Article written by Cristina Commendatore
According to a private industry notification from the FBI, research into a selection of self-certified ELDs found the devices did “little to nothing to follow cybersecurity best practices and were vulnerable to compromise.”
In a private industry notification, the Federal Bureau of Investigation’s (FBI) Cyber Division warned that cyber criminals could exploit vulnerabilities in electronic logging devices (ELDs). And because the federal ELD mandate does not contain cybersecurity requirements for manufacturers or suppliers of ELDs, commercial trucking operations face greater risks for data breaches.
Jane Jazrawy, CEO of CarriersEdge, a Canada-based provider of online safety and compliance training tools for the North American transportation industry, explained that the good news for commercial truck fleets is that the FBI has done its own internal testing, meaning this private industry advisory doesn’t appear to stem from an actual event.
The ELD rule became law in 2016, with mandatory compliance beginning in December 2017. The rulemaking process included no requirement for third-party validation or testing prior to ELD self-certification. And at the time, cybercrime was not as prevalent in the trucking industry.
“In 2017, it wasn’t common for a trucking company to be hacked and when people talked about cybersecurity, it was mostly to do with WikiLeaks, Equifax and Yahoo!,” Jazrawy explained. “Everyone in trucking was still talking about whether ELDs should be mandated or not and trying to get exemptions—not about security. People were really thinking about how to get all their drivers to use electronic logs and how expensive this transition was going to be.”
Now, however, the COVID-19 pandemic has much of the nation hyper-focused on essential workers and businesses, like trucking, where hackers are likely to look for new opportunities to make money.
Take the latest report from Mimecast, for instance, which points out that the spread of COVID-19 has created many new opportunities for cybercriminals. Mimecast offers cloud-based cybersecurity services for email, data and web applications.
The report reviews Mimecast’s detection data at various layers during the first 100-day period of COVID-19. According to Mimecast, the monthly volume of all the detection categories reviewed increased significantly between January and the end of March 2020:
- Spam/opportunistic detections increased by 26.3%
- Impersonation detections increased by 30.3%
- Malware detections increased by 35.16%
- Blocking of URL clicks increased by 55.8%
Among the report's other key findings, transportation and logistics was one of the top three sectors targeted throughout the first 100 days of the pandemic. Mimecast also points out that two of the technologies most vulnerable to attacks are 5G and the Internet of Things, both of which are or will be critical to the transportation industry.
Cyber vulnerabilities and proactive measures
According to the FBI’s advisory, “industry and academic research into a selection of self-certified ELDs found the sample of devices did little to nothing to follow cybersecurity best practices and were vulnerable to compromise. The sample included ELDs that could be purchased off the shelf at superstores and ELDs supplied by well-known companies.”
“Researchers demonstrated the potential for malicious activity to remotely compromise the ELDs and send instructions to vehicle components to cause the vehicle to behave in unexpected and unwanted ways,” the advisory stated.
Jazrawy urged trucking operations of all sizes to take the advisory seriously.
“If the FBI releases an advisory, it is because they think it is likely to happen,” she said. “I would pay attention. I would be talking to my manufacturer today and asking what security they have.”
In Canada, which has an ELD mandate coming down the pike, ELD manufacturers won’t be able to self-certify like they did when the U.S. mandate took effect. However, Jazrawy noted that the Canadian ELD standard doesn’t have much regarding cybersecurity yet—but that could change as a result of the FBI advisory.
“My other real concern is owner-operators who have one or two trucks and are using off-the-shelf ELDs,” Jazrawy said. “How are they going to ensure their security?”
To ensure trucking operations remain protected from cyberattacks, Jazrawy advised fleets of all sizes and owner-operators to hire independent companies to try to breach their systems. Consulting companies will send phishing messages to employees to determine where there are vulnerabilities and where cybersecurity training is needed.
“Don’t wait for someone to attack you, see if you can attack yourself,” she said, referring to white hat hacker services. “I think this is an amazing opportunity for carriers to look at their cybersecurity right now. The FBI has basically given carriers questions to ask. All carriers have to do is contact their ELD providers.”
Jazrawy added that even though putting security measures in place is an added expense for smaller trucking companies and owner-operators, it is still important to have a good understanding of system vulnerabilities. She advised truckers to pay attention to any suspicious activity—no matter how small it may seem.
“If you get hacked, that is a much more expensive proposition. Your cost to help prevent and put in security to prevent a cyber incident from happening could be way less than what someone is trying to get out of you and what you could potentially lose,” Jazrawy warned. “If you do nothing else, think about where the vulnerabilities are and start thinking about how you can block those holes in terms of cybersecurity. Talk to people who understand the technology and start going from there.”
Original Source: https://www.trucker.com/technology/article/21137923/are-elds-at-risk-for-cyberattacks