The trucking industry has increasingly become a target of cyber criminals in recent years. With trucks moving upwards of 70% of the nation’s freight, it’s important that trucking companies understand what the cyber threats are and how to guard against them.
The National Motor Freight Traffic Association is at the forefront of the fight against cybercrime in trucking and helping fleets increase their cybersecurity to ensure they don’t become victims of cyber criminals. To understand how to protect your fleet, it’s important to understand what you’re protecting it from.
NMFTA is hosting its annual Cybersecurity Conference in Austin, Texas, from Oct. 26-28. The event will feature sessions on numerous topics around cybersecurity for trucking companies and the industry.
Contents of this video
00:00 10-44 intro; Cybersecurity and cybercrime trends in trucking
00:47 Cyber-enabled cargo theft
02:14 Phishing emails and social engineering
03:48 The most common ways cargo theft happens
05:43 Vulnerabilities on trucks; telematics and onboard technology
07:12 Data security and privacy
10:13 Managing access to the TMS
12:37 Cyber insurance
15:29 Creating a plan against cyberattacks
Matt Cole:
What are the biggest cybersecurity and cybercrime trends in trucking and how can fleets protect themselves from criminals?
Jason Cannon:
Hey everybody. Welcome back to CCJ's 10-44. I'm Jason Cannon and my co-host is Matt Cole. The trucking industry has increasingly become a target of cyber criminals in recent years. With trucks moving upwards of 70% of the nation's freight, it's important that trucking companies understand what cyber threats are and how to guard against them.
Matt Cole:
The National Motor Freight Traffic Association is at the forefront of the fight against cybercrime in trucking and helping fleets increase their cybersecurity to ensure they don't become victims of cyber criminals. To understand how to protect your fleet, it's important to also understand what you're protecting it from.
Ben Wilkens:
Cargo crime, cyber-enabled cargo crime, fraud, identity theft, those things are at unbelievably high levels in the industry right now. You don't have to look very far to come across a broker or a carrier that's been a victim. And I think what we've seen is a combination of a couple of accelerating forces come together with technology advances and also the increased digitization of the industry kind of outpaced our defensive capabilities. If you look back towards 2020, 2021, we really start to see a major shift upwards in the crime trends there. And to date, we really haven't put effective controls around things like carrier identities. Things like what do we do once we have either a carrier or a broker identity that's been compromised and how do we then put additional protections around the rest of their network, right? All of their trading partners get the word out quickly. We have some reporting mechanisms, but it's unfortunately there after the fact for the most part. So you have freight guard reports and things like that, but the speed and scale with which these crimes are being committed, by the time the reporting is done and the rest of the industry is aware of a potential bad actor, the damage is done and the criminals are on to another identity that they've compromised and they're now using that. So I think we're in a late phase of the catch-up game right now.
Jason Cannon:
While the most common point of entry into a fleet is still through phishing emails, cyber criminals are getting more sophisticated with how they attack trucking companies.
Artie Crawford:
So I think when we start to look at this, right, and you start to understand the complexities, the first way in is still the most efficient way in. And that's the phishing way in. Like Ben alluded to, we're seeing a lot more identity theft, broker identity theft, stealing of MC numbers, and then with these digitizations of the loads, they're being more pinpointed in what they're actually stealing and how they're stealing it. So they know exactly the route, they know exactly what's on the truck. They even have a good sense of understanding the industry enough that they know how far that truck's going to go before it makes a fuel stop or what the good halfway point is or what they perceive the safest stop is, and that's where they're doing that at. So again, the quickest way in is still the phishing. Business email compromise is still pretty quick and easy, and then the other ways that they're using are a lot of identity thefts at this point.
Ben Wilkens:
As email defense has gotten better, we're actually seeing a shift where phishing is not going away by any means, but we're seeing social engineering over the phone, a lot of social engineering over the phone, trust building, relationship building over time to establish a trusted partnership. Well, the bad actor waits for the correct opportunity, so maybe they'll get a couple of shipments a week and then some higher volume comes through and that's the day they decide to strike. And they'll take five or six loads in a whack.
Matt Cole:
With the explosion in cargo theft in recent years, particularly through strategic theft involving stolen identities or rerouted shipments unbeknownst to the shipper or motor carrier, a fleet's cybersecurity practices can make all the difference.
Artie Crawford:
We've put together this cargo theft or cyber-enabled cargo theft risk mitigation framework, which takes probably five or six of the most common ways that cargo theft is employed or used. And what we do is we take those and we kind of wrap them in the cybersecurity pieces that would help reduce that or help mitigate that. So things from like multifactor authentication, identity management and things of that nature that will kind of help you good process orientation and processes internal to an organization to kind of help start to mitigate that. It's not going to remove it, but it's sure going to make it a little more difficult. The resources that the bad actors are going to have to use are going to be more complex, a little higher set of resources, and there might be a lesser target out there that they want to spend their time on instead of trying to break through some of these. So I think by employing just good cyber practices and good cyber hygiene, that's the best first start that any organization can make.
Ben Wilkens:
Cargo crime being facilitated by the same tactics that cyber criminals have been using is a newer phenomenon in the industry or a newer issue in the industry for transportation. The techniques to guard against these tactics exist in the cybersecurity world and have been developed over time and refined over time. And so there are resources out there and there are training tools out there and our framework and other frameworks that can help raise the cybersecurity maturity of any organization, which in turn helps to lower the risk of these types of cargo crimes being successful.
Jason Cannon:
Beyond the back office, trucks themselves can also be vulnerable to attacks with all of the telematics and technology on board today.
Ben Wilkens:
That's a big focus that NMFTA has had for quite some time. It's actually how we started in the cybersecurity arena in transportation, is looking at the hardware and the telematics as the volume of technology and the sophistication of the technology on the vehicles has increased. Anytime that happens, the potential attack surface widens. And so there's very real concern. These technologies are required for modern transportation, and so we don't want to scare people away from deploying these types of technologies. But one thing that we really are stressing and a lot of our research is going into right now is understanding the supply chain behind the devices and the technology and really focusing on choosing wisely at your procurement stages. Understand what's on the vehicles that you're spec'ing, understand where the telematics devices are made, where the cameras and other sensors and technology on the vehicle is made, understanding how it's tested, what is the security testing process, because in any connected technology, there are inherent vulnerabilities that need to be addressed, and there are manufacturers that are more and less security minded across the supply chain. And so really doing your due diligence in that arena I think is paramount. We're heavily invested in digging into those concerns here at NMFTA.
Matt Cole:
Data privacy and data security is a legal gray area in many respects. States like California and Illinois have very strict data privacy laws, while some states are more lenient. With trucking being an interstate business, the lines get blurred.
Artie Crawford:
Well, when we start to look at this from a compliance standpoint, it's really a whack-a-mole type of situation right now because each state is kind of producing its own sets of privacy regulations. Unfortunately, or fortunately, Europe has adopted something called GDPR, which is an overarching privacy policy across the entire EU. We don't have that because we allow the states to operate so autonomously that California has a very, very high set of privacy standards. Illinois has some high sets, and then maybe some other states have a little bit of a lower bar. And it's interesting because there's not enough compliance-backed court type of cases yet that bring all of this into place. What was the privacy regulations of the headquarters of the unit? Was it at the transfer station of one of the carriers? Was it in the state of the highest privacy law? So those are kind of some nuances that have yet to be challenged in court, unfortunately, and we're probably going to see this start to happen over the next few years, but when you start aggregating all of this together, if you operate in the state of California and the state of California being the most restrictive, then you probably ought to up your privacy and your data standards to that level so you can be compliant with everybody that's below the state of California.
But with that, making sure that you have encryption in transit and encryption at rest, backups are encrypted. All of these type of just, I want to say normal, but good cyber hygiene practices, right? When it comes to your data, understand that your data is your keys to your kingdom. And when you have data like that, whether it's privacy or proprietary, which can be completely different or the same at that point in time, but understanding your responsibility as the owner of that data or the transmitter of that data, that you actually have inherent responsibilities to make sure that you've safeguarded that in process.
Ben Wilkens:
And I think one thing that I always like to add with concerns about data privacy and data security is the idea of data minimization as well. And a lot of organizations tend to store all of the data they collect, and you want to make sure you're minimizing the data that you keep in order to minimize the risk of data being exposed in a breach. So obviously keep data that you need for your operation, but don't just keep everything because it comes in, really understand what you need operationally or for compliance reasons or financial records or things like that, but really pare down that excess data that may or may not be required for your operation. And don't hold onto that unnecessarily.
Jason Cannon:
Ben says fleets should also carefully manage who has access to what within their TMS.
Ben Wilkens:
One of the things that's really important is number one, access across these systems is really important to manage carefully. Not everyone that needs access to the system needs access to the same parts of the system or to have the same level of access even within a single practice area in the systems. So that would be number one is ensuring role-based appropriate access to your TMS or your other fleet management systems. But then also, again, like Artie mentioned, you want encryption at rest, encryption in transit. We also want to make sure that we have strong onboarding and offboarding procedures. So often provision a new employee with the access they need and everything's great, but then when that person changes roles or leaves the company, it's important to have controls in place so that their management is either tailored or removed when those transitions happen as well to limit lingering access or over access for someone in a new role.
Artie Crawford:
Not only do we have to manage people, manage people with their roles or their attributes on how they're going to have their control, but we also have to manage parts of the network that have access to other parts of the network. For instance, the maintenance bay probably doesn't need access to the main headquarters network. The dock probably doesn't need access to the maintenance bay network. And what these things do is just kind of segment the network that we can kind of shut parts down when we find things that are hinky, to use the technical term, that are just not right in that side of the network, we can segment that side of the network off and keep the rest of the network safe and vice versa, wherever that problem occurs. So it's not only making sure that systems or making sure that people have the right accesses in the right roles, but systems or networks of systems have the right accesses in the right segmentation in place, and that kind of makes the unit itself, the organization itself, it kind of puts it in a much higher state of readiness because now instead of just breaching one section and being able to go anywhere you need to or breaching one account, now you have to actually traverse purposely to get into places that you can't get into, which is much easier to recognize from a defensive posture than to recognize everybody going everywhere at all the times.
Matt Cole:
Fleets looking to protect themselves beyond their cybersecurity systems in place can look into cyber insurance, but it's important to understand what it covers and what it doesn't.
Ben Wilkens:
The thing with cyber insurance is it really does vary from insurance carrier to insurance carrier and policy to policy within those insurance carriers. And then what you're trying to cover against, there is a common misconception that cyber insurance can be an alternative to spending money on a ton of cybersecurity internally. And right out of the gate, we have to dispel that myth because there are cybersecurity best practices and kind of baseline controls that you're going to have to put in place before you qualify for cyber insurance period. And after that, it's really a question for the organization of understanding your own risk appetite and understanding what your exposure is to then determine if there's a policy that fits within those constraints in your organization and is also in your budget. So it's really a very personal decision for each organization to make about how it fits in their risk model, their organizational model, their financial model. It can be an extremely useful tool, particularly when it comes to coordinating an incident response. Often, a lot of insurance carriers provide incident response handling and they have connections already pre-made with incident responders. They can help on the legal side kind of scaffolding that plan, but there are organizations for which it's not going to be a good fit. And it may just be, like you said, it may just add a line item on the insurance budget without adding a lot of benefit to them if it's not properly scoped for their organization.
Artie Crawford:
If there's one piece of advice that I can absolutely give anybody looking into cyber insurance is this is truly one of those things where you need to read the fine print. What does it cover? How does it cover it? What is my responsibility for it to be covered? Right? And Ben alluded to it, meaning, and cybersecurity insurance has been our best friend and our worst friend in a lot of ways, right? As cybersecurity practitioners like Ben and I, we're like, yay, cybersecurity insurance is making organizations become cyber before they'll issue a policy. But then on the flip side, they've been our worst friend because of the fact it's like, oh, wait a minute, you didn't cover very much or they found a loophole. So it truly is, it's a blessing and a curse, but there's a lot of things that need to be done and understood, and I think Ben said it exactly right. Each organization, it's a personal decision for each organization on how they want to implement, what limits, what is it going to cover if it happens, is it just the ransom? Is it lost revenue? And all of these things are factors into how that insurance policy is issued. So it's truly a read the fine print because the devil's in the details.
Jason Cannon:
With all these threats in mind, fleets need to have a plan in place in the event that they do get hit with a cyber attack.
Artie Crawford:
I can't stress enough. Build a plan, exercise that plan, practice that plan, figure out what the holes in the gap. Don't just pat everybody on the back that we made a plan and we executed it flawlessly in a training exercise. Look for the gaps in that plan so that you know how you're going to fill those gaps, but have a plan and practice that plan so that when it happens, whether you throw the plan out the window or whether you use it step by step, the situation will dictate that, but at least you already have the cognitive senses to start working through that. You should have had a plan. Step one is to get some experts involved as quick as possible. If you have an internal security team, make sure that they're on board as quick as possible, an internal IT team that has some understanding of cybersecurity and the practices. If you don't, and you're using an MSP or an MSSP, reach out to them immediately and get them on the phone and say, Hey, look, I think we've been breached.
Ben Wilkens:
I can't help but I go into operational head for a minute and say, number one, contain it, right? Any affected system needs to be quarantined, cut off from the rest of your network as quickly as possible. And that's what you were alluding to, Artie, when you were talking about network segmentation and making sure systems don't just have a flat access across your network. That will make this process a lot easier. I guess a good analogy is when you have a serious accident, you've got to stop the bleeding before you start treating any of the other symptoms. And so you really need to contain, you need to, Artie mentioned, get your incident responders, whether those are internal, external, reach out to your local FBI field office. Depending on the scale of the breach, they'll be able to offer resources. CISA can offer resources, get your team assembled, get the incident contained, and from there, you can then decide your next best action depending on the specifics of the scenario.
Jason Cannon:
That's it for this week's 10-44. You can read more on ccjdigital.com. While you're there, sign up for our newsletter and stay up to date on the latest in trucking industry news and trends. If you have any questions or feedback, please let us know in the comments below. Don't forget to subscribe and hit the bell for notifications so you can catch us again next week.