Telematics devices, ELDs, dash cameras, transportation management systems. Trucks abound with technology. That technology can put a trucking company – and the greater supply chain – at risk.
The transportation sector, with its vast amount of data and its critical role in the economy, has increasingly become a cybercrime target as the industry becomes more digitized. The National Motor Freight Traffic Association often warns trucking companies about the potential for cyberattacks, primarily through phishing scams, and more recently regarding cyber-enabled cargo theft.
Now, the organization is warning trucking about China.
NMFTA Cybersecurity Principal Engineer Ben Wilkens and Director of Cybersecurity Artie Crawford recently hosted a webinar in which the two cautioned trucking companies about the risks associated with Chinese-made technology.
The webinar focused on the Made in China 2025 initiative, China's 10-year plan to transform its manufacturing sector into a high-tech, globally competitive powerhouse by focusing on 10 key sectors, including transportation and critical infrastructure.
“There's a concerted effort in this particular plan to force other entities to be dependent on Chinese manufactured goods or have dominance in these fields, and this extends from manufactured goods all the way back into some of the supply chain and the actual raw materials going into these (goods),” Wilkens said.
The threat
The risk, Wilkens said, is that if any component in a piece of technology is manufactured in China, there's a potential for remote access.
Crawford gave the example of ship-to-shore cranes used at U.S. ports that China sold to the U.S. at a heavy discount. The cranes were phoning home information about containers: how many, contents, where they were going and how (rail, intermodal, etc.). The cranes were embedded in the power grids and telecommunications infrastructure, he said.
In trucking, Wilkens said, it goes beyond risk to a trucking company; it’s a concern at the national level, for critical infrastructure and even national defense.
An asset tracking technology with a Chinese-manufactured component, for example, could potentially model transportation networks, the flow of goods, consumer demographics and where different resources are located and being moved.
Crawford said that creates the potential to disrupt the manufacturing of certain goods, or to use knowledge of shipping routes to manipulate traffic signs and wreak havoc, even in just one area of the U.S., causing cascading supply chain disruption across the country.
“We want to be very clear about some of these risks, but we don't want to veer into fear mongering or conspiracy theory type territory,” Wilkens said. “But it is important to see how all of these systems are connected. By systems, I don't just mean our technical systems but our supply chain ecosystem and our different infrastructures as systems in our society. The cascading effect is important to understand, and that's why it's so important to protect something like transportation anywhere we can.”
Reducing your exposure
Wilkens said this warning isn’t about one specific technology but the breadth of technology trucking companies deploy. He said points of entry are potentially in any technology stack, so companies need to be careful about sourcing and point of origin.
The Cybersecurity and Infrastructure Security Agency reported a telematics device that had vulnerabilities in a communications module, Wilkens noted. What is a trucking company to do if it has deployed that device across its entire fleet, he asked.
“That's the real issue here,” he said. “We need to get in front of that on the supply chain side and the point of origin side in order to reduce that risk before we get into a position of being overly reliant on a particular component.”
Trucking companies operate on razor-thin margins and so have to be mindful of cost when purchasing new hardware or software. Wilkens said lower costs increase the likelihood of components being made in Chinese manufacturing facilities.
Crawford said that, in his opinion, chip manufacturing in some cases needs to be brought back to the U.S. so industries aren’t reliant on a single nation to build particular chips used for daily needs.
In addition to other measures, Wilkens said communication channels to Chinese IPs need to be blocked because most trucking companies have no legitimate reason to have data flows to and from them.
Questions to ask when procuring technology
Where is it made, and where is it assembled? Crawford said the two aren’t necessarily the same.
“It may be made here in the USA, but it may still have some of those chips that come from other parts of the world that may or may not be in the best interest,” Crawford said. “Having this informed procurement strategy is really a good first step … (to) selecting a secure device and vendors.”
The NMFTA is soon going to release a vendor checklist that is mindful of low-cost solutions while indicating where a device comes from.
White labeling, Crawford said, is another concern. There are cases where, say, six ELD devices are the same device just renamed something different. He said the practice of white labeling has gotten worse over time because it’s cheaper to bring one device in and resell it under several different names, so ask, “has it actually been manufactured by somebody else and rebranded under your name?”
For software, his tip is to open the user agreement, which typically supplies information like where the source code originated. Wilkens added that the user agreement should also state where your data is going to be stored and shared.
But the overall key to protecting your company and the broader supply chain, Crawford said, is as simple as being conscious of the type of risk you may be introducing to your organization via technology.
The technology may be less expensive, but it could cost more in the long term, Crawford said.
“If it's a deal that's too good to be true, it's probably too good to be true,” he said. “You're probably giving something back on the backside.”