Ben Wilkens, principal cybersecurity engineer at the National Motor Freight Traffic Association, likened cybersecurity to building a home.
Cybersecurity prerequisites like keeping systems up to date, having reliable backups, multi-factor authentication and basic user awareness training, among other things, are like the foundation. Intermediate cybersecurity controls are like the electrical and plumbing. These expand responsibility beyond the IT department to the whole company and involve a deeper understanding of the risks to each department and its associated technologies, along with a formalized incident response plan. And advanced security is the interior design phase, which means conducting a business impact analysis and forming a business continuity plan.
Wilkens, joined by NMFTA Director of Cybersecurity Artie Crawford and AAA Cooper Transportation Director of Information Systems and Cybersecurity Robert Gray, recently discussed cybersecurity best practices for mid-size fleets as part of the NMFTA’s Roadmap to Resilience initiative, designed to help fleets of all sizes improve cybersecurity from the trucks to the docks to the enterprise.
The organization outlined measures for owner operators and small fleets in a previous webinar.
NMFTA released its Cybersecurity Best Practices Guidebook: Mid-Sized Fleet edition last week. It’s part of a comprehensive three-part guidebook tailored for fleets of all sizes, from single-unit owner-operators to mid-sized fleets with up to 1,000 power units. NMFTA aims to translate cybersecurity frameworks specifically to the trucking industry and make them more accessible and applicable based on different sizes of operation.
Gray said protecting systems is critical to a trucking company’s ability to be profitable and competitive, no matter its size.
“The basic fundamentals of cybersecurity should be at the top of everybody's list, making sure that is a key focus and there's maturity in that area, regardless of the size of the carrier,” he said.
Initiating a cybersecurity program
Gray said at mid-size fleet AAA Cooper, the basics were in place, but cybersecurity was more a function of the IT team than a company-wide one, and he knew there was a need to mature its cybersecurity program. So, he created the Department of Information Assurance, which is responsible for protecting the company's information assets and focuses on risk analysis and management and cyber operations.
At the very least, Gray said fleets need to create a network of cyber professionals to gain insight from and have the fundamentals (multi-factor authentication, reliable backups, training, etc.) in place. But that’s only a start to a sophisticated security architecture.
Intermediate cybersecurity controls
A step above is zero trust architecture, a security model that treats all users and devices as untrusted by default, requiring ongoing verification of identity and permissions before allowing access to any resources.
Gray said it can be difficult to do, especially when employees are accustomed to a system that’s been in place for 20-plus years. But, one step at a time, limit employees’ access to systems to only what they need to do their jobs. Then, constantly verify their identity to make sure nobody has injected themselves and is pretending to be that person.
“Not everybody needs admin access across the domain. We should operate on this principle of least privilege,” Crawford agreed.
Gray said AAA Cooper once had 48 domain administrators; today, there are two. And those two people’s actual identities are not used to gain access to the systems; they use an alter ego through a privileged identity management system that also records video and logs everything they do while in the system.
“No human being should ever have administrative access to critical systems,” Gray said. “It's not that we don't trust the people working for us .... It's that we don't trust the threat actors, and we believe in their ability to try to infiltrate our systems.”
Wilkens said it is crucial to understand the level of access of every person across an organization. The convenience factor of giving everyone access must come secondary.
He said someone in maintenance doesn’t need access to the system the accounting department uses. Someone operating a handheld scanner on a dock doesn’t need access to the HR department workstations. There should be specific controls tailored to the purpose of the business area they’re being applied to, he added.
“You need to understand those acceptable uses, the legitimate purposes and the potential danger points or the security concerns related to that particular environment as you build out these controls,” Wilkens said.
Diagnostic software used in the maintenance department, which is often dependent on legacy systems, has different vulnerabilities.
“We need to understand what those gaps are and then put controls around those specific devices to protect not just those devices but the rest of the network from those devices,” Wilkens added.
Gray said network segregation is like physical security. If a mall has a guard at the front door but not at the door of each store within, you can enter any store without regard once you’ve entered the first access point. A threat actor may not care about a company’s testing and development environments, but they may use them to gain access to production data.
Advanced security
Gray said fleets need to perform a business impact analysis to implement effective security. Talk to the people who use each technology on a daily basis to discover what they would need in the absence of that technology to continue operations.
What happens when you don’t have a screen to see a bill of lading or a printer to print it out?
Gray said one of AAA Cooper’s operational plans was initially 90 pages long. They had to streamline it down to seven pages with only the critical items.
“You can’t use this in a crisis,” he said. “You're going to break this out and try to read 90 pages when you have 20,000 shipments flowing across your docks? How's that going to work?”
Even more important, Wilkens added, is practicing that plan.
“Don't just develop a good plan and streamline documentation and communication protocols and things like that. Walk through it, table top it. Practice, practice, practice,” he said. “You don't want to be in the middle of a crisis to realize that you missed a critical system in your business continuity planning or in your incident response.”