The transportation industry, where a lot of money changes hands every second, is becoming a big target for cybercriminals. If a fleet isn’t prepared for an attack, it might already be too late.
Cybersecurity is like the COVID-19 virus, according to CarriersEdge CEO Jane Jazrawy. “If you’re not protecting yourself, you can get it. You won’t know it right away, and it’s going to be really detrimental when it happens. You’ll wish you could turn back the clock—but you can’t,” she said.
COVID-19 isn’t the only pandemic the world will face this decade, stated Christopher Krebs, former director of the federal Cybersecurity and Infrastructure Security Agency. “Considered a low-dollar, online nuisance crime only a few short years ago, ransomware has exploded into a multibillion-dollar global racket that threatens the delivery of the very services so critical to helping us collectively get through the COVID pandemic,” he said in testimony before the U.S. House Subcommittee on Cybersecurity in May. “To put it simply, we are on the cusp of a global pandemic of a different variety, driven by greed, an avoidably vulnerable digital ecosystem, and an ever-widening criminal enterprise.”
Cybercrimes have been around since the early days of computer networks in the 1970s. While these crimes have steadily increased in the decades since the U.S. Defense Department’s Advanced Research Projects Agency Network (ARPANET) led to the internet, cybercrimes have reached a torrid pace since the COVID-19 pandemic changed the office work landscape in the U.S. Just last spring, the FBI reported a 300% increase in cybercrimes between March and May 2020. The transportation industry has seen similar surges in attacks this year, according to Ben Barnes, McLeod Software’s vice president of IT services and chief information security officer.
Sources: FBI, Cybint, Travelers
“We didn’t see a lot of attacks in January and February, but in March and April, the ransomware attacks have escalated in our industry, and we don’t know why exactly,” Barnes, whose company provides transportation and trucking software solutions, told FleetOwner. “But if we can map these patterns and know the same thing happened last year in March and April when we saw attacks go up, we’re starting to see a pattern.”
The May 7 ransomware attack on the Colonial Pipeline Co., which supplies 45% of the East Coast’s fuel, is one of the latest examples of a cyberattack’s power. The breach forced the company to shut down its four main pipelines between Texas and New Jersey, leading to fuel market concerns. Shortly after the attack, Colonial said it was breached through its corporate computer system.
The transportation industry has become a high-value target, Barnes said, because it is so big and “there is so much money changing hands every second of every day.”
If cybercriminals gain access to a fleet’s IT system and install ransomware, the company will face some complex decisions, Barnes noted. “A ransomware attack in our industry can easily shut down your business for three days. You can’t dispatch loads, you can’t pay drivers or conduct financial transactions of any sort, and you may not be able to use email,” he said. “Companies that don’t have an incident response plan in place may be looking at one or two weeks of inactivity. The impact on the business can be severe and lasting.”
Human error
More than 90% of cybersecurity problems originate from human error, according to Cybint, a firm that offers cybersecurity education and training for businesses. “That is human error on emails, people that left open or misconfigured their router or firewall and essentially left holes for attackers to come in,” Barnes noted as examples. “Human error can come from all over the place—it’s not just one area. It’s not just email. Education awareness can go a long way.”
Cybercriminals, he said, are like most other criminals: They are looking for an easy way in. He compared businesses to a bunch of homes on a cul-de-sac. “You don’t want to be the house with the doors open, no guard dog, no cars in the driveway,” Barnes said. “You want to be the house that has a security system and locks its doors. They are going to move on to attack the easier target. You don’t want to be the low-hanging fruit.”
How hackers use ransomware is evolving, according to Scott Hellberg, director of information security governance, risk and compliance for Sentry, an insurance provider for long-haul fleets and owner-operators. “At one point, ransomware was simply malware loaded into a phishing email,” he told FleetOwner. “With that, [the hacker] will gain access to the machine and encrypt it.”
Now, he said, cybercriminals are taking more of a “shotgun” approach where they don’t have a specific target. The goal is to get the malware on as many networks and machines as possible. Then, once the hackers have access to a network, they decide when to activate the ransomware. Cybercriminals are “betting on the fact that most people don’t do a good job with backups and have put themselves in a position where their data is one of the most important aspects of them being in business,” Hellberg explained.
Businesses without good data backup plans are most susceptible to being held at ransom, Hellberg said. If businesses do not have a good backup system in place, cybercriminals could force the organization to pay a ransom in whatever cryptocurrency the attackers want. A cybercriminal can lock up an IT system until the victim company pays for a “cyber key” to regain access to the data.
Sometimes this malware lies dormant in a company’s network or an individual computer. Barnes said it could become like a “pyramid scheme” for hackers once they gain access to a system. Along with selling access to various criminal networks on the dark web, cybercriminals like to go after the same organizations more than once.
“We’ve seen some midmarket and smaller transportation firms get hit multiple times,” Barnes said. “That is as baffling to me as any of this because if you got hit once, you’re on a list. Suppose [a hacker] has credentials to get into your system. In that case, that attacker can sell those credentials to another attacker—and that attacker will go and map out your network and find everything you have, and they will sell it to another attacker who will run ransomware on it. Well, each one of these sales puts that information out there for public knowledge, and that can be resold yet again.”
Companies that don’t tighten up their cybersecurity, make changes, or learn from the past are the companies most likely to get attacked multiple times, Barnes said.
“If a fleet hasn’t started thinking about cybersecurity yet, then they’re probably being targeted right now,” Jazrawy told FleetOwner. “It’s just too late now. You should be immediately starting something now if you haven’t done it because someone has probably found you. It’s crazy not to be doing something, and that something has to include both your backend systems and your people because that is how they are getting to you.”
Print a plan
Chris Sandberg, vice president of information security for Trimble Transportation, said that larger fleets tend to have better cybersecurity plans than smaller carriers. But no matter the business size, a company’s cybersecurity plan should start with examining its critical workflows, he said.
“Figure out what workflows are actually critical to your system,” he told FleetOwner. “Then make sure you document those workflows. I always encourage people to make sure that you print them out and redo this at least annually, if not quarterly.”
The printouts should include workflows and who has access to what information and network systems. The hard copies should also include procedures and phone numbers to call if there is a system breach. Sandberg suggests putting all of this critical information “in big red binders and put it everywhere.”
Sources: FBI, Cybint, Travelers
While creating these documents of company workflows and information, Sandberg said, fleet managers and executives will learn more about their critical processes, such as who has access to what within the system. “From there, make sure only the people that need access have access,” he suggested as a way to tighten control.
Most importantly, Sandberg said, have an offline system. “It can be something as simple as somebody writing a little [computer] script, copying the files to another file share that the main users don’t have permission to [access], which is what we call an offline backup,” he explained. “So, if someone gets infected with something like a CryptoLocker virus, they can’t screw up the backup.”
How often a company backs up its system depends on the business, Sandberg added. “It depends on the criticality,” he said. “If the business can accept losing a day’s worth of data, back it up once a day. If they can accept losing five minutes of data, copy it every five minutes. The criticality of the data is what drives the backup schedule.”
McLeod’s Barnes said it’s important for fleets to have a playbook ready in case they are attacked so they’re “not reacting in a panic.” He also suggested that fleets get cybersecurity insurance, which only 55% of U.S. businesses have, according to a 2020 study by Travelers.
Training and education
CarriersEdge’s Jazrawy said the most common risk to fleets right now is employees clicking on the wrong links in emails that look legitimate but lead to “a nasty website or downloads some sort of malware.” She said employees in her company had received emails mimicking Jazrawy that ask those employees to do a task for her, such as buying gift cards and relaying the gift card information back via email.
“Another time, I had a staffer get a fake email from me asking them to email back their phone number, claiming I needed to call them,” she said. “This was ridiculous because I already have everybody’s numbers. But if they send back their number, then [the phisher] tries to call you and take it further somehow.”
McLeod’s Barnes said he’s commonly asked how many clicks of a bad email link it takes to infect a company’s system. “One. It only takes one click if you open something bad,” he said.
All of this is done by cybercriminals who are trying to infiltrate companies through employees. “People are by far the weakest link,” said Jazrawy, whose company creates training programs for drivers and fleets. And a newer “people target” is truck drivers.
“The biggest risk that I see right now is that companies aren’t training their drivers because they think that the only people who need to be trained about cybersecurity are the people in the office because those are the people who are using the system,” Jazrawy said. “I think that’s a very dangerous way to think because the drivers might not be using your systems directly, but they are certainly talking or sending messages back and forth to the people who are using your system. What are they forwarding or doing without understanding?”
Barnes said companies are looking for a 100% guarantee that cybercriminals won’t get into their systems. “I don’t think that exists. You have to do the right things. Getting more preventative is like how you eat an elephant—you take one bite at a time. If you’ve done that and you look up and half the elephant is gone, then you’re into some really good, multiple phases of your security approach.”
He added that those “first few bites of the elephant” aren’t going to cost a company a lot in their cybersecurity journey. Just having data backup systems can go a long way. “If you can’t 100% prevent an attack and an attack happens, what do you do?” Barnes said. “Having a good backup is No. 1. That doesn’t cost a great deal of money to set up, but you would be amazed at how many transportation companies don’t have reliable backups.”
Jazrawy said it doesn’t make sense just to train some employees on the dangers of cybersecurity. “It’s not just the company’s security; it’s people’s personal security,” she added. “They should all be educated on how to protect themselves—even when it has nothing to do with the company they work for.”
Most drivers, unlike office workers, are not spending much of their time online, and that can make them susceptible. “If no one explains to them what a phishing attempt looks like, they can get tricked,” she explained.
This can be a particular problem for drivers whose first language isn’t English, Jazrawy said. Since many attempted cyberattacks come from other countries, a native English speaker might more easily pick up on a scam because of poor grammar or spelling. “I’ve noticed that when there are issues, it tends to be non-native English speakers who fall for it because words are what is being used in a lot of these phishing emails. I think that is something to watch out for.”
Jazrawy said this is something she has noticed more recently and has been working it into the onboarding process for new employees. “I have had to show my staff pictures of phishing email examples and explain why I would never actually send an email like that,” she explained.
She said this is important for companies to explain to employees. “If you’re the owner of a 200-person company and you don’t talk or email with everyone every day, if someone sends a fake message from your account, an employee might not know it’s not from you,” Jazrawy said. “Because they don’t know how you sound in a day-to-day email, they might just automatically respond because they think it’s actually a message from the owner of the company.”
So Jazrawy created a graphic that shows new employees what type of emails she would send, including how she would greet the recipient (“I would never start a message with ‘Dear so-and-so’”) and even how she would sign an email. “So, they can very clearly see what I will say and what I won’t say.”
CarriersEdge offers a cybersecurity course for drivers that the company also uses internally for its own employees. “Everybody from developers to customer service goes through that course,” Jazrawy said. “And what we also do is when we get scam messages, we talk about them. We’re constantly sharing information about fake messages going around because they’re definitely increasing.”
Preparing for cyberattacks
According to most information technology experts, fleets should have a standard set of operating procedures before a cybersecurity incident event occurs.
The Cybersecurity Unit of the U.S. Department of Justice (DOJ) put together a set of best practices for victim response and reporting of cyber incidents. This includes steps to take before, during and after a cyberattack.
Before
According to the DOJ, these are the most critical practices for fleets to put in place to help secure their data and protect their networks.
Have an actionable plan in place
“Organizations should have a plan in place for handling computer intrusions, data breaches, and other cyber incidents before they occur,” the DOJ noted. “The plan should be ‘actionable,’ meaning it should provide specific, concrete procedures to follow in the event of a cyber incident; be up to date; include timelines for the completion of critical tasks; and identify key decision-makers.”
Engage with police before an incident
Establishing a relationship with local law enforcement before a cybersecurity incident occurs will create a point of contact for any future assistance necessary. It will also aid in creating a relationship of mutual information sharing, which would be beneficial to both fleets and law enforcement.
Ensure legal counsel is familiar with cyber-incident management
If a data breach should occur, it could be beneficial for fleets to talk with an attorney who is knowledgeable about laws regarding electronic surveillance, communications, data privacy, and information-sharing to understand the potential legal repercussions of the incident.
Establish relationships with data information-sharing and analysis organizations
The government created Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) to ease staying up to date.
“ISACs share analysis of cyber threat information within their respective sectors, with other sectors, and with the government. Depending upon the sector, they may provide other cybersecurity services as well,” the DOJ said.
ISACs exist for what is considered the 16 “critical infrastructures” of the U.S., but because not every industry falls within these 16 sectors, organizations have created ISAOs. ISAOs are intended to provide the same benefits and information as ISACs for specific industries or markets.
The vehicle industry has its own ISAC, where intelligence is shared on developing cybersecurity risks to vehicles. As vehicle cybersecurity capabilities are improved, information is posted at automotiveisac.com.
During
During a data breach, the DOJ recommends the following steps:
- Make an initial assessment
Assess the situation and first determine the cause of the incident. Was the incident a malicious act, human error, a technological glitch, or some combination of the three? From there, fleets should be able to ascertain what action needs to be taken.
- Implement measures to minimize continuing damage
After a data breach, a fleet should do whatever possible to mitigate the corruption to their systems.
Robert Vogt, chairman of IOSiX, a manufacturer of electronic logging device (ELD) hardware and high-end automotive data acquisition systems, recommends a few preventive measures that can also help to avoid further damages from a cybersecurity incident.
“[Fleets should] be extremely careful about vetting any devices they add to the vehicle,” Vogt said. He suggested disabling any wireless communication features or functions that the fleet doesn’t use, including Wi-Fi, Bluetooth, and/or an OEM telematics system. “If you’re not using it, it’s using you,” he added.
- Record and collect information
In the event of a cybersecurity incident, fleets should keep logs, notes, records, and any data possible that may help in analyzing and investigating the breach.
The DOJ recommends these forms of information be recorded and retained;
- A description of all incident-related events, including dates and times;
- Information about incident-related phone calls, emails, and other contacts;
- The identities of people working on tasks related to the intrusion, including a description of each individual’s role or responsibilities, the amount of time spent on the tasks, and the approximate hourly rate for each person’s work;
- Details on the systems, accounts, services, data, and networks affected by the incident and a description of how these network components were affected;
- Information relating to the amount and type of damage inflicted by the incident, which can be crucial in civil actions by the organization and in criminal prosecutions;
- Information regarding network topology or the arrangement of a network comprised of nodes and connecting lines through the sender and the receiver;
- The type and version of software being run on all affected systems; and
- Any irregularities in the organization’s network architecture, such as proprietary hardware or software.
- Notify
Lastly, when handling a cybersecurity incident, the proper people must be notified of the situation. Within a fleet’s standard operating procedures for a data breach, a point of contact (POC) should be included. Senior management, incident response firms, local law enforcement, and legal counsel are critical POCs.
“The first thing to know is what your state laws are regarding security breaches, noted attorney Patrick McGuire.
State laws will provide details such as who needs to be notified, how quickly they need to be notified, and depending on the situation, whether notification is necessary at all.
After
Even after a cyberattack seems to be resolved, fleets must stay vigilant. The DOJ warns that intruders often try to regain access to the system or even retain access to the system through an entry point not previously discovered. Fleets should continue monitoring their systems for any suspicious activity that could lead to another attack.
Fleets should also take this time to review how well their cybersecurity incident response plan worked. What were the strengths and weaknesses? How can the plan be improved for the future? Steps must be taken to address and fix these issues to prevent future similar attacks against the fleet.
—Emily Markham, Vehicle Repair Group
By Josh Fisher
Source: https://www.fleetowner.com/
CUT COTS OF THE FLEET WITH OUR AUDIT PROGRAM
The audit is a key tool to know the overall status and provide the analysis, the assessment, the advice, the suggestions and the actions to take in order to cut costs and increase the efficiency and efficacy of the fleet. We propose the following fleet management audit.