In a few weeks, in a hotel parking lot in Houston, Texas, the National Motor Freight Traffic Association (NMFTA) team will make a tanker truck do some very troubling things.
It’s going to chuff its brakes and it’s going to make strange and uncomfortable noises, an indication that the truck is dumping its pneumatic air supply, which is not an example of optimal vehicle performance. But we’re going to make it happen.
The alarming part of this demonstration? We won’t even have to get in the truck to do it, nor will we need to take advantage of modern wireless technologies like Wi-Fi or Bluetooth.
Instead, Ben Gardiner, NMFTA’s senior cybersecurity research engineer, will use a budget antenna of two wires, through which he will deploy radio frequency signals to send the command to the trailer powerline network. That’s it.
This alarming live demonstration of how easy it is to hack into a vehicle using rudimentary technology should make everyone nervous. That’s why we’re hosting the Digital Solutions Conference on Cybersecurity in Houston, Texas, Oct. 22-25.
Our goal is to help carriers understand the gravity of how important cybersecurity is to our industry and to learn how to prepare for and prevent a cyberattack.
It shouldn’t be this easy to hack into a truck, but it is because the trailer brake controllers use code from the 1980s. The controllers themselves were developed in the ’90s by sticking converter chips in front of the existing code, from an era when no one had any reason to worry about things like encryption or authentication.
We’ve seen more than a few vulnerabilities in assets over the past few years. And one big problem where the assets are concerned is that it’s far too easy for skilled hackers to commandeer a trailer’s diagnostic system. That’s because this same 1990s technology (trailer powerline networks) is still prominent on all trucks and trailers in North America since 2001. Fleets love to get decades’ worth of service out of their vehicles, and even in the 1990s truck manufacturers were doing an excellent job of building in quality that would stand the test of time. But cybersecurity wasn’t on the radar for the people who designed these systems in the 1980s. Today it has to be.
There are things fleet owners can do right now
For truck diagnostics, gateways could be installed in older trucks to put in a first line of defense, which would prevent hackers from disabling engines or brakes even if they do manage to get into the system. We’ve collected security requirements for gateways that will define what functions they need to perform and how they need to perform it. We’ve published that for free on our Github repo.
It’s expensive and difficult to retrofit an entire fleet to deal with these issues, although it’s not impossible. Fleet operators should be looking at the vulnerabilities of their assets and looking into firewalls and other mechanisms to secure their diagnostic systems. Whenever fleets purchase new trucks the first question they should ask is whether the vehicles they are considering have mitigating technologies to protect the truck and trailer diagnostic systems against attacks like this.
Understand: The chuffing of the brakes is just one thing a hacker can make a trailer do. Ben is using this particular command for our demonstration because it’s dramatic and attention-getting. But hackers can do a lot of other things once they’ve gained access to a trailer’s diagnostic system.
What would be the consequences if a hacker managed to change your axle configurations, or your axle lift settings, for example? And what of potentially exploitable vulnerabilities in the 1980s software running on those trailers?
Many hackers can do these things if you give them the chance. In some limited situations, they could completely immobilize a truck and trailer.
The best-case scenario for the industry would be for OEMs to prioritize vehicle network segmentation and separation by security gateways and include powerline attack mitigations in coming vehicle models. NMFTA is working with both carriers and OEMs to understand why this is so critical.
There is no slowing down the digitization of the trucking industry, nor should there be. We need the efficiency these technologies offer. The customers we serve depend on us to embrace this progress.
But we also must recognize that many of the older assets we’re still using were not designed to be secure in an internet-connected environment. It’s regrettable that we must stay two steps ahead of cyberattackers just to run our businesses and serve our customers.
We have no choice, though. When bad actors can disable our trucks with antennas and cheap radio frequency transmitters, we simply have to take the necessary steps to prevent these attacks from happening.
Let’s do what we can today to prepare and prevent criminals from exploiting system vulnerabilities. We can start by gathering at the Digital Solutions Conference on Cybersecurity and arm ourselves with expert guidance.
We’ll see you in Texas.