When I was a driver, I would hear from other drivers that a particular truck stop had seen a rash of cargo thefts and was best avoided or, at best, only used during daylight hours. I’d act accordingly and plan my route to avoid stopping there.

Those exchanges were threat intelligence sharing at a small scale. The trucking community has historically been good at this kind of sharing. We look out for each other.

I have spent the last few columns addressing specific threats, such as deepfakes, social engineering, and cyber-enabled cargo theft. This month, let’s look at how the industry tracks and shares information about those threats.

Why? Our current approach to threat intelligence sharing is leaving us exposed.

What is Threat Intelligence?

I’ll start with what good threat intelligence is not. It is not an endless feed of Common Vulnerabilities and Exposures that may or may not apply to your operation. It is not a movie-style wall of monitors with blinking red lights on a map.

Good threat intelligence answers three questions: What is happening? Who is doing it? What should we do about it?

Actionable threat intelligence is relevant, structured information about what the bad actors are doing, how they are doing it, who they are targeting right now, and how to stop them.

When all of these answers come from within the industry being targeted, the intelligence is exponentially more useful than general threat intelligence sources.

But even this type of quality threat intelligence is only as good as the way it is shared. If it stays with those who collected it, it does nothing to help the community make better decisions about the kinds of controls to put in place. It does nothing to prevent others from being successfully attacked in the same way.

The Trucking Cybersecurity Threat Intelligence Landscape

Cybersecurity leaders across the trucking industry are talking to one another more than ever. They are breaking down the taboo that used to exist around talking about cyber incidents that happen to us. They are seeing real value from sharing lessons learned with their peers.

These informal executive networks are getting busier, and more and more industry cybersecurity professionals are joining the conversation.

There is a widespread recognition that the same attacker that hits one of us this month will target one of our peers next month — and that the way to stay one step ahead is to compare notes.

This cultural shift is a foundation we can build on. Cybersecurity leaders in the trucking industry are increasingly willing to stand up and say, “We got hit. Here’s how it happened and the lessons that we learned.”

This is an openness that did not exist five years ago.

However, many of these conversations are limited in scope and informal in nature. A conversation at a conference, a phone call to a peer at another company. They are not structured in a way that lets the spread of intelligence scale to fleets that were not in the room or on the call.

General Cybersecurity Alerts Don’t Tell the Whole Story

The cybersecurity industry’s vendor reports, government advisories, or paid threat feeds are general threat intelligence that typically is not built for transportation. Most of these threat bulletins are written for banks, hospitals, the manufacturing industry, or educational institutions.

The alerts don’t speak to what transportation management system (TMS) platforms or load boards a threat actor may be abusing, or whether they are using a stolen MC number to worm their way into a broker/carrier relationship.

General threat intelligence can keep us up to date with what is happening in the broader cybersecurity world, but not what is happening in trucking specifically.

The Gap

The problem isn’t awareness. It’s information flow.

The trucking industry has lots of information but not enough timely operational intelligence.

Cargo crime has existed as long as trucking itself. But it has reached stratospheric new heights in the past few years and has become intertwined with cybersecurity.

There are many highly informative trend reports and annual reports containing a trove of facts and statistics about the issue. But they are not threat intelligence. They don't provide the timely, relevant, and actionable details that defenders need in their day-to-day fight against cybercriminals and cargo thieves.

Why Fleets Hesitate to Report Cargo Theft — And Why That's a Problem

When cargo theft occurs, many fleets and brokers share only what they must with insurers, affected customers, and possibly law enforcement. The hesitation is understandable. Admitting a theft — especially one tied to a process failure or social engineering attack — can feel like advertising weakness and risking future business.

But cargo theft is not a private problem. A tactic that works against one fleet today will likely be used against another tomorrow.

The criminals behind these schemes communicate constantly. They share what works, warn each other about new detection methods, and avoid companies where the protections make the effort too difficult.

The industry needs to respond the same way — by sharing information quickly, openly, and efficiently.

What's really happening in cybersecurity or in cargo crime is not found in polished trend reports. It is found in the unvarnished accounts from other fleets of what actually happened to them. What they saw, how they detected it, and what lessons they learned. This information, in real time, becomes the kind of threat intelligence we currently lack.

Anonymous, structured reporting fills this gap. No company details shared, no press release explaining what went wrong. Simply a data point that, when combined with hundreds of others from across the industry, lets us all see what’s coming before it hits us.

What You Can Do Right Now

There are three steps you can take to help turn the tide in our industry’s fight against both cybercrime and cargo crime.

• Build a security culture in your organization. Ensure that every cyber event, cargo crime, successful and near misses are captured and documented.
• Designate a single point of contact for external intelligence sharing.
• Take advantage of the intelligence sharing channels that do exist. Talk to your peers, file anonymous reports. There is no downside to contributing in this way.

NMFTA is launching a new Threat Report Portal in June. Anonymous. Built specifically for the trucking industry. It covers both cybercrime and cargo crime in one place because we are all facing both of these increasingly intertwined issues, and we need actionable threat intelligence on both.

Contact NMFTA for more information or to get involved.

A fleet that reports an event is not a weak one. It is the one quietly protecting the rest of the industry from the same attack.