Editor’s note: Written by Jorge Valdivia, chief technology officer at Fleetio, a fleet maintenance software company. This is one in a series of periodic guest columns by industry thought leaders.
When we think of cybersecurity and associated risks, we typically conjure up images of such connected devices like smartphones, tablets, and laptops — often forgetting that many vehicles today fall into that same category. As connected vehicle technology improves and expands, cybersecurity risks only increase, and it’s a growing concern. In fact, “hacked vehicles” has become a trope in thriller and suspense genres in pop culture from films and television to novels. So what exactly are the real-world risks associated with connected vehicles and how can you mitigate them?
Determining Access Points
Whether you operate a fleet of light-duty service pick-ups or Class 8 big rigs, your truck could be at risk. It’s hard to understand and prepare for cyber threats without knowing how they target your fleet assets, and connected trucks have a number of options to choose from. One target, for example, is a truck’s electronic control unit (ECU), which controls a majority of a vehicle’s functions, including steering, braking, and lights. In-vehicle wireless connections control tamper-able functions such as locking, unlocking, and starting a vehicle, as well as diagnostic monitoring. Additional targets include infotainment and telematics systems, tire pressure monitoring systems (TPMS), light detection and ranging (LiDAR), advanced driving assistance systems (ADAS), onboard Bluetooth and Wi-Fi, and USB and diagnostic ports.
All of these connections are points of entry through which an attacker can gain access to the truck and download stored data or control critical systems, depending on the type of attack: passive or active, respectively. Passive attacks are more difficult to detect, as they intercept and listen to communications to and from the vehicle, while active attacks compromise the vehicle’s functions. Regardless of the attack type or means, once attackers gain access to one vehicle system, they can quickly access them all. Vehicle systems are the backdoor to business systems. If your vehicles are not secure, your business is not secure.
Understanding the Risks
Fleets are at higher risk of cyber threats because it’s easier to hack a group of the same vehicle than an individual vehicle. After exploiting a 2016 Mitsubishi Outlander plug-in hybrid electric vehicle (PHEV), cybersecurity consultant company, PenTestPartners, discovered that “once they knew a vehicle’s SSID (Service Set Identifier) any vehicle of the same make and model could be found and connected to a mobile device in order to determine its geolocation.”
Cyber threats to connected fleet vehicles go beyond data collection — which is already a costly issue. Cybersecurity risks threaten the health and safety of your assets, but also your drivers and anyone on the road around them. On top of that, if you can’t prove you’ve taken proper safety precautions in the event of an accident, you could be held liable. A remote cyber attack on your truck can cause it to immediately shut down or brake harshly, no matter where it is or what it’s doing, which can lead to serious accidents.
Cybersecurity experts Chris Valasek and Charlie Miller gained remote access to a 2015 Jeep Cherokee through Uconnect. This allowed them to toggle the vehicle’s ignition, reduce its speed, engage and disable its brakes, measure its speed, distance, and direction, and control its heating and radio systems.
Valasek and Miller discovered additional ways an attacker could access the vehicle, including through the MP3 parser of the radio, the Bluetooth stack, and the vehicle Wi-Fi network (either by cracking the passcode or gaining access to a device that was paired to the network), and by using a USB with a malicious software update. While the example used here is a Jeep, this could easily happen in any connected truck as well.
The amount of control a hacker can exert over your truck and the numerous means by which it can be done make countermeasures seem difficult. While vehicle manufacturers are taking steps to reduce cyber threats as they scale up connectivity, such as hiring cybersecurity consultants, it’s important to take measures of your own to help mitigate such risks.
Mitigating Cybersecurity Risks
By better understanding the security risks that come with connected fleet trucks, you’re better able to reduce the risks and protect your business. The biggest principle to keep in mind is that security should never be static. When it comes to mitigating risk and developing more secure processes, consider adopting these strategies:
● Limit truck access to authorized personnel only: To help ensure the safety of your truck and reduce compromising fleet data, limit vehicle access to authorized individuals. Make sure anyone with vehicle access knows to park in a secure location and to keep the vehicle locked any time it’s unattended. Make sure vehicle operators are knowledgeable regarding evidence of tampering, including looking for unknown devices connected to the OBD port, spliced wiring or tampering with the dashboard.
● Get support from OEMs: Manufacturers can help you reduce cyber threats at the physical access level in several ways, including “installing a network traffic monitoring and tampering alarm in the vehicle that detects unusual CAN messages […] and transmits a warning signal to fleet managers and [the] manufacturer cybersecurity team [and] implementing firewalls, whitelisting, and blacklisting ECU messages to prevent unsafe commands,” according to a report from the federal National Renewable Energy Laboratory. Talk with OEMs to determine what all support they can offer to help improve your fleet’s security.
● Keep software up to date: It’s important to keep software updated when it comes to maintaining security. Oftentimes, these updates correct for discovered security holes in the device or software. Devices that are not updated leave the fleet more vulnerable to attack. Technology can be buggy, as most people know, and some updates can fail or actually exacerbate flaws in previous versions, so it might be worth looking into incorporating the ability to revert to the prior firmware version should an issue like this take place.
● Train and communicate with employees: We mentioned above to ensure your fleet’s operators were educated about the signs of physical tampering, but communication and training around cybersecurity should go beyond that. Cybersecurity is constantly evolving to combat the evolution of cyber threats, which means consistently revamping your cybersecurity processes. Provide periodic training for employees to make sure they know what is expected of them as these processes change over time. It’s also important to explain why specific measures need to be taken and what the repercussions of cyber attacks look like in order to get buy-in and vested interest from employees.
While cybersecurity risks may seem like some devastating yet intangible thing that could “never happen to my fleet” — kind of how most people think of identity theft — it’s a very real and very persistent threat, especially with the rise of connected vehicles and the increasing use of software among trucks. With so many methods through which attackers can gain access to your truck and business systems, it’s hard not to think about what can happen during or after a cyber attack. When it comes to security, it’s best to be proactive, not reactive.
Trucks.com welcomes divergent thoughts and opinions on transport technology and trucking industry issues. Use the comments section to cite yours. Qualified opinion leaders are welcome to offer suggestions for opinion columns. Contact [email protected]