Even with the best network equipment and top cybersecurity protection, fleets can still fall victim to cyber attacks. And the cost of a network breach can be quite devastating - ranging anywhere from hundreds to hundreds of thousands of dollars - or even worse, it could damage a carrier's reputation with its customers.
Over the years, Donald Frazier, senior vice president of information technology at Arpin Group, has found that a fleet’s strongest and weakest link when it comes to cybersecurity defenses is its employees. Since 2009, the household goods moving conglomerate has been conducting yearly network penetration tests in which it hires a third-party company to send spoof emails to employees and “hack” its network.
Basically, Arpin found that employees would give up their personal bank information, Social Security numbers, and log-in access to the company’s system because the emails were convincing enough and looked like they came from the IT department. And the employees, busy with their work, didn’t even remember releasing the information. It was after that initial test eight years ago that the company decided to bolster a few of its defenses.
“What we’ve been trying to do is educate [employees] on what looks like a suspicious email,” Frazier told Fleet Owner. “If you don’t know the person you got it from, don’t open it. If you don’t know what the invoice attachment is, don’t open it. The hack is coming in from an individual coming in through the organization. And the majority of it is social media and email. So we found that the only way to really remedy this is through education over and over again.”
James Scott, who is the co-founder and senior fellow of the Institute for Critical Infrastructure Technology, explains that at a bare minimum, trucking companies and other organizations should ensure that each and every Internet-enabled device that connects with their network or with a device on their network features layered security and hardened default credentials.
The institute is also referred to as The Cybersecurity Think Tank, and a major part of Scott’s job is advising Congress on cyber warfare. The biggest mistake he’s seen organizations make is not making cybersecurity efforts a higher priority, and allocating only the last dregs of the budget to cybersecurity.
“Cybersecurity should be the primary consideration, and it needs to be incorporated comprehensively throughout the business model and developmental life cycle; otherwise, there will be misalignments between policy, implementation, practice, etc., and adversaries will exploit those vulnerabilities,” he explained.
Scott stressed that companies should regularly scan software and software updates for malicious code. In practice, any inconsistency or odd operation could be an indication that malicious code has infiltrated the system, and every suspicion should be investigated, he added.
“Ransomware attacks against fleets are probable, as are attacks that ‘brick’ or divert systems,” Scott explained. “A sophisticated attack might even infect a system that migrates and leverages its mobility, open ports, etc., to spread malware and automatically laterally infect other devices.”
And because IoT devices are vulnerable to cyber attacks and can laterally infect a network, Scott urges organizations to only invest in IoT devices that are produced by reputable vendors, incorporate security-by-design throughout the developmental life cycle according to NIST 800-160 guidelines, and have hardened layered security.
Warren Westrup, director of IoT Engineering/Architecture at Verizon Wireless, recently shared some of his insights during a Fleet Owner webinar on cyber threats. Every year Verizon conducts an investigative report that analyzes more than 2,000 confirmed data breaches and looks at global contributors. According to Verizon’s Data Breach Investigations Report, more than 90% of breaches fit into nine incident classification patterns. The top patterns are web attacks, such as hacking, which comprise 40% of reported breaches, and point-of-sale intrusions, which make up 23%.
Noting that threats and security challenges go hand-in-hand with IoT devices, Westrup suggested businesses ensure network security by verifying that their encryption process is secure, determining whether their application is vulnerable, and confirming they can access data securely.
“When it comes to security, the more layers you put on, the more protected you are,” Westrup said. “We do a penetration test and see if we could actually penetrate your system, then put safeguards and securities in place.”
Keith Lewis, vice president of operations at CargoNet, said one thing to watch out for is fraudulent carriers manipulating the Federal Motor Carrier Safety Administration’s (FMCSA’s) Safety and Fitness Electronic Records System (SAFER) MCS-150 form by changing carriers’ profile information.
“We believe suspects are mailing in the MCS-150 forms and successfully getting FMCSA to change carrier information without verification,” he explained.
This type of cyber breach can lead to what is known as a fictitious pickup, which is among the more advanced cargo theft trends. Say you’re scheduled to pick up a load but, because of a cyber breach and unbeknownst to you, cargo thieves beat you to the pickup location and take off with that load. In this case, the thieves have learned who picks up where, where the best cargo is, and how to manipulate your SAFER MCS-150 form, allowing them to pose as you, a professional carrier.
“Sometimes you don’t know [cargo’s] being stolen until it’s halfway through the process of the event because you think you’ve made a deal with a legitimate person,” Scott Cornell, second vice president at Travelers Insurance, noted.
Cost of a breach
Arpin manages national accounts for customers who are military personnel and work for the FBI, CIA, and Dept. of Homeland Security. A data breach of any kind could be really devastating for the company and its customers.
Arpin’s Donald Frazier explained that the cost of going back and checking customers’ accounts after a breach, to make sure important information is protected, comes directly from the company that has been hacked.
“The moment you have a breach like that, they suspect everything,” he said. “The cost could range anywhere from a couple of thousand to several hundred-thousand dollars. And you could even be talking about millions.”
“It isn’t going to go away,” Frazier added. “No one is immune. If you have not done some preparation, you’re setting yourself up because you will be penalized on the fact that you haven’t taken any steps to try to protect the information.”
In addition to monetary costs, security breaches will likely become a burden on productivity and overall fleet operations. As with most companies in business today, Arpin depends on email for 85-90% of its business transactions with customers. So a breach that spams customers and employees could bring business operations to a halt. To strengthen its network security, Arpin asks that its employees use dual-password authentication: one password to log into the system and another to get into the application, both in and out of the actual facility.
“We have a lot of people working from their homes and working from their trucks,” Frazier noted. “We do a lot of authentication to make sure it’s who we think it is. It minimizes the hacking risk because when you’re looking at who’s in your system at a given time, it should be the people who have passed two-level authentication.”
To ensure its units stay protected out in the field, Arpin conducts what it calls equipment lockdowns. During a lockdown, equipment—electronic logging devices, for instance—is made inert and removed from the trucks, so potential thieves don’t have access to it.
In addition to not properly protecting equipment and devices, one of the most common mistakes Frazier said he has seen other businesses and trucking companies make is completely handing off cybersecurity responsibilities to a third-party company.
“Hacking isn’t something that can be put off to a third party,” he explained. “They should be partnering with you to create protection. It’s about continuing education and keeping things current. I understand the hurt in the wallet. I’ve been in this business for almost 40 years. And the truth of the matter is it’s just like a truck: Pay for it and maintenance the eyeballs out of it to keep it on the road. This is no different.”
As Frazier pointed out, employees are still the strongest and weakest link when it comes to securing fleet operations. And for this carrier, regular training sessions and educational seminars have become invaluable, which is why it doesn’t look like Arpin will be cutting those yearly tests anytime soon.