Assessing and Proposing Countermeasures for Cyber-Security Attacks

Abstract: Cyber-attacks on IT domain infrastructure directly affect the security of businesses’ operational processes, potentially leading to system failure. Some industries are at higher risk than others due to the sensitivity of their data, including the transportation industry, which has recently moved from traditional data management to digitalization. This study aims to identify the main cyber threats in the transportation sector by analyzing related works and highlighting the main countermeasures used to respond to such threats as well as enhance overall cybersecurity. This paper presents a comprehensive cybersecurity risk assessment for transportation companies, identifying the most common attacks and proposing methods to minimize risk as much as possible. A risk assessment analysis was prepared by industry experts that included previous cyberattack scenarios. The results of our paper identified the most critical attacks on the transportation company’s booking system and recommended suitable countermeasures to minimize the risk of those attacks.


A. Background
Cyber-security attacks are considered one of the hot topics in the field of information security and can result in huge losses to organizations if not carefully handled. Cybersecurity attacks usually result from several factors related to threats, human errors or insufficient knowledge [1]. Cybersecurity relates to technologies, processes, practices, and information assets, aiming to protect against any damage or unauthorized access caused by cyberattacks [2]. Cyberattacks on information systems, in particular, directly affect the operational processes that support businesses, potentially leading to corporate paralysis. Some industries are at more risk than others due to their highly sensitive data, one of which is the transportation industry, which has recently moved from traditional data management to digitalization. This transition has raised concerns about cybersecurity and necessitated proper risk assessments due to their importance in protecting critical infrastructure; for instance, cyberattacks on aircraft, which are considered essential transportation, can impact safety-of-flight systems and/or the systems supporting the airlines' business [3]. Cyber threats often take advantage of the increased complexity of infrastructure systems, placing critical industries' security at risk [4]. A physical cyber threat not only harms the integrity of the IPs but may also disrupt production processes and cause serious damage to various systems [5]. To understand cyberattacks, it is important to dig deeply and identify their main causes. Spreading awareness and proper knowledge about cyberattacks and providing sufficient training can reduce the damage they cause. This is often difficult to accomplish because cybersecurity behaviors do not necessarily come naturally, and people need support and encouragement to develop and adopt them [1]. 
As technology becomes increasingly present in daily life, cybercrime and cybersecurity tools and techniques require innovative solutions at all organizational levels [4].
Transportation systems, in particular, offer major services that can be put at risk by an absence of real awareness, and neglecting the proper assessment of vulnerabilities can lead to major damage [6]. Cyberattacks on transportation technologies are usually unexpected and require considerable effort to classify the threats, identify impacted assets, develop proper countermeasures, and engage IT teams throughout the process. However, transportation systems vary in their ability to handle threats and in the ways in which organizations prioritize their assets when a risk is identified. This paper discusses how risks to booking systems in the transportation industry are assessed when a risk is identified and presents a comprehensive cybersecurity risk assessment of information systems in a transportation company to identify the most common threats and recommend methods for minimizing risks as much as possible. A risk assessment report was prepared by industry experts that included previous cyberattack scenarios. This paper aims to answer the following questions:
• What are the common types of cyberattacks on transportation systems?
• What are the main techniques used to identify vulnerabilities in transportation systems?
• What are the main risks and countermeasures used to mitigate these risks?

B. Motivation
Understanding the nature of cyberattacks and their main causes can enhance the overall cybersecurity of an organization. A cyber threat may disrupt production processes and cause serious damage to various systems [5]. Identifying the root cause of such problems can help organizations solve them at a deep level and avoid future attacks rather than relying on temporary prevention solutions. Information systems generally contain critical data that businesses place a high priority on protecting. Some industries, such as the transportation industry, hold more sensitive data than others; hence, their risks from cyberattacks are huge and can directly impact operational processes. It is therefore vital for them to identify the main causes of cyberattacks and the main practices they should adopt to protect sensitive data from exposure. Cybersecurity for transportation systems has been affected by the dynamic nature of the technology used within the industry. Cybersecurity guidelines have been developed for transportation systems, especially in the past few years, to ensure cybersecurity and raise awareness of its importance [6].

C. Cybersecurity
The main reasons for cybersecurity failures are human error and insufficient knowledge [1]. According to [2], cybersecurity is central to all technologies, standards, and procedures developed to protect infrastructure elements against serious cyberattacks. Some cyberattacks cause major harm to system users, sometimes unintentionally [7]. In other words, cybersecurity protects property rights in an infrastructure context if an attack occurs. Furthermore, cybersecurity is concerned with related issues such as access, extraction, manipulation, or modification of property [8], protecting property against the harm that can be caused by an attack [7]. To maintain a secure environment, effective cybersecurity behaviors must be identified and promoted to raise awareness among users from different backgrounds. Both human and technological aspects of information systems need to be clearly identified to maintain a strong cybersecurity environment [1].

1) Cybersecurity in information systems:
Today's technology allows for easy, rapid communication across different systems, particularly in domains such as teleworking and m-commerce, which have grown rapidly [9]. Moreover, information and communication technology (ICT) applications have increased dramatically and cyberattacks have spread easily across such applications [10]. The more sensitive the data is, the greater attention needs to be paid. Sensitive data can be vital for businesses because they use it to make critical decisions; major problems can result from cyberattacks that place data at risk of exposure. Protecting infrastructure is a major priority for preventing unauthorized access that can lead to data misuse or corruption. Both individuals and organizations can suffer hugely from data exposure [11].
Recently, cyberattacks have increased due to advances in the technologies used in most information systems. Consequently, most organizations need to invest in cybersecurity and employee training to raise awareness of the importance of securing systems and their sensitive information [12]. One approach to protecting information systems, proposed by [13], holds that integrating information systems across organizational environments can improve cybersecurity. The researchers suggested and tested three hypotheses to investigate whether integration is positively related to cybersecurity countermeasures (see Table I).
Although [14] suggested considering all ICS features, the researchers proposed a targeted multilevel Bayesian network for identifying attacks, the functional level of attacks, and incident models. This dynamic cybersecurity risk assessment approach can help assess the risks caused by unknown attacks (see Fig. 1).
Study [10] evaluated power supply reliability using Stackelberg Security Game (SSG) strategies to assign defense resources to various cyber-threat targets. This paper discussed how to benefit from the intrusion tolerance capability of SCADA systems that provide buffer periods before the failure of substations. The overall goal was to improve network strength in the face of cyber threat events. Different cyber threat scenarios were tested to assess intrusion tolerance capabilities, and the authors designed an insurance premium principle to provide incentives for enhancing intrusion tolerance capability.
Study [5] conducted a literature review to identify the impact of cyberattacks on total productive maintenance in smart manufacturing systems. Cyberattacks can directly affect manufacturing equipment and, hence, the services provided, including maintenance services. This paper highlighted major physical cyberattacks and proposed countermeasures to reduce the negative impact of such attacks. The authors identified different challenges in enhancing equipment effectiveness in light of current cybersecurity threats in the manufacturing industry.

TABLE I. Hypotheses on IS integration and cybersecurity countermeasures tested in [13]

Hypothesis | Result | Explanation
H1 | Supported | IS integration causes fewer weak points, reducing the possible impact of breaks.
H2. H1 will be more powerful when considering external IS integration rather than internal IS integration. | Supported | Weak points in external IS integration involve greater risk exposure because of greater uncertainty.
H3. Organizations tend to use self-protective controls more often in highly volatile environments than in less volatile environments. | Supported | Although the impact may not be strong, volatile environments can impact the three aspects of vulnerability. This means that the addressing of weak points must highlight these aspects.

According to study [15], attack graphs are essential for identifying the variables involved in an attack and reducing their impact on networks. This research introduced a cyberattack path method that used restrictions and an in-depth search to successfully produce attack graphs according to the interests of users. The researchers used real data from a maritime supply chain to ensure the validity of the proposed method.
In [16], the author identified the effects of cyberattacks on general systems. As cyberattacks continue to develop, it is becoming more difficult to identify the nature of the attacks; therefore, there is a great need for smart risk assessment. This research proposed the use of a fuzzy inference system (FIS) model to produce risk assessment outputs, relying on four risk factors (vulnerability, threat, likelihood, and impact) to identify risks targeting a system entity and suggest possible solutions for them. A summary of related work is provided in Table II.

2) Cybersecurity threats in the transportation industry:
The transportation industry needs to distinguish between operations systems and business systems to provide the right protection for each [6]. Over the years, the industry has shifted from traditional business to e-business, and this shift has expanded technologies and their features [2]. According to [11], 80% of assets in transportation infrastructure are being digitalized. In recent years, many attacks have been made on transportation, which has increased the need for cybersecurity protection guidelines [6], and some factors are critical for ensuring the effectiveness of overall cybersecurity, such as PCS systems, knowledge about cyber threats, and communication between private corporations and public agencies [17]. In the air transportation domain, cybersecurity tends to focus greatly on protecting the operational and technical aspects of businesses; hence, fast adaptation to a rapidly changing risk environment is vital, and the framework of technical and operational systems should be redesigned based on continuous risk analysis and simulations [18]. The rapidly changing nature of the transportation industry makes it important to focus on cybersecurity to protect valuable assets and protect the business from harmful threats.
Study [18] was conducted to address the increase in cyberattacks, the impact of which could critically affect civil aviation functions. The huge increase in technologies and integrated connectivity tools can expose air traffic management (ATM) to major risk, despite its high value as an asset. This study evaluated cybersecurity difficulties in ATM to develop a threat model that included likely risks. It also included an overall framework that required full collaboration between entities to identify threats and protect systems from attacks.
Study [19] asserted that the port industry is experiencing a transformation in connectivity between ports, where most functions are being digitalized. This necessitates focusing on cybersecurity to protect major infrastructure against advanced attacks and maximize the use of new technologies with minimum risk of affecting valuable business assets.
Study [11] highlighted the importance of data-driven functions that many business aspects depend on, such as operations, maintenance, planning, and decision-making. To ensure the smooth operation of all functions relating to railways, data should be strongly secured against cyberattacks and unauthorized access to avoid major losses. This paper identified possible challenges, impacts, threats, vulnerabilities, and methods for managing risks and protecting railway infrastructure data, particularly in an e-maintenance context. Study [6] used a case study to raise awareness of the cybersecurity attacks that affect the transportation field. It developed an attack-fault tree for the mentioned case study as proof of concept for integrated risk analysis. The overall purpose was to help companies understand that no attacks targeting critical technological systems should be ignored, and potential risks should be analyzed.
The author in [3] proposed a new system for gathering, managing, and reporting aircraft failures. The motivation behind this paper was the great expansion in connectivity and communication infrastructure that is affecting aircraft. The increase in mobile computing device use among individuals has allowed for external connectivity increments as well as providing internet access for passengers, involving a greater risk of aircraft cyberattacks that can affect other critical systems supporting the business. The proposed system can help identify such attacks, hence reducing their impact. A summary of related work in the transportation domain is provided in Table III.

TABLE II. Summary of related work on cybersecurity in information systems

Study | Purpose
[14] | To develop a dynamic risk assessment approach that could identify risks due to unknown threats and enhance the accuracy of risk assessment processes.
[5] | To illustrate the impact of cyberattacks on total productive maintenance in smart manufacturing systems and to discuss countermeasures to reduce the negative impact of an attack.
[16] | To use a fuzzy inference system (FIS) model to produce risk assessment outputs, relying on four risk factors (vulnerability, threat, likelihood, and impact) to identify risks targeting a system entity and suggest possible solutions for such threats.
[15] | To introduce a cyberattack path method that used restrictions and an in-depth search to successfully produce attack graphs according to the interests of users, using real data from a maritime supply chain to ensure the validity of the proposed method.

Possible threats
• a denial-of-service (

Study | Proposed countermeasures / solution
[5] | Acquiring an agile maintenance system and considering both mean time between failures (MTBF) and mean time to repair (MTTR), relying on a short repair time. A proposed plan for system recovery, enabling repairs to be performed as quickly as possible.
[16] | The proposed solution senses a weak item and moves it to a risk assessment model, which then determines the items for the spatial computation methods and passes them to the next model for approval. Approval signals the end of the process. However, if an item is not approved, it will be moved to other models for vulnerability estimation using fuzzy theory. Information will be displayed to interested parties, enabling them to decide on mitigating actions. The process starts again, relying on human judgment to decrease uncertainty.

TABLE III. Summary of related work in the transportation domain

Study | Purpose
[18] | To analyze potential targets and risks.
[19] | To maximize the benefits of using full technology while ensuring that major infrastructure elements are well protected against cyberattacks.
[11] | To identify possible difficulties, impacts, and risks of data security for railway infrastructure, and to highlight methodologies for attaining and securing data against possible breaches.
[6] | To enhance awareness of possible weaknesses that impact transport systems, and to shine a spotlight on the embedded devices used by those systems and prevent major attacks that can target them if not well protected.
[3] | To track and monitor incidents/failures and protect aircraft and related systems from cyberattacks.

A. Scenario
Daily DDoS attacks against company systems are a great concern for IT managers; however, the previous severe DDoS attack, which was repeated twice, resulted in approximately four hours of total downtime, was extremely intense, and aimed to fully disrupt the company's booking services, which could have had a significant financial impact. IT leaders directed the cybersecurity team to immediately conduct a risk assessment of these cyberattacks and provide feedback for decision-making. A risk analysis report was prepared using various cybersecurity risk management methodologies to overcome the above-mentioned issues, and the general scenario related to "the risk associated with cyberattacks against the availability of the booking system." [22][23][24][25][26].

B. Risk Assessment
The company follows a combined approach to risk assessment, which is managed by the Cybersecurity Department and the IT Governance, Risk, & Audit (GRA) Department. Their goal is to ensure the management of information technology and security risks [27][28][29][30][31][32].

1) Asset identification:
To identify the assets related to the system, system functions were first identified [32][33][34][35][36][37][38]. The scope of the risk assessment was the company's booking system, represented by an application that provides reservation and ticketing services to various transport sectors through the company's digital channels (see Table IV). A list of the most common risks targeting booking systems and their corresponding controls is shown in Table V. Table VI contains the most common threat types targeting web-based systems and their threat communities. Due to the high level of data sensitivity, vulnerabilities were derived from study [20], which highlighted the most common vulnerabilities of Web-based systems but did not necessarily reflect the company's actual data [39][40].

2) Threat and vulnerability identification:
Vulnerabilities can be divided into two classes. The first class includes vulnerabilities that affect a host, or only a service running on it, for example:
• host crash.
The second class includes vulnerabilities that affect only a single service, for example:
• inaccessible service.

3) Techniques to identify vulnerabilities:
Companies use various techniques to identify vulnerabilities in their systems, and this paper identifies the set of techniques used by transportation companies; for instance, the network security team scans the system a number of times daily, and firewalls and scanners are in place to detect spikes in incoming traffic. Additionally, a DDoS protection service is in place to protect the system. The IT Security team conducts regular exercises to identify vulnerabilities using various technologies, including system vulnerability scans, penetration testing, Web application assessments, and network mapping. Furthermore, the IT team conducts special system scans for indicators of compromise upon requests from the NCA. The company also has monitoring, incident response, and forensics teams working closely with security business partners to cover various areas, such as system logs and audit reports.
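The paragraph above describes scanners and firewalls that detect spikes in incoming traffic and monitoring teams that look for logons from risky or Tor source addresses. The block below is an added example, not code from the paper or the company it describes: it runs that kind of triage offline over constructed web-server log lines, flagging minutes whose request count is far above the median minute, listing the top sources and the share of 5xx responses in each flagged minute, and matching source addresses against a watchlist. The log line format, the watchlist entries, the documentation-range IP addresses and the spike thresholds are all assumptions made for the example.

```python
"""Triage of web access logs for traffic spikes and suspect source IPs.

Added example, not code from the paper or the company it describes. The log
format, the watchlist and the thresholds are assumptions for illustration.
"""
import re
import statistics
from collections import Counter, defaultdict

# Assumed line format: <client ip> [<ISO timestamp>] "<method> <path>" <status>
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([A-Z]+) ([^"]+)" (\d{3})$')

# Constructed baseline traffic: a couple of requests per minute, plus one
# deliberately malformed line to show that unparseable input is skipped.
BASELINE = [
    '203.0.113.5 [2024-03-01T10:00:05] "GET /booking/search" 200',
    '203.0.113.7 [2024-03-01T10:00:40] "POST /booking/reserve" 200',
    '198.51.100.9 [2024-03-01T10:01:10] "GET /booking/search" 200',
    '203.0.113.5 [2024-03-01T10:01:55] "GET /booking/search" 200',
    '198.51.100.20 [2024-03-01T10:02:03] "GET /booking/search" 200',
    '192.0.2.77 [2024-03-01T10:02:30] "GET /booking/search" 200',
    'this line is deliberately malformed and must be skipped',
]
# Constructed flood: 60 requests inside one minute from five addresses,
# with the application already answering 503.
FLOOD = [
    f'198.51.100.{100 + i % 5} [2024-03-01T10:03:{i:02d}] "GET /booking/search" 503'
    for i in range(60)
]
SAMPLE_LOG = BASELINE + FLOOD

# Constructed watchlist (documentation-range address, not a real Tor exit).
WATCHLIST = {"192.0.2.77": "known Tor exit node (constructed)"}


def parse_line(line):
    """Return a record dict for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "minute": ts[:16], "method": method, "path": path, "status": int(status)}


def parse_log(lines):
    """Parse every line; returns (records, number of skipped lines)."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return records, len(lines) - len(records)


def requests_per_minute(records):
    counts = Counter(r["minute"] for r in records)
    return dict(sorted(counts.items()))


def detect_spikes(per_minute, factor=5.0, min_requests=20):
    """Flag minutes at or above `factor` times the median minute and at least
    `min_requests`; the floor keeps a tiny baseline from alerting on noise."""
    if not per_minute:
        return []
    baseline = statistics.median(per_minute.values())
    threshold = max(min_requests, factor * baseline)
    return [(minute, n) for minute, n in per_minute.items() if n >= threshold]


def watchlist_hits(records, watchlist):
    seen = Counter(r["ip"] for r in records if r["ip"] in watchlist)
    return [(ip, watchlist[ip], n) for ip, n in sorted(seen.items())]


def triage(lines, watchlist=WATCHLIST):
    """Run all checks; returns a dict an analyst could hand to the response team."""
    records, skipped = parse_log(lines)
    per_minute = requests_per_minute(records)
    spikes = detect_spikes(per_minute)
    by_minute = defaultdict(Counter)
    for r in records:
        by_minute[r["minute"]][r["ip"]] += 1
    top_sources = {m: by_minute[m].most_common(5) for m, _ in spikes}
    error_share = {m: sum(1 for r in records if r["minute"] == m and r["status"] >= 500) / n
                   for m, n in spikes}
    return {"skipped_lines": skipped, "per_minute": per_minute, "spikes": spikes,
            "top_sources": top_sources, "error_share": error_share,
            "watchlist_hits": watchlist_hits(records, watchlist)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed input the 10:03 minute is flagged (60 requests against a median of 2), all of its responses are 5xx, and the one watchlisted address is reported separately; on real logs the median baseline should be computed over a longer window than the one being judged, and the thresholds tuned to the booking system's normal diurnal pattern.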

C. Minimizing Risks
The chosen risk was based on the two previous high-DDoS incidents that affected the transportation company's system. Management direction played a critical role in selecting what type of risk to manage (see Table VII).

1) Threat community profile:
Each threat was known to have its own community profile and could have different initiating factors or triggers. Below are common factors relating to cybersecurity attacks (particularly regarding DDoS; see Table VIII).

Trigger | Response actions
 | block the domain; request to take down the domain
A copy of a company application | request to remove the app
Employee login credentials on the dark Web | check the accounts; reset passwords; enable MFA
Company internal environment exposed | hide the internal environment; restrict access to authorized personnel only
Malware detected internally | remove the malware
User logon from a risky IP address | check with the user; block the IP
Activity from a Tor IP address | check with the user; block the IP
Files shared with an unauthorized domain | check with the user; block the domain

Threat community profile
Primary intent: Illegal activities to maximize profit.
Sponsorship: Non-state or illegal gangs.
Preferred general target characteristics: Easy financial gains via remote means.
Preferred targets: Financial services and retail organizations.
Capability: Professional, skilled, and well-funded hackers.
Personal risk tolerance: Relatively high, without being exposed.
Concern for collateral damage: Prefer to keep their identities hidden.

D. Likelihood Estimation
Threat event frequency (TEF) was used to estimate the likelihood of a threat, indicating the probable frequency within a given timeframe that a threat would result in loss (see Table IX). Similarly, loss-event frequency (LEF) was calculated to indicate the probable frequency within a given timeframe of a loss being expected to occur (see Table X).

1) Likelihood scale for the identified risk:
According to the previously identified incident, the likelihood of a DDoS attack being successful was 2 (as per the previous incident). Table XI was used to derive the loss event frequency (likelihood) and total risk category to be input into the risk matrix.

2) Impact identification:
Table XII shows the total impacts due to loss of availability. Impact types varied between lost revenue, the cost of hiring an incident response team, and the cost of investigating the crime (i.e., forensics cost). Table XIII shows the availability impact scale used by the company to identify the severity of an impact for the risk matrix. According to the scenario provided by the company's IT team, the DDoS attack was repeated twice, resulting in an approximate downtime of four hours (see Table XIV).

3) Risk matrix:
The following risk matrix includes two factors: impact and likelihood. Both factors have a rating scale of 1-4, as shown in the previous scaling tables. The IT team identified the likelihood of the risk occurring as stated in the scenario (i.e., twice a year; medium rating = 2), and the teams also measured the loss impact of four hours of total system downtime (very high rating = 4). The risk level was then calculated as the likelihood of risk occurrence * impact of a loss, resulting in a risk level of eight (see Table XV).
The company's main risk objective was to protect the organization's information and technology assets by maintaining confidentiality, integrity, and availability of service effectively with minimum cost and without affecting business operations. The strategy for responding to risks depended on the individual risk situation and was based on risk assessments and recommendations from decision-makers. As shown in Table XV, the risk level was relatively high and needed to be managed; hence, the transportation company decided to mitigate the risk by applying appropriate countermeasures. A list of countermeasures suggested by IT experts was prepared by the transportation company's IT team (see Fig. 2).

a) Internal controls
Procedures: enhance the DDoS Response Plan with:
• a systems checklist including all assets to ensure advanced threat identification and assessment.
• notifications and escalation procedures for quick recovery.
Training:
• train special teams to extensively monitor traffic and look for abnormalities, including unexplained traffic spikes and visits from suspect IP addresses and geolocations.
• create additional response teams to minimize the impact of attacks.
• purchase threat intelligence software to monitor social media and the dark Web for threats, suspicious conversations, and boasts that may hint at an incoming attack.
Outsourcing:
• use third-party DDoS testing (i.e., pen testing) to simulate attacks against IT infrastructure so that the company can be prepared for any real threats.
• use DDoS-as-a-service to provide improved flexibility for environments that combine in-house and third-party resources, or cloud and dedicated server hosting.
• outsource DDoS prevention to cloud-based service providers operated by software engineers whose job consists of monitoring the Web for the latest DDoS tactics.

For decision-makers to choose between countermeasures for mitigating DDoS attacks, IT experts used the following scale to evaluate the effectiveness of each control. Each control had a corresponding estimated cost and effectiveness rating (see Tables XVI and XVII). The following criteria were used to choose the appropriate controls:
• If the control will reduce the risk more than needed, a less expensive alternative should be used.
• If the control will cost more than the risk reduction provided, an alternative should be used.
• If the control does not sufficiently reduce the risk, either more or different controls should be used.
• If the control provides sufficient risk reduction and is the most cost-effective option, use it.

Table XVII (extract): Outsource DDoS prevention to a cloud-based service | 500,000 | Fully effective

c) Suggested controls for implementation:
A cost-benefit analysis was conducted to identify the most appropriate controls and provide the greatest benefit to the company given the available resources. Two selected controls were recommended for implementation based on a cost-benefit analysis performed to justify why decision-makers should implement them (see Table XVIII).

E. Cost-Benefit Analysis
The selected controls minimized the likelihood of a DDoS risk occurring twice to 0 or 1 (very low rating = 1), while the impact of DDoS was reduced from a total downtime of three hours to a medium impact (30 min-1 h), with a score of 2 (see Tables XIX and XX). With these values (Table XXI), the new risk level was calculated as the likelihood of risk occurrence * impact of a loss, resulting in a residual risk level of two.
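The risk matrix in Section D.3 (likelihood 2 times impact 4 gives a risk level of 8), the four control-selection criteria in Section D.3.a and the residual level of 2 computed above are small enough to carry through in code. The block below is an added example, not code from the paper or the company: it encodes the two 1-4 scales, maps downtime to an impact rating, scores the scenario, and applies the paper's four criteria to a candidate list of controls. Only the rating points the paper states (likelihood very low = 1 and medium = 2; impact medium = 2 and very high = 4), the 500,000 cost quoted for cloud-based DDoS prevention and the 30 min-1 h band are taken from the page; the remaining scale labels, the other downtime boundaries, the other control costs, the residual ratings and the monetary value per risk level are constructed assumptions.

```python
"""Risk-matrix scoring and control selection for the booking-system DDoS case.

Added example, not code from the paper or the company. Scale labels beyond
those the paper states, downtime boundaries, the value per risk level and all
control data except the 500,000 cloud-prevention cost are constructed.
"""
from dataclasses import dataclass

# Rating scales. The paper states likelihood very low = 1, medium = 2 and
# impact medium = 2, very high = 4; the other labels are assumed.
LIKELIHOOD = {1: "very low", 2: "medium", 3: "high", 4: "very high"}
IMPACT = {1: "very low", 2: "medium", 3: "high", 4: "very high"}


def risk_level(likelihood: int, impact: int) -> int:
    """Risk level = likelihood rating * impact rating (both 1-4)."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("ratings must be integers 1-4")
    return likelihood * impact


def downtime_to_impact(minutes: float) -> int:
    """Map availability loss to an impact rating.

    Anchored on the paper's two points (30 min-1 h -> 2, four hours -> 4);
    the 30-minute and 2-hour boundaries are assumptions.
    """
    if minutes <= 30:
        return 1
    if minutes <= 60:
        return 2
    if minutes <= 120:
        return 3
    return 4


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                 # estimated cost (constructed except where noted)
    residual_likelihood: int    # likelihood rating expected with the control in place
    residual_impact: int        # impact rating expected with the control in place

    @property
    def residual_risk(self) -> int:
        return risk_level(self.residual_likelihood, self.residual_impact)


def evaluate_controls(controls, current_risk, target_risk, value_per_level):
    """Apply the paper's four selection criteria; returns (chosen, verdicts).

    value_per_level is the assumed monetary worth of lowering the risk level by
    one point, so risk reduction value = levels removed * value_per_level.
    """
    verdicts, candidates = {}, []
    for c in controls:
        reduction_value = (current_risk - c.residual_risk) * value_per_level
        if c.residual_risk > target_risk:
            verdicts[c.name] = "insufficient: use more or different controls"
        elif c.cost > reduction_value:
            verdicts[c.name] = "costs more than the risk reduction it provides"
        else:
            candidates.append(c)
    if not candidates:
        return None, verdicts
    # The cheapest sufficient control wins; one that reduces risk further than
    # needed is only kept when no cheaper sufficient alternative exists.
    chosen = min(candidates, key=lambda c: c.cost)
    for c in candidates:
        if c is chosen:
            verdicts[c.name] = "sufficient and most cost-effective: implement"
        elif c.residual_risk < chosen.residual_risk:
            verdicts[c.name] = "reduces risk more than needed: cheaper alternative preferred"
        else:
            verdicts[c.name] = "sufficient but not the most cost-effective"
    return chosen, verdicts


# Scenario from the paper: two incidents a year (likelihood 2) and about four
# hours of downtime (impact 4); target residual level after controls is 2.
CURRENT_RISK = risk_level(2, downtime_to_impact(240))
TARGET_RISK = 2

CONTROLS = [  # residual ratings and all costs except 500,000 are constructed
    Control("Enhance DDoS response plan", 50_000, 2, 3),
    Control("Third-party DDoS testing", 120_000, 2, 2),
    Control("Outsource DDoS prevention to a cloud-based service", 500_000, 1, 2),
    Control("DDoS-as-a-service, premium tier", 900_000, 1, 1),
    Control("Dedicated on-premises scrubbing appliances", 2_000_000, 1, 1),
]


def run_case(value_per_level: float = 150_000):
    """Score the scenario and pick a control; value_per_level is assumed."""
    chosen, verdicts = evaluate_controls(CONTROLS, CURRENT_RISK, TARGET_RISK, value_per_level)
    return {"current_risk": CURRENT_RISK,
            "chosen": chosen.name if chosen else None,
            "residual_risk": chosen.residual_risk if chosen else None,
            "verdicts": verdicts}


if __name__ == "__main__":
    for key, value in run_case().items():
        print(f"{key}: {value}")
```

With the constructed figures the scenario scores 8, the two cheaper controls are rejected as insufficient, the appliance purchase is rejected because its cost exceeds the value of the reduction, the premium service is set aside as reducing risk more than needed, and the 500,000 cloud-based prevention service is chosen with a residual level of 2, matching the paper's before-and-after numbers; the value per level is the input a real assessment would replace with the loss figures from Table XII.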

III. CONCLUSION
As shown in the case study scenario, the risk assessment identified the most critical attacks on the transportation company's booking system and provided suitable countermeasures to minimize the risk of attacks. The risk level decreased from eight to two, indicating the effectiveness of the selected countermeasures. Risk assessment was extremely useful for assessing potential risks and suggesting useful controls. Moreover, the two identified DDoS attacks were mitigated by implementing suitable controls, and recommendations were made to analyze and monitor incidents and increase the company's preparedness for another wave of DDoS or other attacks.