Editor's Note: This is a continuation of a story posted yesterday.
Bill Brown, who retired earlier this year as manager of fleet telematics for Southeastern Freight Lines, said this is the reason the U.S. Dept. of Transportation and Federal Motor Carrier Safety Administration (FMCSA) have been criticized for the data transfer requirements in the ELD mandate.
He noted one method for transferring hours-of-service data from ELDs during inspections is through USB memory sticks, which the U.S. government leveraged to infect an Iranian nuclear plant. “It wouldn’t take a brainiac,” Brown said of the skill level to use a memory stick to launch an attack.
Zachos echoed Brown’s sentiments regarding the dangers of using memory sticks. “One big, simple recommendation is not to transfer any data using memory sticks; that is a big no in cybersecurity,” he explained.
Zachos pointed out that there are more than 100 independent ELD manufacturers. Though many are taking steps to guard against cyberattacks, he believes some are not conducting sufficient testing or validations to ensure security. He compared this situation with accepting a vehicle’s airbag despite it never undergoing crash testing.
Wally Stegall, director of business development at Morey Corp., agreed ELDs could open “a can of worms” if fleets and vendors are not taking the dangers seriously enough.
FMCSA officials declined to comment for this story.
MORE AUTOMATION, MORE RISKS
While vehicle connectivity and automated technologies are often touted for their safety potential, they also come with risks.
“Cybersecurity prevails in everything we do when we try to touch and connect to [vehicles],” said Zachos.
Don Lefeve, president and CEO of the Commercial Vehicle Training Association (CVTA), said cyberthreats should be viewed not only as a security risk but also a high-priority highway safety issue. He said his group opposes efforts by some technology companies and equipment manufacturers to develop on-road vehicles without steering wheels or pedals.
CVTA said members have begun studying how training methods need to evolve as more automated technologies become the norm on new trucks. Lefeve suggested the growing use of training simulators that could replicate a hacking event.
Brown, the former Southeastern Freight Lines executive, noted there have been research cases where hackers have been able to take control of a truck’s brakes or remotely adjust vehicle speed while in cruise control.
Under these circumstances, the driver could regain control by shutting down the ignition or disengaging cruise control. These situations, as well as the 2015 case where hackers were able to remotely take control of a Jeep, illustrate the need for fleets to prepare drivers for “what not to do as well as what to do” in any potentially dangerous scenario, Brown explained.
Even if automation offers truckers greater safety, it will force them to monitor more information, similar to airline pilots, said Jeff Stern, managing director of Chain Security.
If something begins to malfunction, it may not be immediately clear whether it is something more serious like a cyberattack, making this type of training even more critical. Trucks have longer duty cycles than most passenger cars, so the failure of sensors must be anticipated, Stern added.
The growing number of sensors was cited by Andrew Kopecki of Advantage Asset Tracking as a top concern, comparing it with a home. “The more doors on a house, the more unsecured the house is,” he said. From temperature monitoring on a refrigerated trailer to wheel sensors, these all “open up vulnerabilities.”
FIGHTING BACK
With the issue of cybersecurity becoming more prominent, American Trucking Associations has launched CyWatch, a central point for reporting Internet crimes and sharing information. The program coordinates with authorities specializing in cybersecurity.
There are a growing number of companies stepping into the cybersecurity protection space, including BlackBerry, which earlier this year launched Jarvis. The software is aimed at providing various layers of protection, including in driverless vehicles. It is able to scan and deliver insights in minutes, a process that would normally take multiple experts far more time, the company said.
BlackBerry has also crafted a seven-pillar cybersecurity vision that stresses using trusted hardware and software components, isolating critical systems, and implementing rapid incident response networks.
Phillip Poulidis, senior vice president and general manager of BlackBerry’s IoT business, said the company believes existing standards are inadequate and DOT could create a minimum set of requirements.
“What’s definitely still lacking are security mechanisms between the control units and components in the truck,” said Kai Feuerstake, senior vice president of security for automotive engineering firm IAV. “The processes involved demand significant computing capacity and are an immense burden on network traffic.”
As technical as these issues are, Brown suggested extremely basic steps are often the best ways for a company to protect itself. For example, he recommended using individual passwords for engine control modules and making sure they are changed after taking possession of the vehicle from the manufacturer or dealer. “It is a really simple solution that costs nothing and is easy to implement,” he said.
