Cybersecurity Outlook: Trucking Still Fighting the Ever-Nimble Hacker
This story appears in the March 14 print edition of iTECH, a supplement to Transport Topics.
Trucking companies still on high alert from seemingly endless reports of hacker break-ins last year should brace for even more sophisticated capers in 2016, according to a string of reports released by top cybersecurity firms.
“Cybersecurity should be a key strategic component of any industry, especially trucking,” said Nicholas Then, director of network operations at truckload carrier Celadon Group. “Attacks can disrupt goods and services, divert finances, destroy a company’s reputation or hurt customers.”
Woody Lovelace, senior vice president of corporate planning and development at Southeastern Freight Lines, agreed: “Not only are we concerned for the security of our data, but also the denial of service incidents. The dependence we have on our systems in supporting our customer interfaces and our core transportation network is extensive.”
Security experts say the image of yesteryear’s hacker — the pimply-faced teen on a lark for grins and giggles — has given way to organized crime teams, hellbent on stealing and monetizing stolen data.
“Select any economic sector at random, and the chances are high that you’ll find something in the media about a cybersecurity incident or problem,” said Aleks Gostev, chief security expert at Kaspersky Lab, a security software maker.
“The evolution of breaches is beginning to take a turn toward real-world effects on enterprises’ bottom lines and people’s lives,” added Raimund Genes, chief technology officer at security software firm Trend Micro.
High on the list of hacks truckers need to watch out for in 2016 will be a spike in ransomware showing up on Apple computers — which previously had been bypassed by hackers in favor of more prevalent Windows machines, according to Kaspersky.
“We expect ransomware to cross the Rubicon to not only target Macs — but to also charge ‘Mac prices,’” said Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab.
Also increasingly vulnerable will be point-of-sale computer systems, according to “Hazards Ahead,” a November report released by security software maker Trend Micro. Unfortunately, many of these systems are still running Windows XP, an obsolete operating system that stopped getting security updates from Microsoft more than a year ago.
More vulnerable, too, will be mobile devices, including those running the Android operating system, according to the Trend Micro report.
Plus, hackers are expected to spend more time plundering computers that workers use at home. Such PCs, smartphones and similar devices can often serve as easy stepping stones to what hackers are really after — easy entry into the corporate networks they’re linked to, according to the “McAfee Labs Threats Predictions Report,” released in November by Intel Security.
Equally vulnerable will be all those wondrous devices connected to the ballyhooed Internet of things — including your company vehicles, according to the Intel report.
Unfortunately, just like any other computerized device, cars and other vehicles can be hacked, as security researchers Charlie Miller and Chris Valasek — who now work for Uber — proved with chilling certainty this past summer, when they wirelessly hacked a Jeep.
Incredibly, Miller and Valasek’s infiltration into the Jeep’s computer systems — which they hacked via the Sprint network — gave them complete control over the vehicle’s steering, transmission, brakes and dashboard. Chrysler gulped, and within weeks rushed out a software update on a USB drive to 1.4 million Jeep owners to correct the problem.
“Vehicles are now connected devices, confronting manufacturers and suppliers with a whole new world of security challenges,” said Hubertus von Roenne, a vice president at BT Global Services.
Added Glenn Adelaar, senior vice president and chief information officer at airfreight transporter Forward Air: “I am actually surprised that manufacturers have not provided more safeguards, even as they add wireless controls and connectivity to their vehicles. This should be standard practice. Drivers and trucking companies do not have the vehicle system access — nor the knowledge — to properly safeguard these systems.”
Sarah Amico, chairman at vehicle hauler Jack Cooper Holdings, said: “For trucking, ensuring the safety of the rig is paramount. The idea of someone hacking a truck on the highway next to school buses, or in a city center full of people, landmarks and office buildings is truly terrible.”
“We need to leverage all resources at our disposal — including the security industry — to guarantee the technology is safe,” she said. “Failure is not an option.”
Expect the same kind of vulnerability for many of those brand new devices employees are wearing to work — such as activity trackers, smart watches and other gadgets and sensors. Most are long on the gee-whiz factor, but many are short on hacker protection, according to the Intel report.
Meanwhile, hackers are also expected to increasingly drill down much deeper into computers in 2016, bypassing software and operating systems such as Windows, and penetrating deeper into the machine’s BIOS or firmware — systems that until recently were considered completely inviolable, according to the Intel report.
Case in point: Equation Group malware, which is capable of reprogramming a hard disk’s firmware and so persists even after the infected computer has had its operating system erased and its hard drive completely reformatted. Such feats, according to the Intel report, were “stunning” to uncover.
Incredibly, the coming year is also expected to give rise to the hacker-as-information-broker, with hackers amalgamating data they’ve stolen about you from more than one database, repackaging it, and then selling the resulting much more dangerous and much more potent invasion of your privacy at a higher price.
For example, instead of simply selling your stolen credit card information, an enterprising hacker could combine that data with other info stolen from your health insurance plan, tax return and company records.
Intel researchers say hackers in 2016 will also be using personal data stolen from major security breaches during the past few years to steal even more data by phone or over the Internet — given that the same data is often used in challenge questions companies use to identify you.
Essentially, challenge questions such as “What’s your social security number?” or “What street did you grow up on?” will be child’s play for hackers pretending to be you, who may already have this information from previous data breaches.
Moreover, would-be hackers without the technical wherewithal to break into a computer at your trucking facility will unfortunately have an easy alternative. There’s already a thriving market for off-the-shelf hacker software, which is specifically designed for the nontechnical criminal — a market that is only expected to grow in 2016, according to “Kaspersky Security Bulletin: Predictions 2016,” released in December.
But even while increasingly sophisticated hacker break-ins appear inevitable in 2016, IT security experts don’t plan on taking the onslaught lying down.
Google, for example, has announced that it will issue regular security updates for its Android software after being repeatedly stung by a series of hacks in 2015.
Plus, antivirus makers such as Symantec, which has candidly admitted that antivirus software is becoming increasingly ineffective against hackers, have added behavioral analytics to their arsenal.
Essentially, behavioral analytics scouts your PC for signs of unusual behavior or the installation of unknown programs and offers you quick tools and advice for how to (hopefully) neutralize the problem.
“Integrating breach detection systems with intrusion prevention systems is fundamental to decreasing the time hackers dwell on their networks,” said Trend Micro Chief Security Officer Tom Kellermann.
And the Cyber Threat Alliance — including Intel — has been formed to foster the sharing of info about hacker techniques and exploits among business, governments and security vendors.
Trucking companies looking to secure their own computer networks would do well to evaluate products like those above to harden their cyberdefenses, according to cybersecurity experts.
Plus, they can establish some basic best practices that can go a long way to frustrate hacks. One good start: Have IT personnel program all Windows computers at your trucking company to run without what’s called “administrator rights” — or rights that give the computer user a great deal of power to add new programs to the machine and change how the computer operates.
Hackers often use such administrator rights to ravage a machine once they’ve broken into it.
“Studies have shown that 97% of the Windows vulnerabilities that surfaced could not be exposed if the end-user did not have administrator rights to their workstation,” said Celadon’s Then.
“Second, ‘zero-trust’ is an alternative way to think about computer security,” Then added. “With this model, there are no default trust levels for users, applications and devices. Access is granted at multiple levels, and again only what is needed.”
Lovelace, of Southeastern Freight Lines, said: “This is a company concern and not just an IT responsibility. There should be an understanding and collaboration between IT, fleet services, operations, safety, et cetera, in evaluating system requirements for data and its accessibility.”
Joe Dysart is an Internet speaker and business consultant based in Manhattan. Voice: (646) 233-4089. Email: joe@joedysart.com.