In-cab technology, particularly ELDs, vulnerable to cybersecurity threats

Cybersecurity is not a new topic in trucking. We’ve seen a number of fleets on the wrong end of a cyberattack due to phishing, ransomware and other avenues that affect the back office. With more technology continuously being added to trucks, how secure are those devices?

New research from Colorado State University details cybersecurity threat vectors surrounding one of the most used devices in the cab of a truck: the electronic logging device. Read more on the paper in this report from CCJ's Angel Coker Jones. 

Stephen Ritzler, Transportation & Logistics Manager at insurance broker Aon & CoverWallet, joins us this week to talk about the threats identified in the CSU paper and what it means for the trucking industry.

Contents of this video

00:00 10-44 intro
00:30 Cybersecurity in transportation
02:15 Electronic logging devices
05:05 ELD cyber protection
05:54 Cyber liability insurance
07:15 Trucking technology and vulnerabilities
08:02 Cybersecurity best practices

Transcript

Jason Cannon:
CCJ's 10-44 is brought to you by Chevron Delo heavy duty diesel engine oil. Now there's even more reasons to choose Delo.

Matt Cole:
How secure is in-cab technology from cyber threats? Not very, according to new research.

Jason Cannon:
You're watching CCJ's 10-44, a weekly webisode that brings you the latest trucking industry news and updates from the editors of CCJ. Don't forget to subscribe and hit the bell for notifications so you'll never miss an installment of 10-44.

Hey, everybody. Welcome back. I'm Jason Cannon, and my co-host, right over there, is Matt Cole. Cybersecurity is not a new thing in transportation. We've seen a number of trucking fleets on the wrong end of a cyber attack due to phishing, ransomware, and other avenues that affect the back office, but with technology continuously being added to the truck, how secure are those devices?

Matt Cole:
New research from Colorado State University details cybersecurity threat vectors surrounding one of the most used devices in the cab of a truck, the electronic logging device. Stephen Ritzler, Transportation and Logistics Manager at insurance broker Aon and CoverWallet, joins us this week to talk about the threats identified in the CSU paper and what it means for the trucking industry.

Stephen Ritzler:
I believe it was an associate professor and two of his students that conducted this research across a number of different devices, and what they uncovered was that a number of them, and I think, really, the predominant number of them, are by default wirelessly enabled, and from the manufacturer that was intentional for the purpose of what they call OTA or over-the-air updates, so they could, in real time, distribute software firmware updates to these devices that are installed in these vehicles. What this Colorado State paper is addressing is that that does bring some vulnerability to the table, because these are relatively easy for a cyber attacker to code break and get into these devices with these default wireless settings already enabled. So a compromised vehicle could have its records susceptible to being tampered with, like hours of service records, and that could put a compromised vehicle's operator at risk for a DOT sanction.

Jason Cannon:
If an ELD does get hacked, there are numerous issues a fleet could face, ranging from tampered logs, to cargo theft, and a lot more.

Stephen Ritzler:
According to their research, and they are a bit vague in terms of what vehicle systems an ELD can be used to manipulate, but you could get broader access to a vehicle's systems. To the best of my understanding, unless it's an autonomous vehicle or it has autonomous braking systems, there isn't as much of a hazard risk that we would see from the ELD itself being compromised. But the data that a bad actor might be able to glean from accessing the ELD is really the broader concern, and their ability to manipulate that data. Even if they're not tampering with hours of service, let's say they take more of an observant approach, a bad actor, they might be able to kind of quickly learn when a vehicle is likely to stop if it's reaching its daily hours of service limits, and if it has a high value load, then that's a vehicle that's now at risk of being commandeered or even robbed.

Matt Cole:
The vulnerabilities of ELDs are mostly out of a fleet's control. Stephen explains how fleets can be proactive with their ELD vendor after a word from 10-44 sponsor, Chevron Lubricants.

Speaker 4:
These past few years have been less than easy. We've encountered challenges we never imagined we'd ever have to deal with, from makeshift home offices and video meetings, to global supply chain uncertainty, price instability, market disruptions, and everything in between. Delivering the level of services and products our customers had come to expect was difficult for all of us. We can't change what's behind us, but we can definitely learn from it. We can adapt, evolve, and take steps to reset our thinking, adapt our strategies, and restore your trust in us to better meet your needs now and in the future.

That change begins today. Today we break with convention and introduce a rebalanced line of Delo heavy-duty engine oils. We've reduced our product line from four categories to two. Consolidated and simplified, this lineup removes complexity from the manufacturing processes, enhancing price stability and supply chain reliability, so you can trust you'll have the premium products you need to keep your business always moving forward. Our break with convention optimizes the Delo lineup to allow you to provide your customers with the best synthetic blend and synthetic heavy-duty engine oils in the market, fully available at prices you can rely on. It's your assurance that you'll be well positioned to be their trusted source for proven engine protection that keeps equipment on the job, giving your customers even more reasons to choose Delo.

Stephen Ritzler:
It's really important to understand what cybersecurity protections your ELD vendor might already have in place, and we have a tendency, I think, today to really skim and click through things like terms and conditions, and this is one of those areas where you really want to be mindful and be cognizant of what exactly they have in place for conditions if there is a breach event and what they'd be willing to do, so I would really say it's really the vendor's responsibility to safeguard that data that they're helping steward from their customers, and I would encourage fleet operators and owner operators of the ELDs to be very mindful and aware, to research, and even contact their ELD vendor to ask them what they have available for solutions in the event of a breach.

Jason Cannon:
Just as a truck owner's auto insurance is important to a financing firm, Stephen says an ELD vendor's cyber liability insurance should be equally important to the fleet.

Stephen Ritzler:
So cyber liability insurance is a really wonderful product. It is really on the bleeding edge of innovation in the insurance industry today. In terms of this particular scenario and this risk, it's more of a concern about what kind of cyber liability protection the ELD vendor might have. If you were in the business of financing trucks, you're going to want a certificate of insurance that explains what kind of coverage the person purchasing that truck has so that you know that your risk is covered, and in the same regard, if you're an owner operator or fleet manager today, I think it would behoove you to take a healthy curiosity about what kind of cyber liability insurance your ELD vendor has. It really concerns two primary areas, it's response and then recovery. So cyber liability, in a nutshell, and I'm more of a trucking expert just to level set. Cyber liability in a nutshell, my understanding is the response element is, what are they going to do to make whole in the event of a breach, and the other component is what can they do to stop or mitigate an active breach?

Matt Cole:
Beyond the ELD, Stephen says the more technology that's added into trucks, the more vulnerable they could become.

Stephen Ritzler:
So ELDs, I think, in this paper in particular, are very interesting. Aside from this, the more tech enabled trucking becomes in terms of two-way facing cameras being a part of a network, in terms of loads being distributed, now predominantly really online. Any of those systems are vulnerable to compromise as much as anything else. This could cause mass disruption in the supply chain, really throughout not just the United States, but North America in general if a system is tampered with, loads are misaligned, or location data is skewed, or especially hours of service data, so those are the really big vulnerabilities I see today.

Jason Cannon:
This really doesn't have to be all that complex. Stephen says even simple cybersecurity practices can prevent a cyber attack.

Stephen Ritzler:
Some of the simple, best practices for technology are decades old, right? Make sure you have a sophisticated enough password that it's more difficult to breach. That's where the key vulnerability is here in these devices, their default wirelessly enabled pass codes, so it would be something like a username as username, password as password. I'm sure it's a touch more sophisticated than that, but when you access your device, key into it and look in the network settings, and find what fields you're capable of changing.

If you find you're not capable of changing the default network settings, it might be time to consider a different device or a different vendor. If you're a fleet manager or owner operator today who's shopping for an ELD device, this should be one of the things that really drives your search criteria, is the cyber security of the solution they're willing to offer you. In addition to that, multi-factor authentication is a great solution to help with your cybersecurity, and what that means simply is it shouldn't just be a matter of plugging in the password to the device. It should also hit your email or your cell phone or some other additional form of communication so that you can really authenticate your identity.

Jason Cannon:
That's it for this week's 10-44. You can read more on CCJDigital.com. While you're there, sign up for our newsletter and stay up to date on the latest in trucking industry news and trends. If you have any questions or feedback, please let us know in the comments below. Don't forget to subscribe and hit the bell for notifications so you can catch us again next week.