Connected Fleets and Cybersecurity

Connectivity, particularly in terms of the Internet of Things (IoT), is positively trending in the trucking industry as fleet managers look to increase productivity and become more agile. But when everything—including smartphones, infotainment systems, in-cab computers and back-end systems—is linked via the internet, the risk also increases.¹ 

As digital technology and connectivity have become more sophisticated, they can provide benefits like cost reduction, increased safety and streamlined operations. However, they have also opened fleets up to more advanced cybersecurity threats.

While organizations like the Society of Automotive Engineers (SAE) have published cybersecurity industry standards for OEM automakers to follow when designing and manufacturing new vehicles, there are still many ways that connected cars and other vehicles can be exploited. Proactively evaluating potential security risks and subsequently putting the right security solutions and protocols into place can enable your fleet’s cybersecurity to keep pace with its digital transformation goals.

What are the most common connected fleet cybersecurity threats to look out for?

According to truckinginfo.com, ransomware and phishing attacks are the most pervasive types of cybersecurity threats. These types of cyberattacks can lead to system outages that interrupt operations and can lead to unnecessary downtime and lost revenue. “The phishing attack is the first step. That’s the strategy hackers use to gain access to your system, which allows them to download the ransomware. When a person clicks a link in a phishing email or text message (smishing), it opens a door into your system.”²

Businessfleet.com points out, “When cybercriminals can create one hack that could affect an entire fleet of trucks, that means less of a monetary investment for them…The more effort they need to put in and the more investment they need to make, the less likely they will be to target your vehicle. If they find there is common protocol across a fleet of trucks, hacking one truck will mean they will be able to hack many more, and it will make it more attractive to them.”³

Find the right solution for your business with our free Fleet Management Buyer’s Guide.

Are there any ELD-specific security concerns?

When the ELD mandate came into effect, a host of companies offering ELDs flooded the market. This means fleet managers have a new data security issue to contend with—making sure the ELDs they deploy are safe from hackers and potential data breaches.⁴ 

Here are some points to keep in mind:

• In 2017, security researchers from IOActive, a global security advisory firm, conducted vulnerability assessment research using several ELDs available over the counter at big-box distributors. What they found “could allow an attacker to pivot through the device and into the vehicle.”⁴
• ELD providers think the vulnerability of any personal data being transferred between the device in the cab, the back office, and the Federal Motor Carrier Safety Administration’s (FMCSA) cloud system for transferring the data to roadside officials is a potential concern in the future.⁴
• For now, “National Motor Freight Traffic Association (NMFTA)strongly recommends purchasers talk to the manufacturer/supplier of their chosen ELD device and ask about automotive cybersecurity, including technical standards or best practices followed (if any), as well as if adversarial testing or third-party security evaluations were performed as part of their product development lifecycle.”⁴

This past May, the FMCSA released a set of cybersecurity best practices. These include questions fleets should ask their ELD suppliers, such as:⁵

• Has the component had penetration tests performed on it?
• Is the communication between the engine and the ELD enforced?
• Does the device have secure boot?
• Does the device ship with debug mode enabled?

The best practices document also includes recommendations once ELDs are deployed:⁵

• Security patches should always be deployed to fleet devices in a timely manner.
• Sharing information and collaborating with other industry members is highly useful for responding to cybersecurity risks and threats efficiently.
• Fleets should consider joining an industry-specific information-sharing and analysis organization, such as the Auto Information Sharing and Analysis Center, the American Trucking Association’s Technology & Maintenance Council Fleet CyWatch Program or the National Motor Freight Traffic Association.
• Have a documented process for responding to incidents, vulnerabilities, and exploits.

Plan ahead to protect your fleet from cyber threats

Whether it’s an inside threat or a savvy cybercriminal mining for load locations or financial information, fleets and companies of all sizes must protect themselves.

So, what can fleet owners and managers do?⁶

• Update outdated or unsecure operating systems
• Perform all software updates when released
• Ensure 3rd-party software and firmware is secure
• Be sure custom software is written with security in mind
• Keep an eye on outgoing data and intrusion detection
• Embrace encryption and multi-factor authentication
• Be wary of suspicious emails/ransomware and malicious attacks

Consider creating a six-step protocol to further strengthen cyberattack preparedness and reactivity:⁷

• Conduct a vulnerability assessment, done either internally or via an outside party.
• Conduct a penetration test every 1-2 years, where a “white hat hacker” tests and probes your systems looking for vulnerabilities.
• Prioritize risks using a simple risk management framework.
• Apply software patches regularly to help prevent viruses from becoming an issue.
• Consider a cyber insurance plan to protect your organization should an incident occur.
• Create an incident response plan now, before anything happens, which outlines who and what should be involved if a breach or cyberattack were to occur.

 Sources:

¹http://www.truckinginfo.com/channel/fleet-management/article/story/2017/10/cyber-security-connect-at-your-own-risk.aspx

²https://www.truckinginfo.com/352987/dont-let-your-trucking-data-be-held-hostage

³https://www.businessfleet.com/314519/fleet-cyberattacks-prevention-and-response

⁴ http://www.truckinginfo.com/channel/fleet-management/article/story/2017/12/how-secure-is-your-eld.aspx

⁵https://www.truckinginfo.com/10123379/fbi-bulletin-puts-spotlight-on-elds-and-cybersecurity

⁶ http://www.truckinginfo.com/channel/fleet-management/article/story/2017/10/cyber-security-connect-at-your-own-risk.aspx

⁷https://www.truckinginfo.com/341883/why-trucking-companies-need-to-plan-now-for-a-cyber-attack