Explainers & Guides

Safe Travels: Navigating Supply Chain Cyber Security in the UK’s Critical Transport Infrastructure

The UK’s critical transport infrastructure is at risk from cyber-attacks. In this article, we explore the threats, the challenges for transport operators, and how to protect supply chains against the hackers.


The UK’s critical transport infrastructure is the backbone of everyday economic and social activity, connecting people and facilitating the ceaseless flow of goods and materials. That makes it a primary target for cyber criminals and nation-state threat actors alike. Transport systems rely on vast networks of digitally connected suppliers, partners and other third parties, each of which can introduce cyber security risk. In this article, we explore the complex supply chains within the UK transport sector, the key third-party dependencies supporting those networks, and the cyber security challenges faced by transport organisations and operators.

Complex supply chain dependencies across UK transport 

The UK’s transport and logistics infrastructure comprises complex road, rail, sea and air networks. Our vast road network stretches for more than 245,000 miles, carrying a significant proportion of all traffic and freight; road transport accounts for around 80% of inland freight movements in the UK. The rail network in Great Britain, meanwhile, comprises around 10,000 miles of track, carrying more than 18,000 passenger trains and 1,000 freight trains every day. The UK also relies heavily on maritime transport for international trade: 95% of goods by weight are imported and exported through our ports. Moreover, we have the world’s third largest aviation network, comprising more than 70 airports, including major international hubs like Heathrow, Gatwick and Manchester.

Moving goods and people swiftly and efficiently relies on seamless integration between these different modes of transport. That requires close coordination and collaboration between the key players in the UK’s transport sector, including major logistics companies such as DHL, DPD and Royal Mail, airport operators and airlines, Network Rail and the train operating companies, public transport companies such as Stagecoach Group and FirstGroup, as well as port operators and shipping lines. 

The highly interconnected nature of the UK’s transport infrastructure and its reliance on only a relatively small number of critical operators and transport corridors makes it especially vulnerable to disruption. The sector is facing a rising tide of cyber-attacks on its supply chains and any attack has the potential to upset the finely balanced equilibrium of these networks.

To help tackle the growing cyber security threats, the regulatory landscape has adapted to ensure companies protect their critical systems and infrastructure. Regulations such as the EU’s second Network and Information Security Directive (NIS2), the Digital Operational Resilience Act (DORA) and the forthcoming UK Cyber Security and Resilience Bill emphasise the need for enhanced visibility into supply chain dependencies and effective third-party risk management. While these regulations help to focus the minds of transport-sector leaders on the need for effective cyber security strategies, they also mean additional pressure and workload. They pose a particular challenge for smaller organisations that may lack in-house cyber security expertise and resources.

The daily interactions between transport operators, logistics businesses, passenger service providers and freight companies are increasingly managed digitally, as is the intricate network of supply chain relationships that supports critical transport infrastructure. The trend towards digitalisation places the whole sector at greater risk in the event of a cyber attack, providing an ever-expanding attack surface for cyber-criminals to exploit.

In its Cyber security and resilience policy statement the UK government recognised that the “growing dependency on technology has made supply chains particularly vulnerable, with ransomware and data extortion emerging as significant threats… necessitating heightened vigilance and robust cyber resilience measures.”

Who are the critical third-party suppliers for UK transport? 

Outsourcing services, expertise and systems is simpler than ever in the digital era, and the transport sector now relies on a huge network of third-party suppliers and sub-contractors to maintain everyday operations. Some of the most critical third-party suppliers are technology vendors, which provide IT systems and software for essential functions, from traffic management, rail signalling and travel booking to freight tracking, route planning and flight operations. Digital service providers also play a crucial role in delivering cloud services, data analytics and communications networks. 

UK logistics management and freight-forwarding operations are carried out by a wide range of specialist suppliers responsible for moving goods via road, rail, sea and air. The physical infrastructure of the road and rail networks, ports and airports is also built and maintained by outsourced construction and facilities management firms.

Security and surveillance services for critical transport assets are often delivered and managed by specialist providers of monitoring, access-control and emergency response systems. Third-party suppliers also play a critical role in delivering the fuel and energy that is the lifeblood of all modes of transport. 

What are the supply chain cyber security challenges for UK transport?

The National Cyber Security Centre’s Annual Review 2024 describes the threat landscape in the UK as “diffuse and dangerous”, with persistent attacks from hostile states and organised crime. The Government’s Cyber security and resilience policy statement, meanwhile, reports that: “Adversaries are exploiting vulnerabilities in critical infrastructure and supply chains, using tools, such as artificial intelligence and commercial cyber capabilities, to enhance their espionage and disruptive activities.” 

CISOs in the transport and logistics sector are acutely aware of the risks posed by supply chain attacks targeting their critical suppliers, and of the parallel risk of a critical supplier simply failing. Megan Poortman, Head of Cybersecurity at London Gatwick Airport, recently had to deal with the fall-out of the CrowdStrike IT outage that disrupted systems around the world. It was not an attack but a faulty content update to CrowdStrike’s Falcon sensor, which caused around 8.5 million Windows systems to crash. As Megan acknowledges in an interview with Infosecurity Magazine, the incident highlighted the reliance of major transport operators like Gatwick Airport on global IT providers for their essential IT systems. If those systems fail or are attacked, it can quickly cripple transport services and have a massive impact on the travelling public and associated businesses.

The problem with securing the extensive supply chains associated with any transport business starts with gaining visibility into the security status not only of potentially hundreds of partners and suppliers, but also of all the sub-contractors and sub-suppliers those third parties depend on in turn. Monitoring and managing the security status of all those third-, fourth- and nth-party connections by hand is almost impossible.

Without clear visibility of the security posture and cyber security practices in place among suppliers and their dependencies, it’s very difficult for transport organisations to accurately assess supply chain risks. Manual, spreadsheet-based approaches to third-party risk assessment are inadequate to deal with the scale and dynamic nature of the problem. Transport organisations also face resource constraints and must balance the need to conduct thorough risk management with the need to operate efficiently and effectively every day. 

How to address supply chain cybersecurity with effective TPRM 

While there is much UK transport providers can do to control security within their own organisations, tackling the risks in their extended supply chains is much more challenging. To make the best use of limited resources, a different approach to supply chain cyber security might hold the answer: a social network approach.

Traditionally, organisations have approached third-party risk management, and supply chain cyber security generally, as a one-to-one, spreadsheet-based assurance process with each of their critical suppliers. With often hundreds of critical suppliers, the time and resources required are simply prohibitive. The burden this approach imposes on suppliers is also enormous. Suppliers receive numerous security questionnaires from clients and prospective clients all the time, so they cannot complete them in a timely manner, and the sheer volume increases the chance that they do not take each assessment as seriously as they should. This approach is no longer viable.

Risk Ledger has developed and successfully implemented an alternative, social network approach to TPRM that leverages the power of networks and collaboration to reduce the burden for everyone involved, from security teams at organisations wanting to assure their critical suppliers to those at suppliers who need to demonstrate their organisation’s security to their clients.

This new approach is based on the idea of a social network like LinkedIn, but which connects cyber security and TPRM teams of organisations directly with those of their suppliers as well as with those of their peers across their industries. Each supplier has a profile on the platform, which contains information about their business, their security controls and other relevant risk areas, including ESG and financial risk. This profile is based on a standardised assessment framework specifically designed for supply chain due diligence, which is mapped against leading international standards like NIST, ISO 27001, the NCSC’s CAF and many others, and is updated twice a year to reflect new regulations and best practices. 

This solves one of the major impediments to more effective TPRM and to effective collaboration on TPRM within industries. It also solves a major problem for suppliers: the need to constantly complete similar yet different questionnaires for all their clients and prospects. On Risk Ledger, they complete one security profile, which they can then share with all connected clients at the click of a button. Instead of having to complete numerous different questionnaires, this gives them the space to focus on improving their security posture and simply keep one profile up to date. Clients can set requirements against our standardised assessment framework, so they can compare suppliers against the criteria that matter most to them.

Crucially, suppliers can also use the platform to manage their own supply chain risk, connecting with their own suppliers and thus using Risk Ledger as both a supplier and a client in their own right. Organisations acting as both suppliers and clients on the Risk Ledger platform is what uncovers the middle links in supply chains and builds out the map of dependencies within the wider supply chain ecosystem, not just between one client and its third parties. Because of these connections, the network can provide a unique visualisation of an organisation’s wider supply chain ecosystem beyond third parties, into fourth, fifth and nth parties.
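The dependency map described above is, in data-structure terms, a directed graph in which every organisation’s declared suppliers become edges, and the fourth- and nth-party picture falls out of a graph traversal. The example below is added here to make that concrete; it is illustrative code written for this article, not Risk Ledger’s platform code, and every organisation name in it is constructed. It walks each operator’s transitive supply chain, assigns each supplier a tier (1 = third party, 2 = fourth party, and so on), and then inverts the result to find suppliers that many operators depend on without any of them listing that supplier directly, which is exactly the CrowdStrike-style concentration risk a one-to-one questionnaire process never surfaces.

```python
"""Transitive supplier mapping and concentration risk over a supplier graph.

Added example for this article, not Risk Ledger's own code. All
organisation names below are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed sample: each organisation lists only its DIRECT suppliers,
# just as it would when completing a single profile on a shared platform.
# Operators appear as keys; some suppliers are also keys because they in
# turn declared their own suppliers (acting as both client and supplier).
RELATIONSHIPS = {
    "AirportOps": ["BaggageSystemsCo", "CloudHostA", "FuelLogisticsLtd"],
    "RailOperator": ["SignallingVendor", "CloudHostA", "TicketingSaaS"],
    "PortAuthority": ["TerminalOSVendor", "FuelLogisticsLtd"],
    "BaggageSystemsCo": ["EndpointSecVendor", "CloudHostA"],
    "SignallingVendor": ["EndpointSecVendor", "ChipFab"],
    "TicketingSaaS": ["CloudHostA", "PaymentGateway"],
    "TerminalOSVendor": ["EndpointSecVendor"],
    "PaymentGateway": ["CloudHostA"],
}

# The transport operators whose exposure we want to assess.
OPERATORS = ["AirportOps", "RailOperator", "PortAuthority"]


def transitive_suppliers(graph, org):
    """Return {supplier: tier} for everything `org` depends on, directly
    or indirectly. Tier 1 is a third party, tier 2 a fourth party, etc.
    Breadth-first search, so each supplier gets its shortest tier; the
    'already seen at a lower tier' check also terminates on cycles
    (mutual supplier relationships do occur in real supply chains)."""
    tiers = {}
    queue = deque((direct, 1) for direct in graph.get(org, []))
    while queue:
        supplier, tier = queue.popleft()
        if supplier in tiers and tiers[supplier] <= tier:
            continue
        tiers[supplier] = tier
        for sub in graph.get(supplier, []):
            queue.append((sub, tier + 1))
    return tiers


def exposure_by_supplier(graph, operators):
    """Invert the map: for each supplier, the set of operators whose
    supply chain contains it at any tier."""
    exposure = defaultdict(set)
    for op in operators:
        for supplier in transitive_suppliers(graph, op):
            exposure[supplier].add(op)
    return dict(exposure)


def concentration_risks(graph, operators, threshold):
    """Suppliers on which at least `threshold` operators depend, sorted.
    These are the shared dependencies whose outage or compromise would
    hit several operators at once."""
    exposure = exposure_by_supplier(graph, operators)
    return sorted(s for s, ops in exposure.items() if len(ops) >= threshold)


def hidden_dependencies(graph, operators, supplier):
    """Operators that depend on `supplier` only indirectly (tier >= 2),
    i.e. would never have sent it a questionnaire themselves."""
    hidden = []
    for op in operators:
        tier = transitive_suppliers(graph, op).get(supplier)
        if tier is not None and tier >= 2:
            hidden.append(op)
    return sorted(hidden)


if __name__ == "__main__":
    for op in OPERATORS:
        print(op, transitive_suppliers(RELATIONSHIPS, op))
    print("shared by all operators:",
          concentration_risks(RELATIONSHIPS, OPERATORS, len(OPERATORS)))
    print("indirectly exposed to EndpointSecVendor:",
          hidden_dependencies(RELATIONSHIPS, OPERATORS, "EndpointSecVendor"))
```

In the constructed data, no operator lists EndpointSecVendor as a direct supplier, yet all three depend on it at tier 2, so it is the single most concentrated dependency in the sample and would be invisible to any of them working from their own supplier spreadsheet alone. The graph only exists because the intermediate suppliers (BaggageSystemsCo, SignallingVendor, TerminalOSVendor) declared their own suppliers, which is the point made above about organisations acting as both supplier and client.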

Security monitoring on the platform is continuous and automated, supporting compliance with NIS2 and proposed new UK regulations. The platform enables confidential information and threat intelligence to be shared securely among groups of peer organisations - if they choose to come together to collaborate - allowing for further resource and efficiency gains. 

Such a collaborative, continuous and dynamic approach to TPRM helps to improve the resilience of the entire transport sector to supply chain cyber-attacks. Effective collaboration on TPRM can also give greater confidence to stakeholders, from government to the public, in the security and reliability of the UK’s critical transport infrastructure.

Working together to future-proof the UK transport sector

As digital threats to UK transport escalate, it has never been more important for transport organisations and operators to strengthen third-party risk management and supply chain cyber security to mitigate the risks. Transport operations can be severely disrupted by incidents in their supply chains, as the CrowdStrike incident clearly demonstrated.

Building resilience to the changing threats requires constant supply chain-wide collaboration and proactive risk monitoring and management. That’s why advanced TPRM platforms like Risk Ledger have been developed to build supply chain security, safeguard national infrastructure and support regulatory compliance. Now is the time for CISOs and transport-sector leaders to prioritise supply chain cybersecurity and work together to future-proof the country’s critical transport systems against cyber-attacks. 
