Imagine losing access to your business management technologies all at once. From back-office computer systems, to dispatch, to mobile communications and shop technologies. Could you continue to operate? If so, how would you do that? And if you couldn’t operate, would you pay anything to get everything back up and running? That’s exactly what hackers hope when they inject ransomware into your system.
News of major hacks against companies, governments and other organizations has become common. No organization, it appears, is immune from cyber threats, and trucking has become a heavily targeted industry.
How do you defend yourself against such attacks? Assume your system will be attacked, understand the kinds of threats you might face, and implement policies, training and technology to prevent an attack from being successful.
What Types of Attacks Should You be Most Concerned With?
“In my experience, most transportation companies are most affected by ransomware and phishing attacks,” says Ben Barnes, chief information security officer, McLeod Software.
The phishing attack is the first step. That’s the strategy hackers use to gain access to your system, which allows them to download the ransomware. When a person clicks a link in a phishing email or text message (smishing), it opens a door into your system.
“A lot of people don’t realize that just clicking on a link or downloading a photo can give the malware a path into your computer,” says Sharon Reynolds, chief information security officer at Omnitracs. Understanding that someone will eventually click on a link is an important first step in protecting yourself.
The consequences of a ransomware attack could be devastating. “Trucking companies should be not just be concerned over cybersecurity, but rather both paranoid and laser focused on it,” says Ben Wiesen, president of Carrier Logistics. Space on a truck is a perishable thing — you can’t fill a truck later, those loads are gone, so any “system outage is revenue lost,” he says.
He adds that system outages are the “biggest interrupters” to trucking company operations — even more so than weather events, traffic or natural disasters. Not all system outages are caused by cyberattacks, but the things that can reduce the impact of such attacks can also help with other types of IT outages.
Scott Bolt, director of product management at Noregon, a provider of vehicle diagnostic and repair software, agrees that ransomware poses a particular risk, particularly for business and shop systems. “Each of these systems deserves equal attention to prepare for cybersecurity threats,” he says. If a company falls victim of ransomware, they could lose “tools and information their business relies on, potentially limiting their ability to diagnose and repair vehicles with their shop devices.”
Another type of threat is known as a “social engineering attack,” according to Lisa Jaffee, assistant vice president, Gallagher Bassett, a risk and claims management company with offices worldwide. In these attacks, “a typical scenario is an organization receives an e-mail that appears to come from a trusted vendor or customer, asking for funds to be wired to a new bank account,” she says. Believing the request is legitimate, a company makes a payment, only to discover later it has been the victim of a fraud.
Social engineering attacks can also be where “cybercriminals take bits of data from many different entities and splice that together to formulate enough information to access email systems, logins and passwords or privileged information for credit applications,” McCloud’s Barnes explains.
What Part of Your Business is Most Susceptible?
In general, criminals will go “where the money is,” so back office systems are often prime targets, because of their access to company banking and other accounts.
“Hackers will frequently target the company’s bookkeeper or CFO, or those who work with them,” Jaffe explains.
While where you might be attacked will depend upon how your security is set up, Reynolds says that “most phishing will hit your back office.” But you must also be aware of any old computers, perhaps in the shop, that have access to your management system. “It is difficult, but always attempt to do an inventory of everything you have. The number one rule is to know what you have,” she says.
“Pinpoint attacks often target accounting and HR because those personnel have control of cash disbursements,” Barnes adds. But he agrees that companies must be aware of attacks from something that doesn’t on the face of it look suspicious — such as spoofed email that appears to come from the president of the company.
While the back office may offer the fattest targets for hackers, all areas of the business are equally at risk, Jaffe points out. “Hackers can induce employees across various business segments to inadvertently click on a phishing email and enter their account credentials,” she says. Once they have these account credentials, hackers may have a way to access confidential information, such as customer files, transactions, or other information that can be used to launch other attacks.
“Most modern hackers are trying to figure out how to create a data stream,” says Chris Sandberg, vice president, information security at Trimble Transportation. “The back-office data is more valuable for that.”
Bolt says hackers often focus on areas that may be the most susceptible to a cyberattack, and that their motives may differ. For example, some want to steal financial information, while others may use ransomware. An emerging threat, he says, are those wanting to take control of the systems onboard a commercial vehicle.
Are Your Mobile Devices Safe?
While most cyberthreats target back office systems, don’t assume your mobile devices and systems are safe.
“Mobile apps and connected vehicles may be less valuable,” to hackers, Sandberg says, but “we don’t know what we don’t know.”
Your mobile systems may be somewhat safe for now, says Barnes, because cybercriminals haven’t figured out how to monetize hacks on mobile devices. But you shouldn’t let your guard down. If hackers could gain access through a connected mobile device to onboard systems and shut trucks down, essentially holding them hostage, the repercussions for a trucking company could be dire.
“We don’t know that they can do this, but we don’t know that they can’t, because those guys are knocking down doors we didn’t expect,” Trimble’s Sandberg says.
Security experts know that a smartphone can be compromised, so mobile device vendors try to keep on top of possible threats, Reynolds says. Some vendors participate in a cybertruck challenge each year in Detroit, where engineering students try to compromise their devices.
Jaffee says that while there has not been a high incidence of cyberattacks targeting telematics or electronic logging devices, there’s still a reason to be concerned. Because of the role the transportation sector plays in the national economy, it could be “a potential target for cyberattacks by nation-states.”
The Perils of Being Connected
For many years, “connected” has been both a buzzword and a goal for the industry: smart vehicles and smart roads connected to smart buildings and other infrastructure. It’s undeniable that this internet of things has proven beneficial, but all of this inter-connectedness poses risks.
“Every new connected technology creates additional cybersecurity risks,” Jaffee says. In recent years there have been reports of all kinds of hacked consumer goods, including smart TVs, baby monitors, and climate control systems. Devices that are widely used in trucking, such as ELDs, smart tags and other electronics, may become targets down the road. “Trucking companies should seek to work with manufacturers who understand the data security risks and are proactive about protecting their products,” she adds.
Barnes doesn’t think manufacturers of many “smart” devices used in a company’s building (thermostats, light switches, etc.) take data security as seriously as they should. ”Very few of those manufacturers care that you are potentially plugging those devices into a corporate network that is critical to a company’s day-to-day operation,” he says.
And it’s not just businesses that have to worry, Reynolds says. Connected devices are everywhere, whether in a commercial building or in one’s own home. “We’ve connected everything, and some things weren’t meant to be connected in the first place.” She feels that trucking has been a bit behind in this area. “A lot of these lessons have already been learned in other industries.”
How Do You Protect Yourself?
The number one thing a company can do to protect itself is to have someone responsible for security, Reynolds says.
That person should spearhead the effort to identify the most critical business processes — what data and systems you can’t live without for one or two hours. Then develop a protection plan that addresses these areas. “It’s irregular warfare. There are many of them coming at once, with infinite amounts of time and resources just to find that one opportunity.”
Reynolds does not believe it is possible to defend your company from every attack. She recommends considering what is the most important and then identifying the technology, processes, or even paper solution that will get you past a problem.
A cybersecurity plan should include physical safeguards, such as facility access control or preventing employees from taking company devices such as laptops home on the weekend. It should include administrative safeguards, including policies and procedures for logging in to company systems — as well as an incident response plan when an attack occurs.
“Since employees are often a company’s weakest link, regular employee training on social engineering and phishing scams is an effective tool,” Jaffee says.
An ongoing education and cyberawareness program should be the first line of defense. “The more visibility everyone has on cybercrime methods, the better everyone is prepared to defend against them,” Barnes says. That means not ignoring things we may have ignored in the past. While you don’t want employees to be totally paranoid, they shouldn’t always assume that a temporary glitch in their computer is something harmless.
Technical safeguards might include firewalls, strong passwords, multi-step authentication, and data encryption. Segment different parts of the company’s network, so if one group is affected, it does not affect the entire company.
Companies also can benefit from conducting vulnerability scans and penetration testing to identify and fix system vulnerabilities before a breach occurs. Another thing to consider is a cyber insurance rider.
And don’t think because you have a plan today that you’ll be all right tomorrow.
“Understand that cybersecurity isn’t something you set a policy for, then never return to it,” Bolt says. Companies have to stay vigilant and up to date with processes and procedures. Once you have a cybersecurity plan in place, continue to conduct regular audits. You can do this internally or have outside experts audit your plan.
Most importantly, you don’t want to be the “low-hanging fruit,” Barnes says. Implement policies and procedures that can help you and your employees protect against cyberthreats. Otherwise, your essentially “leaving your house wide open.”