Press Release

Understanding Cyber Threats in Transport

The European Union Agency for Cybersecurity (ENISA) publishes its first cyber threat landscape report dedicated to the transport sector.

Published on March 21, 2023

This new report maps and analyses cyber incidents in relation to aviation, maritime, railway and road transport covering the period of January 2021 to October 2022.

The report brings new insights into the cyber threats of the transport sector. In addition to the identification of prime threats and the analysis of incidents, the report includes an assessment of threat actors, an analysis of motivations driving their actions and introduces major trends for each sub-sector.

EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, stated that “Transport is a key sector of our economy that we depend on in both our personal and professional lives. Understanding the distribution of cyber threats, motivations, trends and patterns as well as their potential impact, is crucial if we want to improve the cybersecurity of the critical infrastructures involved."

Prime threats affecting the transport sector

  • ransomware attacks;
  • data related threats;
  • malware;
  • denial-of-service (DoS), distributed denial-of-service (DDoS) and ransom denial-of-service (RDoS) attacks;
  • phishing / spear phishing;
  • supply-chain attacks.

Ransomware attacks have become the most prominent threat against the sector in 2022, with attacks having almost doubled, rising from 13% in 2021 to 25% in 2022.  They are closely followed by data related threats (breaches, leaks) as cybercriminals target credentials, employee and customer data as well as intellectual property for profit. The attacks are considered to be planned in an opportunistic nature, as we have not observed known groups targeting the transport sector exclusively.

More than half of the incidents observed in the reporting period were linked to cybercriminals (55%). They apply the “follow the money” philosophy in their modus operandi.

Attacks by hacktivists are on the rise. One fourth of the attacks are linked to hacktivist groups (23%), with the motivation of their attacks usually being linked to the geopolitical environment and aiming at operational disruption or guided by ideological motivation. These actors mostly resort to DDoS attacks and mainly target European airports, railways and transport authorities. The rates of these attacks are focused on specific regions and are affected by current geopolitical tensions.

State-sponsored actors were more often attributed to targeting the maritime sector or targeting government authorities of transport. These are part of the ‘All transport’ category which include incidents targeting the transport sector as a whole. This category therefore includes national or international transport organisations of all subsectors as well as ministries of transport.

Observed incidents in each sector


Faced with multiple threats, aviation contends with data-related threats as the most prominent, coupled by ransomware and malware. Customer data of airlines and proprietary information of original equipment manufacturers (OEM) are the prime targeted assets of the sector. Fraudulent websites impersonating airlines have become a significant threat in 2022, while the number of ransomware attacks affecting airports has increased.


Threats targeting the maritime sector include ransomware, malware, and phishing attacks targeted towards port authorities, port operators, and manufacturers. State-sponsored attackers often carry out politically motivated attacks leading to operational disruptions at ports and on vessels.


For the railway sector, threats identified range from ransomware to data-related threats primarily targeting IT systems like passenger services, ticketing systems, and mobile applications, causing service disruptions. Hacktivist groups have been conducting DDoS attacks against railway companies with an increasing rate, primarily due to Russia's invasion of Ukraine.


The threats in the road sector are predominantly ransomware attacks, followed by data-related threats and malware. The automotive industry, especially OEM and tier-X suppliers, has been targeted by ransomware which has led to production disruptions. Data-related threats primarily target IT systems to acquire customer and employee data as well as proprietary information.

On the availability and reliability of data: challenges in incident reporting

Although ENISA gathered data from a variety of sources to perform its analysis, the knowledge and information on incidents remain limited to those incidents officially reported and for which information was publicly disclosed. Such disclosed incidents on which ENISA based its analysis and conclusions however are likely to under represent reality if non-disclosed ones outweigh those made public.

Despite Member States having legal requirements for the mandatory reporting of incidents, it is often the case that cyberattacks are disclosed by the attacker first.

In the EU, the revised Directive on measures for a high common level of cybersecurity across the Union (NIS2) and the additional notification provisions for security incidents aim to support a better mapping and understanding of relevant incidents.


The ENISA threat landscape reports help decision-makers, policy-makers and security specialists define strategies to defend citizens, organisations and cyberspace. This work is part of the EU Agency for Cybersecurity’s annual work programme to provide strategic intelligence to its stakeholders.

Information sources used for the purpose of this study include open-source intelligence (OSINT) and the Agency’s own cyber threat intelligence capabilities. The work also integrates information from desk research of available data such as news articles, expert opinions, intelligence reports, incident analyses and security research reports.

The data analysed also result from the input received within the frame of the interviews performed with members of the ENISA Cyber Threat Landscapes Working Group (CTL working group).

The analysis and views included in the threat landscape reports by ENISA is industry and vendor neutral.

Further information

ENISA Threat Landscape: Transport Sector 2023

ENISA Threat Landscape 2022 - Infographic

ENISA Threat Landscape Report 2022

ENISA Threat Landscape Supply Chain                                                                               

ENISA Threat Landscape for Ransomware Attacks – May 2021 – June 2022

Directive on measures for a high common level of cybersecurity across the Union (NIS2)


For press questions and interviews, please contact press (at)

This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies