Truckers don’t leave the keys in their truck unattended. Mechanics lock up shop at the end of the day. And trucking companies often install fences around their yards. It’s all part of physical security.
Cybersecurity is just as important, said Artie Crawford, director of cybersecurity at the National Motor Freight Traffic Association. He said there are just as many, if not more, risks to a trucking company’s electronic footprint as their physical footprint.
Smaller fleets tend to think bad actors are more likely to target larger fleets, but Crawford said that is a common misconception, and smaller fleets need to take action to secure their electronic footprints.
“The size of the organization doesn't really matter,” Crawford said during an NMFTA webinar last week. “Ransomware as a service looks to exploit any size of organization, from the 100 million dollar-plus organizations or billion-dollar organizations for that matter all the way down to possibly the single owner operator who's making $120,000 a year.”
The NMFTA is hosting a series of webinars called Roadmap to Resilience in which it recently focused on owner operators and small carriers with five to 50 trucks.
While smaller companies may not make the news when breached, that doesn’t mean it isn’t happening. Crawford said they are oftentimes greater targets because they’re easier to breach.
Ben Wilkens, cybersecurity principal engineer at NMFTA, said it’s important to understand that everyone is a target.
But he said there currently is no tailored set of cybersecurity controls specific to trucking, which has some unique risk surfaces compared to other industries.
“Trucking is a complicated industry. There's a lot going on. It's fast paced. The minute you think you know what's going on, the economy changes, the rates change, fuel changes, regulation changes,” Wilkens said. “It's hard to keep up with all of that and also a constantly changing cyber landscape.”
That is why the NMFTA is working to build out the bones of a cybersecurity framework specific to trucking – a roadmap that boils down some of the more complicated cybersecurity standards for easy digestion by smaller legacy fleets. He said many of the frameworks available, like the Transported Asset Protection Association's for example, are extremely complicated because they are tailored for cyber professionals, which most small fleets don’t have on staff.
NMFTA is taking a step back from those guidelines to look at how these controls relate to the trucking industry and how they can be implemented in an uncomplicated and cost-effective way.
“How can we bring a list of core best practice controls to start small and then build incrementally on that,” Wilkens said.
The first step, he said, is identifying the keys to your kingdom. Pinpoint your most important assets: what critical information or systems you need for business continuity in the event of an attack. You need the keys to your truck, access to fuel, broker/shipper contacts, insurance documents and contacts, etc.
“If you store all of those things online, and then suddenly you can't access those systems, how are you going to maintain continuity in your business?” Wilkens said. “It's really important as we start to craft a plan of action for securing our business, we need to understand how secure we are now or how vulnerable we are now.”
Then determine how a threat actor could access, destroy or misuse those assets. Wilkens said to run “what if” scenarios to help determine those. Risks could be a fire in the building, a hacker, ransomware as a service, theft or loss.
Then establish how best to protect those assets.
Wilkens said some may choose to use an MSSP: managed security service provider.
“Not everyone has the time, the resources, the expertise or, quite frankly, the interest in managing their own cybersecurity internally, especially if you're a one-person, two-person shop where you're driving, you’re booking loads, you're doing the accounting, or maybe you have a business partner or spouse to help,” he said. “You don't need to add cybersecurity as one of those hats that you wear. Sometimes it can be a lot more cost effective to contract out the tactical day-to-day cybersecurity concerns to a managed security service provider.”
But he said to be mindful of who you choose. Ask important questions:
• How is the provider going to address specific risks to ensure sufficient coverage? What is your incident response plan?
• Do you know who CISA is and all the resources they provide? Do you understand security as it applies to the trucking industry? If they do a lot of work for financial institutions, their approach to cybersecurity might be different than what a trucking company needs.
• How many trucking companies are you supporting?
• What type of remote management tools do you use?
“It's really important to understand that outsourcing to a service provider never is going to replace the need for your cybersecurity awareness and your ongoing education about the threats to your operation,” Wilkens said.
He said many fleets think cybersecurity is too expensive, but that isn’t the case.
“There are a lot of things you can do first – practices you can enact. Practicing good cyber hygiene is free,” he said. “I think it's easy to say that the lack of cybersecurity is too expensive not to invest in.”