National Cybersecurity Awareness Month (NCSAM): Own IT. Secure IT. Protect IT.
Every October, the Cybersecurity and Infrastructure Agency (CISA) and National Cyber Security Alliance (NCSA) collaborate “to ensure every American has the resources they need to stay safe and secure online while increasing the resilience of the Nation against cyber threats. This year’s overarching theme is ‘OWN IT. SECURE IT. PROTECT IT.’ NCSAM [emphasizes] the role each individual plays in taking proactive steps to enhance cybersecurity at home and at the workplace.”
NMFTA has customized this year’s NCSAM messaging to offer the below analysis specifically for LTL and TL motor freight carriers. Our focus is on fleet data: Who owns it? What is being generated? Where is it being stored? When is it at risk? How can fleets protect it? We hope the information below will help fleet managers make informed business decisions about vehicle data generation, storage, protection and sharing.
NMFTA’s NCSAM Analysis, Applied to LTL Motor Freight Carriers:
Today’s connected truck generates a great deal of detailed vehicle data, which can include personally identifiable information (PII), fuel performance metrics, placement/location of a fleet’s physical assets, origin/route/destination, maintenance needs, etc. The data may be warehoused temporarily while it is in transit by telematics service providers (TSPs), fleet management software providers or owners of other “smart” infrastructure services (e.g. smart weigh stations). It may also be warehoused more permanently, aggregated, mined, anonymized and resold by any of those parties. Much of this information is critical to the fleet’s business and could damage that business if it fell into the wrong hands, e.g., being exposed to a competitor. On the other hand, electing to share data can contribute to a large data set with valuable benefits to the public and to fleets, such as real-time traffic conditions and longitudinal studies of traffic congestion, which enable fleets to optimize route planning and minimize idling time and fuel costs.
“Own IT. Understand [your fleet’s] digital profile.
Internet-based devices are present in every aspect of our lives: at home, school, work, and on the go. Constant connection provides opportunities for innovation and modernization, but also presents opportunities for potential cybersecurity threats that can compromise [your fleet’s] most important […] information. Understand the devices and applications [your fleet uses] every day to help keep […] information safe and secure.”
- Understand the Applications Used Every Day
- Review the Privacy Settings
- Review all Devices in a Bring Your Own Device (BYOD)
- Review all Internet of Things/Smart Technology Devices
- Don’t Let Your Tech Own You/Your Fleet A digital profile is the aggregate of all data that can be assembled from public and private (e.g., marketing databases) sources to create a picture of a person or business entity. Through the course of normal business operations, fleets are likely to generate:
- A digital profile of the fleet, e.g., how many branded trucks traveled on a given road during a given period of time and how much IFTA tax does this company owe, etc.
- Individual fleet assets, e.g., where did this truck get on and off the interstate and have they paid the correct amount of tolls, etc.
- Driver profiles, e.g., which driver is driving which truck, where are they and how many hours of service remain, etc. Drivers may contribute to the creation of this data set when they bring their own devices, such as personal cellular phones, with location services enabled. Who owns the data that comprises the digital profiles? NMFTA’s view is that our members, the fleets, own the data generated by their vehicles. The reselling of anonymized data by service providers may be occurring by-default, requiring the fleets to opt-out. We recommend that fleet managers understand the risk: even in large-scale anonymized data sets or high-precision location data sets, de-anonymization is a real possibility and can be achieved with uncomfortable ease by a skilled data miner with access to multiple sources of aggregated data. Understand the Applications Used Every Day – Today’s telematics service providers, “smart” infrastructure providers and fleet management service providers may aggregate, mine and/or anonymize and store a fleet’s data to be provided as other ‘data products’ which are offered to 3rd parties to gain perspectives on traffic patterns, trends, etc. There is a risk that these data products could be exposing fleet details through data re-identification, or de-anonymization, when combined with other data sources. “Secure IT. Secure your digital profile. Cybercriminals are very good at getting […] information from unsuspecting victims, and the methods are getting more sophisticated as technology evolves. Protect against cyber threats by learning about security features available on the equipment and software [your fleet] uses. Apply additional layers of security to […] devices – like Multi-Factor Authentication – to better protect [your fleet’s …] information.”
- Creating Strong Passwords
- Consider Opting-out
- Use Multi-Factor Authentication
- Practice Safe E-commerce
- Review Links Before Clicking, Protecting Against Phishing
- Practice Safe Social Media Posting Consider Opting-Out – Understand what data is being generated by fleet assets and how it is collected, where it is stored and how it is used outside of your proprietary systems. Consider asking the fleet’s telematics provider if there are opt-outs required to avoid aggregation in their data analysis product. Weigh the risk of not opting out against the cost-benefit to the business. Given the risks of exposing your fleet’s sensitive information through a service provider’s data products that are made broadly available. NMFTA recommends that the fleets consider opting-out of having their fleet information aggregated, mined, anonymized or otherwise included in these data products. “Protect IT. Maintain [your fleet’s] digital profile. Every click, share, send, and post […] creates a digital trail that can be exploited by cybercriminals. To protect [your fleet] from becoming a cybercrime victim [your fleet] must understand, secure, and maintain [your fleet’s] digital profile. Be familiar with and routinely check privacy settings to help protect [your fleet’s] privacy and limit cybercrimes.”
- Researching and Assessing Your Fleet’s Digital Profile
- Practice “Cyber Hygiene”
Treat Cybersecurity as You Would Your Fleet’s Physical Security
Researching and Assessing Your Digital Profile – The data products of concern are those that are made widely available. We recommend fleets capitalize on this fact and investigate the data products for themselves to find signs of whether or not your fleet’s sensitive information is being included.
For more tips on cyber safety from National Cybersecurity Awareness Month (NCSAM), please read the toolkit https://niccs.us-cert.gov/sites/default/files/documents/pdf/dhs_ncsam2019_toolkit_508c.pdf?trackDocs=dhs_ncsam2019_toolkit_5 08c.pdf.
For more on NMFTA’s Heavy Vehicle Cyber Security (HVCS) program and resources for fleets, please refer to the NMFTA website //biz.nmfta.org/pages/HVCS.
The National Motor Freight Traffic Association, Inc. (NMFTA) is a nonprofit membership organization headquartered in Alexandria, Virginia. Its membership is comprised of motor carriers operating in interstate, intrastate and foreign commerce. NMFTA publishes the National Motor Freight Classification® (NMFC®) and ClassIT®, the online version of the NMFC. NMFTA also assigns the Standard Carrier Alpha Codes (SCAC®) and the Standard Point Location Codes® (SPLC). For more information on NMFTA, the National Motor Freight Classification, SCAC or SPLC, contact us at 800- 539-5720, firstname.lastname@example.org, or visit //biz.nmfta.org.
For more information, please contact Urban.Jonson@nmfta.org.