When fleets think about cybersecurity, oftentimes the first thought is related to the enterprise side of the business. But as attack capabilities are advancing and evolving on the asset side, National Motor Freight Traffic Association Chief Operating Officer Joe Ohr said carriers are beginning to have conversations with OEMs and suppliers about their approach to cybersecurity as they seek to protect their tractors and trailers.
And more and more, cyber criminals are targeting assets like tractors and trailers as attack vectors broaden.
“New vulnerabilities are coming all the time. What tends to happen is once industry starts tightening down one area, the attackers will move to something else,” said Karl Heimer, cofounder of CyberTruck Challenge, during the NMFTAs recent webinar titled Securing the Future of Heavy Vehicle Cybersecurity: The CyberTruck Challenge. “New capabilities are being added to vehicles … It exposes new threats. This makes new risk. This requires people to develop techniques against it.”
A new threat
One of the newest modes of attack, he said, is the cellular domain, which five years ago was considered relatively secure compared to other attack vectors. This year’s weeklong CyberTruck Challenge event, which NMFTA sponsors, will include some classes surrounding the cellular domain.
Many don’t realize how many cellular devices are on a truck; it’s not just a driver’s phone, Ohr said.
[RELATED: The impact of diminishing wireless connectivity on the trucking industry]
Ben Gardiner, NMFTA senior cybersecurity research engineer, said every supplier wants to put a telematics device on their components for monitoring. Cellular attack vectors on a truck range from the telematics devices for the transmission, brakes and engine to the OEM telematics device, the carrier’s chosen telematics device, an ELD, a TPMS and more.
“Cellular attacks impact the trucks that can also impact the kind of modems that you might have deployed at remote sites such as distribution centers,” Gardiner said.
Heimer said there has been an increase in the number of attacks on that are occurring via cellular. These are called “man-in-the-middle” attacks, where a computer with software defined radios pretend to be a cell tower and intercept communication from the tower to the cellular device in the vehicle.
Ohr said that could easily result in cargo theft when that interference impacts the ability to capture GPS location.
[RELATED: Small fleets could be at higher risk of cyber threats]
“Understanding what the exposure is there as well as some of the techniques and then learning how to maybe mitigate that … is one of the goals that we're we've got for this year” at CyberTruck Challenge, Heimer said.
CyberTruck Challenge
At the event, OEMs and other sponsors, which could include carriers, supply equipment like tractors and trailers, etc. for students to test.
Students sign NDAs, all findings go to the equipment providers, and all data is destroyed thereafter.
Heimer said there have been several instances where manufacturers who provided equipment to test have engaged with CyberTruck Challenge teams post event because those teams found meaningful findings.
Ohr said the value of hands-on experience gained at the event is key.
Heimer said digital twins or cyber ranges (both are virtual cybersecurity training methods) are great, but they’re not the same as working with a real-world system.
“We don't have sufficient fidelity in our models to be able to replace the actual material on hand, and we aren't going to for a long time … so you’re not going to get reality,” he said. “The other thing you're not going to get is the people that are developing the virtual twin don't necessarily know your back-end business logic. The other thing with the entire system is you see how it relates together.”
Why carriers should attend
Heimer said carriers should consider attending the CyberTruck Challenge for several reasons.
One is they can see how the different OEMs in attendance are addressing cybersecurity issues.
[RELATED: NMFTA guides cybersecurity protocols for mid-size fleets]
“They can get a sense of comparison. They can see how they're engaging the cyber talent. They can see the kinds of engineers that are present and how they're looking at problems,” Heimer said. “They're being able to see from a design, implementation, test and validation point of view how the different potential product providers to their fleets are concerned with the problem.”
He said, too, it will help them generate requirements documents for suppliers to meet.
And lastly, he said, is many carriers don’t yet have a large cybersecurity presence, and this can help them identify someone to help generate requirements and validate products and vendors.
“The point is pretty much to take a look at conducting periodic assessments of the vehicle fleet and understand your posture, as well as be able to integrate with some of the threat advisory boards,” Heimer said. “Understanding how the things that are being discovered or the emerging threats would actually impact your industry and help you control, or at least understand, the risks that you're facing.”
