
Coverage from #NMFTACyber


The National Motor Freight Traffic Association hosted its Digital Solutions Conference on Cybersecurity in mid-November. NMFTA thanks the media who were in attendance. Here’s a breakdown of coverage:

FleetOwner
Kevin Jones

November 29, 2022:

It’s 11:59 on a Sunday night, and your company’s computer system has been shut down until a ransom is paid. Will anyone even notice before the office opens on Monday? Will anyone know what to do when the doors open but the computer system is offline?

These “ransomware” attacks routinely make headlines, as American businesses, government offices, hospitals, and schools all have fallen victim to cybercriminals, typically based overseas.

And trucking is not immune. Additionally, any business that moves items of high value must always take security measures, and modern technology brings a whole new element to old-fashioned highway robbery. And the coming era of truck autonomy adds even more levels of concern for vehicle security and safety.

So what’s a fleet to do? First and foremost, how do we avoid that midnight crisis in the first place?

The National Motor Freight Traffic Association (NMFTA) hopes to provide some answers. The organization, traditionally focused on LTL issues, put out an industry-wide invitation to its annual Digital Solutions Conference on Cybersecurity. Held recently in Alexandria, Virginia, the event drew a range of fleet representatives, cybersecurity experts, and policymakers for a couple of days of presentations that ran the gamut from Ph.D.-level cellular network vulnerabilities to common e-mail scams.

Ben Gardiner, NMFTA’s senior cybersecurity research engineer, bridged the gap between the theoretical and the practical with the opening slide deck of the conference. Specifically, Gardiner outlined his successful remote attack on the hydraulic braking system of a tractor-trailer via the J2497 trailer databus, using about $300 of off-the-shelf electronics.

The good news: Gardiner is a good guy, a “white hat” hacker who looks for vulnerabilities and works to resolve them. (His primer on truck hacking is YouTubed below; similarly, for those unfamiliar with the CyberTruck Challenge, follow that link.)

So, because so much of the conference was so far over my head, I sat down with Gardiner for a few minutes to glean some perspective.

“We’ve tried to tread that line between making it enticing for the experts to participate, and making it practical and actionable for the fleets,” he said. “It doesn’t take a lot to imagine a truck getting ransomwared someday. People are making a lot of money off ransomware and it’s pretty obvious that you could ransom a fleet of trucks.”

Among the challenges for fleets, of course, is that a key asset—the truck—is mobile. But as Gardiner discovered in working to resolve truck security vulnerabilities, today’s trucks feature a lot of technology yet very few people understand both the software and the heavy-duty hardware.

“What I experienced with multiple fleets was either deferring vehicle cybersecurity decisions to their IT department or not really having anyone to deal with cybersecurity vehicle decisions and problems,” he said. “It’s not a stretch to say that a lot of IT people don’t get what the maintenance people get, and maintenance people understand how the trucks work but don’t understand what the IT people do. So both sides need to learn from each other to be able to really secure those rolling assets.”

But, as was obvious at the conference, it takes graduate-level education—and/or a lot of time pursuing the dark web—to understand and mitigate the threats. Surely that’s beyond the expertise (and budgets) of even the most tech-savvy folks at many fleets.

“The LTLs are big enough and have enough resources to have their own IT, their own in-house software development, their own access to resources to secure themselves,” Gardiner said. “They need to start taking more of an industrial control system approach, where their maintenance and their IT staff consider both the IT and the things that roll, to give a unified security perspective on their operations. That’s where it’s going to have to go to be ahead of that attack.”

And for the rest of us?

“If you’re small and you can’t spend the money to hire the experts, use cloud services,” Gardiner said. “By purchasing that solution, you’re going to have their security teams working for you. So that’s a big bang for the buck.”

Decision guides

Additionally, NMFTA has developed resources to ease the anxiety for fleet executives looking at tech investments: the telematics security requirement matrix, or TSRM. The solution is open-sourced and available for developers on GitHub as well, he noted.

“It’s a series of cybersecurity requirements in the form of a questionnaire,” Gardiner said. “The fleets can take the questionnaire and give it to two or three telematics service providers that they’re thinking of purchasing from in the procurement phase, and then evaluate who has the better cybersecurity. We’re trying to move that visibility of cybersecurity closer to the wallet to the people that make the decisions.”

Likewise, NMFTA is working on heavy-duty vehicle cybersecurity requirements.

For NMFTA Executive Director Debbie Sparks, the conference was about “building a community” of experts to guide the industry as it faces “new challenges in the digital era.”

“NMFTA is a leader in cybersecurity and digital transactions, so we understand the importance of making sure that the transportation community is aware of what’s at stake and how we work together to make sure that what we do is safe and secure,” Sparks said.

More to come from the meeting—much more—once my brain quits spinning (so yours doesn’t have to).


Commercial Carrier Journal
Angel Coker

November 17, 2022:

Dr. Chase Cunningham, chief strategy officer at Ericom Software, pointed to a slide in his PowerPoint presentation that contained a QR code to access a “free book.” Many people in the audience grabbed their phones and found when they clicked the link to the code that it was a phishing scam.

That’s how easy it is to get hacked, Cunningham demonstrated at the National Motor Freight Traffic Association Digital Solutions Conference in Alexandria, Virginia, where he spoke about cybersecurity.

Cunningham said the human element – at 82% – continues to drive security breaches, and in today’s age of technology – when everyone has a cellphone in their hand, including truck drivers using it to access systems remotely – it is more important than ever to implement cybersecurity measures.

“Mobile is just as valid an avenue for exploitation as your computer … We don’t have a technology problem in cybersecurity; we have a people problem. People click on stuff,” Cunningham said. “We’re talking about 18 wheelers and truckers. I’m not counting on how good I am at driving to not get in a wreck. I wear a seatbelt. That’s a technical control that will keep me alive if things go wrong, hopefully.”

He said it’s best to rely on technical controls to prevent breaches rather than continually performing phishing training and hoping people don’t get it wrong.

Email phishing is one of the easiest scamming opportunities hackers can take advantage of, and such a simple process can lead to big problems for trucking companies, said NMFTA Chief Technology Officer John Talieri.

NMFTA this week opened up its annual Digital Solutions Conference to professionals across the entire industry – not just researchers and tech experts – including carriers, to collaborate and learn about the highest concerns and best practices to protect their organizations from end-to-end.

According to NMFTA’s survey ahead of the event, training and education; vehicle cybersecurity; implementing security by design: build it in rather than adding it as an afterthought; SOC solutions and services; shift from on-prem to cloud securely; cybersecurity for heavy vehicle electrification and charging infrastructure; enterprise security; and end-to-end security (from customer to office to truck) were among the top concerns and challenges survey respondents had.

“Even if you protect your trucks, if somebody’s front office is down, they can’t send trucks out anyway. So you have to look at it end-to-end. That’s why we have to bring everybody together and focus on the different aspects, not just one area,” Talieri said. “They’re moving from pencil and paper to digital, so we’re expanding the opportunities for bad actors to attack us. It’s a critical time to educate the industry and better protect ourselves, our partners and our customers. It’s beneficial to us to make sure that, as we introduce these technologies, we add security.”

Cunningham said the transportation sector has been low on the totem pole when it comes to hacker demand. According to data from Verizon, he said there have been 305 cybersecurity incidents and 137 actual breaches in the transportation industry this year. By comparison, finance, public administration, manufacturing and information, among others, had more than 2,000 incidents.

Why? Because the industry has been slow to adopt technology. But that’s changing.

“If everyone else gets better and you’re still back here, guess who gets eaten? It’s you. If you’re the slow gazelle in the cyber Serengeti, the lion’s gonna get ya,” Cunningham said. “Trends indicate that they’re starting to target that type of infrastructure. You can expect trucking, logistics, transportation, those types of activities to be targeted more in the very near future.”

And Talieri said the likeliest target isn’t the larger carriers because they’re better at security; it’s the smaller carriers that are more vulnerable to attacks because they lack the capital to invest in solid cybersecurity solutions but they have access to larger systems of companies they contract with, opening those back doors.

“I would attack a couple of small carriers with less security, and I’m not necessarily going to attack them to take them down. I’m going to use them to try to infiltrate their partners or providers,” he said.

Cunningham said, to protect themselves, their customers and their providers, trucking companies should start with the basics: i.e. phishing training.

Here are some things he noted:

• Legitimate companies do not send emails requesting sensitive information.

• Don’t trust the name in the “from” field of an email. If it looks suspicious, don’t open it.

• Hover – but do not click – over links to see what address it takes you to; open a new browser and type the website address directly into the browser rather than clicking the link. Most companies use secure web addresses identified by using https://, not http://.

• Look for obvious grammar or spelling errors.

• Look for strange message structures, such as generic greetings and urgent language.

• Review the email signature for lack of details on contacting the company.

• Don’t click on email attachments.

• When in doubt, click the “reply all” button, which could reveal the true email address.

“That’s coloring with crayons,” he said, but then there’s the dark web and additional ways to extort information.

Cunningham said be mindful of things like social media presence, where hackers can obtain useful information, in-home and in-office cameras, and wireless systems such as printers that were never changed from their default configurations, which could allow a hacker to access your network.

Hackers can purchase jump servers on the dark web for about $10 a pop, he said. Those servers were already owned by some criminal organization and probably have access to other corporate systems via VPN connected to your organization, which leaves you liable during investigation.

He said it’s also important to protect things internally and build segmentation between systems.

“Segmentation is not something that’s too well practiced on those systems that are out there today. If I can get somebody to give me access, especially with the right levels of creds based on the phish, I can move laterally in the system,” Cunningham said. “You don’t have to be a super expert to build phishing emails. You don’t have to be a super expert to do ransomware-type operations anywhere; you can just go buy the service. It’s actually ransomware as a service, phishing as a service on the underground. It costs about $15 a pop.”

He recommends companies use browser isolation, multifactor authentication and password managers and move from VPN to ZTNA, which will provide policy control so things that should be dark are kept dark. He personally uses a password manager and biometrics for identity management.

But he said 80% to 90% of problems occur with the low-hanging fruit like bad passwords and usernames.

“Use the cloud, Google, O365, because they spend more on security than you ever will in your entire life; No. 2, team up with an MSP (Managed Service Provider) or MSSP (Managed Security Service Provider) that can take that stuff off your hands and actually be 24/7 real operations and respond to threats as they are present,” Cunningham said to the smaller carriers in the audience. “Last thing is the basics: the password manager, the multifactor authentication, not using crappy passwords. Go to haveibeenpwned.com, put your stuff in there and see if your stuff shows up; if it shows up, you need to fix that problem. Those basics make a heck of a lot of difference.”

About NMFTA

Since 1956, the National Motor Freight Traffic Association, Inc. (NMFTA) has represented the interests of the less-than-truckload (LTL) motor carrier industry. NMFTA is committed to helping LTL carriers meet the challenges confronting the transportation industry in the 21st century through research, education and the publication of specifications, rules, transportation codes and the preparation and dissemination of studies, reports and analyses. Membership in NMFTA is available to all for-hire interstate and intrastate motor carriers.
