Ahead of an all-hands meeting, the information security team at Werner Enterprises (CCJ top 250, No. 14) combined all video archives of CEO Derek Leathers and, using a cheap AI tool, created a deepfake message announcing to employees that the company was removing all vacation time for cost cutting measures.
Many employees bought it until Leathers walked into the meeting an hour-and-a-half later, reporting that it was a fake AI-generated message. Daragh Mahon, executive vice president and chief information officer at Werner, shared this story last week at the National Motor Freight Traffic Association’s annual cybersecurity conference hosted in Cleveland, Ohio.
He said it was his team’s effort to further educate its employees on the importance of cybersecurity. Cybersecurity, he said, is the biggest thing that keeps him up at night because “that’s the one thing that can shut us down.”
[RELATED: Trucking industry experts fear AI is an emerging cybersecurity concern]
The infosec team – not the corporate training team – at Werner hosts quarterly mandatory cybersecurity training for all employees, including drivers. The team also broadcasts cybersecurity messages across TVs throughout its terminals and regularly performs its own phishing testing on employees, who after three failures (by clicking on a link in a phishing email) must take additional training. If there’s another failure in the next three months, you get written up.
“We've taken a very hard-fisted approach to it. Employees don't enjoy it. Yes, it scares them. Yes, it makes them worried. But that's sort of the goal. We want them to understand the risk … and it's not just the company; it's their own jobs,” Mahon said. “We're one of the biggest carriers in the United States. If we were down for a couple of weeks, that is an impact on the supply chain... It's an impact on their jobs. It's an impact on the prices they and their family pay at the store. So we try to get that message across and say, ‘Hey, we're not doing this because we're trying to be assholes. We're doing this because we want you to understand the gravity of the situation.’”
While newer technology like AI is a rising cybersecurity concern, Mahon said he’s still most worried about older technologies, especially email because 90% of all attacks on corporate America last year came through email, yet companies use it every day.
Bare metal attacks
While internal attacks via methods like phishing (the top method of ransomware) and even piggybacking into the building with a fake employee ID are more common, he said bare metal attacks are coming.
“It’s never happened but it will. Ransomware never happened until it happened … These are the types of things we have to prepare ourselves for. We have to start thinking like the bad guys,” Mahon said. “I really do believe the bad guys who are targeting the U.S., but in general are targeting trucking, think about how to get onto the truck and utilize the hardware on the truck to cause problems. Not steal the software, not steal the data. How do we take the truck, shut it down, so we can shut down transportation? Or even weaponize it in the worst-case scenario in the case of terrorists.”
[RELATED: Ransomware remains top cybersecurity concern for trucking industry]
Werner is working with all the top providers in autonomous trucking, and he said he has been impressed with their level of focus on securing the operating systems that run robotics and data on the trucks, but he wasn’t impressed with their lack of focus on the possibility of bare metal attacks.
“If somebody were to get on the CAN (Controller Area Network) bus hardware, install their own primitive OS and take over the robotics, they can weaponize the truck to say run into a school bus,” he said. “Do that with a couple hundred thousand trucks across the U.S., which is what autonomy will bring to us at some point, and our enemies have a very easy way to get ahold of us. Let alone just taking over the truck and shutting it down and shutting down transportation in the United States.”
Playing defense
Mahon said he met the founder of a company called Fleet Defender, which offers a hardware device that plugs into the CAN bus to monitor anomalous traffic on and off the truck. Fleet Defender, which is deployed on Platform Science, provides real-time cyber threat detection before security is compromised. Mahon said Werner is working to deploy that across its entire fleet and its network and technical operations centers.
Werner is also moving away from the use of email.
“What does everybody do before Valentine’s Day? They break up,” he said. “We’re doing a campaign (called) ‘we’re breaking up with email,’” when the company rolls out its new corporate media platform in February.
The platform will provide alternatives to email like secure chat channels and secure file sharing through systems like Sharepoint and OneDrive.
“I feel like we don’t need email anymore; we just perpetuate the use because it’s something we’ve gotten used to even though it is the single most dangerous thing we have in our toolbox,” Mahon said. “It will kill us, and every one of us at some point are going to experience a phishing attack.”
Like many others, the company is also on a tech journey, transitioning from legacy systems to cloud-based platforms.
“We’re in this sort of weird place where I have to have perimeter security around the old on-prem stuff … and then as we transition into SaaS space … we have to be ready there as well,” he said.
Though he’s more concerned about on-prem security, he said the shift to the cloud has its own cybersecurity challenges.
NMFTA COO Joe Ohr said a company is only as strong as its weakest link, and oftentimes the weakest link is a third-party vendor. Many breaches come via a third-party avenue.
Mahon said as Werner moves from SaaS to the cloud, his team evaluates third-party providers for things like sales and back-office software not only based on functionality but also reputation. While a carrier can’t abdicate responsibility for their security to those platforms, he said they should still choose vendors that are know for being secure.
“The second thing is vet the hell out of them,” he said. “Every single vendor we sign up, they go through a security assessment … We have anywhere from, depending on the type of company, from 40 to 80 to 100 questions that they must answer, and we go through them line by line and make sure that they have the security we would expect them to have, that they have the controls in place.”
Werner then monitors its vendor platforms and assesses them quarterly for security.
“You have to watch it all day every day because you never know when somebody's in there,” he said. “In fact, you just have to assume that (a bad actor) is in there.”
