Fri. Jun 2nd, 2023

Content Assessment: Threats, Incidents, and Actors? An EU View: The Cyber Threat Landscape in the Transport Sector

Information - 93%
Insight - 94%
Relevance - 90%
Objectivity - 91%
Authority - 93%



A short percentage-based assessment of the qualitative benefit of the announcement and report from ENISA on cyber threats to the EU transport sector.

Editor’s Note: ENISA, the European Union Agency for Cybersecurity, was established in 2004 to promote a high level of cybersecurity across Europe. The EU Cybersecurity Act has strengthened its role, and it works towards enhancing the trustworthiness of ICT products, services, and processes with cybersecurity certification schemes, contributing to EU cyber policy, cooperating with Member States and EU bodies, and preparing Europe for future cybersecurity challenges. Through knowledge sharing, capacity building, and awareness raising, ENISA collaborates with key stakeholders to build trust in the connected economy, boost the Union’s infrastructure resilience, and maintain digital security for Europe’s society and citizens. The findings of ENISA’s report on cyber incidents in the transport sector can be beneficial for cybersecurity, information governance, and legal discovery professionals as they provide valuable insights into the prime threats, threat actors, and incident trends affecting critical infrastructure in the transport sector. Understanding these threats and trends can help these professionals develop sound risk management strategies to protect their organizations from cyber threats and mitigate potential damages. Additionally, the report’s assessment of threat actors and their motivations can aid in identifying potential attackers and their likely targets.

Background Note: The report focuses on providing insights into the cyber threat landscape of the transport sector in the EU, covering the four transport sectors falling under the scope of the network and information security directive. The report also considers a wider scope of the transport ecosystem, including transport manufacturers and suppliers and national transport authorities, to provide a more detailed analysis of the sector’s threat landscape. The ENISA Cybersecurity Threat Landscape Methodology was applied to analyze cyber incidents targeting the transport sector from January 2021 to October 2022, which is referred to as the “reporting period” throughout the report.

Press Announcement And Report* (March 21, 2023)

Understanding Cyber Threats in Transport

The European Union Agency for Cybersecurity (ENISA) publishes its first cyber threat landscape report dedicated to the transport sector.

This new report maps and analyses cyber incidents in relation to aviation, maritime, railway and road transport covering the period of January 2021 to October 2022.

The report brings new insights into the cyber threats of the transport sector. In addition to the identification of prime threats and the analysis of incidents, the report includes an assessment of threat actors, an analysis of motivations driving their actions and introduces major trends for each sub-sector.

EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, stated that “Transport is a key sector of our economy that we depend on in both our personal and professional lives. Understanding the distribution of cyber threats, motivations, trends and patterns as well as their potential impact, is crucial if we want to improve the cybersecurity of the critical infrastructures involved.”

Prime threats affecting the transport sector

  • ransomware attacks;
  • data related threats;
  • malware;
  • denial-of-service (DoS), distributed denial-of-service (DDoS) and ransom denial-of-service (RDoS) attacks;
  • phishing / spear phishing;
  • supply-chain attacks.

Ransomware attacks have become the most prominent threat against the sector in 2022with attacks having almost doubledrising from 13% in 2021 to 25% in 2022.  They are closely followed by data related threats (breaches, leaks) as cybercriminals target credentials, employee and customer data as well as intellectual property for profit. The attacks are considered to be planned in an opportunistic nature, as we have not observed known groups targeting the transport sector exclusively.

More than half of the incidents observed in the reporting period were linked to cybercriminals (55%). They apply the “follow the money” philosophy in their modus operandi.

Attacks by hacktivists are on the rise. One fourth of the attacks are linked to hacktivist groups (23%), with the motivation of their attacks usually being linked to the geopolitical environment and aiming at operational disruption or guided by ideological motivation. These actors mostly resort to DDoS attacks and mainly target European airports, railways and transport authorities. The rates of these attacks are focused on specific regions and are affected by current geopolitical tensions.

State-sponsored actors were more often attributed to targeting the maritime sector or targeting government authorities of transport. These are part of the ‘All transport’ category which include incidents targeting the transport sector as a whole. This category therefore includes national or international transport organizations of all subsectors as well as ministries of transport.

Observed incidents in each sector


Faced with multiple threats, aviation contends with data-related threats as the most prominent, coupled by ransomware and malware. Customer data of airlines and proprietary information of original equipment manufacturers (OEM) are the prime targeted assets of the sector. Fraudulent websites impersonating airlines have become a significant threat in 2022, while the number of ransomware attacks affecting airports has increased.


Threats targeting the maritime sector include ransomware, malware, and phishing attacks targeted towards port authorities, port operators, and manufacturers. State-sponsored attackers often carry out politically motivated attacks leading to operational disruptions at ports and on vessels.


For the railway sector, threats identified range from ransomware to data-related threats primarily targeting IT systems like passenger services, ticketing systems, and mobile applications, causing service disruptions. Hacktivist groups have been conducting DDoS attacks against railway companies with an increasing rate, primarily due to Russia’s invasion of Ukraine.


The threats in the road sector are predominantly ransomware attacks, followed by data-related threats and malware. The automotive industry, especially OEM and tier-X suppliers, has been targeted by ransomware which has led to production disruptions. Data-related threats primarily target IT systems to acquire customer and employee data as well as proprietary information.

On the availability and reliability of data: challenges in incident reporting

Although ENISA gathered data from a variety of sources to perform its analysis, the knowledge and information on incidents remain limited to those incidents officially reported and for which information was publicly disclosed. Such disclosed incidents on which ENISA based its analysis and conclusions, however, are likely to underrepresent reality if non-disclosed ones outweigh those made public.

Despite Member States having legal requirements for the mandatory reporting of incidents, it is often the case that cyberattacks are disclosed by the attacker first.

In the EU, the revised Directive on measures for a high common level of cybersecurity across the Union (NIS2) and the additional notification provisions for security incidents aim to support a better mapping and understanding of relevant incidents.


The ENISA threat landscape reports help decision-makers, policy-makers and security specialists define strategies to defend citizens, organizations and cyberspace. This work is part of the EU Agency for Cybersecurity’s annual work program to provide strategic intelligence to its stakeholders.

Information sources used for the purpose of this study include open-source intelligence (OSINT) and the Agency’s own cyber threat intelligence capabilities. The work also integrates information from desk research of available data such as news articles, expert opinions, intelligence reports, incident analyses and security research reports.

The data analyzed also result from the input received within the frame of the interviews performed with members of the ENISA Cyber Threat Landscapes Working Group (CTL working group).

The analysis and views included in the threat landscape reports by ENISA is industry and vendor-neutral.

Read the original announcement.

Complete Report: Understanding Cyber Threats in Transport (PDF) – Mouseover to Scroll

ENISA Transport Threat Landscape

Read the original paper.

*Shared with permission under Creative Commons – Attribution 4.0 International (CC BY 4.0) – license.

Additional Reading

Source: ComplexDiscovery


Generative Artificial Intelligence and Large Language Model Use

ComplexDiscovery OÜ recognizes the value of GAI and LLM tools in streamlining content creation processes and enhancing the overall quality of its research, writing, and editing efforts. To this end, ComplexDiscovery OÜ regularly employs GAI tools, including ChatGPT and DALL-E2, to assist, augment, and accelerate the development and publication of both new and revised content in posts and pages published (initiated in late 2022).

ComplexDiscovery also provides a ChatGPT-powered AI article assistant for its users. This feature leverages LLM capabilities to generate relevant and valuable insights related to specific page and post content published on By offering this AI-driven service, ComplexDiscovery OÜ aims to create a more interactive and engaging experience for its users, while highlighting the importance of responsible and ethical use of GAI and LLM technologies.


Have a Request?

If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.

ComplexDiscovery is a premier online publication renowned for providing essential insights and intelligence in the realms of cybersecurity, information governance, and legal discovery to professionals navigating these fields. As a leading source of information, the publication expertly combines original research with aggregated news to cater to a highly specialized audience. Committed to enhancing readers’ understanding of relevant topics, ComplexDiscovery stands as an impartial and comprehensive resource for exploring trends, technologies, and services associated with electronically stored information.

The driving force behind this influential publication is ComplexDiscovery OÜ, a technology marketing firm that excels in strategic planning and tactical execution for organizations operating within these sectors. Registered as a private limited company in Estonia, a global leader in digital advancements, ComplexDiscovery OÜ dedicates its primary focus to supporting the publication. The company capitalizes on its virtual presence to provide marketing consulting and services to a diverse array of clients around the world, further solidifying its reputation as a leading voice in the eDiscovery ecosystem.

Send this to a friend