New connectivity technology on commercial trucks has allowed fleets greater efficiency and visibility into their operations, but they also provide a larger attack surface for cybercriminals. Urban Jonson, SVP of Information Technology and Cybersecurity Services at SERJON, spoke at the American Trucking Associations Technology & Maintenance Council’s (TMC) Annual Meeting about the need for fleets to take such cyberthreats seriously and what they can do to protect themselves.
Among the top ways fleets can defend themselves and their vehicles from cyberattacks is through awareness and education. In June 2023, TMC announced that it was working with SERJON to provide cybersecurity training specifically for fleet personnel. And these courses are more necessary than ever, as the damage a single cyberattack can do impact's more than one fleet's uptime.
Trucking’s vulnerability to cyberattacks
Nowadays, fleets aren’t just at risk from ransomware attacks where hackers are looking for a quick payday, as was the case for Estes Express in September 2023. Jonson emphasized that state actors could target the trucking industry to cripple the U.S. infrastructure.
Several U.S. government agencies, including the National Security Agency and the Federal Bureau of Investigation, released an advisory in February 2024 stating that cyber actors from the People’s Republic of China were working to “position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure."
Even worse, Jonson explained that private contractors who help government actors target foreign infrastructures often provide the same services to criminal networks as well, potentially doubling a fleet’s suffering and the contractor’s pay. But even if a contractor does their work without double-dipping in the criminal underworld, Jonson is equally concerned, if not more so, about those who target fleets for motives beyond the money.
“The part that has me more concerned is when you have these actors that want the ability to impact things like government institutions, but they don't necessarily want to execute it [right away],” Jonson warned. “They just want the ability, so in the case of a conflict, I can press this button over here and cause a big impact. And I'm just going to hold on to that for a long time.”
A ’kill switch’ such as that described by Jonson could be as simple as causing a vehicle to break down at the right time and place; for instance, on a bridge, in a tunnel, or at a port. At these locations, a single truck can cause traffic snarls lasting hours that equate to lost productivity valued at hundreds of millions of dollars, he noted. And for smaller fleets, the loss of a single truck could mean closing their doors for good.
“If you have three trucks in your fleet, that might be a big impact for you and your operations,” said John Sheehy, SVP of research and strategy for IOActive, at a 2022 TMC cybersecurity session. “If you have 30,000, it’s not going to have a very big impact—other than pointing out that you’ve got an issue to deal with.”
And the technology for bad actors to launch such attacks is available, too. On Feb. 26, 2024, Jake Jespon, Rik Chatterjee, and Jeremy Daily of Colorado State University published a report called “Commercial Vehicle Electronic Logging Device Security: Unmasking the Risk of Truck-to-Truck Cyber Worms.” The report, presented at the 2024 Symposium on Vehicle Security and Privacy in San Diego, revealed that it’s possible to compromise electronic logging devices remotely, which allows hackers to unleash an attack called a ‘computer worm’ that can spread to other ELDs on the same network from the compromised device.
Read more: White hat hacker shuts down trailer's ABS
“Once you have access to a vehicle, you have access to its CAN network, and I can tell it information that isn't true,” Jonson explained. “For example, if you're driving a truck, and I get access to it, I'll tell you that your DEF is gone. That's going to force the truck to derate.”
With so many options for hackers to target trucks, Jonson emphasized that it’s past time for fleets to defend themselves.
“Given the tempo and how things are changing, the urgency to start to address these issues seriously and systematically is upon us,” Jonson said. “That is one of the reasons why we've been working with ATA TMC to get people familiar with what they need to do to defend themselves. That's why we have on-demand online training available, including a certification component.”
Cybersecurity for fleets
The on-demand, online courses Jonson mentioned are now available through SERJON’s website. Smaller fleets can take advantage of the company’s training series geared toward small- and medium-sized businesses. The series includes lessons, videos, slide decks, self-assessments, and a certification exam and series certification. All of these materials cover cybersecurity terms and concepts, how fleets can identify and protect their assets, detect and respond to incidents, establish firewalls, and select IT providers.
More specifically, Jonson teaches a course on SERJON that covers cybersecurity for heavy-duty vehicles. It costs $99 to enroll and offers an overview of cybersecurity concerns for HD trucks, attack surfaces, risk mitigation, and how to use the NIST Cybersecurity Framework to reduce cyber threats. This course also offers a self-assessment and a certificate of completion.
Additionally, Jonson noted that one of the biggest steps to preventing a cyberattack is to limit access to the truck’s network in the first place. This means being aware of which of a fleet’s assets are most at risk.
“We need to prepare ourselves as an industry, and we need to do the very, very basics of trying to figure out what we what we are protecting and how we are protecting it,” Jonson advised.
Sheehy agreed, stating that fleets also need to understand typical cyberattack techniques that could be used against them, again emphasizing the importance of cybersecurity training. Furthermore, Ben Gardiner, senior cybersecurity research engineer with the National Motor Freight Traffic Association, advised selecting telematics providers with strong cybersecurity features. And for fleets that can’t afford to hire a cybersecurity expert on their own, Gardiner noted that they can use cloud services so that their security works for the fleet as well.
The connectivity and cybersecurity trade-off
There are good reasons to connect heavy-duty trucks and their trailers. In addition to better utilization and diagnostic information, cameras on the dashboard or on the sides and rear end of the trailer can provide fleets with safety reporting.
“These are all things that we want,” Jonson said. “But that extra connectivity then comes with risks that we also have to look at and address.”
