By: NMFTA’s Senior Cybersecurity Research Engineer, Ben Gardiner, and Director of Enterprise Security, Antwan Banks
For as much work as the National Motor Freight Traffic Association (NMFTA) does to help LTL trucking companies achieve cybersecurity, imagine: What if a fleet achieves all that, only to fall under a cyberattack anyway because it contracts with a telematics vendor that has left itself unprotected?
It’s a real threat, and is becoming all the more so as the industry is increasingly digitized. Most fleet/vendor relationships involve some sort of digital connectivity, and that means fleets are vulnerable to every potential attack that could befall the non-secure vendor.
The time for fleets to protect themselves against vendor vulnerability is before contracts are signed, and NMFTA is working on new tools to help fleets make this happen. One such tool is an offering of RFP contract template language free for use by fleets.
When truck fleets are working up contracts with new vendors, it is critical to know if the vendors and their systems comply with essential cybersecurity requirements. In order to evaluate their vendors on the basis of cybersecurity readiness, fleets can access several tools to help.
One is called SecurityScorecard. This site aggregates the various passive scanners available online and gives the fleet a scorecard to assess the prospective vendor. More advanced systems, such as BlueVoyant, can give you a lot more detail. For example, if the prospective vendor has a lot of web browsers that haven’t been updated, BlueVoyant.com can detect that by looking at DNS data. It’s the sort of detail that can indicate cybersecurity vulnerabilities.
The federal government’s Cybersecurity and Infrastructure Security Agency also offers Cyber Security Evaluation Tools on self-assessment, ransomware and vulnerability scanning.
Along these lines, NMFTA has developed a template that motor freight carriers can use when procuring telematics services – ensuring the systems fulfill cybersecurity requirements.
The template is hosted on GitHub, and we have kicked off this initiative by working with cybersecurity experts within both fleets and telematics providers. The template makes it easy for fleet managers to address all the issues that would indicate a vendor’s cybersecurity readiness, and when complete, it will be easy to download and freely available. Both large and small fleets can use it as the basis for vendor contracts.
Fleets can also provide the template to their existing vendors and ask them to respond to the issues listed – so that everyone can be sure cybersecurity concerns are successfully addressed.
The same is needed for the trucks themselves, not only for telematics. The NMFTA has started a project to create comprehensive cybersecurity requirements for trucks. We have kicked off this initiative by working with cybersecurity experts within both fleets and OEMs.
This project is still in the early stages and has been very well received by fleets at this phase of the process. As we have put together the cybersecurity requirements for vehicles, we are setting up a system that will make it easy for fleet managers to go through the template and get a clear sense of their own cybersecurity.
The template is not coming out soon because we need to get this right. Indeed, it may take two years to perfect it. That is for a lot of reasons, one of which is the fact that we could roll out a questionnaire with as many as 200 questions on it. We know how unwieldy that would be, so we have to refine it so it’s both comprehensive and easy to use.
One solution to this problem is to make the questionnaire machine-readable using ReqIF, a file format for exchanging requirements, attributes and additional files such as images across a chain consisting of manufacturers, suppliers, sub-suppliers and so forth.
In the meantime, we encourage fleet managers to use existing tools like SecurityScorecard and BlueVoyant to assess their telematics vendors. It’s critical to make these assessments. And as they do, we are working hard to finalize a system developed just for truck fleets, easy to use and effective in delivering the information they need about their telematics vendors.