Research presented recently at the Society of Automotive Engineers (SAE) conference in Detroit pointed to a critical imperative for enhancing the cybersecurity of heavy-duty trucks.
And NMFTA is in the perfect position to advocate for diagnostics software security.
Colorado State University Associate Professor Jeremy Daily, a close associate of NMFTA who leads the CyberTruck Challenge each summer, was one of the researchers involved in the paper presented at SAE. The paper advocated a change to the diagnostic systems in heavy-duty trucks to make them less trusting of parties seeking to engage with them.
“The diagnostic systems are typically trusted, but thoughtful cybersecurity says we need to verify those trust assumptions,” Daily says. “We demonstrated why and how that trust can be violated during diagnostics sessions.”
If such a violation takes place, a single heavy-duty vehicle or even an entire fleet of them could be vulnerable to an attack that cripples systems or steals information.
Such diagnostic systems are potentially more vulnerable in large rigs like those produced by manufacturers such as Kenworth, International, Mack and Freightliner, because the diagnostics API for Windows gives fleet owners the ability to buy just one device to connect all the vehicles.
“It turns out that device is inherently trusted by most services and maybe it shouldn’t be,” Daily says.
That standardization is driven by an interest on the industry’s part to reduce the number of maintenance tools that are necessary. Depending on just one device means exceptional performance in terms of availability, which is usually one of the industry’s top priorities – but not in terms of security.
The solution is diagnostic systems that are not so trusting, and that require considerably more authentication before outside services can connect to them and potentially cause havoc. That must come from the manufacturers who supply the OEMs.
“The party responsible for implementing this is the equipment maker for the OEM, the people who write the diagnostic software on both the electronic control unit and the diagnostic tools,” Daily says. “It’s a transition from trusting to not trusting. The tools should not trust the computer on which it’s running.”
This needs to be done by OEMs and their tier suppliers. The NMFTA cybersecurity program has been able to achieve so much in recent years because of the participation of our fleet members. They offer insights into the most important parts of their business, including the details of how the vehicles and the software are used – and most importantly, they offer their time and resources to make the research as accurate as possible.
And fleets are ultimately the customers, which means their wishes carry the most weight when it comes to cybersecurity as a priority feature.
“Customer-oriented priorities are given higher priority than, say, what the engineering team wants,” Daily says. “If the engineering team says they want to make the system more cyber-secure, the decision to invest may be delayed since it didn’t come from a customer. Company leadership might not have any reason to think the customer knows or cares about it.”
But NMFTA’s members are the customers, and they care very much about it. The NMFTA cybersecurity program has a collaboration in the works to examine ways to secure legacy diagnostics software and what the security requirements should be for future diagnostics software.
This is the sort of thing that gets results because companies know their customers are demanding it.
“If the customer is pushing for more security in diagnostics, then it is a customer-facing decision,” Daily says. “The VP of marketing will come down to the VP of engineering and say, ‘Hey, you guys have got to do more on cybersecurity.’ And then the resources flow.”
NMFTA’s Senior Cybersecurity Research Engineer, Ben Gardiner, shared that the association is determined to see those resources flow in the service of greater heavy-duty truck security, which is why NMFTA’s cybersecurity program in recent years has offered a call for collaboration from workshop attendees. The participants in the program have always been a mix of fleets, OEMs, and tier suppliers.
Earlier this year, NMFTA expanded this call for collaboration so it would be open to all, and received submissions through February 15 from experts and vendors – as well as commitments of time and resources from fleet members.
Additional participation from fleets is welcome, and those who are interested should e-mail NMFTA’s Director of Enterprise Security, Antwan Banks, at antwan.banks@nmfta.org.
The National Motor Freight Traffic Association promotes, advances, and improves the welfare and interests of the motor carrier industry and less-than-truckload carriers operating in commerce, both domestically and/or internationally.