Thinkstock
thinkstockphotos-cyber-security-promo.jpg

Four questions about cybersecurity every fleet executive must ask

July 15, 2019
Cybersecurity is an executive responsibility; it cannot be abdicated or blindly delegated — be it to an inside department or outside provider.

Is cybersecurity for connected fleets a “nerdy” topic that is best left to the computer scientists and other IT experts, or do fleet executives have a direct responsibility to understand and ensure the security program for their fleet?

This was my opening question at a panel on cybersecurity for connected fleets at the recent Connected Fleet Conference in Brussels, Belgium. I had a chance to discuss this and related questions with two eminent experts in the field: Dr. Dan Massey, director of technology, cybersecurity and policy at the University of Colorado Boulder and part of the Neutral Vehicle Consortium (and formerly program manager for the Cybersecurity Division at the U.S. Department of Homeland Security); and Ted Guild, connected vehicle lead at W3C and research staff at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL).

Their answer was clear and unequivocal: Cybersecurity is an executive responsibility; it cannot be abdicated or blindly delegated — be it to an inside department or outside provider. This was their analogy: Senior executives must not and will not leave a firm’s finances to the accounting department (alone) or people development to the HR department (alone); the same way, fleet executives must have a grasp of cybersecurity at the concept level and must ask the right questions of their IT departments and vendors to satisfy themselves that a robust program is in place.

At the same time, cybersecurity is of course a highly technical subject matter and fleets must rely on experienced and specialized technical experts both inside and outside the firm. Thus, taking responsibility does not mean becoming a cyber expert; but it does mean understanding the fundamentals. So the answer to our questions is actually not “either-or” but “both.”

The follow-up question was: “How do executives take responsibility?”

The answers here were very practical. With all the technical sophistication and often enormity of detail in cybersecurity there are four principles that should be top of mind for fleet executives:

  1. Cybersecurity for connected fleet starts with a standards-based security program that is then tailored towards the specific context of connected fleets. An example of a fleet specific set of security recommendations that can be implemented in the framework of a broader standard such as ISO or NIST is the telematics cybersecurity primer for agencies prepared for the Department of Homeland Security by the U.S. DOT Volpe National Transportation Systems Center. Such a specific set of recommendations will ensure that fleet-related risks, threats, and vulnerabilities are appropriately addressed. The Neutral Vehicle Consortium at the University of Colorado is actively engaged in bringing forward fleet specific security recommendations and advance their adoption in the fleet industry.
  2. Fleet executives must appreciate that it will always be hard for “insiders” who have designed the system to take on the mindset of an outside intruder. The “bad guys” just think differently. Therefore, while it may sound counter-intuitive, “open systems” — those that are fully disclosed and documented — are actually more secure than closed systems that are only known to insiders and adversaries looking for vulnerabilities. In closed systems, the defender is on their own whereas in an open system the defender can enlist their system users as allies. Companies should also employ outsiders to assess the security system and look for weaknesses — this outside perspective and testing is crucial.
  3. Security is always a journey and never a destination. Adversaries will constantly always look for new and creative ways to break through; there simply is no such thing as a flawless system. Those who say otherwise either suffer from ignorance and hubris or are willfully lying. The key therefore is to start with a sound architecture, detect flaws early and patch them immediately. That’s why over-the-air patching using digitally signed updates is the third crucial component of any fleet security program.
  4. Finally, connected fleets do not exist in isolation. They typically rely on systems and components supplied by third parties who must follow the above principles in their systems.

Thus, fleet executives should be asking four critical questions:

  1. Does our fleet follow leading cybersecurity standards and is their implementation geared towards the fleet and transportation industry?
  2. Do we use outside experts to test/challenge our security program?
  3. Do we disclose security vulnerabilities and do we have a reliable system for over-the-air patching?
  4. Do our strategic partners have good answers to the above questions?

Asking these four questions — not just once but on a regular basis — and insisting on answers that are clear, unequivocal and understandable is a concrete way that fleet executives can and must take responsibility for managing cyber risks. 

About the Author

Dirk Schlimm | Executive Vice President

Dirk has been a member of the Geotab Advisory Board since 2010 and has helped advance Geotab’s global strategy, corporate practices and risk management. He oversees data governance and data usage arrangements, European business development, and initiatives to preserve in-vehicle data access as a source of innovation, collaboration and value in connected mobility. Dirk previously was a member of the senior executive team at Husky Injection Molding Systems, a global technology leader in the plastics industry. Dirk holds a law degree from Bonn University, Germany, and a doctorate in comparative law (United States/Germany) from Konstanz University, Germany. Dirk also teaches boardroom effectiveness in the ICD/Rotman Directors Education Program across Canada and consults with corporations in various industries. Dirk is the author of Influencing Powerful People (McGraw Hill, New York and authorized Chinese translation).

Voice your opinion!

To join the conversation, and become an exclusive member of FleetOwner, create an account today!

Sponsored Recommendations

AI is Scary for Your Competition - How Adopting New Technologies Can Provide a Competitive Edge

Unlock the power of AI and leave your competition behind! Join our webinar to discover how adopting cutting-edge AI technologies in transportation can enhance safety, boost efficiency...

Proactive Fuel Risk Management Guide

Download this informative guide to explore innovative techniques to prevent fuel fraud and misuse before it happens. Understand how to save 11% or more in fuel-related costs while...

Going Mobile: Guide To Starting A Heavy-Duty Repair Shop

Discover if starting a heavy-duty mobile repair business is right for you. Learn the ins and outs of licensing, building, and marketing your mobile repair shop.

Increase your fleet’s fuel economy with the right lubricants

See how Mobil Delvac™ oils boosted GP Transco's fleet.