Article written by Eric Miller
[Stay on top of transportation news: Get TTNews in your inbox.]
The FBI issued a cautionary notice warning truckers that cyber criminals could target electronic logging device vulnerabilities as a means of seizing business information, but industry experts note that hackers have as yet not found a way to crack into ELD data.
“Although the ELD mandate seeks to provide safety and efficiency benefits, it does not contain cybersecurity requirements for manufacturers or suppliers of ELDs, and there is no requirement for third-party validation or testing prior to the ELD self-certification process,” the FBI said in a Private Industry Notification dated July 21.
The agency’s warning did not, however, reference any specific attempts to hack into ELDs.
That concurs with information from American Trucking Associations’ Fleet CyWatch program, which assists members with information about trucking-related internet crimes, cyberattacks and cyber threats that may impact their operations.
ATA director of technology and engineering policy Ross Froat told Transport Topics that the group isn’t aware of any ELD attacks, and said vulnerabilities have only been exposed via research and testing.
“There have not been any cyber crime reports of trucks or their technology applications, especially by way of an ELD. The FBI notification is for informational awareness from their industry activities,” he said.
Sharon Reynolds, chief information security officer at Omnitracs, agreed.
An Omnitracs ELD. CISO Sharon Reynolds says, “There are no current ELD hacks that we are aware of.” (Omnitracs)
“There are no current ELD hacks that we are aware of,” Reynolds told TT. “The FBI notice for the industry was a proactive exercise in order to create a better security posture and avoid potential future hacks.”
The FBI said as much in its notice, stating that it issued the warning “in furtherance of public-private partnerships.”
The agency added, “The FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cyber actors.”
The notification said that companies choosing an ELD can mitigate their cyber risk by following best practices tailored to ELDs. “This includes asking the ELD’s supplier specific questions, some of which are identified in this [notification],” it said.
The Federal Motor Carrier Safety Administration’s ELD mandate, effective Dec. 16, 2019, required that most commercial truckers install ELDs on their trucks, and log their hours electronically.
Froat noted that while some research has suggested that ELDs a e easy targets for hackers, this is more true on what he described as “unsecure” electronic logging systems like some that rely on internet of things technology.
“It’s important to know industry accepted ELDs are secure,” he said. “Remember, ELDs’ primary role is to record hours of service and have mandated cybersecurity protocols. They just need to follow these protocols and enhance themselves with industry-recognized best practices.”
Froat added, “We’re happy that the FBI private industry notification was released, but this activity shouldn’t be new to our members. Through ATA Fleet CyWatch and the Technology & Maintenance Council’s cybersecurity task forces and conferences, ATA has been very engaged improving the industry’s cybersecurity posture.”
The FBI notification defined ELDs as devices that electronically send inspection reports to FMCSA, and are required to connect to a vehicle’s electronic control module in order to track date, time, location information, engine hours, vehicle miles, user identification data, vehicle identification data and motor carrier identification data.
“Industry and academic research into a selection of self-certified ELDs found the sample of devices did little to nothing to follow cybersecurity best practices and were vulnerable to compromise,” the notification said. “The sample included ELDs that could be purchased off the shelf at superstores and ELDs supplied by well-known companies.”
Commands passed into the vehicle network through an ELD could affect functions such as vehicle controls and the accuracy of the console display, the FBI said.
“Cyber criminals interested in stealing data such as personal information, business and financial records, location history and vehicle tracking, or other proprietary data such as lists of customers and cargo can use vulnerabilities in ELDs as a way in to access trucking companies’ enterprise networks and databases,” it noted.