Staff Reporter
Trucking Stakeholders Tackle Biggest Cybersecurity Concerns
CLEVELAND — Trucking is dealing with an evolving cybersecurity environment that raised concerns among industry experts during a panel discussion Oct. 28.
The National Motor Freight Traffic Association hosted the session as part of its annual Digital Solutions Conference on Cybersecurity.
The panelists were asked what issues concerned them most. Unclear regulations, new criminal methods and risks being too concentrated were common responses.
“Ambiguity and types of regulations without clear guidelines behind it is something we are really worried about,” said Peeyush Patel, global chief information security officer at XPO. “I wish there was a sort of a global effort around standardizing some of these things, even within the U.S. itself.”
Patel also echoed a major point of discussion throughout the conference: There needs to be security by design — systems that are developed around security as opposed to being tacked on afterward. He is particularly concerned with large-scale applications, such as web services, that many others rely on.
“How do you make sure that those firms are implementing proper security, and how do you protect your data, which is in those enterprises?” Patel said. “Now that your data resides in the cloud, it’s not a bad thing; it’s necessary because of the evolution of where the technology is. Just make sure that the third-party risk is managed appropriately, because many times what’s happened recently, is it’s not a breach of the company itself, but it’s the third parties which have been breached.”
Patel also expressed concern over whether there will be enough cybersecurity experts to tackle these challenges. He noted that part of the problem is that college-level training mainly applies to master’s and doctorate programs.
XPO ranks No. 5 on the Transport Topics Top 100 list of the largest for-hire carriers in North America.
NMFTA Senior Cybersecurity Research Engineer Ben Gardiner agreed that more training needs to be available to undergraduates and high school students.
“I think we do need to worry about the vectors into the trucks for sure,” Gardiner said. “We see ransomware at the fleets. We’re definitely even seeing them in the top 10, and I’m left wondering what happens when these financially motivated attackers stop succeeding so easily with PC-based ransomware and they start doing the mass derates that we’re worried about.”
Gardiner added that attacks on trucks can turn into derates, in which a truck's engine output is reduced due to operating conditions. He noted that fleets usually can deal with a handful of these issues, but in an attack the number can go beyond that, up to the whole fleet.
“Every time there’s an alert or one of our systems goes down, my first thought is, we’re being hacked,” said Steve Hankel, vice president of information technology at Johanson Transportation. “Some of the key issues in cyber this year have really gone back to basics. Are you patching your systems, are you updating your servers, are you updating your applications, are you updating your training and education of your employees, are you doubling down on fighting phishing?”
Johanson Transportation has focused on updating its servers and bolstering security over the past couple of years. Hankel recalled how the previous servers already were a decade old by that point. He also said that the company recently conducted a penetration test to check for vulnerabilities.
“In our latest pen test, they identified that we had a couple network protocols that should not be being used anymore,” Hankel said. “Well, they were on, but were we really using them? So just kind of focusing on the basics, but then also looking at the trends that are coming.”
Carrie Yang, senior vice president at cybersecurity insurance broking firm Marsh Cyber Practice, noted that insurance underwriters are most concerned about concentrated risk. This occurs when a single point of vulnerability, such as a vendor with multiple carrier customers, could cause multiple problems across companies and networks when it is attacked.
“That’s an aggregation issue for underwriters,” Yang said. “They’re concerned with what if one incident, then millions of e-policy holders will be impacted. It’s a huge loss added up. Second concern is about our privacy regulations.”
Yang added that the problem with privacy regulations is the patchwork of laws between countries and states. She noted that this complicates the issue, especially in terms of non-breach privacy violations, such as collecting data without prior consent.