David Carroll approached one of his local grocers during the COVID-19 pandemic and asked what would happen if trucks stopped. Feast or famine within 13 days was the grocer’s response.
“If trucking stops, America stops,” Carroll said Monday during his keynote session delivered at the National Motor Freight Traffic Association (NMFTA) Cybersecurity Conference held in Austin, Texas.
Carroll, vice president of capability engineering and strategy at General Dynamics Information Technology, is an information warfare officer for the U.S. Navy Reserve Office of Naval Research and a former associate director at the Cybersecurity and Infrastructure Security Agency (CISA). One of his duties as an information warfare officer is to do cyber exercises for NATO. Two years ago, it was for the European fuel system in France; last year, it was the faulted cabling electrical system in Latvia. Coming up, is overland trucking in Sweden.
“And those are not just contested supply chain or ransomware crime but actual warfare,” Carroll said.
While warfare on critical infrastructure like trucking can happen, he said the low-hanging fruit that is ransomware remains the most common cyberattack experienced by the U.S.’s $940 billion trucking industry, responsible for 72% of all freight by weight. Based on his personal research, 90% of major carriers report cyber intrusions monthly. Someone in the audience said daily.
“Ransomware … is supply chain paralysis,” Carroll said, and the first place of attack that he has generally seen has been GPS and telematics manipulation, which can reroute fleets.
“As you go up the stack, and you become more critical, and you're carrying more critical things or more timely things that are required for folks to live, I think it just gets worse,” he said.
The amount a ransomware loss costs the logistics industry is also going to grow, he said, sharing that the median loss was around $1.3 million per incident in 2024.
[RELATED: Fleet cybersecurity 'only as strong as your weakest vendor']
A call to action
Carroll laid out a call to action Monday, citing data sharing as the key to preventing cyberattacks.
“We need a collective defense. Collaboration and sharing are literally the fuel of defense,” he said. “It’s a team sport.”
Using what’s out there already, such as collective defense models like CISA’s Joint Cyber Defense Collaborative (JCDC) threat playbooks, can reduce threat detection time by at least 40%, Carroll said, and that timing can make the difference.
One example he gave was when one data scientist shared a model with a major U.S. telecommunications and cable provider, helping them to find Volt Typhoon, a Chinese state-sponsored hacker group that particularly takes aim at critical infrastructure, on their network within six days. He said that would have taken the provider a month without that model.
“In cyber … if you get a decision and you can put that in a library, then share that with everybody. Don't make it proprietary,” Carroll said. “If those models are out there … get it to each other because it's going to save folks’ lives. Always share the data.”
In addition to sharing the data, these are some other pathways to collaboration Carroll shared:
• Operational collaboration: perform joint ransomware playbook exercises to learn about each other’s business to find and fill gaps.
• Build or join trusted circles: cooperate with competitors to create system resilience because cyber affects everyone.
• Connect to NMFTA and CISA JCDC feeds.
• Conduct 45-minute tabletop ransomware drills:
“More drills; I’d start there,” Carroll said. “The control systems, I think that's where you're going to see it first. You're going to see it start that way before it gets into … ‘Hey, we're going to take over the POUs on your Freightliners. I don't think they're going to get there before they go right after a ransom. It's just too easy to target. If the data is not protected, they're going to go grab it, and then they're going to tell you to pay them for it.”
