for malicious threat actors and having access privileged access eliminates the need to employ other remote means. Insider threats may be associated with any of the other listed types of threat actors but often include disgruntled employees

6 of 7

Aviation - Cyber Threats

UNCLASSIFIED//FOR OFFICIAL USE ONLY

The aviation industry encompasses almost all aspects of air travel and the activities that help to facilitate it.

Aviation cyber-reliance includes;

Air navigation systems,
On-board aircraft control and communication systems,
Airport ground systems,
Flight information systems,
Security screening

The most frequent tactic, technique, and procedure (TTP) known to compromise aviation victim networks was ransomware, which accounted for nearly a quarter of all attacks.

The vast majority of attacks were carried out by unknown cyber criminals, who exfiltrated sensitive data related to travelers’ passport numbers, facial recognition data, frequent flier program memberships, and other PII.

The Aviation subsector of the wider Transportation System Sector is comprised of numerous facets including, but not limited to airline companies, airports, and aviation-related IT service providers. The aviation industry is reliant on cyber enabled technology designed to ensure safety and efficiency of air transport. It utilizes many far-reaching, computer-based interconnected system, which includes air navigation systems, on-board aircraft control and communication systems, airport ground systems, flight information systems, security screening and many others that are used every day for all aviation related operations. This interconnectivity of systems and a heavy dependency on technology create an optimal environment for the emergence of new and existing threats. As discussed earlier, recent TSA reporting highlighted 55 cyber incidents affecting aviation and surface transportation during the 1^st quarter of 2021. Of those 55 incidents, 48 were directed at the aviation sub sector. The most frequent type of attack was ransomware, which accounted for nearly a quarter of all incidents.

Ransomware attacks mostly affect aviation-related business operations such as email, HR, or administrative functions.However, in several instances there have been operational impacts to airports, either from the ransomware itself, or from secondary effects such as unintended consequences of mitigation measures, or cascading effects of service outages.

Ransomware can also cause operational impacts through direct effects on airport systems and networks, such as baggage handling, arrival and departure displays, or through indirect effects. For example, several Air New Zealand flights were cancelled and forced to turn back because destination-required COVID-19 test results could not be accessed allegedly due to a ransomware attack. When Garmin suffered a ransomware attack, reported impacts included outages in Garmin Pilot and flyGarmin apps, which include flight plan filing services. And following the attack that shut down Colonial Pipeline’s operations, some airlines were forced to reroute aircraft to account for potential fuel shortages.

Additionally, Russian state actors as of 1 December 2020 conducted a campaign targeting U.S. Aviation sector targets in order to locate high value assets and exfiltrate data. The actor may have sought access to prepare for future disruption.

1 of 7

2 of 7

3 of 7

4 of 7

5 of 7

6 of 7

7 of 7