Freight Cybersecurity Resources

The Cyber Threat Landscape in the Trucking Industry

Illustration of padlock composed of ones and zeros

As a key stakeholder in the commercial transportation security and research program, NMFTA works to educate the transportation industry on potential cyber threats to connected commercial fleets. In 2018, transportation became the nation's second-most attacked critical infrastructure area, and it's still a primary target today. The trucking industry has become a top target of ransomware attacks, and many are now leveraging AI to engage in more sophisticated threats.

At NMFTA's Manifest 2024 Panel, CISA Cybersecurity Advisor Donald Hester stated that "Social engineering is probably the number one attack vector for threat actors [...] You have to augment social engineering and understand that...threat actors are now using AI. So that's a huge threat we have to look at."

According to the Department of Homeland Security's (DHS) Cybersecurity Infrastructure Security Agency CISA Insights - Ransomware Outbreak, "Ransomware has rapidly emerged as the most visible cybersecurity risk playing out across our nation's networks, locking up private sector organizations and government agencies alike. ... We strongly urge you to consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network (do you really trust a cybercriminal?)."

NMFTA's Resources to Harden Fleet Defenses Against Cyber Attacks

NMFTA created several educational resources for participants to customize for use in their own freight businesses. These templates are being released for public use to maximize benefits to the transportation sector. They are published here as Word documents so that commercial fleet managers may customize each guide to best suit their organization's needs.

Ransomware Playbook

Trucking companies without a mature, documented incident response plan may wish to utilize the Ransomware Playbook as a starting point to build a plan. Others may wish to vet their organization's current plan against the compilation of freight cybersecurity best practices and resources cited in the Playbook.

The Tabletop Exercise package can be used to test the strength and weaknesses in current cyber threat plans and responses. The Facilitator's Handbook and the Participant's Handbook contain all of the materials necessary to conduct a tabletop exercise based on a technology-based business disruption scenario.


The Facilitator's Handbook provides guidance on each event (i.e., "inject") that occurs/is discovered as the interruption to freight operations unfolds throughout the day. There are questions to prompt discussion/decisions by participants and suggested timings for each event to mimic the reality of information flow, pressure to act and resource constraints. Facilitators should read the Facilitator's Handbook thoroughly in advance of the exercise and take particular note of the suggested timing for each session and inject scenario when planning and scheduling the exercise. It may be helpful to designate a time keeper to ensure the participants' experience is as realistic as possible.

Participant's Handbook

The Participant's Handbook should be handed out in sections throughout the day, when triggered by prompts in the Facilitator's Handbook, to create a realistic experience. A copy of the participant view is embedded in each section of the Facilitator's Handbook. Customizations to the Participant Handbook should be reflected in the Facilitator's Handbook too.

After the events conclude, it is important to conduct a debrief to capture the strengths and weaknesses in the fleet operation's response that were identified during the exercise, identify improvements that can be made and, if possible, specify action steps and assign action owners to implement improvements before the participants are dismissed. The goal of the exercise is to identify what went right/wrong in the simulated incident response so the trucking company can continually improve its response and response time. It may be useful to hand out the Playbook as a reference during the Hotwash/Debrief to identify improvement steps. The Facilitator's Handbook contains a link to FEMA's Hotwash/Debrief template, which can serve as a guide to structured discussion to solicit lessons learned.

In the days following the exercise, organizers should translate the lessons learned into an After Action Report/Improvement Plan (AAR/IP). A link to an online template AAR/IP is included in the Facilitator's Handbook. The completed AAR/IP should be distributed to all participants and action owners to ensure proper follow-through and implementation of key action steps.

Incident response is an area that can be improved with practice and experience. Regular exercises can lead to improved communications, better decision-making and reduced response time. These are crucial defenses in limiting the scope and effectiveness of a cyber-attack. NMFTA hopes you will find these templates and below resources useful tools in your organization's cyber-tool kit.

Useful Resources

Listed below are some of the free resources available to the public some of which are referenced in the Ransomware playbook.

The 18 Critical Security Controls to protect your networks

Free Cybersecurity Courses offered by the Federal Virtual Training Environment (FedVTE)

Cybersecurity and Infrastructure Security Agency (CISA) Resources:

US FBI Bulletins This is one of the few places that you can find US FBI Private Industry Notifications (PIN) and FBI FLASH messages posted on a public site

NMFTA Ransomware Top 10 Defensive Tips provides you with our top 10 tips on how to protect your company against ransomware. While nothing is absolutely certain, following these 10 steps should help you prepare and defend against ransomware.

IOActive Threat modeling is a technique for identifying potential issues and rating their risk. Gaining a risk picture for individual systems across the organization affords a solid basis for making risk-based, data-driven strategic decisions. Threat modeling is security culture accelerator. It helps organizations proactively prepare for security challenges, build defenses, and constructively prioritize security needs.

FireEye report: Ransomware Protection and Containment Strategies

FBI: Ransomware Prevention and Response for CISOs

Center for Internet Security (CIS): 7 Steps to Help Prevent & Limit the Impact of Ransomware

Lockheed Martin: The Cyber Kill Chain

MITRE: ATT&CK framework

INFOSEC Institute: Threat Hunting: IOCs and Artifacts