Sample Sidebar Module

This is a sample module published to the sidebar_top position, using the -sidebar module class suffix. There is also a sidebar_bottom position below the menu.

Sample Sidebar Module

This is a sample module published to the sidebar_bottom position, using the -sidebar module class suffix. There is also a sidebar_top position below the search.

Hacked or cracked? A practical guide to cyber security for private motor carriers

Details
Category: Issue 5

Heather C. Devine, Partner, Alexander Holburn LLP

Is cyber security a real risk for private motor carriers? The answer is: yes.

Despite being a 10-year customer of a business, at checkout, while handing over my credit card, I was asked to provide all of my customer information again – name, address, phone number, and email. I was surprised and asked: “Why? I am already in your system…”

I learned the business’s computer systems had been hacked and held ransom for approximately $10,000. During the hostage negotiations, while the customer information was held for ransom, the business contacted their insurer, but learned that it had in fact declined cyber liability insurance coverage (they thought they were covered). Rather than pay the ransom, the business decided to purchase a new computer system (same price as the ransom), and to start from the beginning to compile customer information.

First Party and Third Party Losses=$$$
These losses would constitute First Party Losses for the business. In this incident, the cost of the new systems and security was the same as the ransom. However, all private information, data and customer contacts were gone.
As a customer, I wondered: where is my customer information now? Locked in their old system? Is it available to criminals? Do I have redress? And why was I not told when it happened? I questioned: Can I sue?
Had I made a claim or sued, my claim or lawsuit would be a Third Party Claim or Loss.

What would your business do? Pay the ransom and hope to get the customer information back intact? Walk away and buy a new system entirely, but lose all customer information? What about any obligation to tell the customers that their personal information had been stored in a system that had been hacked and ransomed? What about the security for the customer’s new information?
These issues are becoming more prevalent in the transportation industry: the risk is real – so implement practical solutions and best practices to protect your business now, and ensure you purchase the appropriate insurance coverage – before you need it.

Data breaches affect us daily
Data breaches affect us daily, and they pose a unique threat to the trucking industry. There are two areas where cyber security is of interest today: financial risk as exemplified above where a cyber attack affects the security of one’s data – where the data affected could include customer data, business information, and even stored ELD sourced data; and a cyber attack through accessing vehicles through the connectivity of trucks, which is a threat that will likely increase in magnitude in the future.

The First and Third Party Costs of a cyber attack
The financial risk of a cyber attack, and the obligation to enact cyber security protection for stored data are practical risks which threaten private motor carriers: this article focuses first on the financial risks of cyber attacks on stored and accessible data, then considers the more futuristic issue of cyber attacks through connectivity, and ends with proposed best practices and insurance considerations.

Common cyber attacks: malware, phishing, DDos
The most common types of cyber attacks are:
Malware: malicious software that is propagated with link clicks and attachment downloads.
Phishing: fraudulent emails, which steal information or encourage malware downloads.
DDos or Distributed Denial of Services: multiple, simultaneous requests, which bombard a business’ server to prevent it from fulfilling legitimate requests.

Financial risk of common cyber attacks
on customer, trade information or stored ELD data
When business systems are breached or hacked, the business can incur costly containment and repair expenses. Affected third parties can bring lawsuits and exponentially increase unpredictable costs and damages arising from the breach.
In these circumstances, a business must be prepared to act quickly and to follow protocols which provide stability and limit risk – during the attack a business will strive to regain control and certainty which is almost impossible if a business is unprepared.

The motivations for an attacker can be numerous:
Criminal efforts to make a profit from manipulating commercial data or vehicles

Hijacking goods
Adversely manipulating a competitor’s fleet
Extorting fleet owners and drivers
Selling tools and services on the black market
Terrorism.1

Security risk of trucks being accessed while en route
“Easy access for safety-critical attacks”
Before we consider the potential role of ELDs in cyber attacks, be advised that it is not just the software that leads to vulnerability. Several researchers proved that they were able to access, hack and affect the performance of commercial vehicles by attacking the J1939 protocol instead of the software.
In “Truck Hacking: An Experimental Analysis of the SAE J1939 Standard” the authors conclude:
“We show how the openness of the SAE J1939a standard used across all US heavy vehicles industries gives easy access for safety-critical attacks that these attacks aren’t limited to one specific make, model, or industry.”2

(a Author’s note: All modern heavy duty trucks and buses in the United States use the SAE J1939 Standard (J1939) for their internal networks. “While standardizing these communications has proven crucial in allowing various suppliers and manufacturers to work together and cut costs, it also means that all heavy vehicles currently on the road in the US, from semi tractor -trailers to garbage trucks and cement mixers to buses, utilize the same communication protocol on their internal networks.”)

The attacks were not tested on autonomous vehicles: instead, the attacks were tested on a 2006 Class-8 semi tractor and 2001 school bus. These are ordinary commercial vehicles – the risk is real.
The researchers proved they could accelerate a truck in motion, disable the driver’s ability to accelerate, and disable the vehicle’s brake. Given the age of the semi tractor and school bus, it is clear that hacking into commercial vehicles to affect their operations is NOT the future. It is already here.

Heavy trucks increasingly employ systems with electronic control to increase stability and safety: electronically controlled anti-lock brake, anti-slip regulation, and active rollover protection systems are a few. It is not necessary to consider autonomous vehicles on the road to understand the risk of a cyber attack through such every day systems.

Further, heavy trucks are typically part of a larger fleet of vehicles, which are monitored using fleet management systems (FMS). The FMS standard is a worldwide standard developed in 2002, which combines satellite and cellular communications to provide information about vehicle location and status. The FMS standard is designed to allow third party systems to integrate across manufacturers, and these third party devices can be a source of cyber attack. In some cases, the researchers found third party fleet management systems connected to the vehicle’s internal network where the Telnet port was wide open.

The researchers launched attacks on the safety critical systems of heavy vehicles and attained success:
They ‘spoofed’ the status messages originating in various Electronic Control Units (ECUs) of the truck and precisely controlled ALL gauges on the instrument cluster: oil temperature, oil pressure, coolant temperature, RPM, speed, fuel level, battery voltage, and air pressure of the of the foundation brake system.

They were able to override the driver’s input to the accelerator pedal and simultaneously cause either direct acceleration or remove the ability to provide torque to the wheels while the truck was in motion.
They were able to disable the truck’s ability to use engine braking at speeds below 30 miles per hour.

Do ELDs create new vulnerability?
Private motor carriers are well aware of the government mandate to institute the use of electronic logging devices or ELDs. The implementation of ELDs is often tied to safety and hours of service tracking, and the collection and storage of a driver’s hours of service data, which is obtained by connecting to the engine, is commonly made by a connection through a cellular data network.

There are many areas of potential vulnerability: both from hacking into the devices and affecting the operation of the vehicle, and accessing the company’s collection and storage of collected data.
IoActive tested five different ELDs to identify vulnerabilities that could allow attackers to “pivot through the device and into the vehicle” with what is reported to be potentially disastrous results.3 Urban Jonson, chief technology officer for the National Motor Freight Traffic Association, Inc. (NFMTA), reports:
“There is still significant concern regarding the cybersecurity posture of ELDs and their providers… In vehicle components have been found to lack in cybersecurity hygiene features such as secure boot, encrypted communications and privilege separation.”4
To allay concerns about ELD devices, manufacturers advise that ELD devices are not designed to write to the engine’s control module, but are designed to receive and transmit data from it. ELDs reportedly also have various security measures in place.
Nonetheless, AT&T released a press release to announce that AT&T, IBM, Nokia, Palo Alto Networks, Symantec and Trustonic joined forces in a new Alliance to innovate in the security space regarding providers of Internet of Things (IoT) devices. This announcement is significant to private motor carriers because ELDs are devices which must be included when examining IoT security challenges.
AT&T advised:
“In the past three years, AT&T has seen a 3,139% increase in attackers scanning for vulnerabilities in IoT [Internet of Things] devices.
More specifically, AT&T Chief Security Officer Bill O’Hern said:
Be it a connected car, pacemaker or coffee maker, every connected device is a potential new entry point for cyber attacks …
Yet, each device require[s] very different security considerations. It has become essential for industry leaders and innovators like those in the founding members of this Alliance to work together to help the industry find more holistic security approaches for IoT”5
One solution, proposed by Jeremy Daily, PH.D., associate professor of mechanical engineering at the University of Tulsa, is a newly developed hardware device called CAN (Controlled Area Network) Data Diode. The CAN Data Diode works by preventing communication from the ELD to a commercial vehicle. This device is yet to be commercialized, so it is not a practical solution for PMCs in Canada at this time.

Best practices are the first step
To manage risk and limit liability, a private motor carrier can implement best practices and insure against the first and third party losses that can ensue. Here are a few best practices collected from a variety of sources.
Assess risks and the nature of identified threats and vulnerabilities through a defined process consistent with the overall risk-management strategy.
Use threat monitoring to understand current and emerging threats and reduce enterprise risk.

Implement routine scanning and testing of the areas of highest risk – evaluate whether you can disable or remove features that enable remote access to a third party such as diagnostic services when not in use.
Establish and follow procedures for identifying, measuring and prioritizing cyber security risks – stay up-to-date with security providers communications and software system updates.
Establish and follow an incident response plan (IRP), which includes processes for identification and containment through remediation and recovery.
Establish an incident response team (IRT).

Conduct and document regular testing and coordinate the testing with the incident response team (IRT) and update and modify the IRP to reflect the results obtained by regular testing.
Establish training procedures, which includes the IRT as well as operations, risk management, and IT personnel.

Locate and purchase applicable insurance, verify coverage, and work with your broker and or insurance provider to ensure that the best practices employed match your coverage.
Consider implementing provisions regarding the impact of cyber attacks into shipper-carrier and broker-carrier agreements to manage risk by limiting liability (first and third party) and avoiding or reducing economic losses.

Cyber liability insurance provides protection:
know your coverage
Cyber liability insurance covers two main areas of risk First and Third-Party Insurance: First Party Insurance provides coverage for direct costs associated with responding to the failure and managing the incident. Third Party Insurance provides coverage for lawsuits or claims that arise as a result of the cyber incident.

Make sure you get a clear explanation of what is covered in your insurance policy and what is excluded; for example, when reviewing coverage assess whether it covers breach assessment and repair; business interruption and/or economic losses; ransom payments; reputation management; third party legal fees and settlements; and perhaps even regulatory fines. Some policies may even include marketing costs to recover a business’ reputation.
However, Technology E&O (errors and omission) coverage does not provide protection against cyber crimes.

Consider too that you must specifically purchase cyber extortion coverage to provide coverage for a consultant or negotiator, or repair costs of the recovered data is locked or damaged.
In summary, whatever the nature of the cyber attack (financial or, more rarely, through connectivity with commercial vehicles), it is important to understand that the attack, when it happens, will cause chaos and potentially significant first and third party liabilities.

In order to limit the potential damages, and ensure that your business retains control during the attack, implement best practices which match your business’ risk management profile, and ensure that you have sufficient insurance coverage.

End notes:
1 Truck Hacking: An Experimental Analysis of the SAE J1939 Standard by Yelizaveta Burakova, Bill Hass, Leif Mllar and Andre Weimerskirch, the University of Michigan, p. 5
2 Truck Hacking: An Experimental Analysis of the SAE J1939 Standard by Yelizaveta Burakova, Bill Hass, Leif Mllar and Andre Weimerskirch, the University of Michigan, p. 1
3 “As the connectivity of trucking grows, so do cyber security risks” posted in General Security on April 10, 2019
https://resources.infosecinstitute.com/as the connectivity of trucking fleets grows so do cyber security risks/#gref
4 “As the connectivity of trucking grows, so do cyber security risks” posted in General Security on April 10, 2019
https://resources.infosecinstitute.com/as the connectivity of trucking fleets grows so do cyber security risks/#gref
5 https://www.overdriveonline.com/hacking-trucks-cybersecurity-and-the eld-.andate/ 2019-12-02; citing “Cyber security alliance formed specifically to address IoT, the Intertent of Tru…um, ‘Things’” Channel 19, Todd Dills, February 13, 2017 at overdriveonline.com