Fleets Top Target For Cyber Attack

Motor freight transportation’s key role in the global supply chain makes it an attractive target for cyber-attacks.

As attacks on the transportation industry increase, ransomware is a particular area of concern. Several recent high-profile ransomware cases against the transportation industry and other critical infrastructure components have raised the awareness level and internal prioritization of cyber security preparedness by fleet operators.

At the same time, the complexity of operations and physical infrastructure inherent in fleet management – a universe of connected devices with a broad attack surface – means partners from across the ecosystem need to focus on collaboration and establish common security standards. “Freight and fleet organizations are going to have to think differently,” Sean Peasley, cyber IoT security leader for Deloitte, told TU-Automotive.  “Their cyber component is probably not as mature as some other industries, so they have to catch up but also have to think wisely about how they’re going to do that.”

He explained there needs to be a change in culture, where cyber is considered at an earliest stage as possible, and the fleet industry has to start looking into artificial intelligence (AI) technologies to defend fleets. “We’ve got to get serious and, I’m afraid, that there aren’t enough of those capabilities currently to detect malicious actors who have these same capabilities and could use them against organizations.”

Further complicating the picture are sets of regulations that vary on a state-by-state basis, to say nothing of the challenge of finding common standards and regulatory frameworks for shipping networks that stretch across countries and continents. “The industry needs to focus on the ecosystems, because you’re gong to have interesting mash-ups of organizations that would otherwise not get together. Fleet management and smart cities, for example, said Leon Nash, cyber automotive leader at Deloitte. “We don’t know exactly how it’s going to evolve but we need to make sure the industry focuses on the integration points. You’re only as strong as your weakest link.” Nash pointed out that because everything is going to be driven by data, partners across the ecosystem, from automakers to telematics providers to fleet managers and operators, must ensure they can prevent unauthorized acquisition or manipulation of that data, which can bring down a connected fleet.

Urban Jonson, chief technology officer at National Motor Freight Transportation Association (NMFTA), added: “Complexity, homogeneity and connectivity are among the top cyber threats facing connected fleets. Trucks have an increasing number of complex ECUs connected to each vehicle’s CAN bus network and telematics systems that are connected to the internet.”

He explained there is a relatively high degree of homogeneity in the overall composition of individual fleets and across North American commercial vehicles as a whole. “Having large numbers of similarly configured vehicles increases the potential impact of a single attack,” he said.

Jonson said most fleets recognize that cyber-attacks are a matter of when, not if, and have taken appropriate steps to harden their defenses to improve their cyber posture. “We strongly recommend that fleet operators view their cyber-security and that of their suppliers in the larger context of business continuity,” he explained.

This includes having an incident response plan, periodical reviews of that plan and keep it updated. “For instance, consider what would happen if your telematics service provider experienced an outage or went out of business?” Jonson asked. “Which aspects of your operations would be impacted? Is a backup plan in place and readily deployable and easily activated in each of those areas?”

He noted cyber criminals are becoming increasingly sophisticated and responding to these hardening-measures by adapting their tactics, techniques and procedures. For instance, threat actors have responded to increased adoption of multi-factor authentication (MFA) by circumventing MFA through common social engineering and technical attacks. “We strongly recommend implementing a robust cyber education and maintenance program that includes, at a minimum, ongoing user education about social engineering and phishing testing, timely patching of software and firmware, proactive network defenses and enforcing a strong policy of least privilege to access,” Jonson said.

NMFTA is working on several initiatives to help motor freight carriers improve their cyber-security posture. They have partnered with IOActive and telematics service providers Omnitracs and Geotab to organize a threat modeling and incident response workshop exclusively for motor freight carriers to raise their level of preparedness. “We expect the ransomware attacks on back end business systems to continue and for cyber criminals to increasingly target the transportation industry,” Jonson said.

As heavy vehicle manufacturers and Tier 1 suppliers continue to make improvements in the cyber-security posture of their vehicles and equipment, the risks to the vehicles themselves should begin to lessen as newer models increasingly permeate the fleet inventories. Also, the adoption of cyber-security best practices and open telematics standards by telematics service providers should help harden telematics systems and thus enable fleets to become more resilient.

The autonomous driving and platooning pilot projects have shown that the current legal framework and some industry standards need to change to address issues that are unique to this developing technology. For instance, the New York City Connected Vehicle Deployment Pilot Program proposed a change to an exception in SAE J2945/1 Standard’s Certificate Change (CERTCHG) requirement to decrease the amount of time/distance traveled required before a SCMS (security credential management system) certificate change. The proposed change could better protect the identity of vehicles operating in urban congestion. As more pilot projects and small-scale deployments are conducted in real-world scenarios, it is likely that more proposals to revise established standards will emerge.

Leave a comment

Your email address will not be published. Required fields are marked *