There’s so much technology in the trucking industry these days to help carriers improve efficiencies by doing things like eliminating phone calls. But the telephone has become Steve Hankel’s best friend.
Hankel, the vice president of IT at Johanson Transportation, said he gets phishing emails at least three times a day saying something like “sign this urgent contract.”
“What I do now is I just delete everything and wait for someone to call if it really is something that they need done right away,” he said.
He said his worst nightmare is a cyberattack on the Fresno, California-based 3PL, and every time there’s an alert, or one of the company’s systems goes down, his first thought is “we’re being hacked.”
“It's ransomware. They're already in. It's kind of like that movie Scream. The call is coming from inside the house,” he said during a panel at the National Motor Freight Traffic Association’s (NMFTA) annual cybersecurity conference held in Cleveland, Ohio, this week.
Though the organization demonstrated a physical truck hacking in a Houston, Texas, parking lot at last year’s conference, industry experts warned that the top threat to trucking companies was in fact not a physical hack but a cyber hack via phishing and business compromised email – both of which are typically one of the first steps to many ransomware attacks.
That trend remained a top concern for 2024.
Insurance broker Marsh had 252 total ransomware incidents reported among its client base in 2023, said Carrie Yang, senior vice president of Marsh’s cyber practice. In the first and second quarters of 2024, 113 ransomware incidents were reported to Marsh, so Yang said she expect this year’s count to be similar, if not more, than 2023.
[RELATED: NMFTA shares cybersecurity risk predictions for 2024]
“I also want to put out that ransomware is just one type of cyber claim that has been reported to us. 88% of the claims reported to us in Q2 this year were non-ransomware incidents or events, including data breach, privacy violation, business interruption, system failure, etc.,” she said. “When we say cyber, ransomware is one type of incident, and there are so many different incidents that we need to think about as well.”
Yang said more and more non-ransomware claims are coming in like those related to regulations violations. She said privacy regulations being pushed out by Europe, the U.S. and even several states are getting complicated, enhancing risks. An example would be if a company collects the data of employees without first getting consent.
That has landed regulations on the list of concerns, too.
Peeyush Patel, global chief information security officer at XPO, said incident reporting regulations are evolving in every country and without clear guidelines.
“I wish there was a sort of global effort around standardizing some of these things, even within the U.S. itself,” Patel said.
Data vs. physical assets
While cybersecurity attacks remain focused on the data side, physical attacks are not off the table, said Ben Gardiner, senior cybersecurity research engineer at NMFTA.
He said carriers still need to worry about vectors into the trucks. Bad actors continually become more sophisticated with their attacks, but the good guys also continually get better at blocking those attacks.
“I'm left wondering what happens when these financially motivated attackers stop succeeding so easily with PC-based ransomware and they start doing the mass derates (crippling the truck into 'limp mode') that we're worried about,” Gardiner said. “A lot of the attacks on trucks can turn into derates. If you talk to the fleets in the room, they're okay dealing with a handful of derates but certainly not fleet wide or even a large proportion of their fleet. Derating continuously would be a really, really big problem.”
NMFTA COO Joe Ohr said most don’t think about the asset side of cybersecurity unless they’re in the trucking industry.
Patel said the same principles that apply to the IT side also apply to the asset side. Know your asset inventory, he said, and then know how to manage risk. XPO has begun deploying GPS and RFID tags on its assets.
“They're not as cost effective today, but I think just knowing your assets is the first step,” he said.
Full circle
Patel said XPO hasn’t found a perfect solution yet because it has only just started to think about risk regarding assets as everything becomes more connected. He said XPO has also started vetting its vendors’ cybersecurity risk profiles.
That comes back to the data side.
As the digital world becomes more sophisticated, implementing security by design, Patel said it’s important to understand your vendors’ risk profiles because “many times it's not a breach of the company itself, but it's the third parties that have been breached.”
“How do we make sure that as we move into hyperscalers … how do you make sure that those firms are implementing enough security, and how do you protect your data,” he added. “Gone are the days when you set up a fort and then put a moat around it.”
