From October 22-25, NMFTA hosted its annual Digital Solutions Conference on Cybersecurity in Houston, TX. The presentations contained powerful information for any company in the trucking industry that’s concerned about cybersecurity for its enterprise and/or assets. Of course, that needs to be the entire industry. This is part of a series of blogs that summarize the information presented for those who could not be there.
If you missed this year’s NMFTA Digital Solutions Conference on Cybersecurity in Houston, TX you’re part of a dwindling group. With this year’s attendance double that of the 2022 conference, it’s fair to say fewer and fewer people miss this conference every year.
But we want you to know what happened, for several reasons. The first is consistent with the mission of the conference, which is to fully prepare and fortify the trucking industry against all cyber threats. That’s why we expanded the conference to the entire industry, and that’s also why we made registration for the conference complimentary.
The second reason is that we’d like you to join us when we do this again next year! The networking and connections we all made will stay with us for a long time, and you’re going to have to show up to enjoy that benefit.
This year’s conference was jam-packed with two days of information and one thing in mind: Giving the trucking industry the upper hand over cyberattackers.
We started by showing a video that laid out the stakes for just how much our nation depends on the trucking industry, and what kinds of calamities we would all face if the industry were ever to be crippled by a mass attack. Imagine running out of food, gas, and hospital supplies in three days. Imagine losing your power within a week. Imagine no trash pickup for weeks on end. And this is just the start.
Those are the stakes.
Then came the presenters:
During her keynote speech Nada Sanders, Ph.D. pointed to two recent events that served as such disruptive forces that the focus of the supply chain industry – and indeed, the world – is still defined by reaction to them. She urged supply chain leaders to invest in people and in new skills, and to be careful about pouring billions into AI just because it seems like everyone else is doing so.
Attendees had the opportunity to see an eye-opening demonstration at the end of the event’s first day – of just what can happen to a truck when hackers take control of it. Luckily the hacker in question was one of the good guys, Ben Gardiner, our own senior cybersecurity research engineer.
With a tractor/trailer on loan from United Petroleum Transports, he put together a simple, low-budget antenna consisting of two wires while the rest of the conference attendees bused over from the main conference site to witness the hacking.
In another presentation, Gardiner considered whether the trucking industry can learn from industrial control systems to help enhance the cybersecurity of individual trucks. Trucking tends to lack some protections that are common in ICS, including telematics firewalls, authentication of remote commands, backup telematics, and logging remote controls. Trucking also tends to lack a data historian, which keeps a history of things like performance, trends, and maintenance on the vehicle. The presentation considered the possibility of an overlay that might see trucking adopt and adapt some of the better practices in ICS.
Staying on the question of cybersecurity for individual trucks, Ivan Granero of Bosch shared some of what’s happening at his company in this regard during this session. Bosch typically applies security measures in five layers, Granero explained, to offer security for the power train, body, chassis, and infotainment systems.
Mike Alvarez of the United States Secret Service shared insight on the latest trends in cybercrime, as well as a look at prominent cyber assets that have relevance for the trucking industry.
Other presenters represented the Federal Bureau of Investigations (FBI), Transportation Security Administration (TSA), and Cybersecurity and Infrastructure Security Agency (CISA). All emphasized the importance of strong passwords, multi-factor authentication (MFA), and extensive training so people don’t help the hackers by clicking links or open attachments that start a malware download.
As an example, one presenter noted that hackers can figure out an eight-character password that consists of only numbers in seven seconds. By contrast, with an 18-character password that consists of numbers, letters (both upper and lower case) and multiple symbols, it takes trillions of years to crack it (see graphic below).
Ryan Gerdes, Ph.D. of Virginia Tech presented to the group on sensor cybersecurity. Sensors allow the truck to see the world, including signs and objects. So as we move toward autonomous vehicles, a compromised sensor might fail to stop for a stop sign or an object. But sensors do other critical things as well, such as providing information on engine coolant levels and temperatures, or the RPM speed of the engine.
Johanson Transportation Services’ Steve Hankel shared his experience developing business continuity plans for various companies, and explained the critical steps that are necessary to make such a plan successful.
A team of presenters also explained the critical issues regarding API security, and urged trucking companies to adopt a no-trust environment when it comes to both enterprise and assets, meaning neither people nor other applications should be able to access an application without going through multi-factor authentication (MFA).
At the conclusion of the conference, a panel was asked a series of questions about their expectations for 2024. Here are some common themes from that session:
- Segmenting telematics devices from vehicle networks is crucial for keeping individual assets secure.
- Attacks will likely get more sophisticated, possibly involving deep fakes and imagery of people you know that appear to be real.
- Training of employees is critically important, especially when it comes to watching for phishing e-mails. They are often very clever, making a fake domain name look real through tactics such as substituting two Vs for a W (vvater vs. water), or a lower-case L for an I (lce man vs. Ice man).
- Companies need to make sure the controls they put in place are implementable and repeatable – and can evolve with the company as it scales.
- EV charger networks will likely be a target for hackers, who could use a vehicle’s connection to a charger to write and inject malware into the vehicle’s systems.
- Ransomware will continue to be a major threat, as hackers seek ways to shut down or encrypt a company’s data and then demand a ransom payment to release it.
- Social engineering – tricking employees into opening attachments, clicking links, or inserting flash drives – will continue to be a fundamental trick of hackers.
- A new cryptocurrency scam called pig butchering sees scammers convincing people to invest their money into seemingly legitimate investment opportunities, only to find that their money has been stolen.
- If there is protracted war in the Middle East in 2024, there will likely be an accompanying cyber war – and the trucking industry should expect that cyber war to extend to the United States.
It was a lot of valuable information. And those who attended were grateful for the opportunity.
“As a new startup, it was fantastic to meet carriers and understand their pain points,” said Hillary Drake, CEO and co-founder of the Minneapolis-based Liminal Network—a company that helps to simplify logistics APIs. “It was great to be with people who are out in the field facing these problems, and to understand what they’re thinking about. That helps me tailor my products to their problems.”
That’s the whole idea. Everyone who touches the trucking industry needs to understand these issues, and the Digital Solutions Conference on Cybersecurity is the only one in North America that focuses exclusively on cybersecurity for the trucking industry.
We hope this summary has been helpful. And we look forward to seeing you in person next year!
To view photos from the conference and the live truck hacking demonstration, access our event photo album.
