Is cybersecurity for connected fleets a “nerdy” topic that is best left to the computer scientists and other IT experts, or do fleet executives have a direct responsibility to understand and ensure the security program for their fleet?
This was my opening question at a panel on cybersecurity for connected fleets at the recent Connected Fleet Conference in Brussels, Belgium. I had a chance to discuss this and related questions with two eminent experts in the field: Dr. Dan Massey, director of technology, cybersecurity and policy at the University of Colorado Boulder and part of the Neutral Vehicle Consortium (and formerly program manager for the Cybersecurity Division at the U.S. Department of Homeland Security); and Ted Guild, connected vehicle lead at W3C and research staff at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL).
Their answer was clear and unequivocal: Cybersecurity is an executive responsibility; it cannot be abdicated or blindly delegated — be it to an inside department or an outside provider. This was their analogy: Senior executives must not and will not leave a firm’s finances to the accounting department (alone) or people development to the HR department (alone); in the same way, fleet executives must have a grasp of cybersecurity at the concept level and must ask the right questions of their IT departments and vendors to satisfy themselves that a robust program is in place.
At the same time, cybersecurity is of course a highly technical subject matter, and fleets must rely on experienced and specialized technical experts both inside and outside the firm. Thus, taking responsibility does not mean becoming a cyber expert, but it does mean understanding the fundamentals. So the answer to our question is actually not “either-or” but “both.”
The follow-up question was: “How do executives take responsibility?”
The answers here were very practical. For all the technical sophistication and often enormous amount of detail in cybersecurity, there are four principles that should be top of mind for fleet executives:
- Cybersecurity for connected fleets starts with a standards-based security program that is then tailored to the specific context of connected fleets. An example of a fleet-specific set of security recommendations that can be implemented within the framework of a broader standard such as ISO or NIST is the telematics cybersecurity primer for agencies prepared for the Department of Homeland Security by the U.S. DOT Volpe National Transportation Systems Center. Such a specific set of recommendations will ensure that fleet-related risks, threats, and vulnerabilities are appropriately addressed. The Neutral Vehicle Consortium at the University of Colorado is actively engaged in bringing forward fleet-specific security recommendations and advancing their adoption in the fleet industry.
- Fleet executives must appreciate that it will always be hard for “insiders” who have designed the system to take on the mindset of an outside intruder. The “bad guys” just think differently. Therefore, while it may sound counter-intuitive, “open systems” — those that are fully disclosed and documented — are actually more secure than closed systems that are known only to insiders and to adversaries looking for vulnerabilities. In a closed system, the defender is on their own, whereas in an open system the defender can enlist the system’s users as allies. Companies should also employ outsiders to assess the security system and look for weaknesses — this outside perspective and testing is crucial.
- Security is always a journey and never a destination. Adversaries will constantly look for new and creative ways to break through; there simply is no such thing as a flawless system. Those who say otherwise either suffer from ignorance and hubris or are willfully lying. The key therefore is to start with a sound architecture, detect flaws early and patch them immediately. That’s why over-the-air patching using digitally signed updates is the third crucial component of any fleet security program.
- Finally, connected fleets do not exist in isolation. They typically rely on systems and components supplied by third parties who must follow the above principles in their systems.
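To make the third principle concrete, here is an added example (written for this piece, not code from the panelists, the Neutral Vehicle Consortium or any fleet vendor) of what "digitally signed over-the-air updates" means at the device end. It assumes a constructed manifest format (release version plus SHA-256 of the payload) signed with Ed25519 from Go's standard library; the vehicle side checks the signature first, then that the payload matches the signed manifest, then that the release is newer than what is installed. A production fleet update system would add key rotation, multiple signing roles and transport security on top of this, which are outside the scope of this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is a constructed, minimal description of one OTA release.
// The back end signs it; the vehicle verifies it before installing anything.
type UpdateManifest struct {
	Version    uint32   // monotonically increasing release number (anti-rollback)
	PayloadSHA [32]byte // SHA-256 of the firmware or configuration payload
}

// encode serialises the manifest deterministically so that signer and
// verifier hash exactly the same bytes.
func (m UpdateManifest) encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.PayloadSHA[:])
	return buf
}

// SignUpdate runs on the fleet back end (hypothetical): it binds the payload
// hash and release version to the vendor's private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) (UpdateManifest, []byte) {
	m := UpdateManifest{Version: version, PayloadSHA: sha256.Sum256(payload)}
	return m, ed25519.Sign(priv, m.encode())
}

var (
	ErrBadSignature    = errors.New("manifest signature invalid")
	ErrPayloadMismatch = errors.New("payload hash does not match signed manifest")
	ErrRollback        = errors.New("update version is not newer than installed version")
)

// VerifyUpdate runs on the vehicle. Order matters: the signature is checked
// before the manifest contents are trusted for anything else.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m UpdateManifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.encode(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return ErrPayloadMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

// Demo runs four constructed scenarios and returns the verifier's verdict for each.
func Demo() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("telematics-unit firmware release 7 (constructed sample)")
	m, sig := SignUpdate(priv, 7, payload)

	results := map[string]error{}
	// Genuine release 7 delivered to a unit running release 6: accepted.
	results["genuine"] = VerifyUpdate(pub, 6, m, sig, payload)
	// Payload altered in transit while manifest and signature are untouched: rejected.
	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0xFF
	results["tampered_payload"] = VerifyUpdate(pub, 6, m, sig, tampered)
	// Manifest version rewritten after signing: signature no longer matches, rejected.
	forged := m
	forged.Version = 8
	results["forged_manifest"] = VerifyUpdate(pub, 6, forged, sig, payload)
	// Genuine but stale release 7 replayed to a unit already on release 7: rejected.
	results["rollback"] = VerifyUpdate(pub, 7, m, sig, payload)
	return results
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-17s -> %v\n", name, err)
	}
}
```

The point for an executive asking question three above is the failure cases: a signed-update system is only worth the name if a modified payload, a modified manifest and a replayed old release are all refused by the vehicle, and a vendor should be able to show evidence of each of those checks.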
Thus, fleet executives should be asking four critical questions:
- Does our fleet follow leading cybersecurity standards and is their implementation geared towards the fleet and transportation industry?
- Do we use outside experts to test/challenge our security program?
- Do we disclose security vulnerabilities and do we have a reliable system for over-the-air patching?
- Do our strategic partners have good answers to the above questions?
Asking these four questions — not just once but on a regular basis — and insisting on answers that are clear, unequivocal and understandable is a concrete way that fleet executives can and must take responsibility for managing cyber risks.