This year’s NMFTA Digital Solutions Conference on Cybersecurity wrapped up on October 24 in Houston, TX. We had twice as many attendees as last year, including most of the major carriers in the LTL industry and lots of others who interact with the trucking industry.
It’s clear why this happened. The trucking industry sees how serious this issue is, and it intends to fight back.
The Cybersecurity and Infrastructure Security Agency (CISA), one of the federal agencies that presented at the conference, shared some astonishing figures with attendees. They now receive more than 650,000 complaints per year about cyberattacks, with more than 2,000 per day. Victim losses from cyberattacks have totaled more than $10 billion, and we’ve seen ransomware attackers demand as much as $175 million.
(That was apparently negotiated down. Thank goodness for small favors.)
We also saw how easy it is to hack a truck. Ben Gardiner, our own senior cybersecurity research engineer, used a crude mechanism made from two antennae to force a truck to chuff its brakes by dumping air from its pneumatic air supply.
He didn’t use Wi-Fi. He didn’t use Bluetooth. He never even entered the cab. He did it with two antennae.
The group heard a great deal about the tactics that can be used to ward off cyberattacks against the trucking industry – both at the enterprise level and at the asset level, where we need stronger protections for telematics devices, diagnostic systems, and so forth.
But the most important question is: What now?
Any individual trucking company can surely convince itself that someone else will be the next victim. But not everyone is going to be right about that. A trucking company can convince itself it’s too small to be an attractive target, but we learned at the conference that hackers attack smaller carriers as a way of getting access to their shipper customers.
And yes. They can.
The industry has to step up and take this seriously, and we came away from the conference with some high-impact steps that everyone should be able to take. They include:
• Mastering the basics, which starts with training employees not to click links or open attachments that don’t look quite right. A single click can start the malware download that crashes your entire enterprise.
• Going all-in on stronger passwords and multi-factor authentication as much as possible. This is especially true on the trucks themselves, where telematics and diagnostics are usually far too easy for either a person or another application to access. Stronger authentication introduces a few slight inconveniences, but that’s much better than getting breached. As they said on The X-Files: Trust no one.
• Updating and patching software in a timely manner, and making sure your IT team knows how to do it properly. This plugs a lot of the holes that hackers use to get into the system(s).
• Giving penetration testers a chance to try to hack your system and find out where you have vulnerabilities. They can show you where you’re at risk and what you need to do. Otherwise, you’ll find out for the first time when the hackers do their thing.
There’s a lot we’re working on here at NMFTA, including the securing of legacy maintenance software, fleet enterprise penetration testing and distribution center vulnerability assessment.
Trucking still lacks a lot of what other industries have put in place, such as firewalls to protect telematics. One of the most important things we can do is let truck OEMs know we need those systems on the trucks before they leave the factory floor. One of the presentations we heard in Houston was from a representative of Bosch who told us that’s starting to happen.
We’re glad to see it.
But nothing matters more than the industry itself becoming vigilant and staying that way. For those who missed the conference and want to get caught up, we summarized everything on our blog, and we encourage everyone in the industry to bookmark it and refer back to it as a definitive reference point. It includes contact information for government agencies that can help. It includes detailed strategies. It includes updates on emerging threats that will disturb but also enlighten you.
The trucking industry has been playing catch-up on digitization. It’s important that we do it, but it’s also putting us at risk, and cyberattackers are watching to exploit our vulnerabilities.
If they take down an individual truck, the results will be expensive. If they take down an entire trucking company, the results will be devastating. And if they launch an attack big enough and sophisticated enough to take down our entire industry, the impact on the U.S. economy will be catastrophic.
This is where the trucking industry says "no." We will not let it happen.