This week is National Truck Driver Appreciation Week. We will review how ELD cyber security considerations can help protect the road and ensure safety.
The U.S. Census in 2019 revealed that more than 3.5 million people worked as truck drivers driving large tractor-trailers and delivery trucks. Trucking is an integral part of the nation’s critical infrastructure, with more than 70% of freight being transported by trucks. Cybercriminals have noticed this, unfortunately. Cybercriminals have targeted numerous trucking companies over the years, including B&H Transfer, J&M Tank Lines and Roadrunner.
The United States Department of Transportation (USDOT) implemented the electronic logging device (ELD) rule, which meant that every truck in the country was now a connected truck. These devices use the vehicle’s ECM data to track vehicle telemetry, including engine hours, vehicle mileage, and diagnostics. This data is also of interest to cybercriminals, who can steal data like PII, location information, sensitive cargo information and other sensitive business information in order to attack the critical infrastructure of a country.
ELDs must have the ability to transmit data via Wi-Fi and Bluetooth to law enforcement in order to verify driver logs, driving hours, etc. Researchers at the University of Michigan’s Transportation Research Institute have shown that these devices can be accessed remotely and can compromise vehicle safety and security. Researchers were able to use the J1939 open standards used by heavy-duty (HD) vehicles to manipulate vehicle diagnostics data, disabling vital security alarms and even disabling the truck’s engine brake, resulting in potentially catastrophic situations. This access is also very useful for cybercriminals, who can steal sensitive data like PII, location information, or business information to attack the critical infrastructure of a country.
Cyber security concerns for ELD
Interestingly, the mandate did not contain any cyber security requirements, instead relying on vendors to self-certify their ELDs. The ELD market today is fragmented, and vendors offer different levels of security. Trucking companies must choose ELD vendors that have robust security and vulnerability management processes to reduce the risk of cyber incidents.
Numerous transportation and logistics companies have been hacked over the past few years. In 2020, several federal agencies, including the FBI as well as the USDOT, released cyber security best practice guidelines for ELD solutions. The FBI’s recommendations were made to warn businesses about the importance of ELD cybersecurity, while the FMCSA best practices provide detailed technical considerations for trucking companies purchasing new devices. They also focus on managing risk and vulnerability for the software supply chain. We will provide key information about cyber security best practices and advice on how to reduce risk in the ELD ecosystem.
Design
Security must be considered as part of larger architectural designs. Security is often overlooked in the software-development life cycle. Therefore, architectural analysis and risk modeling should be used to assess potential security risks. To discover potential vulnerabilities on production systems, it is important to combine architectural analysis with threat modeling. It is crucial that developers use safe programming practices, such as providing backups and preventing shutdowns that could pose a risk to the safety of other vehicles.
Although vehicles may appear similar in their use of the SAE J1939 protocols, implementation and controls depend on the design, so there is no single set of recommended solutions. The most common attack vector against the vehicle is the telematics device, which can be accessed remotely over data networks or SMS. The controller area network (CAN) bus poses the primary security problem: any device on the bus can send any message to any recipient. Trucks face a unique problem because of their large number of points of entry. Filtering out unwelcome signals should therefore be an integral part of the design; this restricts CAN bus access and whitelists the specific ports that can receive CAN messages. An attack can come from multiple sources, including the ELD itself, which is connected to the internet via satellite or cellular and also to the vehicle ECU over the SAE J1939 standard CAN bus.
The principle of least privilege should be incorporated into the design in conjunction with authentication and access control between applications and services, using common design principles like role-based access controls and two-factor authentication for ELD mobile apps. To assess and improve their security and risk posture, ELD vendors should evaluate their existing software security measures against a model such as the Building Security In Maturity Model (BSIMM, 2020).
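The filtering described above, sketched as a default-deny gateway between the ELD and the vehicle bus. This is an added example, not code from the original article or from any ELD vendor. The allowlisted PGNs, the gateway placement, and the sample frame IDs (including source address 0xF9 for the ELD side) are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum dir { BUS_TO_ELD, ELD_TO_BUS };   /* direction across the gateway */
struct frame { uint32_t id; uint8_t len; uint8_t data[8]; };

/* Assumed read allowlist: PGNs an ELD needs for hours-of-service logging. */
static const uint32_t READ_ALLOW[] = {
    61444, /* EEC1: engine speed */
    65248, /* vehicle distance */
    65253, /* engine hours */
    65265, /* CCVS: vehicle speed */
};
#define N_ALLOW (sizeof READ_ALLOW / sizeof READ_ALLOW[0])
#define PGN_REQUEST 59904u /* J1939 Request: 3-byte payload names the wanted PGN */

/* Extract the PGN from a 29-bit J1939 identifier. */
uint32_t j1939_pgn(uint32_t id)
{
    uint32_t pf = (id >> 16) & 0xFF;          /* PDU format byte */
    uint32_t pgn = (id >> 8) & 0x3FFFF;       /* EDP, DP, PF, PS */
    return pf < 240 ? (pgn & 0x3FF00) : pgn;  /* PDU1: PS is a destination address */
}

static bool readable(uint32_t pgn)
{
    for (unsigned i = 0; i < N_ALLOW; i++)
        if (READ_ALLOW[i] == pgn) return true;
    return false;
}

/* Default deny: forward only what the ELD is known to need. */
bool gateway_allow(enum dir d, const struct frame *f)
{
    if (f->id > 0x1FFFFFFFu || f->len > 8) return false; /* malformed frame */
    uint32_t pgn = j1939_pgn(f->id);
    if (d == BUS_TO_ELD) return readable(pgn);
    /* ELD to bus: only a well-formed Request for an allowlisted PGN. */
    if (pgn != PGN_REQUEST || f->len != 3) return false;
    return readable(f->data[0] | (uint32_t)f->data[1] << 8 | (uint32_t)f->data[2] << 16);
}

int main(void)
{
    struct frame hours = { 0x18FEE500, 8, {0} };  /* constructed: engine hours */
    struct frame ctrl  = { 0x0C0000F9, 8, {0} };  /* constructed: PGN 0 from ELD side */
    printf("%d %d\n", gateway_allow(BUS_TO_ELD, &hours), gateway_allow(ELD_TO_BUS, &ctrl));
    return 0;
}
```

With this policy a compromised ELD can still ask for the telemetry it is meant to log, but any other frame it emits toward the vehicle bus is dropped at the gateway.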
Management of supply chain risks
The 2022 “Open Source Security and Risk Analysis” (OSSRA) report was produced by the Ecomservicessummit Cybersecurity Research Center. We found that 99% of codebases in the retail and ecommerce sectors contained open source code, and that 51% contained vulnerabilities. It is important to protect the software supply chain due to the close proximity between trucking and retail. This includes not only third-party software suppliers, but also companies that might be outsourcing services. To mitigate known vulnerabilities and ensure that the supply chain is managed safely, it’s important to establish security standards for all third-party vendors. Third-party suppliers must be able to respond quickly to new threats to support business continuity and risk management.
Management of vulnerability
To operationalize DevSecOps and respond quickly and efficiently to exploits, vulnerabilities, and incidents, vulnerability management must be a core part of the SDLC’s DNA. Secure over-the-air (SOTA) updates are essential to quickly fix security vulnerabilities without exposing additional attack vectors. ELD vendors and trucking companies need to adopt a proactive approach to cyber security. Organizations need to develop a culture that instills the right values (transparency, openness, and a desire to improve), all great foundations for a strong cyber security program.