By: NMFTA’s Senior Cybersecurity Research Engineer Ben Gardiner and NMFTA’s Director of Enterprise Security Antwan Banks
In the current environment of cyber threats, it is commonplace for trucking companies to have their enterprise systems penetration-tested. It’s a simple enough proposition, in which a cybersecurity expert (pentester) tests the potential weaknesses of your systems and demonstrates the existence of vulnerabilities by exploiting them.
This need is especially acute for larger companies, many of which develop their own software and thus have a critical need to see it tested for vulnerabilities.
It is less common for these companies to pentest their trucks, but we would argue it is becoming an increasingly important quality step for fleets, since these assets are also connected to the internet. A common mistake among companies that do have their trucks pentested is to have the pentesters focus mainly on telematics hardware interfaces or on IoT-style testing (both of which should certainly be included), rather than considering the whole vehicle and the overall impact a successful attack there could have on the enterprise.
As much as we describe trucks as assets, in today’s market, the most precious asset any trucking company has is its drivers. They’re in short supply and high demand, which makes it important that penetration testers be mindful of attacks that could negatively impact drivers.
For example, certain attacks can cause systemwide problems that lead to engine derates, which are functions by which the engine self-limits its output when an operational fault is recorded. These may be annoying for car drivers but can be absolutely devastating for truck drivers.
This is one of the differences between security testing for fleets versus doing it for the OEMs and suppliers. The latter tend to view derates as part of life because, under certain circumstances, the EPA mandates them. Trucking companies can’t afford to view derates in that way, so any penetration test that doesn’t treat them as an attacker goal is not the right choice for the trucking industry.
When preparing for pentesting, here are some basic dos and don’ts that can help trucking companies get it right for enterprise pentests. Many are relevant to testing the trucks too:
Do: Be clear with your pentesters about the scope of the testing you need done.
Don’t: Limit the testers by cutting out parts of your network and telling them not to look at them. That will limit their effectiveness at finding and addressing vulnerabilities. Let them do their job.
Do: Allow the pentesters as much time as you can afford to let them do their work. Remember, the hackers have unlimited time to break into your system.
Don’t: Give short timelines!
Do: Give your pentesters access to the previous year’s reports so they can verify that you implemented the prescribed mitigations correctly. That will keep them from repeating previous tests and finding nothing useful, since they would unknowingly be repeating what you’ve already paid for. Let them see the history. It will help them do a better job for you.
Don’t: Force your pentesters to do the initial compromise phase, starting from your public IP addresses and having them scan, do an initial break-in and then escalate up. This is not the best use of their time or talents.
Do: Consider the social engineering and physical aspects of pentesting. A motivated attacker could use social engineering tactics like spear phishing to breach a network. Similarly, a clever hacker could leave thumb drives with interesting labels sitting around to tempt curious employees.
Don’t: Overlook the impact of the company’s culture when briefing leadership. Some employees will be skeptical of what the pentesters find, thinking the testers had an advantage that real outside hackers would not. Make the test realistic and silence the doubters.
Do: Assume attackers will eventually breach your systems, so give the pentesters access to your internal systems as a starting point. This will give you a picture of what a hostile attacker could do once inside.
In addition to pentests, consider additional approaches like purple team exercises. In the language of cybersecurity, the red teams are the pentesters trying to break into your system, while the blue teams are the defenders of the system. The purple team, which doesn’t actually have to be a team at all, integrates the results of both teams’ efforts into a strategy that takes both into account.
In reality, both the red and blue teams are on the same side. So when they come together to see the results of their efforts, the outcome should be that cooperative purple team dynamic.
NMFTA is available to help you with additional insight on all of this. Contact us if you’d like to learn more or ask questions before you engage in pentesting. It’s one of the most important things to defend your enterprise.