Cybersecurity in the 21st Century Transportation Industry
- Written by: Dan Eness
Avoiding the “Cyber-Highwayman”
As technology in the transportation and logistics sectors grow increasingly interconnected, the risk of cyber attacks rise. Transportation companies are being forced to find new ways to defend against ever-evolving threats.
On the morning of September 1, 2022, dozens of fleet taxis converged on one of the busiest streets in Moscow, halting traffic. Yandex Taxi suffered a successful attempt by hackers to disrupt their transportation system by ordering a hundred vehicles to a single pick-up point. With the advent of new transportation technology comes a host of new vulnerabilities. In the past ten years, cyberattacks have increased exponentially, with a staggering increase in numbers. Since 2010, cyberattacks on both individual vehicles and fleets have increased by 344%. Attacks like these can compromise, cripple, or even destroy a fleet business. Transportation companies must evolve their traditional loss-prevention concepts and develop a comprehensive approach toward a company-wide cybersecurity mindset.
Attacks on the Road: Then and Now
Before the combustion engine, a bad actor who robbed people on the road was referred to as a “highwayman.” But as technology has evolved, so have criminals. Years ago, a criminal had to break a window or door and then hot-wire the ignition to steal a truck and its accompanying cargo. Nowadays, once thieves hack into the vehicle’s interface, or access one of its mobile apps, there is nothing stopping them from simultaneously unlocking the doors, and remote starting the vehicle. Technology can be used to remove all physical barriers to access. That’s only part of the problem. Theft, which used to be the primary outcome stemming from a truck trespasser, is now not even the worst thing that can happen. Although outright vehicle theft is an obvious risk that can be mitigated with good cybersecurity, modern trucks hold information that is even more valuable than the cost of the truck or its cargo. They store enormous amounts of proprietary business data.
Fleets are first at risk of having intellectual and business information property stolen, which can then be used to commit broader crimes against the company or others. An individual who hacks into a vehicle can gain access to specifications, maintenance records, operational data, route information, and even personal information. The cyber-highwayman can discover a vehicle’s travel history, the home address of the driver, inventory and routes and vulnerabilities in both the physical and digital network. Once inside the network, the attacker will find a target-rich environment.
Vehicles don’t need to move an inch for ransomware to create massive problems for a trucking business. A delivery fleet hacked during the Christmas rush doesn’t need to be physically commandeered to disrupt the holidays. A hacker who can disable the locks can either hold packages hostage or make those packages accessible to looters. The scale of the threat is huge and limited only by the imagination and skill of the cyber-highwayman performing the attack. Fleets are highly tempting targets, and due to the complexity of physical and digital security, potentially have numerous vulnerabilities.
Anatomy of a Truck-level Breach
Enemy nations can attack supply chains at the transportation–level, but there is also incentive for criminals, both foreign and domestic, to take advantage of transportation network vulnerabilities.
While hackers may begin an attack with a specific goal, the more likely attack is one which seeks the first, fastest or easiest opportunity available once a system has been breached. In most cases, they are simply looking for easy money. Bad actors are flexible: even if they had an original goal, once they have hacked into a system, they can easily pivot to richer or more available targets. That makes it harder to defend against their attacks.
There are many actions hackers can take at this point, and it is not limited to outright truck or cargo theft. The odometer mileage can be rolled back when making warranty claims, or rolled forward for making individual mileage claim reimbursements, for example. A lessee could roll back the odometer and not pay for the miles they drove/leased. You could even disable exhaust after-treatment systems, avoiding diesel exhaust additive costs, for example.
Managing the Complexities of a Fleet
At the Fleet Data Management & Cybersecurity Conference hosted by the American Trucking Associations’ Technology & Maintenance Council, Mark Zachos, regional chairman at SAE International said, “What I don’t think that we pay enough attention to, frankly, is that data, equipment, the laptops, the interface device, the maintenance tools, maintenance equipment, that too needs to have security and privacy provisioned into it.” Zachos mentioned that location and performance data of vehicles is tracked remotely, but that is just the beginning of a fleet’s security vulnerability. Competitors or other spies can gather intelligence, but – more than that, they can also potentially compromise trucks.
“Maybe they de-rate the engine,” Zachos said, “Maybe they drain the DEF or all the sensors. Maybe they turn the seat heater up so the driver doesn’t want to sit there anymore. And finally, the safety issues like disabling the brakes.“
Hackers can target telematics systems and application servers or take advantage of mobile apps. The hacker pretends to be someone else and pairs the hacked-in app with a vehicle they do not own.
The threat is evolving constantly.
Taking Advantage of the Human Factor
Vehicle security should be approached by vehicle operators as if it is a new computer network. Yes, it will have robust cybersecurity systems built in, but as with all security technology, the most crucial element is a well-trained human with a cybersecurity mindset. Truck operators should be trained in and understand their company’s cybersecurity approach starting on Day One. Just as cyber-aware individuals will buy software and commit to practices that go beyond the technology built into their new personal device, cyber-aware transportation employees will be active contributors to the security of vehicles and the supply chain overall. No matter how good the built-in proprietary cybersecurity system is for a truck, or an entire fleet, extra protection and participation is critical.
Dan Murray, senior vice president of the American Transportation Research Institute makes it clear that, whether modern technology is promising autonomous vehicles or other AI-features, the human operator will continue to be the main actor. “When you get to Level 4, even potentially 5, the driver is still going to be king.” The same applies to cybersecurity. The driver must be equipped with the right technology, but that must be accompanied by the correct training and an understanding of the company’s robust approach to cybersecurity.
So, it isn’t just about technological defenses, it is also about training drivers to better understand their own trucking tech in order to be cybersecure.
Securing the supply chain against bad actors and technological failure requires complex, strategic planning but the first line of defense can – and should – be developed at the operator level. Transportation companies need a trusted advisor who has the experience, expertise and ability to help the fleet manage risk end-to-end.
For transportation cybersecurity planning and execution, contact the experts at HBS today.