Cyberattack prompts FMCSA to issue HOS waiver for fuel haulers

Cannon Mug Headshot
Updated May 10, 2021

This article was updated May 10, 2021.

A sweeping cyberattack prompted the Federal Motor Carrier Safety Administration (FMCSA) on Sunday to issue a regional emergency declaration to waive hours of service regulations for drivers hauling fuel. 

A hack launched against the Colonial Pipeline has disrupted the fuel supply on the East Coast, and the HOS waiver applies to truckers hauling gasoline, diesel, jet fuel and other refined petroleum products in Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas and Virginia.

Accounting for about 45% of Southeast's gasoline supply, International Association of IT Asset Managers (IAITAM) President and CEO Dr. Barbara Rembiesa called the Colonial Pipeline – which stretches from Texas to New England – the “jugular” of the U.S. energy supply line.

"All the people behind these ransomware attacks need is someone running a laptop in an unauthorized fashion on a non-secure network, such as a home Wi-Fi system. They don’t need much more than a central computer system that is running software that has not been properly patched or otherwise updated," she added. "And they are delighted to find an employee who is tapping into key systems remotely on a personal cellphone or other device that has not been authorized for such access."

[Related: Cyberattacks in trucking could have doubled in 2020]

The White House said Monday there is no issue with the supply of fuel itself, but disruption of distribution to this extent couldn't come at a worse time. Petro-chemical haulers already face a shortage of qualified drivers and the upcoming summer travel season is expected to be one of the heaviest in several years. 

Trucking is a target
John Wilson, vice president of administration, safety & human resources for B-H Transfer Co., gets dozens of emails every day.

But an email he received in late 2017 was a little different.

Crudely written, the email demanded $5,000 in cryptocurrency in exchange for access to the company’s own files.

Partner Insights
Information to advance your business from industry suppliers

The Macon, Georgia-based tank carrier was locked out of its main TMS system and the keys to get back in were going to cost some serious Bitcoin.

ransomware definitionTrucking companies in most cases would be targeted by ransomware because attackers understand without the ability to move freight, the company can’t make money.

“It was an old user account that I had kind of abandoned but never disabled completely,” Wilson said. “It had a weak password on it and it was sitting on one of my servers.”

The ransomware attack found its way into the company’s database using that inactive account. Once the account was compromised, anything the database had access to was encrypted by the attacker across multiple servers — locking the company from accessing its own system.

The attacker wasn’t able to encrypt the database, only the application files, which had to be wiped in order to be restored. With the assistance of McLeod Software, Wilson was able to get everything back online after about six hours using backed up versions.

“Fortunately, we had good backups and other than losing about half a day, we were very lucky that we restored it very quickly,” he said. “We just chose to see if we could get it restored before we even considered paying [the ransom]. We were lucky. I’m telling you we were lucky.”

B-H Transfer, which also came under a phishing attack about six months later, isn’t alone in being targeted by cyber thieves.

A ransomware attack grounded computers at Birmingham, Alabama-based J&M Tank Lines in 2019 for four days – four days that CEO Harold Sumerford said the company couldn’t bill customers and could only pay drivers based on what they’d earned in weeks prior.

Even large, sophisticated fleets aren’t immune. In its public earnings report from this year’s third quarter, Roadrunner Transportation (CCJ Top 250No. 47) reported that it had fallen victim to a malware attack on its systems in September, costing the fleet nearly $8 million in lost production and server downtime.

“Some times now, a lot of people hack in just for disruption,” said Chris Wolfe, CEO of logistics company PowerFleet. “They’re doing it just to cause problems. It’s almost like, ‘Hey, I’m going to bring your system down and hold you for ransom.’ If I take your mobile units out of operation, that can cripple a large trucking company.”

B-H Transfer, J&M Tank Lines and Roadrunner each managed to dodge being crippled but certainly walked away maimed.

[Related: You've been hacked: Top 5 signs and what trucking CIOs do next]

Since its two brushes with cyberattacks, Wilson opted to have as much data as possible hosted off-site, “and be out of that business completely,” he said. “We’re big enough to run it ourselves but we can avoid a lot of other problems by not.”

Cloud-based software, Wolfe said, generally offers better protection than hosting locally, and Wilson noted he is “a huge believer in off-site backups [and] cloud backups. It works no doubt. That was the savior on that one.”

B-H Transfer also installed antivirus that targets ransomware attacks.

“I don’t rely on that as much as I’m more into making sure we’re practicing good sound password management, account management and bring really careful about email,” Wilson said.

Local malware protection isn’t a set-it-and-forget-it solution. It has to be active and updated to the most recent versions, says Wolfe. However, he says, any form of malware protection should be considered “Level One protection.”

“The minimum would be [to] make sure all your devices that are smart, that connect to your intranet, all have malware detection on them,” he said.

hand on trackpad of laptop

Security starts before the front door
Trucking companies in most cases would be targeted by ransomware because attackers understand without the ability to move freight, the company can’t make money and the person who controls the carrier’s ability to re-start operations has immense leverage.

“The thing about trucking is that it’s real-time,” Wolfe said. “It’s not like we can just put things on the desk and deal with it tomorrow. The loads are moving today. Drivers are moving today. You go a couple of days without visibility and without access and you just can’t catch up.”

Trucking companies house very little data that can be used for other nefarious purposes, such as Social Security information used in identify theft. But the volume of information available to would-be hackers shouldn’t be taken for granted based on the fact that it doesn’t appear valuable to anyone other than the fleet manager and driver, Wolfe said.

“You can gather a lot of information on drivers that you can use if you had other sources of data to verify it,” he said. “Like if you wanted to get his credit card from some other source but you needed his street address, or you needed how much money he makes. If they’re going to steal your identity, they have to build a skeletal profile of you so they can apply for the next credit card or something like that. All information is valuable if combined with others.”

“A lot of the transactions are happening in the telemetry space,” Wolfe added. “You have a lot of driver authentication, the actual unit itself, the freight … those can actually be penetrated at the firmware level, at the hardware level.”

And while it may sound more like a plot from an action movie, Wolfe said having access to a fleet’s route planning is striking gold for sophisticated cargo thieves.

“If I know that pharmaceuticals always leave here on Tuesday and they always go here on Wednesday, if you’re going to hijack a truck … that information would be invaluable for your planning if you’re a thief. They would love to know the traffic patterns.”

Wolfe said many companies think that security starts when you just can’t get into the facility, or you just can’t get beyond the firewall, and that’s not necessarily true.

“If I hack your cell phone,” he said, “basically, I have all your information and I can use your cellphone to access your apps that can also access what is behind their firewall.”

Drivers using a mobile device-based ELD to watch movies or check personal emails are vulnerable to phishing attacks in that if they click on a link that exposes the device to malware, that virus has access to everything on the device.

The next layer of cyber security, Wolfe said, would be connecting with a consulting agency that can audit annually a fleet’s best practices and find weakness before hackers use them as an access point.

“It’s not that expensive,” he said. “Consulting groups are worth it and a security audit is worth the value you get. You can’t do a self-audit if you don’t have the skills to do it.”

A disaster recovery plan, which Wolfe said should be developed as part of a security audit, should include operating protocols if fleets lose control of their systems, otherwise they are at the mercy of the ransom.

“A security breach is a disaster,” he said, “at least it’s a business continuity issue.”

Jason Cannon has written about trucking and transportation for more than a decade and serves as Chief Editor of Commercial Carrier Journal. A Class A CDL holder, Jason is a graduate of the Porsche Sport Driving School, an honorary Duckmaster at The Peabody in Memphis, Tennessee, and a purple belt in Brazilian jiu jitsu. Reach him at [email protected]