Cybersecurity: 'White hats' offer tips to help execs head off hackers
It's 11:59 on a Sunday night, and your company's computer system has been shut down until a ransom is paid. Will anyone even notice before the office opens on Monday? Will anyone know what to do when the doors open but the computer system is offline?
These “ransomware” attacks routinely make headlines, as American businesses, government offices, hospitals, and schools all have fallen victim to cybercriminals, typically based overseas.
And trucking is not immune. Additionally, any business that moves items of high value must always take security measures, and modern technology brings a whole new element to old-fashioned highway robbery. And the coming era of truck autonomy adds even more levels of concern for vehicle security and safety.
So what’s a fleet to do? First and foremost, how do we avoid that midnight crisis in the first place?
See also:Trucking remains a top target for cyberattacksThe National Motor Freight Traffic Association (NMFTA) hopes to provide some answers. The organization, traditionally focused on LTL issues, put out an industry-wide invitation to its annual Digital Solutions Conference on Cybersecurity. Held recently in Alexandria, Virginia, the event drew a range of fleet representatives, cybersecurity experts, and policymakers for a couple of days of presentations that ran the gamut from Ph.D.-level cellular network vulnerabilities to common e-mail scams.
Ben Gardiner, NMFTA’s senior cybersecurity research engineer, bridged the gap between the theoretical and the practical with the opening slide deck of the conference. Specifically, Gardiner outlined his successful remote attack on the hydraulic braking system of a tractor-trailer via the J2497 trailer databus, using about $300 of off-the-shelf electronics.
The good news: Gardiner is a good guy, a “white hat” hacker who looks for vulnerabilities and works to resolve them. (His primer on truck hacking is YouTubed below; similarly, for those unfamiliar with the CyberTruck Challenge, follow that link.)
So, because so much of the conference was so far over my head, I sat down with Gardiner for a few minutes to glean some perspective.
“We’ve tried to tread that line between making it enticing for the experts to participate, and making it practical and actionable for the fleets,” he said. “It doesn't take a lot to imagine a truck getting ransomwared someday. People are making a lot of money off ransomware and it's pretty obvious that you could ransom a fleet of trucks.”
Among the challenge for fleets, of course, is that a key asset—the truck—is mobile. But as Gardiner discovered in working to resolve truck security vulnerabilities, today’s trucks feature a lot of technology yet very few people understand both the software and the heavy-duty hardware.
“What I experienced with multiple fleets was either deferring vehicle cybersecurity decisions to their IT department or not really having anyone to deal with cybersecurity vehicle decisions and problems,” he said. “It's not a stretch to say that a lot of IT people don't get what the maintenance people get, and maintenance people understand how the trucks work but don’t understand what the IT people do. So both sides need to learn from each other to be able to really secure those rolling assets.”
See also: Zero trust: Chaos creates cybercriminal opportunities
But, as was obvious at the conference, it takes graduate-level education—and/or a lot of time pursuing the dark web—to understand and mitigate the threats. Surely that’s beyond the expertise (and budgets) of even the most tech-savvy folks at many fleets.
“The LTLs are big enough and have enough resources to have their own IT, their own in-house software development, their own access to resources to secure themselves,” Gardiner said. “They need to start taking more of an industrial control system approach, where their maintenance and their IT staff consider both the IT and the things that roll, to give a unified security perspective on their operations. That's where it's going to have to go to be ahead of that attack.”
And for the rest of us?
“If you're small and you can't spend the money to hire the experts, use cloud services,” Gardiner said. “By purchasing that solution, you're going to have their security teams working for you. So that's a big bang for the buck.”
Decision guides
Additionally, NMFTA has developed resources to ease the anxiety for fleet executives looking at tech investments: the telematics security requirement matrix, or TSRM. The solution is open-sourced and available for developers on GitHub as well, he noted.
“It's a series of cybersecurity requirements in the form of a questionnaire,” Gardiner said. “The fleets can take the questionnaire and give it to two or three telematics service providers that they're thinking of purchasing from in the procurement phase, and then evaluate who has the better cybersecurity. We're trying to move that visibility of cybersecurity closer to the wallet to the people that make the decisions.”
Likewise, NMFTA is working on heavy-duty vehicle cybersecurity requirements.
For NMFTA Executive Director Debbie Sparks, the conference was about “building a community” of experts to guide the industry as it faces “new challenges in the digital era.”
“NMFTA is a leader in cybersecurity and digital transactions, so we understand the importance of making sure that the transportation community is aware of what's at stake and how we work together to make sure that what we do is safe and secure,” Sparks said.
More to come from the meeting—much more—once my brain quits spinning (so yours doesn't have to).