Aaron Marsh/Fleet Owner
Fleetowner 6759 090716 Hacked Real Threat Trucking Web Agm
Fleetowner 6759 090716 Hacked Real Threat Trucking Web Agm
Fleetowner 6759 090716 Hacked Real Threat Trucking Web Agm
Fleetowner 6759 090716 Hacked Real Threat Trucking Web Agm
Fleetowner 6759 090716 Hacked Real Threat Trucking Web Agm

Hacked: The real threat to trucking

Sept. 6, 2016
Criminals have long since figured out that cybercrime and the range of information security breaches that’ve been thought up to date can pay. But are trucking companies and fleets at any real risk?

Come on, it's 2016. Why commit old-fashioned crime in the real world at high personal risk for comparatively small-time gain? That's for the unimaginative. Just be better at technology than some business somewhere—could be anywhere—and there's a world of data and information being exchanged waiting for you to slip in, siphon some off, and use for your own purposes, be they monetary gain or otherwise. You can do it all from the comfort of just about anywhere in the modern world, and if you know what you're doing, it offers your best chance of eluding your victims and very probably any local law enforcement they'll run to first.

Criminals have long since figured out that cybercrime and the range of information security breaches that've been thought up to date can pay. But are trucking companies and fleets at any real risk? Aren't there better targets out there?

Unfortunately, that's the thinking many fleets may have, since the rapidly growing number of cyberattacks and attempts haven't focused on them as much as more obvious targets like financial institutions.

"Yet," warns Rob Rudloff, a partner with accounting and business consulting firm RubinBrown in charge of cybersecurity whose résumé includes working at the Pentagon for the National Security Agency, in a single-word response to that point. "What the bad guys, especially cybercriminals, are after most often is what will get them relatively quick money, so it's things like a wealth of credit card numbers or personally identifiable information.

"At least on the surface, that's not what trucking companies are known for," he continues. "So it's not that trucking companies are secure; it's that they're not the juiciest target to go after." However, as more and more technology continues to make its way into trucks, it brings with it more data exchange and potential touch points to exploit.

"With technology, there will always be another vulnerability somewhere," Rudloff tells Fleet Owner. "And somebody out there is researching that right now."

Attacks on trucking

Though they may not have made the biggest-splash headlines, indeed there have been successful cyberattacks and hacks of trucking companies going back some years. And so far, not surprisingly, many attacks that have happened have followed a pattern that has hit all businesses.

Take, for example, OutWest Express LLC, a truckload carrier based in El Paso, TX, that fell victim to a "phishing"-type email scam in June 2015. Malware—software containing a virus—was introduced into and locked down the company's network server when an employee opened up what appeared to be just another résumé sent to OutWest as a Word document. Or in late 2012, Pleasant Trucking Inc. in Pennsylvania similarly had a virus introduced into its network via an email message an employee opened.

At Truckstop.com, information security is part of the company culture and is something its security department must guard constantly. Truckstop.com has a broad electronic footprint in trucking, offering everything from load boards to fleet management to price negotiation and payment tools connecting freight brokers, shippers and carriers. Sonny Smith, the company's director of assurance services and who acts as a liaison to the security team, says Truckstop.com has to protect not only its information but that of its various clients.

Businesses unprepared, unaware

At its Security Summit in New York City in July, BlackBerry painted a stark picture of the growing cybersecurity threat to all businesses — and their lack of preparedness to prevent and address potential attacks.

Executive Chairman and CEO John Chen pointed to a few eye-opening statistics the company found in conducting a global survey: in cybersecurity breaches, hackers had been inside targeted companies' systems for a median of 200 days, or about six-and-a-half months, before being discovered. And in Europe, fully eight out of 10 businesses have experienced a cyberattack within the last year.

BlackBerry presented more numbers from that survey and across the IT security industry, including these:

• 38% more security incidents were detected in 2015 than in 2014. (PricewaterhouseCoopers)

• 38% of businesses are prepared to handle a cyberattack. (ISACA)

• Nearly 50% of companies do not have a security incident response team. (Global BlackBerry Survey)

• 6.4 billion connected devices will be in use in 2016 — a massive 30% leap from 2015. (Gartner, Inc.)

• 55% of financial companies believe "bring your own device," or BYOD, policies create risk. (Global BlackBerry Survey)

• 47% of business executives believe BYOD policies lead to "major" risks. (Global BlackBerry Survey)

• 75% of apps fail to properly encrypt data. (Hewlett-Packard)

• Nearly 25% of mobile apps include at least one high-risk security flaw. (NowSecure)

• 75% of all mobile security breaches will be through apps. (Gartner, Inc.)

"There are players out there that are diligently searching for that information," he contends. Truckstop.com keeps its security team "elusive" even within the company itself, he notes, since the team works with law enforcement agencies and others such as the U.S. Dept. of Transportation's Office of Inspector General. "We've been instrumental in a lot of big indictments of fraud rings that've been out there just scamming millions out of the transportation industry," Smith says, and that hasn't earned the security team many friends among criminals.

A Truckstop.com senior security officer—let's call him Agent 001—explains to Fleet Owner that many of the cyberfraud attempts the company sees, and in electronic freight booking in general, center on identity scams. "One of our tasks is to protect our clientele from would-be companies or individuals that would like to get in and use our database," he says. "That's part of our domain when we're vetting the prospective client: We determine that we're dealing with a real company or real agent for a company and that they are who they say they are."

So Truckstop.com maintains its own information database on users as well as creditworthiness, performance ratings, and vetting tools for the various parties involved. Thorough vetting is critical, according to Agent 001, because loads are often booked, contracts arranged, and transactions completed entirely electronically—and shippers, brokers, carriers, etc., "will never see each other." 

Fraud attempts

What might a typical scam by fraudsters look like? A phony carrier could try to get into the system and pocket advances on load payments, Agent 001 notes.

"That's where they take advances and you just never hear from them again," Smith explains further.

Or fraud could be attempted from the broker angle, he adds, possibly by assuming the identity of a legitimate brokerage. "They want to move as many loads as they can as quickly as they can, with no intention of ever paying a carrier," Smith contends. The goal: "Line their pockets with a million dollars or more, knowing that their $75,000 bond is going to be eaten up in claims—then they'll sit on a beach drinking umbrella drinks for a year or two on those carriers' hard-earned money" before trying to get back into the system and repeat the process.

Thankfully, Smith says, Truckstop.com's vetting information and user info database can snag and shut down about 90% or more of such attempts by criminals before they begin, and the company also puts out fraud alerts and maintains adjudicated complaint systems to help stop any others. Trucking and freight movement has become much more complex than it once was, he contends, but legitimate parties involved understand that.

"You've got to take these precautionary measures," Smith says. "We have built the tools to give our users access to vetting information to help them make good decisions; we try to educate them on what the latest scams and fraudulent activities are and just how to take those precautionary measures.

"It adds a little bit of time to securing a load, but both brokers and carriers—the good ones—know and accept that as part of the new process."

IoT and cyberdetectives

Those are some of the ways trucking has been touched by cybercrime and fraud already. But the interconnected device and data reality—the frequently discussed Internet of Things, or IoT—is not only making for new possibilities in trucking and many other industries as well as people's personal lives, it's creating new risks of getting you or your business hacked. Meanwhile, in terms of cybersecurity risks all businesses face, criminals' objectives may be changing.

"It used to be that attackers would go after the servers and data centers, where the crown jewels are," says David Kleidermacher, chief security officer at enterprise security solutions and communications provider BlackBerry. "What we're seeing now are the new assets that are being focused upon, which is the users and the endpoints—the devices that users are operating every day to get their jobs done."

That includes things like smartphones and other personal wireless devices people are bringing into work environments as covered by BYOD, or bring your own device, policies, as well as other devices and sensors that connect to wireless networks and perform some IoT function. In a live demonstration at the company's recent Security Summit, BlackBerry's Campbell Murray, technical director of encryption, and Fraser Winterborn, head of R&D for encryption, demonstrated a live hack into a business' wireless network through a very unassuming device indeed: an electric teakettle.

Thinkstock

"It could be anything—could be a fridge, blender, juicer, physical access control systems, data systems, industrial control systems—those all fall into the IoT category," Murray says. "It could be literally any device that is not a personal computing device and can be network-connected."

Thanks to fundamental flaws in security engineering of the kettle and failure of subsequent information security layers, the two "white hat" cybersecurity penetration testers quickly gained access to the device, the Apple iPhone it was connected to and the business network to which the iPhone was connected as a BYOD item.

Cloud computing and over-the-air updates are another part of this equation. Pointing to vehicle security breaches that've occurred in General Motors, Fiat Chrysler Automobiles and Tesla vehicles, global business management consultancy Roland Berger finds this concerning for the trucking industry. The "most pressing threat" in this regard is ensuring the security of over-the-air fleet updates over cellular networks, according to a Roland Berger report.

All these new data and connectivity points—and possible security flaws in them—could help hackers get inside your company's network. And once inside, their objective tends to be to lay low, gain deeper access to the network by impersonating friendly users, and grab the data assets they're after in a manner you may never even notice, RubinBrown's Rudloff explains. That means breach detection and forensic cybersecurity investigation will become more important in addition to attack prevention.

Yet another wrinkle

Even the brick-and-mortar world is providing solid opportunities for data and security breaches in what are known as social engineering attacks. These can involve scams like imposters calling on the phone and impersonating a business' client needing some information to make a change to an account.

"Cybercriminals can usually get a human to give them the information they want that will give them access," Rudloff says. "Social engineering takes advantage of our human weaknesses. I've never seen a foolproof way to get around it; we all want to be helpful and generally trust a little bit from the beginning."

The safest thing for fleets and trucking companies is to assume they are indeed being targeted by cybercriminals, Truckstop.com's Smith advises, in addition to properly vetting business partners. Training employees and making cybersecurity part of company culture is also wise, he adds, and BlackBerry's Murray notes that "obviously, number one, don't put poorly engineered devices on your network," even benign-seeming devices you might not think to suspect.

"I always tell people it's okay to be a little paranoid, and then I hold up my fingers apart about the size of a quarter—about that much is okay," Rudloff says. "Know your environment and know what you've got going on. What are the technology integration and control points, whether they're the end points where your trucks are or your core environment where all your users have computers? What could they be interfaced with?

"How would you know if some [attack] has occurred?" he continues. "How could you isolate it to whatever layer or link in your environment?" Rudloff offers this cybersecurity mantra: Prevent what you can, detect what you can't, and prepare for the worst.

"Because then you're ready," he contends.

About the Author

Aaron Marsh

Before computerization had fully taken hold and automotive work took someone who speaks engine, Aaron grew up in Upstate New York taking cars apart and fixing and rewiring them, keeping more than a few great jalopies (classics) on the road that probably didn't deserve to be. He spent a decade inside the Beltway covering Congress and the intricacies of the health care system before a stint in local New England news, picking up awards for both pen and camera.

He's written about you-name-it, from transportation and law and the courts to events of all kinds and telecommunications, and landed in trucking when he joined Fleet Owner in July 2015. Long an editorial leader, he's a keeper of knowledge at Fleet Owner ready to dive in on the technical and the topical inside and all around trucking—and still turns a wrench or two. Or three. 

And he's never without a camera, or so rumor has it.

Sponsored Recommendations

Stop Sweating Temperature Excursions

Advanced chemical indicators give you the peace of mind that comes from reliable insights into your supply chains. Compromised shipments can be identified the moment they arrive...

How Electric Vehicles Help You Prolong the Life of Your Fleet

Before adopting electric vehicles for commercial/government fleets, prioritize cost inquiries. Maintenance is essential; understand the upkeep of EV fleets. Here’s what you need...

How to Choose the Right Route Planning Solution

This free buyer's guide will help equip you with the knowledge and insights needed to analyze route planning software and vendors in the market and, ultimately, make an informed...

How to Put Your Trucking Data to Work

How fleets can overcome data overload to optimize operations and get ahead.

Voice your opinion!

To join the conversation, and become an exclusive member of FleetOwner, create an account today!