Cyber Crimes Pose Heavy Load on Fleets

By Susan Kuchinskas

---

13th September 2019

Connectivity brings ample opportunity for fleet management but if those connected systems are not secure, then the fleet itself could be left vulnerable.

Cyber-security for commercial vehicles and fleets is somewhat similar to that for passenger vehicles but the stakes may be much higher for fleet owners. First, the number of ECUs capable of receiving over-the-air updates is growing and will continue to grow, says Susan Beardslee, principal analyst for ABI Research. Everything from engines, transmissions, brakes, emission devices and cab control units is getting connected.

These connected, software-run devices provide plenty of value, she says, but they increase the threat of cyber-attack, with severe implications. Vehicle diagnostics and prognostics is another growing are of interest and risk for commercial vehicles, according to Beardslee. “In the future, vehicles will require greater cyber-security measures including intrusion prevention and detection, as well as solutions like hardware security modules to secure ADAS domain controllers,” Beardslee says.

Securing the CAN bus

The formerly lowly CAN bus has become one of the central data channels in the vehicle – something it was never designed to be. “The ODB II standard, available for over 20 years, has brought risk of hacking, so, in this case, standardization has created opportunities for malicious actors to circumvent,” Beardslee says.

She notes that the National Motor Freight Transportation Association (NMFTA), in a consortium that included the University of Tulsa, Geotab, Irdeto and DG Technologies, recently participated in creation of a CAN Data Diode to secure electronic logging devices. “The solution acts as a low-cost firewall for the numerous smaller fleets that must comply with the ELD Mandate,” she says.

A pipeline to the bank account

The growing adoption of mobile payments from vehicles, whether by IoT, apps or fleet management software, opens new vulnerabilities. Integrating payments with fleet management solutions provides strong benefits to operators but it also opens up what could be an even more serious attack surface. Payment processing at electric charging stations is another emerging threat. “Payment systems and electric charging are two of the biggest areas where V2X is expected to take hold,” says Keith McDonnell, CEO of Trillium Secure.

NFMTA established a working group through the US Dept. of Transportation and the Volpe National Transportation Systems Center to coordinate industry and government work on the extremely fast charging stations that will be required by heavy electric trucks. While the manufacturers and operators of charging station equipment are responsible for securing their products, there are few established best practices for accomplishing this, according to Urban Johnson, CTO of the NMFTA.

The working group aims to develop a best-practices document that can be used by manufacturers, buyers and operators. The best practices will be tied to those recommended by other groups including those published by NIST, SAE, and IEE. Johnson says: “We hope that by making this information available before electric trucks are in full-scale production, the cyber security issues will have been addressed in the underlying infrastructure.”

Detection and prevention

When it comes to connected trucks themselves, it’s not enough to detect intrusions, according to McDonnell, although that’s vital. The issue with only using intrusion detection is that there can be many false positives, he says. “You don’t want to pull over the vehicle for an intrusion if it’s a false positive. The key is to be able to determine if there’s really been some kind of intrusion.”

Fleet managers should also monitor the overall “cyber health” of the fleet,” he says. “It’s not enough to wait until a vehicle is acting up and check it out. It has to be just like your PC, where it’s scanning and searching [for threats] all the time, every time it’s on.” In his experience, heavy-truck makers are even further behind in their cyber-security initiatives than the makers of passenger cars. He says, ” We haven’t met any to date that have any sort of protection for their fleet vehicle. They’re talking about it but much slower-moving than the major OEMs.”

On the other hand, this sector also is slower to deliver connected vehicles. McDonnell doesn’t think the work on security standards for heavy truck is too little, too late. “This is in the infancy stage,” he says. “It’s the right time for these types of standards.”

Today’s line in the sand is 2021 and beyond, although these predictions have a way of moving further out. What’s clear is that commercial trucks will be electric and connected and that securing them is a must.