Long-Haul Trucking Connectivity Brings Hacking Risks

[kscarbel2]

Trucks.com  /  May 17, 2016

As the long-haul trucking industry enters a promising new era of connected vehicles, it is also preparing to confront the cybersecurity threat that comes with it.

Each gadget that is installed in the cab or under the hood potentially expands the number of targets for a global army of hackers who are increasingly sophisticated and well-funded.

Already, a mind-bending number of features, gadgets, services and applications have come on the market in recent years. There are sensors in the engines to monitor performance and anticipate mechanical problems. Video systems help drivers avoid collisions and provide warnings. Awareness systems look for signs of driver fatigue. 

For long-haul trucking companies fighting to remain profitable, the prospect of new tools to monitor driver behaviors, avoid costly crashes and save fuel is irresistible.

However, these systems are sending more and more data over the air. Each device and service increases the “surface area” for a hacker to find a way into a truck, security experts told Trucks.com.

“As you connect more data centers to long-haul trucks, you create a more attackable system,” said Rod Schultz, vice president of product at San Francisco-based cybersecurity firm Rubicon Labs. “And we’ve found that when you create a platform of that data, it’s very difficult to predict the way that data is going to be exploited. The savvy attacker figures out where the vulnerability is in the system and how to attack it.”

New Risks With New Technologies

To be clear, there has not been a single known hacking incident involving long-haul trucks. But industry officials understand that the adoption of new technologies increases the risk.

The automotive world got a jolt last summer when a team of security researchers demonstrated how they could remotely disable the engine of a Jeep as it was driving down the highway by slipping into its controller area network, or CAN bus, via the vehicle’s entertainment system.

Even more alarming, a security researcher named Jose Carlos Norte recently wrote a detailed analysis of how he was able to find thousands of vulnerable telematics units, one of the trucking industry’s oldest and most commonly used technologies, using a search engine called Shodan that scans for Internet-connected devices.

As wireless networks have become more robust in recent years, telematics have becoming increasingly sophisticated, two-way communications channels. As Norte found by combing through Shodan, which has proved to be popular with hackers, many of them lack the most basic of password protections.

“It is possible to monitor and control float trucks, public bus or delivery vans from the internet, obtaining their speed, position, and a lot [of] other parameters,” he wrote. “You can even control some parameters of the vehicle or hack into the canbus of the vehicle remotely.”

The consequences of failing to take cybersecurity seriously are all too easy to find these days.

Target saw 40 million of its customers’ credit cards compromised in a massive hack back in 2013. More recently, Sony Pictures faced enormous embarrassment when hackers splattered its internal emails and documents across the Internet. In terms of connected gadgets, poor security around so-called Internet of Things devices has allowed hackers to use baby cameras to spy on families and break into a Ukrainian power plant to cut power to 80,000 people.

Leaders in long-haul trucking are racing to get ahead of the problem by commissioning research and hosting industry discussions. But beyond just understanding the risks and establishing best practices, they face the challenge of raising awareness throughout the marketplace and educating companies about the need to take the issue seriously.

The hope is that the long-haul trucking industry can learn from others’ mistakes. The fear is that, well, history has a devilish way of repeating itself when it comes to technology.

“It’s an area we’re just really starting to broach,” said Boyd Stephenson, vice president of international supply chain operations for the American Trucking Associations. “As with all cybersecurity issues, nothing can or will be perfect. But we understand the more integrated our approach, the better we’ll be in the long run.”

So far, much of the conversation about hacking vehicles has focused on passenger cars. But researchers believe that economics will drive faster adoption of connected technologies in long-haul trucking, thus making it potentially more vulnerable to cybersecurity risk.

“In the U.S., the margins for trucking are in single digits, 3 to 5 percent,” said Mohammad Poorsartep, project manager for the Connected Transportation Initiative at the Texas A&M Transportation Institute.

The hope is that connected technology can push profit margins higher by  enabling things like platooning of trucks; avoiding more accidents; alerting companies to the need for preventative maintenance; and reducing stress on drivers to lower turnover rates.

“That translates a lot to your bottom line,” Poorsartep said. “It’s not just a luxury. It serves a purpose.”

Seeking Security on the Front Lines

Karol Smith, safety manager at BarOle Trucking in Minneapolis, has seen the future rumbling toward her since the day she joined the business in 1997. As the pace of new technologies quickens, she’s now also wondering about the security risks that come with them.

Back then, she said, her primary challenge was to move the mid-size company away from using keycards on walls for managing routes and communications toward using devices like Nextel’s two-way radiophones. Now she and BarOle operations manager Paul Gerou are fielding daily calls from new vendors they’ve never met offering a range of technologies to aid the company’s 70 drivers.

For the moment, Gerou and Smith are confident that the technologies they have in place are secure. But they are learning which questions to ask about security precautions and how to evaluate vendors’ claims. They keep an eye out to make sure that their bundle of technologies  doesn’t become so overwhelmingly complex that they can’t spot the vulnerabilities down the road.

“All of these technologies are only as good and as safe as the end users,” Smith said.

Some larger truck manufacturers, such as Mercedes-Benz, Volvo and Daimler, are hoping that customers will decide that the best solution for guaranteeing security is to buy new connected trucks built from the ground up. Their argument is that rather than cobbling together new technologies from multiple vendors, it will be safer to upgrade to new connected trucks that have a single, fully integrated platform.

In the case of the Daimler Highway Pilot Connect system, which uses a Wi-Fi-controlled platooning system to save fuel, security protocols are tight, said Uta Leitner, a company spokeswoman. A hacker would need some inside information and have to access three different systems to trigger the emergency brakes, for instance.

Although the company said it was still examining potential security issues, it currently believes that the chances for mischief are minimal.

“We only transmit data of the vehicle in front that are relevant for braking,” Leitner said. “Therefore, externally controlled malevolent ramming of the vehicle ahead is not possible.”

Still, the National Highway Traffic Safety Administration isn’t taking any chances. It has already begun efforts to analyze the risks for the long-haul trucking industry.

“While we’re aware of theoretical risks, there have been no known instances of this occurring in the real world,” NHTSA spokesman Derrell Lyles told Trucks.com. “The government and industry are conducting research to assess any cyber vulnerabilities in electronic control systems of vehicles today and future vehicles as they grow more connected through vehicle-to-vehicle technologies.”

Last year, NHTSA reached out to the University of Michigan Transportation Research Institute to launch a 14-month study of cybersecurity and long-haul trucks. The project is being led by Dr. André Weimerskirch, an associate research scientist in the institute’s  Engineering Systems Group who had previously founded and sold an automotive cybersecurity startup.

Weimerskirch said his team has been examining what similarities exist between passenger cars and freight trucks. One important difference with trucks is that many are often older, with legacy systems, and components (like the engine) from one company and a cab and chassis from another. That patchwork effect could create potential vulnerabilities that are not readily apparent, he said.

And then there is the question of what types of attacks might be plausible, Weimerskirch said. Would they be aimed at stealing data? Shutting down a truck in a remote area to hijack the contents? Or just a little mischief by rewriting the day’s manifest for deliveries?

As the Michigan study continues, groups like the American Trucking Associations have begun to make cybersecurity regular features of their industry conferences. Stephenson said that last year was the first time the group held an event dedicated to looking specifically at vulnerabilities.

Much of the work ahead is going to be tough. The industry has about 500,000 firms, and 94 percent have six or fewer trucks. When the ATA polled members about top concerns, the most immediate worries remain the traditional ones, such as the industry’s driver shortage and retention rates.

When these companies do start thinking about new technologies, the people handling those decisions are going to be stretched thin.

“It’s a tough issue,” Stephenson said. “You’re talking about companies where the chief technology officer is the chief security officer and the chief executive officer and maybe a driver. There will be a wide, wide disparity in how these things are going to get adopted. And we have to make sure that security is not an afterthought.”