CLEVELAND, Ohio—As the world moves toward more advanced driver-assistance systems (ADAS) and connected vehicle technologies, the trucking industry is expected to realize added safety and efficiency benefits. But with those benefits come new opportunities for cyber-attacks.
In more traditional trucks, the driver has typically been considered the single point of failure for the vehicle’s safety and security while on the road, noted Wally Stegall, technical fellow and director at The Morey Corporation, during the American Trucking Associations’ Technology & Maintenance Council’s 2021 fall meeting. Moving forward, however, ADAS and automated systems are creating multi-points of failure for cyber safety and security.
“The important thing to note is cybersecurity is extremely important,” Stegall, a participating member of ATA’s cybersecurity taskforce, said. “In our future world it’s not about a driver having a bad day because something went wrong from a maintenance standpoint; you’ve got an entire fleet having a bad day, week, or month. As we look at cybersecurity, safety, condition-based maintenance, and integrated vehicle health management, we need to tear down the institutional and operational divisions between design, enterprise, maintenance, and IT.”
Stegall stressed the importance of including cybersecurity and safety in the design of all commercial vehicle systems.
“It will take a significant amount of energy for the industry to change because instead of having a 10-year design cycle for a vehicle platform, we’re now looking at a much shorter design cycle and newer technologies coming at us,” Stegall pointed out. “While we advance cybersecurity, we also need to be proactive in our recommended practices to give feedback to the rest of the industry in a timely manner, so that we’re part of the design process as well as the recommended practice process.
During the TMC meeting, ATA announced it is updating Fleet CyWatch, a TMC and Transportation Security Council program that assists fleet members in reporting information about trucking-related cybercrimes and attacks. According to Dan Horvath, ATA’s VP of safety policy, a benefit of the program is intelligence sharing.
“Instead of you being responsible for tracking cybersecurity incidents and threats and trying to figure out how it could impact trucking operations, Fleet CyWatch is a subscription service where we do the work on our end and get it over to you,” he explained. “It helps you stay aware of the issues and offers training solutions and awareness in how to prevent vulnerabilities to particular attacks.”
ATA has also ramped up talks and involvement with the Transportation Security Administration to share the issues fleets are experiencing on the cybersecurity front. One potential issue that Horvath mentioned is cybersecurity vulnerabilities with electronic logging devices. Horvath also pointed out that acceleration to 5G networks is a concern.
“While this isn’t necessarily a cybersecurity issue, there are a number of ELD providers out there that rely on 3G to transmit ELDs,” he said. “This is becoming problematic on the ELD front, and we have an ELD taskforce talking about that issue to see how we can rectify that problem.”
ATA has also partnered with Hudson Analytix to deliver CyMetrics, a cyber-risk management program for the trucking industry. CyMetrics aims to help trucking companies enhance the oversight and management of their cybersecurity program by identifying factors contributing to and determining the company’s overall risk. The program assesses a company’s cybersecurity preparedness and evaluates whether preparedness is aligned with cyber risks. CyMetrics then helps fleets determine risk-management practices and actions to be taken to achieve the desired state of cybersecurity preparedness.
William Elkins, CTO for Hudson Analytix, was quick to point out that one solution does not solve all the cybersecurity issues that the trucking industry faces. He emphasized the importance of creating a bridge between a carrier’s IT department and management team to better identify where cybersecurity gaps exist in practices, technology, controls, or incident management.
“It’s not just an IT problem, but it typically falls on IT and technical departments within your organization to identify these gaps,” Elkins said. “Management sometimes struggles with why it’s important to do these things. Our goal here is to create the path to closing those gaps.”
