When Harold Sumerford’s phone rang at 2:30 a.m. on April 2, he knew the news couldn’t be good. But he figured it was probably the safety department – not the CFO telling him the company’s entire computer system was down from a ransomware attack.
The CEO of J&M Tank Lines, Sumerford shared the headaches and lessons learned from that experience as part of a panel discussion on cybersecurity on Oct. 6 during the American Trucking Associations’ Management Conference and Exhibition in San Diego.
Although the company was able to get the email and phone systems back up in a few hours, it took four days to get functional again. Although they had backups, he said, in layman’s terms, the computer system “could see the data but didn’t know what it meant.” It was a painstaking process to go through all the lines of code and make it interpretable by the computer system. And during those four days, they weren’t able to bill any customers or enter anything into the system. Drivers got their paychecks only because J&M simply paid them the exact same amount they received the previous week.
J&M was just one example of a rapidly growing problem with cybersecurity in the trucking industry. Transportation and logistics companies are now among the top-targeted industries by computer hackers, according to the panel. In fact, a recent article on ZDNet reported that “hackers are deploying previously unknown tools in a cyberattack campaign targeting shipping and transport organizations with custom trojan malware.”
Trucking's Cybersecurity Vulnerabilities
Sharon Reynolds, chief information security officer for Omnitracs, explained that the “attack surface” vulnerable to hackers in the trucking industry is ever-expanding and includes:
- CAN bus exploits on vehicles
- Connectivity via satellite, wireless, cellular and Bluetooth
- Internet-facing networks and platforms
Trucks, laptops, mobile phones, etc., connect to web services. Then there are web-based platforms we use such as GoToMeeting or SalesForce that are also points of connection. “So when you talk about the attack surface, think about the whole ecosystem,” she said. “These are all points of ingress and egress.”
Sometimes the point of vulnerability isn’t technology-based at all, but human-based. Moderator Ken Craig, vice president of special projects for McLeod Software, later shared with HDT a story of a “white-hat” test probing a company’s defenses. Unable to find a weakness via computer, the “hacker” called the company’s main phone line and went down the company directory until he found someone whose outgoing voice mail said they were on vacation for the next two weeks. He then mimicked that employee’s voice to call the company’s IT help desk, saying she was having trouble logging in remotely, and got the access information needed.
“A high number of people do not survive these attacks financially,” Sumerford said. “This has to be a strategic priority.”
6 Things to Do to Protect Your Company from Hackers
The panel offered a number of strategies to help prevent cyberattacks and mitigate their consequences:
1. Conduct an assessment
Joseph Saunders, CEO of RunSafe Security, said there are many assessments available that you can use as a framework to evaluate the vulnerabilities in your organization. Generally, he said, there are about 100 questions to ask yourself. You can do it internally or hire an outside party to help (but don’t pay more than $15,000, he said). It’s a good idea to do a new assessment once a year.
2. Conduct a penetration test
In a penetration test, an outside party, a “white hat hacker,” tests and probes your systems looking for vulnerabilities. Don’t tell your team you’re doing it, or they will become more vigilant and skew the results. This is a separate assessment from the self-assessment, and the results may be similar, or the white hat may find something that you did not uncover previously. Like the assessment, don’t just do it once. Repeat every year or two.
As an example of a penetration test, Reynolds cited the Cyber Truck Challenge held in Detroit annually. "We bring our equipment, and college students and professional white-hat hackers hack our devices in an NDA (non-disclosure agreement) environment, and we get that feedback and can go back and say to developers, you missed this."
3. Prioritize the risks
You can apply a simple risk management framework, Saunders said. On one axis, plot the weaknesses you uncover based on the likelihood of an attack. On the other axis, plot them based on the significance of their impact. The items in the upper-right-hand quadrant that are both most likely and can do the most damage are the ones you want to address first.
“You only have a finite number of resources you can throw at this,” Reynolds added. “So identify the most critical things — but have your containment and mitigation plan in place for those critical systems.”
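The two-axis ranking Saunders describes is easy to put into a small risk register tool. The script below is an added example, not code from the panel or from any of the companies named; the findings, the 1-to-5 scales and the axis midpoint are constructed assumptions. It scores each finding by likelihood times impact, assigns it to one of the four quadrants, and orders the list so the upper-right quadrant comes out first, with the rest following by score.

```python
"""Two-axis risk prioritization (step 3): likelihood x impact, upper-right first.

Added example with constructed sample findings; the 1..5 scales and the
midpoint of 3 are assumptions, not the panel's numbers.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5
MIDPOINT = 3  # axis value at or above which an axis counts as "high"


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: int  # 1 = rare .. 5 = almost certain
    impact: int      # 1 = negligible .. 5 = stops the business

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def validate(f: Finding) -> None:
    """Reject findings whose axis values fall outside the agreed scale."""
    for label, value in (("likelihood", f.likelihood), ("impact", f.impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{f.name}: {label} {value} outside {SCALE_MIN}..{SCALE_MAX}")


def quadrant(f: Finding) -> str:
    """Place a finding on the likelihood (x) / impact (y) grid."""
    high_likelihood = f.likelihood >= MIDPOINT
    high_impact = f.impact >= MIDPOINT
    if high_likelihood and high_impact:
        return "upper-right"  # likely and damaging: address first
    if high_impact:
        return "upper-left"   # damaging but unlikely: containment plan ready
    if high_likelihood:
        return "lower-right"  # likely but low impact: routine hygiene
    return "lower-left"       # accept and monitor


QUADRANT_ORDER = {"upper-right": 0, "upper-left": 1, "lower-right": 2, "lower-left": 3}


def prioritize(findings):
    """Return findings sorted: upper-right quadrant first, then by score, impact, name."""
    for f in findings:
        validate(f)
    return sorted(
        findings,
        key=lambda f: (QUADRANT_ORDER[quadrant(f)], -f.score, -f.impact, f.name),
    )


# Constructed sample findings, as an assessment might produce them.
SAMPLE_FINDINGS = [
    Finding("Unpatched VPN appliance", likelihood=5, impact=5),
    Finding("TMS server backups never restore-tested", likelihood=3, impact=5),
    Finding("Help desk resets passwords over the phone", likelihood=4, impact=4),
    Finding("Telematics gateway still on default credentials", likelihood=2, impact=5),
    Finding("Shared dispatch workstation never locks", likelihood=4, impact=2),
    Finding("Guest Wi-Fi password printed on lobby poster", likelihood=2, impact=1),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{quadrant(f):12} score={f.score:2}  {f.name}")
```

The helper voice-mail story earlier in the article would land in the upper-right here: a phone-based reset is both likely to be tried and able to hand over remote access. Reynolds' point about containment is reflected in the upper-left bucket, which holds findings that are unlikely but severe enough to need a ready-made response rather than a fix queued behind everything else.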
4. Apply software patches
Saunders compared software patches to washing your hands – it’s something that can prevent viruses, but only if you do it consistently. Yes, it’s a pain, but make it a regular part of operations and maintenance. Talk to your suppliers – they’re regularly coming up with fixes for weaknesses they find in their offerings, and you need to come up with operations that install them consistently.
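"Install them consistently" is the part that is easy to claim and hard to prove, so the check below, an added example rather than anything the panelists or their companies provided, compares an asset inventory against the vendor-fixed versions you track and reports which hosts are still behind. Products, version numbers and host names are constructed sample data. Versions are compared numerically, field by field, because a plain string comparison would rank firmware "3.9.12" above "3.10.0" and silently hide a gap.

```python
"""Patch-consistency check (step 4): which hosts are still below the vendor fix?

Added example. FIXED_VERSIONS and INVENTORY are constructed sample data,
not real vendor advisories or a real fleet.
"""


def parse_version(v: str) -> tuple:
    """Turn '3.10.0' into (3, 10, 0); non-digit suffixes like '7b' are ignored."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the vendor's fixed release."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # '3.10' compares as '3.10.0'
    b += (0,) * (width - len(b))
    return a >= b


# Minimum versions that carry the vendor's fix (constructed).
FIXED_VERSIONS = {
    "tms-server": "12.4.2",
    "vpn-appliance": "9.1.7",
    "eld-gateway-fw": "3.10.0",
}

# Asset inventory as an export from a configuration database might look (constructed).
INVENTORY = [
    {"host": "tms01", "product": "tms-server", "version": "12.4.2"},
    {"host": "tms02", "product": "tms-server", "version": "12.3.9"},
    {"host": "vpn-edge", "product": "vpn-appliance", "version": "9.1.7"},
    {"host": "truck-0417", "product": "eld-gateway-fw", "version": "3.9.12"},
    {"host": "truck-0418", "product": "eld-gateway-fw", "version": "3.10.0"},
    {"host": "truck-0419", "product": "eld-gateway-fw", "version": "3.2"},
    {"host": "kiosk-lobby", "product": "signage-player", "version": "1.0"},
]


def patch_gaps(inventory, fixed_versions):
    """List every host whose product has a known fix baseline it does not meet."""
    gaps = []
    for item in inventory:
        baseline = fixed_versions.get(item["product"])
        if baseline is None:
            continue  # no baseline tracked for this product; nothing to compare against
        if not is_fixed(item["version"], baseline):
            gaps.append({"host": item["host"], "product": item["product"],
                         "installed": item["version"], "fixed_in": baseline})
    return gaps


def coverage(inventory, fixed_versions):
    """Per-product fraction of hosts at or above the baseline: the consistency number."""
    totals, ok = {}, {}
    for item in inventory:
        baseline = fixed_versions.get(item["product"])
        if baseline is None:
            continue
        totals[item["product"]] = totals.get(item["product"], 0) + 1
        if is_fixed(item["version"], baseline):
            ok[item["product"]] = ok.get(item["product"], 0) + 1
    return {p: ok.get(p, 0) / n for p, n in totals.items()}


if __name__ == "__main__":
    for gap in patch_gaps(INVENTORY, FIXED_VERSIONS):
        print(f"{gap['host']:12} {gap['product']:15} {gap['installed']:>8} -> fix in {gap['fixed_in']}")
    for product, frac in coverage(INVENTORY, FIXED_VERSIONS).items():
        print(f"{product:15} {frac:.0%} patched")
```

Run against a real inventory export, the coverage figure is the one to report to management alongside the list of laggards; a product sitting at one-third coverage months after the vendor fix is exactly the inconsistency Saunders warns about, whatever the individual patch tickets say.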
5. Consider insurance
One of the things J&M Tank Lines did after its attack was purchase a cyber insurance plan. “Cyber insurance is becoming really critical,” said Omnitracs’ Reynolds. “Like any other business risk we insure for, it’s important to view it as a business risk.” However, companies will generally require you to put a robust cyber security program in place as part of the deal. “You have to have good cyber hygiene or they won’t pay.” Sumerford said J&M just renewed its insurance; “We have a pretty in-depth cyber security plan of action.” Which leads us to…
6. Create an incident response plan
Don’t wait until you get that phone call at 2:30 a.m. to figure out what you’re going to do if and when your company is the victim of a cyber-attack, Saunders said. “Knowing what to do when you get that phone call in the middle of the night is key.” Questions to ask yourself include:
- Who is in charge?
- Who gets notified?
- Who is the response team?
- Who is your forensics team? The panel emphasized that it’s important to build the relationship with that forensics company before you have the attack. It’s not exactly a good time to be trying to set up a purchase order with your computers down. Set up a retainer arrangement, Reynolds suggested. “This way, you can call and say, ‘It’s happened, boots on the ground.’”
- Who is your FBI or DHS contact? Again, the time to meet your FBI or Department of Homeland Security contact is not when you’re in the middle of a cyber attack situation. “You don’t want to cold-call the FBI,” Craig said.
- Will you pay the ransom?
Saunders said that while these are good things to do in the short term, in the long term the industry needs to find better ways to “disrupt hacker economics.”
“Oftentimes if they can find a vulnerability in one place, they’re going to do it again and again,” he said. In fact, automated exploits are used in nearly 70 percent of cyber-attacks. “This is an underground business as sophisticated as the ones you operate. The idea is to disrupt hacker economics.”
The military has learned this lesson with drones. “If you think about a fleet of drones… each one is functionally identical, they have the same software, so if there’s a vulnerability on one, it exists in all. The military figured out if you could make it functionally identical but logically unique, so each one is different from an attacker’s perspective, then they have to spend a lot of time to work on each drone. This disrupts the hacker economy.”