Key Takeaways
- The transport sector's digitalization and increased connectivity have delivered huge efficiency improvements but also exposed companies to greater risk of disruptive and widespread cyber events.
- Cyber incidents affecting transportation groups have increased markedly in recent years, and threat levels are likely to remain high amid geopolitical tensions that have encouraged attacks.
- As such, although rated transportation companies have avoided significant credit quality impairment from cyber incidents to date, we expect this risk to increase going forward, particularly for those with weak cyber hygiene.
Digitalization has transformed the global transportation sector, enabling the integration and streamlining of transport networks, slashing operating costs, and improving customers' experience. However, there is a flip side to those gains that can have implications for the credit quality of operators.
Why it matters: The digital systems that facilitate trade and tourism flows are an enticing target for malevolent actors who know that a successful cyber attack could disrupt networks that are vital to the supply of goods, could inflict material economic damage, and are likely to be high profile.
Cyber criminals have targeted transportation entities for financial gain for many years, typically through ransoms or the theft of data that can be sold. More recently though, the risk of cyber attacks has been exacerbated by heightened political tensions, which have provided states (and their proxies) with new motivation to disrupt transportation systems in support of military aims or in the hope of financially damaging geopolitical rivals.
For example, interference with satellite-based navigation services spiked over 2024 and affected thousands of flights in recent months, according to the European Union Aviation Safety Agency (EASA). The agency noted a 500% increase in "GPS spoofing" (the sending of a false GPS signal to report an incorrect position) this year and linked that primarily to conflicts, including the Russia-Ukraine war and fighting in the Middle East. S&P Global Ratings understands that there has also been a significant rise in GPS jamming (which stops the receipt of location data). Much of that spoofing and jamming appears to have been aimed at disrupting military drones, yet both pose a risk to aircraft safety.
In Europe, the transportation sector was the target of about 11% of all cyber attacks over the year to the end of June 2024, according to a survey published in September by the European Agency for Cyber Security (ENISA). That level of targeting was topped only by attacks on the public sector (19%) and was ahead of the financial sector (9%) (see chart 1).
Chart 1
Digitalization Has Transformed The Global Transportation Sector
Rapid advancements in digital technologies have proven a boon to transport operators and their clients. Connectivity and automation have enabled the integration of global supply chains, reduced costs, and broadened the scale, scope, and diversity of the operations of the companies that transport passengers and freight via sea, air, road, and rail.
Digital technologies can also be used to improve sustainability, with improved logistics planning and tracking helping to reduce fuel consumption and related emissions while supporting compliance with environmental regulations.
Yet increased, and increasing, dependency on digital technologies has also exposed transportation companies to mounting cyber risks, which we consider as part of our wider assessment of creditworthiness. The potential for cyber incidents, including from attacks as well as due to IT issues and infrastructure failure, is likely to increase with the adoption of new technologies that increase complexity, make digital systems increasingly central to physical operations, and have the potential to increase the attack surface for malevolent actors.
This will not be a one-way street, as many of these same technologies may also serve to improve companies' cyber security. For example, AI can help improve detection rates and speed the discovery of malicious activity. However, increased adoption of AI (including machine learning), operational technologies (including hardware and software that monitors and controls devices, processes, and infrastructure), blockchain technologies (that facilitate information sharing across networks), and the Internet-of-Things (connected devices and technologies that facilitate communication between devices and the cloud) will all have to be carefully managed to avoid exacerbating cyber risks for transportation companies.
Cyber-Related Damages Can Be Significant, And Are Increasing
The average cost of a data breach in the transportation sector is about $4.4 million, according to IBM's "Cost of a Data Breach Report 2024," up from $4.2 million in the 2023 version of the same report.
Yet successful cyber attacks on transportation entities can have implications well beyond immediate and direct costs. Disruption to transportation systems and operations can threaten public safety, the environment, and even national security, and may have a cascading impact throughout the supply chain. They are also typically highly visible, often resulting in long lines at airports and queues of ships off ports (or vessels stuck within ports) that attract media attention and can lead to reputational and brand damage.
Cyber incidents can also lead to regulatory costs. That includes potentially significant fines for customer data breaches or insufficient cyber security preparedness, but also extends to investment needed to meet regulatory standards--including as regulations become more stringent (notably with regards to the augmentation of existing cyber-related disclosure rules). Meanwhile, efforts to bolster cyber defenses and improve cyber resilience can necessitate costly investment in new technologies and processes. Any of those costs, or a combination of them, could weigh on credit quality.
Transportation Networks Are Prone To Cascading And Contamination
The effects of cyber-related disruptions on transportation companies can be consequential, particularly given the potential for significant disruption or operational shutdown, including of critical transportation infrastructure, such as air traffic control systems and supply chain networks (see box and "CrowdStrike Update Issues Highlight The Perils To Global IT Systems From Interdependency And Concentration," July 19, 2024).
Grounded: The CrowdStrike Outage And Air Transport
On July 19, 2024, a faulty software update from cyber security vendor CrowdStrike caused millions of Microsoft Windows systems to fail, leading to global disruptions. While the International Air Transportation Association (IATA, an industry trade body) reported that the IT outage did not visibly curb July's global air traffic volumes, the impact on the operations of freight and passenger carriers was significant. Thousands of flights were cancelled or delayed, cargo backlogs lasted over a week, and travellers found themselves in long queues--not least because the outage coincided with the summer travel period.
Many airports experienced issues with air traffic control, check-in problems, suspended flights, frozen departure boards, baggage handling, unavailable booking services, and email and SMS issues. Several airlines had to issue tickets by hand. Delta Air Lines reported that the disruption led to a direct impact on its revenues of about $380 million related to the cancellation of about 7,000 flights over five days.
Because transportation companies typically operate (and operate within) complex, interconnected, and automated digital systems and infrastructure, their cyber-related issues are prone to cascading (whereby an issue causes outages across interdependent systems) and contamination (transmission between entities and systems).
Those issues were highlighted (both globally and within the transportation sector) in 2017 by the rapid spread of the "NotPetya" attack, which caused an estimated $10 billion in damage, making it the largest ever cyber attack in financial terms. The attack began with the distribution of malware in Ukraine (see: "Cyber Threat Brief: How Worried Should We Be About Cyber Attacks On Ukraine?" Feb. 22, 2022) and contaminated systems at many global companies, including freight transporter A.P. Moller - Maersk A/S (Maersk), and package delivery company FedEx Corp. Outages at core systems, including active directory networks, led to cascading operational disruptions that contributed to financial losses--though we did not take any resultant rating actions as we assessed the credit implications of the outages to be manageable.
Indeed, the shared connectivity inherent to transportation IT systems means companies are often reliant on third-party service and technology providers. That exposes entities to the prospect of cyber events, including data breaches, within systems they do not directly manage (the NotPetya attack appears to have originated in an update for Ukrainian tax accounting software). Moreover, those external systems are often integral to shared IT, so have significant potential to affect widely-used networks that manage the flow of passengers and freight. For example, we understand that several major U.K. train stations were targeted this year by a cyber attack on Network Rail's Wi-Fi systems, which are provided by a company called Telent.
AI Will Transform Transportation IT And Its Cyber Risks
AI should deliver significant benefits to the transportation sector. At an operational level, AI algorithms will increasingly assist flight planning for airlines--by improving the analysis of complex inputs (like weather conditions and air traffic) to plan fuel-efficient routes and prevent delays. International Consolidated Airlines Group S.A. recently announced the appointment of a Chief AI Scientist, tasked with building and scaling AI products that enhance customers' experiences, optimize operations, and drive sustainable efficiencies.
There is also an expectation that AI will help mitigate cyber risks, including by improving the speed of detection of cyber attacks, thus reducing response times and the potential for and length of disruptions. For example, AI can help to identify phishing campaigns, making them easier to combat. The technology could also help to predict and monitor emerging risks, such as new cyber attacks, bugs, and other system vulnerabilities.
Key Cyber Risks For Transportation Companies
Our analysis indicates that data breaches and ransomware attacks are among the most common types of serious cyber incidents across all sectors (see "Cyber Risk Insights: Corporates Up Their Cyber Preparedness As Cyber Attacks Become More Widespread," Oct. 24, 2023). Denial-of-service attacks (DOS), which typically flood a system with requests to prevent legitimate requests from being fulfilled, are the most common form of attack on the transport sector (see chart 1). DOS attacks can block access to systems and services but generally do little lasting damage and are increasingly easily managed with technology solutions.
Transportation companies are notably exposed to the threat of data leaks and data theft--not least because they typically collect, process, and store vast amounts of customer and operational data, including sensitive personal identification and payment information from passengers and companies' freight records.
Furthermore, a data breach at a transportation company can cause operational disruption (including due to the need to review the extent of a loss and to secure data storage), can result in legal issues (including fines), and can cause reputational damage.
Transport companies' often critical operations, coupled with their typically high profile, also make them attractive targets for ransomware attacks. This type of attack, which typically seeks to extort money for the return of data or control of a system, can be massively disruptive and reputationally damaging, particularly given the likelihood of disruption. Remedies, meanwhile, can be costly and involve ransom payments (that come with uncertain outcomes), containment measures, and remediation to improve cyber security.
Transportation Sectors' Digitalization And Cyber Risks
While cyber incidents generally have the potential to cause widespread disruption to critical transportation systems, differing use of IT and digital systems across subsectors of the transportation industry also exposes them to particular risks.
Airlines and airports
The integration of digital technology across most operations provides a broad potential cyber attack surface that can result in disruptions and safety issues. Core systems include electronic flight management, predictive maintenance systems, crew scheduling, air traffic control systems, flight logs, weather prediction software, and flight tracking and navigation systems. There is also significant scope for cyber-related disruption and data theft from airlines and airports' commercial systems including those that manage reservations, payments, dynamic pricing, electronic ticketing, boarding and passport controls, baggage handling, and loyalty programs. The risk of data loss is notable given that both airlines and airports collect, process, store, and transmit sensitive data including relating to business partners, payment information, passports, and health records.
Shipping companies and ports
Shipping companies and ports widely deploy digital technologies in supply chain management including in route planning, freight management systems, port traffic management, and the automation of freight handling. Shipping companies also use tracking technologies (including GPS devices) to monitor the location of freight, containers, and vessels, while digital sensors monitor cargo for spoilage risk (pharmaceuticals and food) and gas leaks. Digitalization of port operations is inconsistent, with smaller ports in less-developed regions in particular often reliant on outdated IT systems and paper-based processing. That typically reflects limited investment capacity and is a risk factor as older technologies are often prone to cyber issues. There were at least 64 cyber incidents affecting shipping companies last year (up from just three in 2013 and none in 2003), with many of the attacks tied to state-sponsored hackers according to a July report in the Financial Times that cited research by the Netherlands' NHL Stenden University of Applied Sciences.
Rail companies and network operators
The use of proprietary and third-party vendor IT across almost all operations has served to improve competitiveness against other transport modes (notably trucks). Modern rail networks deploy near-ubiquitous automation and have increased interconnectivity with customers, inter-change partners, and suppliers. IT systems are also a critical component of safety and investment has notably sought to reduce accidents and derailments, which can be massively disruptive (and dangerous) and are thus a potentially attractive target for cyber attacks.
Trucking companies
Trucking companies increasingly rely on digital technologies for dynamic pricing, contract agreements, order tracking, and fleet management, including routing. Direct connectivity between trucks and fleet managers provides truck-specific data (fuel consumption, acceleration, braking, hours of daily service, cargo classification) and customer information. This digitalization has exposed trucking companies to greater cyber risk. In September 2023, ORBCOMM, a provider of fleet management systems, confirmed that a ransomware attack was behind a service outage that left some customers unable to track inventory and forced some drivers to switch to paper logs.
Postal and logistics services
Digitalization and automation have transformed postal and logistics companies, notably through the deployment of real-time tracking systems, automated and robotic warehouse management and sorting systems (increasingly enhanced by AI), smart lockers, route optimization tools, and the use of digital signatures and identity verification. Postal and logistics companies gather, handle, store, and use huge amounts of confidential business, operational and personal information, making them an attractive target for malevolent cyber activity. Britain's Royal Mail (a subsidiary of International Distribution Services plc) experienced a well-publicized ransomware attack in January 2023 that left it unable to send letters and parcels overseas and took several weeks to rectify.
How We Evaluate Cyber Risks
S&P Global Ratings views an entity's vulnerability to cyber attacks as a credit risk. We evaluate cyber risks for transportation companies (and all corporates) within our management and governance assessments. Our view on cyber risk incorporates our assessment of a company's cyber preparedness, governance, and concentration risks (exposure to single points of weakness such as IT service providers).
There is no clear relationship between an entity's rating and its corresponding cyber risk. It is notable however that entities with higher ratings tend to exhibit somewhat higher cyber risk, often due to their larger size and thus wider attack surfaces. Nevertheless, we expect investment grade companies' financial strength will enable them to better absorb the cost of low-impact cyber-related events (including successful attacks).
That is borne out by a study of cyber risk by revenues that was conducted for S&P Global by cyber risk data analyst RiskRecon, a Mastercard Company (see chart 2).
Chart 2
According to RiskRecon's methodology, category A and B companies have a low likelihood of a breach event and an implied good focus on cyber defense. The C category implies moderate risk, while D and F correspond to higher likelihood of a breach event at companies that may be vulnerable to cyber attacks.
Entities with strong credit quality typically have bigger budgets to invest in new digital technologies, the resources to conduct regular cyber risk assessments that identify exposures, and often incorporate comprehensive cyber risk mitigation policies into their strategic planning processes. That includes collaborating with cyber experts to assess and enhance security, extensive staff training on cyber risks, and the purchase of cyber risk insurance that can offset costs following an incident. The combination of those factors should mean that they are better prepared to mitigate the effects of a cyber attack--including by limiting its potential for disruption through containment and speedier recovery.
Cyber incidents in the transportation sector have not yet resulted in business or financial impairments that have directly resulted in negative rating actions for the global transportation entities we rate. Yet we recognize the potential for an event to affect a company's credit quality, particularly given prevailing high threat levels and amid geopolitical tensions that have encouraged attacks.
Appendix 1
Case Study: The Port Of Seattle Ransomware Attack
In late August 2024, the Port of Seattle experienced a cyber breach, which was discovered by its information security team. Systems were quickly shut down to contain the intrusion, in line with the group's response plan. That resulted in the unavailability of certain traveller information used by Seattle-Tacoma International Airport, as its traveller check-in, flight, and baggage services operated on the Port's technology network. The Port decided not to pay a demanded ransom, based on a cost-benefit analysis of the information stolen. We consider the Port's management to be extremely strong, note that it maintains over $1 billion in liquidity, and that it has a cyber insurance policy. We view it as a credit positive that the Port engaged a consultant to help evaluate an 'after action' plan to determine how to modify and enhance its cyber security protocols and that it is updating its business continuity plan to reflect the experience of the cyber event. An important part of thoughtful cyber risk management is a focus on learning and adapting cyber risk postures.
Writer: Paul Whitfield
Related Research
- CrowdStrike Update Issues Highlight The Perils To Global IT Systems From Interdependency And Concentration, July 19, 2024
- Cyber Risk Insights: Corporates Up Their Cyber Preparedness As Cyber Attacks Become More Widespread, Oct. 24, 2023
- Cyber Risk In A New Era: U.S. Transportation Infrastructure Providers Remain Vigilant On The Road To Cyber Preparedness, Oct. 26, 2022
- Cyber Threat Brief: How Worried Should We Be About Cyber Attacks On Ukraine?, Feb. 22, 2022
This report does not constitute a rating action.
Primary Credit Analyst:
- Rachel J Gerrish, CA, London + 44 20 7176 6680; rachel.gerrish@spglobal.com
Secondary Contacts:
- Raam Ratnam, CFA, CPA, London + 44 20 7176 7462; raam.ratnam@spglobal.com
- Jarrett Bilous, Toronto + 1 (416) 507 2593; jarrett.bilous@spglobal.com
Contributors:
- Geoffrey Wilson, San Francisco + 1 (415) 371 5061; geoffrey.wilson@spglobal.com
- Nora G Wittstruck, New York + (212) 438-8589; nora.wittstruck@spglobal.com
- Scott Shad, Englewood (1) 303-721-4941; scott.shad@spglobal.com
- Nik Khakee, New York + 1 (212) 438 2473; nik.khakee@spglobal.com
- Tiffany Tribbitt, New York + 1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com
- Edward Righton, London; edward.righton@spglobal.com