Reynolds, Billings, Carpenter and Gardiner agree that cyber threats are all too real.
NASHVILLE, Tenn. – It can begin with someone surfing porn on a fleet tablet, clicking on the link in an email from someone who appears to be a trusted customer, or even using a poorly designed ELD. But no matter how a breach in fleet systems is created, the cybersecurity threats in trucking are all too real.
“We’re still seeing a lot of financially motivated hackers targeting the transportation industry,” said FBI Special Agent Regis Billings, during a presentation at Omnitracs’ fourth annual Outlook user conference. “They’re misdirecting funds into other accounts and sending them overseas.” One Tennessee transportation company lost US $340,000 after thieves reached through an employee’s home laptop.
“It’s an ecosystem. There’s lots of ins and outs,” said Sharon Reynolds, chief information and security for Omnitracs.
Virtually any site that appears to offer something for free could create an unwanted pathway into company computers. “If you are subscribing or using ‘free’ services, they are getting something from you,” Reynolds explained. Usually that ‘something’ is in the form of information.
All it takes is one clicked link.
“The attackers are going after the squishy parts of the organization, the human elements of the organization, and where are the most elements of humans in this industry?” Billings says, referring to drivers.
Once an opening is created, criminals being “lateral” moves, shifting through networks on the way to higher-value targets. Then they sit and wait until the time is right, often after monitoring financial transactions.
Fleet computers are already being locked out by so-called ransomware, and released only after a payment is made.
Poorly designed electronic logging devices could be creating paths of their own. “We’re concerned about the new entrants in the marketplace,” Reynolds said. “You don’t know where they came from.”
“They’re very, very bad. I don’t think I’m overstating this,” said Ben Gardiner, principal security engineer with the ethical hacking team at irdeto. “The risk to drivers that are using bad ELDs is very real.”
Students with just two days of training were able to break into some devices during recent tests, he said.
Protecting your business involves understanding the threats, and assigning someone to focus on addressing the issues. Then it’s a matter of getting teams to form what’s essentially a “human firewall” in the form of tougher passwords and best practices – like typing URLs into an address bar rather than simply clicking on links.
Dedicating personnel to the problem can certainly make a difference. “You do not have to be IT or ‘cyber smart’ necessarily, but you need to have the right people around you,” Billings said. “If you don’t have that person, find them outside the organization and start building the relationships.”
Business partners of any sort should also be demonstrate a similar commitment to cybersecurity. “Will they protect your data the same as you’ll protect theirs?” he asked. In one case a company lost $850,000 after it embraced a new technology without realizing the weaknesses in a partner’s system.
Even a simple pdf file or Word document from an unknown source can plant the seeds to execute a code, said Matthew Carpenter, principal security researcher with Grimm. Ensuring software such as a pdf viewer is up to date will help protect against that.
One of the best ways to protect against a misdirection of funds is to pick up the phone if an email appears out of place, Billings added. “That costs absolutely nothing to your company, even if it’s an emergency and it’s a Friday afternoon.” If the customer isn’t in their office, there’s a good chance there’s no emergency ongoing.
Passwords can become tougher to crack by embracing multi-factor authentication, using systems that offer access only after presenting two or more pieces of evidence. In contrast, some people are using the same passwords that they used with Yahoo accounts that were compromised years ago, Billings said. All a cybercriminal needs to do then is to figure out the person’s email account for their current job.
The website at haveibeenpwned.com will show if existing passwords have been breached.
Even the practices on a home computer can make a difference, especially if the computers or networks are used to access work material.
“At home, when you’re doing your personal email or what not, you have to do some of the things you hear at work or from your IT people,” Reynolds said.
Above all, the work never ends.
“Security is never a solved problem. Security is a process,” Carpenter said, referring to ongoing fleet changes that can range from new software to new trucks.
The threats have hardly come to an end. So far, “nation states” have largely focused efforts outside the transportation industry, Billings said. That could change.
“It’s a critical resource for us being able to move goods from one side of the country to the other,” he explained. “It’s an intellectual property goldmine that we don’t realize.”
The cyberattacks could even add a new layer to traditional hijackings. Billings refers to a time in the not-so-distant future when thieves could hack into vehicle electronic control modules, triggering something that causes a driver to pull over, or even shutting down a truck entirely.
The traditional J1939 CAN data bus creates vulnerabilities, Carpenter agreed. “I can control the engine. I can control the brakes. I can do that ransomware on all the vehicles.” Emerging DSRC-based communications systems that link trucks to infrastructure can create pathways of their own, like a radio beacon inviting systems to talk to it. One compromised truck could essentially lead to a vendor’s back office, and then tap into other trucks using the same network.
The threats are not being ignored. Working groups with the Society of Automotive Engineers continue to improve standards and testing, for example. “There is a lot of good progress,” Gardiner said.
Said Billings: “Don’t make yourself the best target out there.”