Cyber Defenders: How Fleets Are Preventing Hackers From Disrupting IT Systems, Stealing Data
Cybersecurity threats are growing in both number and sophistication, forcing transportation companies to take additional steps to prevent these attacks from crippling their information technology systems, compromising proprietary data or potentially even disrupting trucks’ electronic controls.
One has only to look at last year’s outbreak of a strain of malware known as NotPetya, which caused widespread service delays for FedEx Corp.’s TNT Express unit in Europe and also disrupted operations at A.P. Moller-Maersk, the world’s largest shipping line. FedEx reported a $300 million hit to its earnings while Maersk estimated losses between $200 million and $300 million as a result of the cyberattack.
Those incidents reinforce the notion that in today’s Internet-connected world, it’s all about upping the game of prevention and defense. That starts with aggressively training and educating employees as the first line of defense, and having tested and validated response plans in place to react and recover swiftly when incidents occur.
“I follow the old adage that an ounce of prevention is worth a pound of cure,” said Kim Littlejohn, vice president and chief technology officer at USA Truck. “The more proactive you can be [with training and prevention], the better your position to protect against attacks.”
Littlejohn said a culture of awareness, and an attitude among employees that everyone is responsible for keeping the company’s network safe, is paramount.
“We have a ‘no fear’ culture,” when it comes to reporting suspicious activity, she said. “Our practice is we train, we test, and for those who don’t pass, we train and test again. And we continually update the training.”
Most cyber breaches are due to a breakdown at the employee level: an employee clicks on a link or downloads a document believed to be from a trusted source. Littlejohn emphasized that training employees to know what to look for and providing a quick and easy process for them to report suspected threats are the best prescription for prevention.
Experts also recommend constant monitoring of new cyberthreats through services such as Fortinet or Symantec and upgrading IT systems and networks with the latest security patches.
Cybersecurity starts with buy-in at the boardroom and extends through every level of the business, including the driver, said Nathan Johnson, senior vice president and chief information officer at Omaha, Neb.-based Werner Enterprises, which ranks No. 16 on the Transport Topics Top 100 list of for-hire carriers.
Like many large companies, Werner has a dedicated team of specialists focused on information and network security. Headed by David Elfering, associate vice president of information security services, the team is separate from, but constantly collaborating with, Werner’s traditional IT department.
That separation of duties is important, said Elfering. The governance model provides overall visibility and a checks-and-balances process that ensures those responsible for information security, and those running the physical IT network, are in lockstep. This helps Werner protect the integrity of its network while efficiently supporting core business processes and driving value for customers at the same time, he said.
Werner regularly provides updated training for employees and continuously measures its exposure to cyber risk. Elfering echoed the emphasis of others on the importance of training and education — and employees as the first line of defense.
“The threat landscape is constantly changing,” with e-mail-based attacks still “one of the primary threat vectors today,” Elfering said. “Training [and communication] has to be ongoing; you can’t teach it one time.”
It’s also important for employees to be proactive and err on the side of caution.
“There is no bad question from employees,” Johnson said, adding that it’s far better for employees to flag a suspicious e-mail to make sure it’s OK rather than clicking through and finding out the hard way that it’s something bad.
USA Truck’s Littlejohn said phishing attacks, where a hacker creates a bogus e-mail that looks authentic, are typically the most common sources of cyber intrusion, but there are many other types of threats as well.
“We also are seeing more ‘weaponized’ attachments,” or seemingly innocuous-looking documents attached to an e-mail, she said. “We are seeing a lot more sophistication with fake domain names that pose as websites of legitimate businesses. Once you click on it, the attacker can try to get access to your credentials,” such as the username and password to a bank account or credit card.
Finally, Littlejohn said her company is increasingly on the lookout for what she called “social engineering” attacks. An example: A fleet executive goes to a conference and posts his attendance on a social media site such as LinkedIn. A cybercriminal then poses as the executive by sending an e-mail or text to an employee, saying he’s at the conference but lost his debit card and phone and needs the employee to send money.
“Both the volume and the sophistication of attacks is increasing,” Littlejohn said.
Her last piece of advice: utilize a third-party service for network penetration testing, and conduct regular event simulations, then update business continuity and risk mitigation plans with the results. “You have to be prepared for a myriad of potential threats.”
As cyberthreats continue to evolve and expand, the industry is taking additional steps to improve security.
In February, American Trucking Associations launched Fleet CyWatch, a cybercrime reporting tool available to carriers belonging to ATA or its councils.
Fleets that subscribe to the service can use it to report cyberattacks and receive information about threats that may affect trucking operations.
Fleet CyWatch was jointly developed by ATA’s Technology & Maintenance Council and Transportation Security Council in cooperation with the FBI.
“As the industry responsible for delivering America’s food, fuel and other essentials, security is of paramount importance, particularly in an increasingly technologically connected world,” ATA President Chris Spear said. “Fleet CyWatch is the next logical step in our association’s and our industry’s commitment to working with law enforcement and national security agencies to keep our supply chain safe and secure.”
Jason Kerner, vice president of solutions for network connectivity provider Project 44, said cyberthreats tend to fall into two categories: passive and active.
“A passive attack could be a vulnerable plug-in or an open port on your network where someone is just listening,” he said. “It could be a bad actor on a scouting mission, or someone collecting data to support a more active attack,” such as a denial-of-service attack on a website.
A “brute force” or “injection” attack is a more active attempt at incursion.
“In a brute force attack, the bad actor is using an algorithm to crack encryption or passwords, hammering the system to find a way in,” he explained. An injection attack is where a hacker attempts to insert a piece of code into a webpage or an app, which then runs behind the scenes to give the hacker control or access. Such attacks also can be launched through phishing e-mails.
It’s important for companies to develop and define a baseline of activity with respect to data, transactions and other information flowing through a network, Kerner said. “If you know what normal activity looks like, then you can identify anomalies, and act upon them.”
With the spread of Internet-connected devices, the biggest fear for companies today, outside of a network being taken down, is customer data being compromised, Kerner said. However, the increasing sophistication, capabilities and scope of encryption technologies are helping to alleviate this threat, particularly with communications based on application programming interfaces, he added.
With Project 44, “for any carrier we connect with, the data is encrypted in transit [and at rest]. We don’t allow unencrypted data into the network,” Kerner said. He emphasized that companies also need to be intimately familiar with the practices and security capabilities of vendors and partners. “Liability does not end with your network. You are only as secure as that of a connected partner or vendor. So even if you are doing everything right, you are exposed if your partners don’t have sufficient processes, practices and tools in place.”
Cybersecurity threats have become commonplace, according to Ben Barnes, chief information security officer for McLeod Software, a provider of transportation management systems. “On average, McLeod assists with one ransomware attack per week in which a customer has experienced a significant outage,” he said.
While companies need to focus first on securing and protecting their networks, the development of autonomous trucks also will require a lot of cybersecurity attention, he added.
“Security and privacy is a paramount concern in the trucking industry right now,” said Karen Sage, chief marketing officer for MercuryGate International, another TMS provider.
The proliferation of electronic logging devices under the federal ELD mandate, which went into effect in December, also requires an eye toward cyber protection, she said, adding that the onboard ELD must be secured to prevent it from being a gateway for hackers.
Beyond data security, protecting the interests and privacy of the data owner also is a key requirement, particularly with the advent of ELDs, Sage said.
“For example, an owner-operator may not want carriers or freight brokers to have real-time visibility of their logbook data,” she said. “On the other hand, that information becomes beneficial to identify drivers with time remaining on their clocks to make an extra pickup or delivery.”