The growing threat of cyberattacks and cyber fraud to the trucking industry is very real, FBI Special Agent Regis Billings said during a presentation at Omnitracs’ fourth annual Outlook user conference.
As reported by Today’s Trucking, Billings said the FBI is noticing “a lot of financially motivated hackers targeting the transportation industry.”
“They’re misdirecting funds into other accounts and sending them overseas,” he said.
“The attackers are going after the squishy parts of the organization, the human elements of the organization, and where are the most elements of humans in this industry?” Billings says, referring to drivers.
Virtually any site that appears to offer something for free could create an unwanted pathway into company computers.
“If you are subscribing or using ‘free’ services, they are getting something from you,” said Sharon Reynolds, chief information and security for Omnitracs.
Once an opening is created, criminals begin “lateral” moves, shifting through networks on the way to higher-value targets. Then they sit and wait until the time is right, often after monitoring financial transactions.
Poorly designed electronic logging devices could be creating paths of their own. “We’re concerned about the new entrants in the marketplace,” Reynolds said. “You don’t know where they came from.”
“They’re very, very bad. I don’t think I’m overstating this,” said Ben Gardiner, principal security engineer with the ethical hacking team at Irdeto. “The risk to drivers that are using bad ELDs is very real.”
Protecting your business involves understanding the threats, and assigning someone to focus on addressing the issues. Then it’s a matter of getting teams to form what’s essentially a “human firewall” in the form of tougher passwords and best practices – like typing URLs into an address bar rather than simply clicking on links.
Business partners of any sort should also demonstrate a similar commitment to cybersecurity. “Will they protect your data the same as you’ll protect theirs?” he asked. In one case a company lost $850,000 after it embraced a new technology without realizing the weaknesses in a partner’s system.
The cyberattacks could even add a new layer to traditional truck hijackings. Billings refers to a time in the not-so-distant future when thieves could hack into vehicle electronic control modules, triggering something that causes a driver to pull over, or even shutting down a truck entirely.
The traditional J1939 CAN data bus creates vulnerabilities, Carpenter agreed. “I can control the engine. I can control the brakes. I can do that ransomware on all the vehicles.” Emerging DSRC-based communications systems that link trucks to infrastructure can create pathways of their own, like a radio beacon inviting systems to talk to it. One compromised truck could essentially lead to a vendor’s back office, and then tap into other trucks using the same network.
The threats are not being ignored. Working groups with the Society of Automotive Engineers continue to improve standards and testing, for example. “There is a lot of good progress,” Gardiner said.