During this National Truck Driver Appreciation Week, we review how to ensure security on the road with ELD cyber security considerations.
According to the U.S. census in 2019, more than 3.5 million people worked as truck drivers, driving large tractor-trailers or delivery trucks. Given that over 70% of all freight is transported using trucks, trucking is a key part of the country’s critical infrastructure. Sadly, this has not gone unnoticed by cybercriminals. Over the past few years—as reported by several news outlets—trucking companies including B-H Transfer, J&M Tank Lines, Roadrunner, Total Quality Logistics, and Tom Berkowitz Trucking Inc. have all been targeted by malware or ransomware attacks.
In December 2019, the electronic logging device (ELD) rule was implemented by the United States Department of Transportation (USDOT), meaning that each truck in the country became a connected truck. Using a vehicle’s ECM data, these devices can track various vehicle telemetry including location information, engine hours, vehicle miles, and vehicle diagnostics. This data is also of great interest to cybercriminals, who can steal PII, location intelligence, sensitive cargo information, and other sensitive business information, attacking the critical infrastructure of a nation.
As part of the mandate, ELDs must be able to transmit data using Wi-Fi or Bluetooth so that law enforcement can check driver logs and driving hours. Hence, these devices can be remotely accessed, and vehicle security and safety can be compromised, as demonstrated by researchers at the University of Michigan’s Transportation Research Institute in 2016. The researchers were able to use the J1939 open standard used by HD vehicles to manipulate vehicle diagnostics data, disabling vital security alerts or even disabling the truck’s engine brake, with potentially catastrophic consequences.
Interestingly, the mandate did not contain any cyber security requirements, instead relying on vendors to self-certify their ELDs. Today the ELD market is largely fragmented, and each vendor has built a different level of security into its ELD offerings. Hence, it is key for trucking businesses to choose ELD vendors with robust application security and vulnerability management practices to mitigate the risk in the event of a cyber incident.
With several transportation and logistics companies getting hacked in the past few years, in 2020 several federal agencies including the FBI and the USDOT released cyber security best practices for ELD solutions. While the FBI recommendations were meant to alert businesses to the importance of ELD cyber security, the FMCSA best practices focus on providing extensive technical considerations for trucking companies when acquiring new devices, focusing on risk and vulnerability management for the software supply chain. Below, we will describe key information on cyber security best practices for trucking companies, as well as advice to mitigate risk across the ELD ecosystem.
First and foremost, security needs to be part of the larger architectural design. Very often, security is overlooked as part of the software development life cycle, hence architectural analysis and threat modeling should be leveraged to evaluate potential security risks. It’s also important to complement architectural analysis and threat modeling with penetration testing to discover vulnerabilities that may be introduced inadvertently on production systems. For developers, it is important to instill safe coding practices, including designing safety into the operations of the device, offering backups, and preventing shutdowns that could impact the safety of the driver as well as other vehicles on the road.
Even though it may seem there are similarities due to the usage of the SAE J1939 protocols, implementation and controls depend on design; therefore there is no standard set of recommendations that can work. Telematics devices provide the most common attack vector for the vehicle, as they can be remotely accessed either using data networks or SMS. The primary security challenge with the controller area network (CAN) bus is that any device on the bus can send messages to any recipient. The large number of ingress points presents a unique challenge for trucks, so filtering out unexpected signals should be a key component of the design: limiting CAN bus access and whitelisting the CAN messages that specific ports can receive. An attack can come through several sources, including the ELD device, which is linked to the internet via cellular and/or satellite and to the vehicle ECU over the CAN bus using the SAE J1939 set of standards.
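The per-port whitelisting of CAN messages described above can be sketched as a default-deny gateway check. This is an added example, not code from the FMCSA guidance or from any ELD vendor; the port names, the choice of permitted PGNs, and the sample identifiers are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical gateway directions; names and allowlists are assumptions. */
enum port { VEHICLE_TO_ELD, ELD_TO_VEHICLE, PORT_COUNT };

/* Read-only telemetry an ELD needs: EEC1 (engine speed), CCVS (vehicle
 * speed), engine hours, vehicle distance. */
static const uint32_t to_eld[] = { 61444, 65265, 65253, 65248 };
/* The ELD may only send the J1939 Request PGN toward the vehicle bus. */
static const uint32_t from_eld[] = { 59904 };

static const struct { const uint32_t *pgn; size_t n; } allow[PORT_COUNT] = {
    [VEHICLE_TO_ELD] = { to_eld, sizeof to_eld / sizeof to_eld[0] },
    [ELD_TO_VEHICLE] = { from_eld, sizeof from_eld / sizeof from_eld[0] },
};

/* Extract the 18-bit PGN (EDP, DP, PF, PS) from a 29-bit J1939 identifier. */
uint32_t j1939_pgn(uint32_t can_id)
{
    uint32_t pgn = (can_id >> 8) & 0x3FFFF;
    if (((can_id >> 16) & 0xFF) < 240)  /* PDU1: PS is a destination address */
        pgn &= 0x3FF00;
    return pgn;
}

/* Default deny: forward a frame only if its PGN is listed for this port. */
bool gateway_permits(enum port p, uint32_t can_id, bool extended)
{
    if (p >= PORT_COUNT || !extended || can_id > 0x1FFFFFFF)
        return false;               /* J1939 uses 29-bit identifiers only */
    uint32_t pgn = j1939_pgn(can_id);
    for (size_t i = 0; i < allow[p].n; i++)
        if (allow[p].pgn[i] == pgn)
            return true;
    return false;
}

int main(void)
{
    /* Constructed identifiers, not captured traffic. */
    printf("%d\n", gateway_permits(VEHICLE_TO_ELD, 0x0CF00400, true)); /* EEC1 toward ELD */
    printf("%d\n", gateway_permits(ELD_TO_VEHICLE, 0x0CF004FA, true)); /* EEC1 from ELD side */
    printf("%d\n", gateway_permits(ELD_TO_VEHICLE, 0x18EAFFFA, true)); /* Request from ELD */
    return 0;
}
```

Because the check keys on the PGN alone, it does not authenticate the sender; the source address in a J1939 identifier is set by whoever transmits the frame, so the filter complements physical port separation instead of replacing it.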
The principle of least privilege should also be incorporated into the design in combination with authentication and access controls between applications and services using common design principles such as role-based access controls, two-factor authentication for ELD mobile apps, and appropriate levels of encryption protection. ELD vendors should consider an evaluation of their existing software security initiatives such as the industry-recognized Building Security In Maturity Model (BSIMM, 2020) analysis to measure and improve their current security practices and risk posture.
In the 2021 “Open Source Security and Risk Analysis” (OSSRA) report, produced by the Synopsys Cybersecurity Research Center (CyRC), we found that in the retail and e-commerce sector 92% of codebases contained open source, while over 71% of the codebases in that sector also contained vulnerabilities. With the close adjacency between trucking and retail, it’s important to secure the software supply chain, focusing not only on third-party suppliers of hardware or software but also on other companies that may be providing outsourced services. It’s also important to mandate key security measures across all third-party vendors to mitigate known vulnerabilities and have control systems in place to manage risk across the supply chain. For business continuity and risk management, it is critical that third-party suppliers can respond to emerging threats so that software or firmware updates are delivered in a timely manner when a new vulnerability emerges.
Finally, vulnerability management needs to become a key part of the DNA of the SDLC to operationalize DevSecOps and respond appropriately, quickly, and efficiently to incidents, vulnerabilities, and exploits. It is important to implement secure over-the-air (SOTA) updates to quickly patch security vulnerabilities without opening additional attack vectors while loading updates, configurations, or other data packets from the internet. Both trucking companies and ELD vendors need to take a proactive approach toward cyber security. Organizations need to develop a culture that instills the right values: transparency, openness, and a desire to improve, all great foundations for a strong cyber security program.
Debrup Ghosh is a Senior Product Manager within the Synopsys Software Integrity Group. His prior experience includes working at Verizon to launch IoT products that bring together embedded IoT sensor data into a seamless user experience on web and mobile platforms. Debrup is the author of one patent that focuses on bringing together computer vision processing to aid federally mandated Driver Vehicle Inspection Report (DVIR), simplifying the life of millions of truck drivers in the United States. He holds an MBA from The University of California, Irvine, and takes great pride and honor in mentoring students at his alma mater.