Cybersecurity. That word alone makes people’s eyes roll back in their heads. Most people are proficient using computers, but understanding how they work? That’s above their pay grade. Most people recognize that certain threats exist, but they haven’t the foggiest idea how to effectively protect against them. Consequently, many of us put off learning about protection or taking the steps necessary to secure our data and limit access to sensitive parts of our networks.
One part of the problem is that many people don’t know where to go to get the resources or the training to deal with the problem. Another part is that many think the solution is more complicated than it actually is. And a third stumbling block is assuming that hackers couldn’t possibly be interested in such a small company. “I’m just a little guy, I’ve only got 10 trucks. Why would anyone want to attack me?”
“The answer is that small companies are easy prey,” says Mark Zachos, general manager of vehicle network solutions company DG Technologies of Farmington Hills, Michigan. He’s also the chair of the American Trucking Associations’ Technology and Maintenance Council’s S.5 Cybersecurity Issues task force.
“The big guys are well defended,” Zachos says. “They have built up their defensive shields and they know the value of strong passwords and two-factor authentication. They have their data encrypted and stored in the cloud. When it comes to the smaller, poorly protected companies it’s a matter of volume. Attackers go after hundreds of companies at a time, and two or three attempts might be successful. To the hacker, that could still mean dozens or hundreds of thousands of dollars in ill-gotten revenue.”
In a so-called ransomware attack, criminals will insert some code into a company’s files that on command will encrypt all the data, rendering it inaccessible. The attackers then demand payment, or ransom, to decrypt the files. However, fewer than half of companies ever see their data again, despite paying the ransom, Zachos says.
The latest trend in ransomware attacks is potentially even more catastrophic. Attackers seize a company’s private data and threaten to release it publicly or sell it to the highest bidder. Wired Magazine recently reported Apple Computers suffered such an attack launched against a third-party supplier. Thieves stole documents and drawings related to upcoming laptop computers and offered them for sale online.
While it’s unlikely a 10-truck fleet would fall victim to such a scheme, you can imagine how a much larger company could be severely compromised by an extortion attack.
Protecting your company from cyber attacks doesn’t have to be expensive or complicated. Windows-based PCs have Windows Defender built into the operating system. Aftermarket security products from Norton, McAfee, or Malwarebytes can add layers of protection. More sophisticated commercial products are available that offer additional protection or network configuration options. Internet security specialists can help install and configure those products based on fleets’ needs, but basic online security isn’t that complicated.
In any case, basic electronic security begins with good online habits and staff training on how to avoid unwanted intrusions in the first place.
Click With Caution
The majority, about 90%, of cybersecurity attacks come from phishing emails, Zachos says. You have undoubtedly received numerous emails from what appear to be friends or familiar entertainment streaming services, online retailers, banks, or even government agencies. They urge you to take some sort of action like updating your profile or verifying an account. They usually offer convenient links to follow or include attachments for you to review.
“Those attachments are usually malicious viruses that instead of opening a PDF or an image, it opens up and runs a program in the background on your computer that you don’t even know about,” he says. “Even legitimate looking attachments like spreadsheet documents can contain macros that can be used to start a program executing in the background.”
It would be easy to imagine a busy employee habitually clicking on such a file and triggering an unpleasant chain of events.
These email messages are often nicely packaged and look very much like what you’d expect from, say, Netflix. The sender’s email address can be spoofed to look like it came from Netflix, but the sender’s real address can often be revealed by hovering your cursor over the address, like this example from my own inbox: The address shown was email@example.com, but the sender’s address was actually firstname.lastname@example.org. That’s probably not legitimate either, but it’s clearly not from the popular streaming service.
“Those login links are trying to trick you into giving up your login credentials,” says Jane Jazrawy, co-founder and CEO of CarriersEdge. “One of the easiest ways to break into a system is by tricking a user into giving up their password or some of their login credentials. Sometimes a request will come from a coworker’s email address asking for a phone number or a password.”
Jazrawy says new employees are more vulnerable because they want to be seen as cooperative team players and happy to help.
“Social media platforms like Facebook and LinkedIn make it easy for hackers to search out names of people who have just started a new job with a company,” she cautions.
During evaluations for its Best Fleets to Drive For program, Jazrawy says a very low percentage of carriers trained their drivers or office staff in cybersecurity best practices.
“People would say, well, our drivers don’t really have access to our internal systems so it’s not a problem,” she says. “However, drivers and internal staff are texting and emailing each other, and those lines of communication are vulnerable.”
Zachos urges fleets to teach staff to be wary of every email they open, even from trusted sources.
“There’s usually some tell-tale indicator of fraud, such as misspelled names, odd-looking formatting, and foreign languages, but some of them can be pretty convincing,” he says. “Opening the email isn’t a real hazard, but clicking on links or opening attachments, especially from unfamiliar senders, is risky.”
CarriersEdge and others offer courses in cybersecurity and mitigation measures, but Jazrawy says they are not among the company’s most popular course offerings.
How Secure Are Trucks?
Trucks are rolling data factories, cranking out gigabytes of information every day. And they are very connected, through cellular and satellite telematics devices, Bluetooth, and various internet-facing platforms. And then there are the peripherals drivers connect to the truck for personal use. It’s safe to say many of those products may not have built-in data encryption and offer only the most basic privacy protection.
Even ELDs are a potential source of unauthorized access. A bulletin distributed to the trucking industry by the FBI in 2020 warned that cyber criminals could exploit vulnerabilities in those devices. But it goes much deeper.
According to Michael Dick, president and co-founder of automotive cybersecurity lifecycle management platform C2A Security, every connected component on a truck is at least somewhat vulnerable to cyber attack – including electronic braking and steering systems, navigation systems and automated safety systems.
“Until very recently, there was no definition of who’s responsible for cybersecurity, whether it’s the manufacturers or the Tier 1 suppliers or whoever,” he says. “Most of the components of the truck are outsourced and therefore integration is a big challenge for the OEM. It’s a very complicated supply chain.”
Dick says individual components, the networks they are connected to, and upstream and downstream components all function as a single system, so any potential infection in one vulnerable component could affect the rest of the network and ultimately have an impact at the vehicle level.
Recently, the United Nations Economic Commission for Europe, under a protocol called WP.29, established a chain of responsibility that forces manufacturers and their suppliers to manage vehicle cybersecurity through testing, threat analysis and risk assessment, and data sharing. As with almost every United Nations-based endeavor, the scope of the program is big and hairy, but the outcome of the effort means that vehicles sold in 14 specific countries (and by extension through globalization and at-scale manufacturing) have to be as hardened against attack as they can be for the life of the vehicle.
It’s a massive undertaking and it’s due to come into force in June 2022.
“In order to get type approval for any new on-road vehicle in any of the UNECE countries, manufacturers will have to be compliant,” Dick says.
Not all US-based manufacturers are signatories to this agreement, but because they sell vehicles into those 14 signatory nations, they will have to comply with WP.29 as well.
Dick says the threat to safety was the governments’ priority in developing these standards. They weren’t concerned about ransomware or denial of service attacks, the threat to national security of planned attacks carried out by a vehicle, or severe damage to critical supply chain elements – like electronically disabling trucks.
Zachos says Russian hackers are working at a feverish pace trying to disrupt global distribution in an effort to stall weapons delivery to Ukraine and curb the flow of vital energy resources to dependent nations. If they could succeed with a zero-day attack that shut down trucks or other critical infrastructure, we’d be in a heck of a mess.
“They’re not going to like hijack a truck and crash it into the White House, they’re looking to find a convenient place to disable something at the worst possible time like bringing commercial traffic to a halt on the George Washington Bridge at 9 a.m. on a Monday morning,” he says. “We’re not talking about common cyber-criminals. We’re talking about very sophisticated and resource-rich nation states whose goals are to shut down or disrupt global supply chains.”
The Genie Is Out of the Bottle
That kind of attack is no longer fodder for science fiction buffs. Those types of attacks are carried out on a regular basis in laboratories around the world and in real life, but on a smaller scale.
“Cars are stolen that way all the time,” Dick says.
Given the sheer number of trucks built in the last decade and still in operation, the security vulnerabilities are manifest. Dick says the best way to minimize the chances of a vehicle hack is to avoid plugging anything into the on-board diagnostic port on the truck.
“That’s nice to say that, but it’s not realistic,” he adds. “There are hundreds of fleets of trucks driving around the US with boxes connected to the OBD port. The real challenge comes from the aftermarket. Even with WP.29, OEMs can take steps to secure the system, but if someone plugs in an unprotected device or something with malicious code embedded, well, that could be a serious problem.”
As noted earlier, cybersecurity threats are systemic and there are weaknesses at every level. From office staff mistakenly opening malicious emails to a driver plugging some kind of personal device into the OBD port, your trucks and your operation are probably more vulnerable than you realize.
This article first appeared in the May 2022 issue of Heavy Duty Trucking.