What can the trucking industry learn from the cybersecurity experiences of industrial control systems (ICS)?
Ben Gardiner, National Motor Freight Traffic Association’s (NMFTA) senior cybersecurity research engineer, recently encouraged Chloe Callahan, IT operations manager at Peninsula Truck Lines, to take some classes that explored ICS so she could recognize the similarities between ICS and trucking.
“I said yes because I love to learn,” Callahan said.
And learn she did. Callahan took a number of classes that introduced her to the cybersecurity issues and protocols that are present in ICS. As she went through the process, Callahan was looking for specific parallels to trucking.
“What I wanted to think about when taking these classes was the comparison between active and passive components, and also inputs and outputs,” Callahan said.
She presented what she learned in a recent NMFTA webinar on June 25, titled Cross-Training with ICS.
One of the key similarities Callahan noticed was that both share the vulnerability of sites without security staff. The parallel to the unmanned ICS site would be the truck itself.
“A truck is an unmanned site as far as security is concerned,” Callahan said. “There’s a driver, of course, but the driver doesn’t have direct access to the network on the truck.”
Another similarity is that operational technology (OT) devices in ICS are designed to receive input telling the device what to do but are not designed to filter out unwanted input. That is very similar to sensors, actuators, vehicle gateways and human-machine interfaces on trucks – all of which can also receive unwanted input.
“We can apply these lessons,” she said.
One such lesson can come from the models ICS uses for network segmentation, particularly the Purdue Model, which identifies different levels including cell/area zone, industrial security zone, industrial demilitarized zone and enterprise security zone.
“The purpose of all these different levels is segmentation,” Callahan said. “If you can isolate all these different levels you can achieve segmentation and be that much closer to a secure environment.”
Another similarity between the two industries is the importance of threat modeling.
“You can’t protect what you can’t understand,” Callahan said. “We can learn about our own industry by learning about what those in ICS have already implemented. It thinks outside our IT box and into the OT world.”
One familiar example in trucking is the white-hat hacker attack; one such attack will be demonstrated at NMFTA’s upcoming Digital Solutions Conference in Houston, TX.
Other areas in which the trucking industry can learn from ICS include:
Standards for communication. ICS protocols are insecure by design, lacking authentication and encryption because their life cycles are not as standard as in IT, and their systems are around for many years – much like a truck.
Unique hardware. ICS systems have unique and often aging hardware – also very much like trucks. And since resources like CISA don’t offer specific information about heavy vehicle vulnerabilities, it’s essential for the trucking industry to be aware of the threats it faces.
Standards and guidance. Both industries benefit from the availability of extensive standards and guides, much like the standards established by NMFTA.
Safety. “Human safety is paramount in both industries,” Callahan said. “It’s a redundant system in ICS that’s only concerned about safety. In trucking we’re obviously concerned about the operation of a heavy vehicle on the roadways. What are the redundant systems and instrumentation we have in trucks, and should we be more concerned? Is there anything we can do to ensure safety?”
Callahan ended her presentation by asking participants to consider the question: “What can I do?”
The key answer:
Don’t ignore the basics of security only to reach for complex mitigations. Keep studying and learning so you can apply the parallels of the two industries.
If you missed the webinar and would like to view it, you can do so here.
If you would like to attend our Digital Solutions Conference in October, you can register here.