Richard Wilding, co-founder of ShieldsUp
Fleet operators are at the nexus of the digital and physical realms.
Whilst more business is done online than ever before, just in time logistics help keep modern supply chains lean and profitable, and form a critical part of many business operations transporting materials from A to B.
Internet of Things (IoT) technologies are improving vehicle and driver safety, finding more efficient routes, and delivering great customer experiences.
These connections, which will soon benefit from 5G networks, power the modern economy but can also be exploited for unintended purposes.
Essentially, as more devices and systems connect to the internet, the greater the amount of targets threat actors (hackers) have to exploit.
Indeed, the attack surface of a modern vehicle has never been larger: infotainment systems; OBD II dongles needed for telematics and insurance; GPS navigation systems; digital key fobs; fleet management systems; dashcams etc. plus connected apps offering tracking and remote unlock services - these are all connected devices or systems that have the potential to be exploited by threat actors.
Heavy vehicles have connected more widely through satellite and cellular communications for quite some time.
Consequently, heavy vehicles currently have more avenues for remote access than light vehicles.
Coupled with a high level of electronic homogeneity within commercial trucking fleets, an adversary could easily develop viable exploits that could attack large numbers of vehicles simultaneously.
The benefits that connecting fleets brings must be balanced against cyber, safety and continuity risk to ensure a resilient business.
2019 blackhat threats on auto overtook whitehack threats for the first time (Source: Upstream).
Currently, ransomware is the preferred tactic used by threat actors with Check Point Research reporting a 50% increase in the daily average of ransomware attacks during 2020.
It's taking its toll on businesses globally; this year the Australian logistics giant Toll Group suffered two ransomware attacks within three months and they have yet to disclose the full cost impact to the business.
Ransoms and unplanned costs can be hefty; IBM Security X-Force has reported seeing ransom demands of more than $40 million this year.
Although, that is a snip compared to the $400 million expenses Fedex faced in the first 12 months following the NotPetya malware incident in 2017.
Cyber-threats to connected fleets are not just limited to actions within a company’s own networks either, as the cyber threat may affect a manufacturer directly, and subsequently it’s customers.
With more research being conducted and the number of cyber attacks increasing, there may be additional disruption to connected fleets due to maintenance cycles and vehicle recalls.
In 2019 security researchers found Teletrac Navman, Global Telemetrics and LoJack smart tracker app APIs had authorization vulnerabilities, allowing a hacker or thief to take over the account, track individual vehicles in real time, suppress theft alerts, and extract personal data.
If a vehicle was alerted as stolen, the thief could also delete the alert and prevent any further action being taken.
One tracking device could be remotely triggered to immobilize the vehicle, stopping it from being driven (Upstream 2020).
Threats come in other forms; using a vehicle as a weapon is a popular tactic for terrorists and extremists.
Lone actors and small cell operations don’t require large financial support when they can hire, or hijack, a vehicle and use it in an attack.
In recent years, individuals have driven vehicles as weapons into crowds of pedestrians in fatal attacks in major cities including New York, Edmonton, Toronto, London, Berlin and Nice, France.
The Global Terrorism Database recorded 12 incidents where vehicles were used as the weapon in a terrorist attack between 2015-2018 in the US alone.
There is a risk that threat actors with extreme political beliefs could utilise technology like connected vehicles to conduct an attack.
So what is being done?
Manufacturers are responding to threats by hosting bug bounty programs whereby white hat hackers try to identify any potential weaknesses.
These programs indicate a growing awareness of the vulnerabilities and potential damage, should they be exploited.
The Hackerone bug bounty platform hosts public vulnerability disclosure programs for both Ford and General Motors and shows the large number of vulnerabilities that existed before the programs launched.
Security by design principles are slowly becoming the standard for all IoT devices, yet with the myriad of devices that will be connected to the internet, let’s not forget the responsibility organisations and individuals have to ensure their devices, systems and networks are properly patched, updated and backed up safely and regularly.
Other measures can include encrypting data and systems, using multi-factor authentication (MFA) and even Intrusion Prevention Systems to prevent entry to vehicles and onboard systems being hacked.
With this type of security in place, it can also help to minimise operational risk and the business impact by including cyber insurance as part of an overall risk protection strategy.
Traditionally, cyber insurance has been an ‘add-on’ to existing commerical policies or only provided third party cover in the event of a breach, potentially leaving businesses woefully underinsured and without specialist expertise to remediate the short, medium and long-term impacts of a cyber attack.
It's worth utilising tailored cyber insurance services as part of a comprehensive defense strategy against threat actors.
Connectivity, automation and electrification will continue to be the most dominant automotive technology trends in the next decade; Frost & Sullivan forecasts that by 2025, 55% of all trucks in North America will be part of connected fleets.
As technology advances, the potential for vulnerabilities to be exploited also grows, so fleet owners and operators need to consider the implications; how can they control cybersecurity risks while still embracing innovation?
These are questions that ShieldsUp is exploring and is seeking participants to take part in simulated cyber attacks.
Participants will receive a free Incident Response Plan that they can utilise within their own company.
If fleet operations and security is an area that you’re responsible for in your business, please visit https://www.shieldsup.io/ to find out more.