The transportation industry faces a dizzying array of risks, with cyber among the most costly. CIR’s latest podcast with sector experts at Tokio Marine HCC examined how the sector is coping when it comes to managing these risks

Deborah Ritchie, Editor, CIR in conversation with:

Glyn Thoms, Head of FINEX GB, Cyber & TMT, WTW
Isaac Guasch, Cyber Security Specialist, Tokio Marine HCC
Arnaud Lapillonne, Cyber Senior Underwriter - Continental Europe, Tokio Marine HCC
Xavier Marguinaud, Head of Cyber, Tokio Marine HCC


Digitalisation, complex operational technology, increased connectivity, and slow adoption of standards and regulation make the transportation and logistics industries particularly vulnerable to cyber risk, with potentially significant ramifications for often vital infrastructure.

How have the main exposures evolved?

Arnaud Lapillonne: Whilst the logistics industry has been slow to adopt digitalisation, the robotisation of warehouses, last mile optimisation and predictive maintenance for connected equipment have recently begun to drive speedy digital transformation. The downside to this progress is that digitalisation has exposed a series of inadequacies that make the industry extremely vulnerable to cyber attack. Whether in maritime, rail, trucking or logistics providers, all sectors are affected.

What are the key exposures?

Glyn Thoms: There are variations in exposure, depending on whether the business is airfreight, logistics, airlines, road, rail and so on. Data protection issues will be much greater for companies with direct customer-facing business, such as a commercial airline – much more so than would, say, a freight transportation company. But whether we’re talking about land, sea, air or the transportation of people or goods, there is a time criticality to everything in this industry. Aviation operates on particularly tight timeframes, therefore network interruptions represent an especially critical exposure.

Importantly, most of the subsets of the transportation sector are considered part of vital global infrastructure, therefore the potential implications of a cyber attack are enormous, and often enduring – the recent Suez Canal blockage being just one recent high-profile example.

What are the most commonly underestimated exposures?

Xavier Marguinaud: A combination of legacy OT systems and the increased use of connected endpoints via IoT are key concerns, as security products are mainly focused on traditional IT rather than OT. The dangerous combination of new, poorly secured IoT devices and old, poorly updated OT systems presents numerous opportunities for hackers. Additionally, as a result of digitalisation, the logistics industry is starting to generate a huge amount of structured and unstructured data, which are usually strategic. Finally, the presence of multiple stakeholders and third party vendors in the logistics supply chain emphasise vulnerability. Cloud only increases exposure.

Isaac Guasch: In general terms, a supply chain attack is a combination of at least two attacks. The first attack is on the supplier side; the second on the final target to gain access to its assets. The target can be the final customer or another supplier. These are complex to handle and to mitigate. The mere fact that at least two organisational entities are affected complicates the handling of an incident, forensic analysis and overall management of the incident.

Turning to underwriting, what key elements would be taken into consideration when assessing the risk management maturity of an organisation in this industry?

XM: We expect organisations to have complete transparency and visibility to manage risks in their environment. The first step should be a comprehensive risk assessment. This should include an audit of the network, applications and security protocols. Companies need to categorise and list the number of devices within the network; detect particular risks associated and understand how sensitive the data they produce is. Secondly, they should identify vulnerabilities affecting them. With regards to IoT end point data collection, we expect organisations to conduct vulnerability scans and pen test the potential threats and existing breaches. Thirdly, network segmentation and Zero Trust are key to a secured network layer.

How do you determine the appropriate level of coverage?

GT: Insuring a cyber-physical asset is more straightforward because the value is easier to calculate. Intangible assets like data and systems are more challenging. To answer that question, we would consider scenario analysis to analyse the potential severity, and maximum probable loss. There is much more external loss data available today to help understand what comparable exposure looks like. Peer benchmarking also offers a good data point for a lot of our clients. I would also consider the company’s risk appetite, as we all have to accept that companies don’t have unlimited budgets.

What are the most valuable risk management procedures that can be put in place?

GT: The management of critical OT and legacy systems is vital, due to the high reliance on them within the transportation sector, which typically demands high resilience and high availability. Managing immediate operational exposure, and at the same time developing longer term plans to continue improving that availability and resilience are key here. Secondly, identifying and managing reliance on a third party supply chain can have a huge impact on the ability of a transportation company to continue undertaking its business. A lot of our clients focus on identifying who the key providers are, and how the potential risk they present could be managed – whether that’s contractually or through any other means. Finally, managing regulatory risk is of course essential.

Can you illustrate what can go wrong when the appropriate measures are found to be lacking?

IG: One of the biggest supply chain incidents we have seen recently in the transportation industry took place in March 2021. SITA Company is one of the largest aviation IT companies and provides IT and telecoms services to around 2,500 customers, has a presence at more than 1,000 airports, and claims to serve around 90 per cent of international destinations. The attack they suffered was a data security incident involving passenger data being stored on one SITA passenger service system server. These systems are used by airline companies for passenger processing purposes such as boarding as well as for passenger flow management in airports. As a consequence, multiple airlines were affected simultaneously, and customer data was exposed. Although SITA did not confirm the volume of the data leak, according to the official site, one billion passengers per year use SITA boarding services.

In a separate incident, a global phishing campaign was targeted at the Covid-19 vaccine cold chain. In this case, the phishing e-mails contained malicious XTML attachments that opened locally, prompting recipients to enter their credentials to view the file. An assessment carried out by IBM suggested that the purpose of this campaign may have been to harvest credentials to gain future, unauthorised access. From there, the adversary could gain insight into internal communications, as well as the process methods and plans to distribute Covid-19 vaccines.

AL: Cyber attacks used to occur every few years in the logistics sector; now there may be two major attacks every month. The May 2021 shutdown of the Colonial pipeline could cost some US$50 million. Other attacks may receive little press attention, but often involve high levels of disruption. Better technology can help, and well trained staff should be the first line of defence.

What are the most relevant incident response considerations?

GT: This varies. A data breach for an airline requires something very different to a system failure leading to a ship being stranded at sea, for example. But having a plan and testing it is critical. Initial response could be critical to managing the longer term impact and implications of a cyber event, so having the right response providers – relative to the sector and type of incident – in place, with contracts, is vital.

XM: In every segment of the transport and logistics industry, attack numbers are rising, as increasingly connected networks make tempting targets. Some networks are made even more vulnerable because remote access is poorly secured, leaving OT equipment vulnerable to hacking. In traditional transport companies, the equipment is not often modernised to be compatible with strict security protocols.

What’s on the horizon for the sector?

XM: The transport industry really suffers from a lack of regulations and standards, although this is changing with the arrival of the European NIS Directive, and new standards from the International Maritime Organisation. Those regulations attempt to enforce minimum standards to protect companies’ most sensitive data and operations, in particular customer records and shipping information.


This article was published in the May-June 2022 issue of CIR Magazine.

Download PDF

Listen to the Podcast here.

Share Story: