As the connectivity of trucking fleets grows, so do cybersecurity risks
Connectivity is changing commercial truck fleet operations. While the development of autonomous heavy vehicles is still in early stages, fleet owners have been increasingly relying on “connected” trucks to improve their uptime, safety, fuel efficiency and tracking, among other things.
But every connected technology — from telematics and remote diagnostics to in-cab software and on-board IoT devices like cameras — adds new cybersecurity vulnerabilities. Each of the technologies comes with security risks, and with everything interconnected, the exposure is exponential.
Frost & Sullivan forecasts that 55 percent of commercial trucks in North America will be connected by 2025. As connectivity becomes “the way of the future” for the industry, fleet owners and operators need to consider the implications. How can they control the cybersecurity risks while still embracing innovation?
Hacking connected trucks
There’s been a lot of discussion in the media about the cybersecurity risks of connected and autonomous passenger vehicles. For commercial trucks, or “heavy vehicles,” these concerns are even bigger. Their network architecture is similar, but what makes them more vulnerable is the extensiveness of their connected features, says Urban Jonson, chief technology officer for the National Motor Freight Traffic Association, Inc. (NMFTA), a nonprofit membership association.
“The difficult part of hacking vehicles is gaining access, ideally remote access,” he says. “While passenger vehicles are just now becoming connected through telematics systems, heavy vehicles have been more pervasively connected through satellite and cellular communications linking to telematics, fleet management and engine management applications for quite some time. Consequently, heavy vehicles currently have more avenues for remote access than light vehicles.”
Cybersecurity researchers — aka white-hat hackers — have already shown that hacking big trucks is possible. In 2016, researchers from the University of Michigan were able to send digital signals within the internal network of two rigs to do things like control instrument gauges, disable engine brakes and cause acceleration while the vehicle was in motion.
The two rigs they hacked — a 2006 Class 8 semi-tractor and 2001 school bus — used a standard called SAE J1939 that is common in modern heavy-duty vehicles. While the researchers needed physical access for the breach, they concluded that a remote extension to that type of attack was possible, “given how similar the vulnerabilities are to consumer vehicles and the complexity of management systems already widely employed.”
“We find that an adversary with network access can control safety critical systems of heavy vehicles using the SAE J1939 protocol,” the researchers wrote in their paper. “Similar to cars, semi trucks are designed to protect against safety failures, but the idea of an active attacker does not go into the design of the safety mechanisms.”
NMFTA estimates that of the 3.6 million heavy trucks in use, 59 percent come from seven model years, 2005-2007 and 2012-2016. Because vehicles manufactured during the same cycles share components from the same suppliers, the cybersecurity risks are higher, according to the NMFTA.
“With thousands and sometimes tens of thousands of virtually identically configured vehicles, commercial truck fleets have a high level of electronic homogeneity that can enable an adversary to economically develop viable exploits that could attack large numbers of vehicles simultaneously,” Jonson says.
Are cyberattackers targeting truck fleets?
Whether attackers have taken an interest in heavy-vehicle fleets is the subject of some debate, at least for the moment. Most threats have financial motivations, points out Bryson Bort, CEO of SCYTHE (which offers a Red Team platform for risk assessments) and co-founder of ICS Village, a nonprofit focused on industrial control systems security education.
“Fleet operators are not as concerned with privacy as the consumer sector — it’s about safe operations,” says Bort, who’s also the founder of cybersecurity company GRIMM, which specializes in industrial controls, embedded systems and the automotive sector. “Because threats are financial today and right now there’s no big financial gain, I don’t think there’s an imminent threat.”
But Bort also points out that the WannaCry ransomware attack underscored what can happen with interconnected systems. He says the attackers didn’t necessarily design the ransomware to cripple hospitals in the United Kingdom or to attack medical devices. Yet it happened.
“When you’re adding another layer of connectivity, it’s not additive but exponential,” he says. “It makes it a lot more opportunistic for hackers. … WannaCry impacted things we didn’t expect because everything is so connected.”
The implications of a cyberattack on fleets could be devastating, considering how the economy relies on ground transportation. Jonson says that as part of the critical infrastructure, the transportation industry could be a target for nation-states.
“Any significant impact on motor freight transportation can have a major impact on everything from groceries, fuel, medicines, raw materials and other key products and services,” he says.
Electronic logging devices add new risks
Research company Markets & Markets estimates the connected truck market to be worth $37.64 billion globally by 2022, doubling 2017’s estimated $18.6 billion market. Government mandates are among the top drivers, the company says.
One example of a government mandate is electronic logging devices, or ELDs. The U.S. Congress mandated the so-called ELD Rule with the goal of improving the safety of millions of drivers on the road and reducing crashes. The rule came into effect in December 2017, but fleet operators using legacy automatic onboard recording devices (AOBRDs) have until December 2019 to make the switch.
ELDs automatically keep track of the driver’s hours of service by connecting to the engine, and most ELDs use a cellular data network connection. While many ELD manufacturers have said it’s virtually impossible to hack the devices because they’re designed to only read data, security researchers have proven otherwise. Testing five different ELDs, cybersecurity company IOActive found vulnerabilities that could allow attackers to “pivot through the device and into the vehicle,” with disastrous consequences.
“There is still significant concern regarding the cybersecurity posture of ELDs and their providers,” Jonson says. “In-vehicle components have been found to lack in cybersecurity hygiene features such as secure boot, encrypted communications and privilege separation.”
Additionally, he says other concerns include secure communications, authentication and other basic security in cloud systems.
A potential solution to ELD security is a hardware device called the CAN (Controller Area Network) Data Diode. Jeremy Daily, Ph.D., associate professor of mechanical engineering at the University of Tulsa, developed the technology with help from students as the director of the university’s CyberTruck Experience program (initiated by NMFTA).
The CAN Data Diode enforces the network’s read-only policy, preventing communication from the ELD to a commercial vehicle. With the proof-of-concept in hand, the device is ready for commercialization, and the university is looking for commercial partners to bring it to market.
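A software model of the read-only policy described above, added here as an illustration; it is not the University of Tulsa device's design or code. The Frame and OneWayGateway names and the sample frames are constructed assumptions; the identifier layout follows SAE J1939.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    can_id: int   # 29-bit extended CAN identifier
    data: bytes
    origin: str   # side the frame arrived on: "vehicle" or "eld"

def decode_j1939_id(can_id):
    """Split a 29-bit J1939 identifier into priority, PGN and addresses."""
    if not 0 <= can_id < (1 << 29):
        raise ValueError("J1939 uses 29-bit extended identifiers")
    pf = (can_id >> 16) & 0xFF      # PDU format
    ps = (can_id >> 8) & 0xFF       # PDU specific
    page = (can_id >> 24) & 0x3     # extended data page and data page bits
    if pf < 240:                    # PDU1: PS is a destination address
        pgn, dest = (page << 16) | (pf << 8), ps
    else:                           # PDU2: broadcast, PS is part of the PGN
        pgn, dest = (page << 16) | (pf << 8) | ps, 0xFF
    return {"priority": (can_id >> 26) & 0x7, "pgn": pgn,
            "source": can_id & 0xFF, "dest": dest}

class OneWayGateway:
    """Forwards vehicle-bus frames to the ELD, never the other way round."""
    def __init__(self):
        self.to_eld = []    # frames the ELD is allowed to read
        self.blocked = []   # decoded write attempts, kept for alerting

    def handle(self, frame):
        if frame.origin == "vehicle":
            self.to_eld.append(frame)
            return True
        # Anything arriving from the ELD side is dropped, requests included.
        self.blocked.append(decode_j1939_id(frame.can_id))
        return False

# Constructed sample traffic (not captured from a real vehicle).
SAMPLE = [
    Frame(0x0CF00400, bytes(8), "vehicle"),               # PGN 61444, source 0x00
    Frame(0x18FEF100, bytes(8), "vehicle"),               # PGN 65265, source 0x00
    Frame(0x18EAFFF9, bytes([0xEC, 0xFE, 0x00]), "eld"),  # request, source 0xF9
]

def run_sample():
    gw = OneWayGateway()
    return gw, [gw.handle(f) for f in SAMPLE]
```

In this model every blocked entry is a write attempt from a device that should only listen, so a non-empty `blocked` list is itself a signal worth alerting on. The trade-off is that an ELD behind such a gateway can only use data the vehicle broadcasts, since its own requests never reach the bus.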
Ultimately, Daily says, the biggest driver behind overall cybersecurity improvements will be economic.
“The marketplace will decide what’s important,” says Daily, who’s also the co-founder of the CyberTruck Challenge, aimed at developing the vehicle security workforce and establishing a community interested in heavy-vehicle cybersecurity. “The beauty of a marketplace-driven system is that if a producer decides cybersecurity is something they want to offer and the market buys it, other people will get on board.”
Implementing industry best practices
Auto-ISAC (the industry’s Information Sharing and Analysis Center), in collaboration with two automotive associations, has developed best practices for the larger automobile industry. The practices, which also apply to heavy vehicles, use a risk-based approach. They focus on seven principles:
- Security by design
- Risk assessment and management
- Threat detection and protection
- Incident response
- Collaboration and engagement with appropriate third parties
- Awareness and training
Some of the best practices include:
- Assessing risk and the nature of identified threats and vulnerabilities through a defined process that’s consistent with the overall risk-management strategy
- Using threat monitoring to understand current and emerging threats and reduce enterprise risk
- Identifying threats and vulnerabilities through routine scanning, testing of the areas with the highest risk and other means
- Establishing standardized processes for identifying, measuring and prioritizing cybersecurity risks
- Creating and documenting an incident response plan that includes identification and containment through remediation and recovery
- Conducting periodic testing and incident simulations to facilitate the preparedness of the incident response team
- Establishing training programs for internal stakeholders, as well as cybersecurity awareness around vehicle security, IT and mobile devices
Jonson says fleet operators should view their own cybersecurity — and that of their suppliers — in the larger context of business continuity.
“Have an incident response plan; consider what would happen if a telematics provider stopped service; assess what impacts on your business operations cybersecurity incidents in your systems or those of your suppliers could have.”
He also recommends using the best practices from the Center for Internet Security as a starting point, as well as evaluating the cybersecurity maturity of any products connected to fleet vehicles, especially those that provide remote access.
Threats to become more complex
Based on a 2016 survey of 350 transportation executives, global risk advisory company Willis Towers Watson ranked increased security threat from cyber and data privacy breaches as the top risk for the industry. The ranking considered the increased security threats from cybersecurity and data privacy breaches, along with the increased complexity of regulation.
With the dawn of autonomous rigs, those complexities and threats will only grow.
“At some point, the vehicles will become more autonomous and have more (connected) functionality,” Bort says. “The stakes will become higher.”
- Automotive Cybersecurity Emerges as a Strategic Priority in an Era of Connected and Autonomous Commercial Vehicles, Frost & Sullivan
- Truck Hacking: An Experimental Analysis of the SAE J1939 Standard, University of Michigan research paper
- Auto-ISAC Monthly Community Call, April 2018 presentation, Auto-ISAC
- Connected Truck Market worth 37.64 Billion USD by 2022, Markets & Markets
- Hacking trucks: Cybersecurity and the ELD mandate, Overdrive
- IOActive Announces IOAsis Security Talks at Black Hat USA 2017, IOActive
- Medical Devices Hit By Ransomware For The First Time In US Hospitals, Forbes
- Cyberspace protection: Data security, privacy add to list of ELD considerations, Commercial Carrier Journal
- Vehicle security consortium based on TU cyber technology, University of Tulsa
- Industry best practices, Auto-ISAC
- Transportation Risk Index 2016: Navigating risk in the transportation sector, Willis Towers Watson