As trucks become more connected and technology permeates the industry, trucking companies are becoming increasingly vulnerable to cyberattacks.
“Every connected device expands our attack surface,” said Ben Barnes, chief information officer at McLeod Software. He was speaking during a lunch panel on cybersecurity at the American Trucking Associations Management Conference & Exhibition in San Diego, Calif., earlier this week.
Joining him for the discussion were Joe Russo, vice-president, IT and security with Isaac Instruments, and John Paape, chief information officer with Roehl Transport. Cyberattacks are costing the U.S. trucking industry $35 billion annually and the sophistication behind these attacks is increasing.

Why is trucking targeted by cybercriminals?
Paape said the trucking industry is a natural target since it’s moving a tremendous amount of data, from driver files and personal information to details on the critical loads it’s moving. The fragmentation of the trucking industry adds to its vulnerability, with many small and mid-sized carriers that don’t necessarily have the financial resources to sufficiently address security, Paape noted.
The use of third-party vendors makes fleets even more exposed, added Russo.
“Look at your supply chain. You rely on many third parties to supply you with the technology that drives your back office, your front office. On top of this, you layer ELDs, telematics and all of this just multiplies the attack surface,” he warned.
A fleet is only as secure as the weakest link in its chain, panelists agreed, which could be a vendor with insufficient cybersecurity protections in place.
“You can have the best security software within your department, the best people monitoring security, at the end of the day, your weakest link is your vendor that doesn’t have the right security practices in place,” Russo said.
Hold vendors accountable
Carriers are getting better at conducting security audits and asking vendors the right questions about their own security initiatives, said Paape. However, such audits need to be conducted at least annually, and this is where many companies fall short.
“Once you validate a vendor and bring them inside that circle of trust, we often don’t have the time or resources to go back and have discussions with that company,” he acknowledged. “Things can erode within the company you had audited previously.”
Isaac’s Russo agreed. “It is not something you do once, tell yourself ‘last year Vendor X scored high on our questionnaire, so we don’t have to deal with them anymore.’ You need to make vendors accountable.”
Roehl Transport has moved to simplify its tech stack in an effort to reduce the number of third parties it’s working with. This makes it easier to conduct annual audits and decreases exposure to risk.
Carriers that don’t know where to start with a security audit can lean on third party providers to conduct such activities, Paape said. But he encouraged two-way conversations to be a part of any security-related audit or discussion. “It’s more collaborative and less paper-focused,” he reasoned.
Isaac Instruments categorizes its vendor partners as either critical or strategic. Those strategic partners have access to Isaac’s data and therefore undergo more comprehensive vetting. It scores its partners on their cybersecurity posture and privacy posture, and they must then complete a questionnaire. The vendor is provided with its overall score, and those with a low score are unable to continue their relationship with the telematics company.
Barnes noted the average truck is now equipped with five modems, so a 2,000-truck fleet has some 10,000 rolling attack surface points at any given time.
“On top of that, almost every carrier has services in the cloud and services likely running locally in their offices or data center,” added Paape. “This offers a ton of opportunities for us to be exploited.”
In addition to the trucks and ELDs, Russo pointed to seemingly innocuous devices such as tablets and even USB keys as potential strike points for bad actors.
AI being used by the bad guys, too
Now, carriers are beginning to utilize artificial intelligence, which gives cybercriminals yet another area to exploit. “We are evaluating a lot of really great AI opportunities for our company but we also have to focus on the security aspects of AI,” said Paape.
He said a recent IBM security paper showed 16% of attacks were AI-driven and estimated that figure will rapidly increase.
Russo would like to see the industry adopt a security standard so all stakeholders are speaking the same language. He’s also a fan of penetration tests, which can be conducted with the help of AI. Such drills help measure a company’s vulnerability and response capabilities in the event of an attack.
Just how sophisticated are some cyberattacks becoming? Paape spoke of one method in which the bad actor used YouTube videos of a high-profile executive to replicate his voice. The attacker then called an employee of that executive and instructed them to open an email that would be coming in a couple of minutes. The email was fake, but the employee was certain they’d just spoken to their boss and clicked the link, subjecting the company to a phishing attack.
Barnes added technologies like Teams and Zoom, now widely used for employee communication, also introduce new avenues of attack for bad actors.
Where to begin?
For fleets that have fallen behind in their security initiatives, Paape suggested first making someone responsible for security, creating a team around them, and setting up a meeting to discuss a strategy.
“Make it intentional,” he said. “As fast-paced as our industry is, it’s easy to overlook. Put it in your calendar and set it up to meet once a quarter and ask questions like ‘What does our security roadmap look like over the next six to 12 months?’ Ask them what keeps them up at night. Ask them about your back-up situation. The first place I’d spend money is making sure you have data backed up in a way that’s truly immutable.”
Russo said companies that are victimized should speak openly about it so industry players can learn from each other’s experiences and processes.
Panelists also spoke of the necessity to carry cyber insurance, despite the high cost. As for low-cost actions, train all employees on cybersecurity, panelists advised, and run simulations to identify staff who require additional training.
