{"id":13926,"date":"2022-06-25T10:03:44","date_gmt":"2022-06-25T08:03:44","guid":{"rendered":"https:\/\/advancedfleetmanagementconsulting.com\/eng\/?p=13926"},"modified":"2022-06-25T10:03:44","modified_gmt":"2022-06-25T08:03:44","slug":"fleet-47","status":"publish","type":"post","link":"https:\/\/advancedfleetmanagementconsulting.com\/eng\/2022\/06\/25\/fleet-47\/","title":{"rendered":"Minimize the Threat of Cyber Attacks at Your Fleet"},"content":{"rendered":"

Photo: gettyimages.com\/scyther5<\/i><\/span><\/p>\n

Don\u2019t ignore the threat of a cyber attack just because it hasn\u2019t happened to your fleet.<\/b><\/span><\/p>\n

Cybersecurity. That word alone makes people\u2019s eyes roll back in their heads. Most people are proficient using computers, but understanding how they work? That\u2019s above their pay grade. Most people recognize that certain threats exist, but they haven\u2019t the foggiest idea how to effectively protect against them. Consequently, many of us put off learning about protection or taking the steps necessary to secure their data and limit access to sensitive parts of their network.<\/span><\/p>\n

One part of the problem is that many people don\u2019t know where to go to get the resources or the training to deal with the problem. Another part is that many think the solution is more complicated than it actually is. And a third stumbling block is assuming that hackers couldn\u2019t possibly be interested in such a small company. \u201cI\u2019m just a little guy, I\u2019ve only got 10 trucks. Why would anyone want to attack me?\u201d\u00a0\u00a0<\/span><\/p>\n

\u201cThe answer is that small companies are easy prey,\u201d says Mark Zachos, general manager of vehicle network solutions company DG Technologies of Farmington Hills, Michigan. He\u2019s also the chair of the American Trucking Associations\u2019 Technology and Maintenance Council\u2019s S.5 Cybersecurity Issues task force.<\/span><\/p>\n

\u201cThe big guys are well defended,\u201d Zachos says. \u201cThey have built up their defensive shields and they know the value of strong passwords and two-factor authentication. They have their data encrypted and stored in the cloud. When it comes to the smaller, poorly protected companies it\u2019s a matter of volume. Attackers go after hundreds of companies at a time, and two or three attempts might be successful. To the hacker, that could still mean dozens or hundreds of thousands of dollars in ill-gotten revenue.\u201d<\/span><\/p>\n

In a so-called ransomware attack, criminals will insert some code into a company\u2019s files that on command will encrypt all the data, rendering it inaccessible. The attackers then demand payment, or ransom, to decrypt the files. However, fewer than half of companies ever see their data again, despite paying the ransom, Zachos says.<\/span><\/p>\n

The latest trend in ransomware attacks is potentially even more catastrophic. Attackers seize a company\u2019s private data and threaten to release it publicly or sell it to the highest bidder. Wired Magazine recently reported Apple Computers suffered such an attack launched against a third-party supplier. Thieves stole documents and drawings related to upcoming laptop computers and offered them for sale online.<\/span><\/p>\n

While it\u2019s unlikely a 10-truck fleet would fall victim to such a scheme, you can imagine how a much larger company could be severely compromised by an extortion attack.\u00a0\u00a0<\/span><\/p>\n

Protecting your company from cyber attacks doesn\u2019t have to be expensive or complicated. Windows-based PCs have Windows defender built into the operating system. Aftermarket security products from Norton, McAffee, or Malwarebytes can add additional layers of protection. More sophisticated commercial products are available that offer additional protection or network configuration options. Internet security specialists can help install and configure those products based on fleets\u2019 needs, but basic online security isn\u2019t that complicated.<\/span><\/p>\n

In any case, basic electronic security begins with good online habits and staff training on how to avoid unwanted intrusions in the first place.<\/span><\/p>\n

Click With Caution<\/span><\/h2>\n

The majority, about 90%, of cybersecurity attacks come from phishing emails, Zachos says. You have undoubtedly received numerous emails from what appear to be friends or familiar entertainment streaming services, online retailers, banks, or even government agencies. They urge you to take some sort of action like updating your profile or verifying an account. They usually offer convenient links to follow or include attachments for you to review.<\/span><\/p>\n

\u201cThose attachments are usually malicious viruses that instead of opening a PDF or an image, it opens up and runs a program in the background on your computer that you don\u2019t even know about,\u201d he says. \u201cEven legitimate looking attachments like spreadsheet documents can contain macros that can be used to start a program executing in the background.\u201d<\/span><\/p>\n

It would be easy to imagine a busy employee habitually clicking on such a file and triggering an unpleasant chain of events.<\/span><\/p>\n

These email messages are often nicely packaged and look very much like what you\u2019re expect from, say, Netflix. However, the sender\u2019s email address can be spoofed to look like it came from Netflix, but the senders real address can often be revealed by hovering your cursor over the address, like this example from my own inbox:\u00a0 The address shown was customer.service@netflix.com, but\u00a0the sender\u2019s address was actually e.sinatti@hotmail.it. That\u2019s probably not legitimate either, but it\u2019s clearly not from the popular streaming service.<\/span><\/p>\n

\u201cThose login links are trying to trick you into giving up your login credentials,\u201d says Jane Jazrawy, co-founder and CEO of CarriersEdge. \u201cOne of the easiest ways to break into a system is by tricking a user into giving up their password or some of their login credentials. Sometimes a request will come from a coworker\u2019s email address asking for a phone number or a password.\u201d<\/span><\/p>\n

Jazrawy says new employees are more vulnerable because they want to be seen as cooperative team players and happy to help.<\/span><\/p>\n

\u201cSocial media platforms like Facebook and LinkedIn make it easy for hackers to search out names of people who have just started a new job with a company,\u201d she cautions.<\/span><\/p>\n

During evaluations for its Best Fleets to Drive For program, Jazrawy says a very low percentage of carriers trained their drivers or office staff in cybersecurity best practices.<\/span><\/p>\n

\u201cPeople would say, well, our drivers don\u2019t really have access to our internal systems so it\u2019s not a problem,\u201d she says. \u201cHowever, drivers and internal staff are texting and emailing each other, and those lines of communication are vulnerable.\u201d<\/span><\/p>\n

Zachos urges fleets to teach staff to be wary of every email they open, even from trusted sources.<\/span><\/p>\n

\u201cThere\u2019s usually some tell-tale indicator of fraud, such as misspelled names, odd-looking formatting, and foreign languages, but some of them can be pretty convincing,\u201d he says. \u201cOpening the email isn\u2019t a real hazard, but clicking on links or opening attachments, especially from unfamiliar senders, is risky.\u201d<\/span><\/p>\n

CarriersEdge and others offer courses in cybersecurity and mitigation measures, but Jazrawy says they are not among the company\u2019s most popular course offerings.<\/span><\/p>\n

How Secure Are Trucks?<\/span><\/h2>\n

Trucks are rolling data factories, cranking out gigabytes of information every day. And they are very connected, through cellular and satellite telematics devices, Bluetooth, and various internet-facing platforms. And then there are the peripherals drivers connect to the truck for personal use. It\u2019s safe to say many of those products may not have built-in data encryption and offer only the most basic privacy protection.<\/span><\/p>\n

Even ELDs are a potential source of unauthorized access. A bulletin distributed to the trucking industry by the FBI in 2020 warned that cyber criminals could exploit vulnerabilities in those devices. But it goes much deeper.<\/span><\/p>\n

According to Michael Dick, president and co-founder of automotive cybersecurity lifecycle management platform C2A Security, every connected component on a truck is at least somewhat vulnerable to cyber attack \u2013 including electronic braking and steering systems, navigation systems and automated safety systems.<\/span><\/p>\n

\u201cUntil very recently, there was no definition of who\u2019s responsible for cybersecurity, whether it\u2019s the manufacturers or the Tier 1 suppliers or whoever,\u201d he says. \u201cMost of the components of the truck are outsourced and therefore integration is a big challenge for the OEM. It\u2019s a very complicated supply chain.\u201d<\/span><\/p>\n

Dick says individual components, the networks they are connected to and up-and down-stream components all function as a single system, so any potential infection in one vulnerable component could affect the rest of the network and ultimately have an impact at the vehicle level.<\/span><\/p>\n

Recently United Nations Economic Commission for Europe under a protocol called WP.29 established a chain of responsibility which forces manufacturers and their suppliers to manage vehicle cybersecurity through testing, threat analysis and risk assessment, and data sharing. As with almost every United Nations-based endeavor, the scope of the program is big and hairy, but the outcome of the effort means that vehicles sold in 14 specific countries (and by extension through globalization and at-scale manufacturing) have to be as hardened against attack as they can be for the life of the vehicle.<\/span><\/p>\n

It\u2019s a massive undertaking and it\u2019s due to come into force in June 2022.\u00a0<\/span><\/p>\n

\u201cIn order to get type approval for any new on-road vehicle in any of the UNECE countries, manufacturers will have to be compliant,\u201d Dick says.<\/span><\/p>\n

Not all US-based manufacturers are signatories to this agreement, but because they sell vehicles into those 14 signatory nations, they will have to comply with WP.29 as well.<\/span><\/p>\n

Dick says the threat to safety was the governments\u2019 priority in developing these standards. They weren\u2019t concerned about ransomware or denial of service attacks, the threat to national security of planned attacks carried out by a vehicle, or severe damage to critical supply chain elements \u2013 like electronically disabling trucks.<\/span><\/p>\n

Zachos says Russian hackers are working a feverish pace trying to disrupt global distribution in an effort to stall weapons delivery to Ukraine and curb the flow of vital energy resources to dependent nations. If they could succeed with a zero-day attack that shut down trucks or other critical infrastructure, we\u2019d be in a heck of a mess.<\/span><\/p>\n

\u201cThey\u2019re not going to like hijack a truck and crash it into White House, they\u2019re looking to find a convenient place to disable something at the worst possible time like bringing commercial traffic to a halt on the George Washington Bridge at 9 a.m. on a Monday morning,\u201d he says. \u201cWe\u2019re not talking about common cyber-criminals. We\u2019re talking about very sophisticated and resource-rich nation states whose goals are to shut down or disrupt global supply chains.\u201d<\/span><\/p>\n

The Genie Is Out of the Bottle<\/span><\/h2>\n

That kind of attack is no longer fodder for science fiction buffs. Those types of attacks are carried out on a regular basis in laboratories around the world and in real life, but on a smaller scale.<\/span><\/p>\n

\u201cCars are stolen that way all the time,\u201d Dick says.<\/span><\/p>\n

Given the sheer number of trucks built in the last decade and still in operation, the security vulnerabilities are manifest. Dick says the best way to minimize the changes of a vehicle hack is to avoid plugging anything into the on-board diagnostic port on the truck.<\/span><\/p>\n

\u201cThat\u2019s nice to say that, but it\u2019s not realistic,\u201d he adds. \u201cThere are hundreds of fleets of trucks driving around the US with boxes connected to the OBD port. The real challenge comes from the aftermarket. Even with WP.29, OEMs can take steps to secure the system, but if someone plugs in an unprotected device or something with malicious code embedded, well, that could be a serious problem.\u201d<\/span><\/p>\n

As noted earlier, cybersecurity threats are systemic and there are weaknesses at every level. From office staff mistakenly opening malicious emails to a driver plugging some kind of personal device into the OBD port, your trucks and your operation are probably more vulnerable than you realize.<\/span><\/p>\n

This article first appeared in the May 2022 issue of Heavy Duty Trucking.<\/em><\/span><\/p>\n

 <\/p>\n

\u00a0By <\/a>Jim Park<\/a><\/p>\n

Source: https:\/\/www.truckinginfo.com\/<\/a><\/p>\n

\n

KNOW WHO WE ARE<\/strong><\/a><\/h1>\n

\"\"<\/a><\/p>\n

KNOW THE FLEET MANAGEMENT YOUTUBE CHANNEL<\/strong><\/h1>\n

 <\/p>\n<\/div>\n

\"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Photo: gettyimages.com\/scyther5 Don\u2019t ignore the threat of a cyber attack just because it hasn\u2019t happened to your fleet. Cybersecurity. That word alone makes people\u2019s eyes roll back in their heads. Most people are proficient using computers, but understanding how they work? That\u2019s above their pay grade. Most people recognize that certain threats exist, but they…<\/p>\n","protected":false},"author":3,"featured_media":13927,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[18],"tags":[361],"_links":{"self":[{"href":"https:\/\/advancedfleetmanagementconsulting.com\/eng\/wp-json\/wp\/v2\/posts\/13926"}],"collection":[{"href":"https:\/\/advancedfleetmanagementconsulting.com\/eng\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advancedfleetmanagementconsulting.com\/eng\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advancedfleetmanagementconsulting.com\/eng\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/advancedfleetmanagementconsulting.com\/eng\/wp-json\/wp\/v2\/comments?post=13926"}],"version-history":[{"count":1,"href":"https:\/\/advancedfleetmanagementconsulting.com\/eng\/wp-json\/wp\/v2\/posts\/13926\/revisions"}],"predecessor-version":[{"id":13928,"href":"https:\/\/advancedfleetmanagementconsulting.com\/eng\/wp-json\/wp\/v2\/posts\/13926\/revisions\/13928"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advancedfleetmanagementconsulting.com\/eng\/wp-json\/wp\/v2\/media\/13927"}],"wp:attachment":[{"href":"https:\/\/advancedfleetmanagementconsulting.com\/eng\/wp-json\/wp\/v2\/media?parent=13926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advancedfleetmanagementconsulting.com\/eng\/wp-json\/wp\/v2\/categories?post=13926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advancedfleetmanagementconsulting.com\/eng\/wp-json\/wp\/v2\/tags?post=13926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}