API Security: It Begins and Ends With People

NMFTA - November 13, 2023

From October 22-25, NMFTA hosted its annual Digital Solutions Conference on Cybersecurity in Houston, TX. The presentations contained powerful information for any company in the trucking industry that’s concerned about cybersecurity for its enterprise and/or assets. Of course, that needs to be the entire industry. This is part of a series of blogs that summarize the information presented for those who could not be there.

TOPIC: API Security

Presenters: Dan Heinen, Kleinschmidt; David Samples, Transcard; Michael Oberlaender, Global CISO

Cyber threats against trucking companies are becoming increasingly serious and expensive, with one study showing that companies hit by attacks in 2023 lost an average of $4.45 million as a result.

Kleinschmidt’s President and CEO Dan Heinen emphasized the importance of building a culture of security within an organization, because a trucking company’s greatest vulnerability is human error.

Global CISO’s Michael Oberlaender said constant training is the key.

“You need to have training and regular sessions to make people part of the solution,” Oberlaender said. “They will want to bypass the security controls if they don’t understand why.”

The panelists all urged trucking companies to adopt a no-trust environment for both enterprise and assets, meaning neither people nor other applications should be able to access an application without going through multi-factor authentication (MFA).

That is especially important when it comes to vendors, who can often be used by hackers to gain entry into a company’s system.

“You don’t just trust your vendor or third party,” Oberlaender said. “You need to verify.”

Transcard’s David Samples said companies need to give people the access they absolutely need to do their jobs, but no more than that.

“What you don’t want is any open gateways, any opportunities for a human being to affect change beyond what you’re comfortable with that human being doing themselves,” Samples said. “If you have a billing clerk that has access to data they don’t need, you need to change that.”

The group also discussed the implementation of segregated networks. Oberlaender said the upfront investment is usually significant but is much less expensive than a breach.

One reward is that segregated networks make the job harder for hackers.

“Hacking is a business, and you don’t want to be the easiest person in the room,” Oberlaender said. “There has to be strategic-level thought to building a structure. As you peel back these onion layers and the hacker sees that it’s getting harder, he starts looking for the next person to hack. You’re looking for a score. You’re not looking for a challenge.”

The group also talked about the value of immutable backups, immutable being the key word: those are backups that cannot be overwritten.

As a company builds its security infrastructure, the group said, it can get employees involved by staging red team/blue team/purple team exercises. These are games in which one group tries to breach the company's system and the other team tries to stop them.

The games not only help promote interest in cybersecurity, but they also become a matter of pride for each team's members to do their best to protect the company's enterprise and assets.

Heinen talked about how Kleinschmidt helps companies with incident response plans, including walk-throughs in which they identify holes and verify that the holes have been covered.

Oberlaender said it’s crucial to create a playbook for each type of attack that could happen.

“This one is for ransomware, this one is for malicious code,” Oberlaender said. “Whichever it is, there is a playbook that tells you what to do. And you have to implement it. Because usually, when it happens, the whole organization runs around and scrambles, and they are not following the incident response plan.”

Samples added that the incident response plan should also include a very locked-in communication strategy, with one person responsible for gathering information from the IT team and communicating it to everyone else.

The group then discussed the importance of SecDevOps, which is simply an approach to software development that puts security first.

“The goal is to make security part of your software solution from the get-go,” Heinen said.

Heinen emphasized that whatever the up-front requirements are, they are much less difficult and expensive than suffering a breach.

“If you do it right, it will give you peace of mind,” Heinen said.

Samples added that companies should not force themselves to make ambitious security goals happen all at once.

“You don’t have to become the NSA [National Security Agency] overnight,” Samples said. “That’s where you tend to see big interruptions when you swing for the fences in the first round.”

For a 50-person trucking company that might not have full-time people in all of these positions, Samples emphasized it’s more a matter of mindset than it is of people in positions.

And critically, Heinen said, small trucking companies should not make the mistake of thinking they are too small to be a target. As long as they have an IP address, a hacker could use them to gain access to the shipper whose goods are being carried on their trucks.

“If you’re a small carrier or a 3PL, you might think, I’m not a Schneider, I’m not a J.B. Hunt,” Samples said. “I don’t have billions of dollars flowing through my networks. But it’s fairly rare for a sophisticated attacker to attack someone directly. You look for their vendors and suppliers. You become an on-ramp for the bigger targets.”

Finally, the panelists warned trucking companies not to think they have no security concerns because they back up their data to the cloud.

“The cloud is not secure per se,” Oberlaender said. “You need to keep your vendor accountable and responsible to make sure of that. You are the data controller. They are just the data processor.”

Systems to secure a traditional network work differently from those that secure cloud-based data, so trucking companies need to know the difference.

And critically, when you run a backup—cloud-based or otherwise—do not leave the backed-up data on your network. And understand, if your network is already breached but you are not yet aware of it, then the backup is likely useless.

It’s a lot to take in, and it makes sense to find professionals who can help. But it’s not an option to ignore these issues. At some point, every trucking company will need to put this into practice. Be proactive today.

The National Motor Freight Traffic Association promotes, advances, and improves the welfare and interests of the motor carrier industry and less than truckload carriers operating in commerce, both domestically and/or internationally.