Have you heard? The Federal Motor Carrier Safety Administration (FMCSA) recently announced that their National Registry of Certified Medical Examiner’s website was breached in a cyberattack last year. While they did not announce the attack until right now, many people reported a period last year and into the first part of this year in which renewing their medical certification or verifying their doctor’s eligibility was impossible.
The FMCSA reports that the hack occurred on December 1st and resulted in a system outage. While the FMCSA did create a workaround utilizing a new search tool, it is still unclear when the CME database will be coming back online. Furthermore, medical examiners are still unable to upload physicals and certification information. For now, they are back to utilizing paper records. The FMCSA has issued guidance that they are to hold on to that information and upload it once the system comes back online.
Fortunately, the agency reports that there was no indication personal information related to truck drivers, medical examiners, or fleets themselves were stolen. Still, this brings up a much larger point, one in which government agencies and trucking industry players must do better, and that is in the area of cybersecurity.
Hacking Vehicles is Now a Thing
In 2016, the University of Michigan announced that researchers from a conference were able to expose the vulnerability of semi-truck electronics systems in a dangerous way. The researchers connected to the vehicle through the vehicle’s OBD II port and were able to successfully take over the truck’s internal network. They could then do everything from change information displayed on the instrument panel to trigger unintended acceleration and disable the brakes. It was a major wake up call to the trucking industry.
Taking over vehicles has been a hot topic of late, as researchers have also shown the ability to take over passenger cars by accessing their infotainment systems. In a separate study, researchers were able to disable acceleration and braking functions on a Jeep Cherokee. As a result of these developments, both manufacturers, fleets, and trucking industry advocates are engaging in a debate regarding a truck’s vulnerabilities.
We now live in an age of the Internet of Things (IoT), and with everything increasingly connected, it is now easier than ever for hackers to gain control of critical aspects of our lives for nefarious purposes. And with the ELD Mandate now hear, many motor carriers and truck drivers are wondering if ELDs are safe from this kind if hacking.
Considering most ELDs utilize an open connection to a cellular network, be it through a tablet or smartphone, this is a necessary question. Are truckers at risk to being hacked now that ELDs are being adopted across the industry?
Cybersecurity in the Age of the ELD Mandate
Ask ELD makers and many of them will downplay the threat posed to their devices. This is partially true. Since an ELD is not designed to write to the vehicle’s engine control module, it decreases the risk that hackers can use the device to infiltrate the truck. ELDs merely transmit and receive data and have built-in security measure to prevent hacking.
Still, hackers have become very adept at finding vulnerabilities in IoT devices. The industry has little doubt that the day will come when ELD hacking becomes a serious threat to the industry. And although ELD manufacturers downplay the threat, systems engineers increasingly have security on the mind.
Unfortunately, there is already an example of a trucker possibly being impacted by issues with cybersecurity. While the manufacturer in this case was not entirely sure whether the problem was a hack, they admitted never having encountered the problem before. The problem lies in the interconnected nature of modern commercial motor vehicles. Data connectors and wiring are all integrated into the functionality of the truck itself.
There are documented incidents where an onboard unit won’t allow a truck to be shut off. Even with the key removed, these situations result in a vehicle that is still running. When this happens, the truck can only be turned off when the onboard communications device is powered down. And while these instances are relatively rare, they serve as stark examples of the importance of taking a hard look at the electronic integrity of large, Class 8 heavy-duty commercial motor vehicles.
Large ELD manufacturers have a staff dedicated to ensuring the security of not only the devices themselves, but to the safety of their over-the-air updates. They are good at engineering devices specifically with security in mind. They also understand that whenever wireless communication is being used, there is a chance for hackers to get involved.
ELDs Are Still Safe
Even as motor carriers and ELD manufacturers operate with security in mind, it is still worth noting that hacking into electronic logs or AOBRDs is virtually impossible, since these devices cannot access the controller area network of the vehicle and are only previsioned to read and display data. Manufacturers specifically do not give applications any write abilities or abilities to make specific requests of the truck. By themselves, they cannot engage or change the code of the vehicle’s electronic control module.
Some believe that in the previous case where the dashboard was lighting up and causing strange fault codes, rather than hacking, that may have been the result of an incompatibility between the protocol the device is reading and the protocol it is broadcasting. A good way around that is to reset the device or change a pin on the plug connecting the device to the vehicle.
Still, even though ELDs are designed to be safe and hack-proof, manufacturers are still designing better safety protocols into their devices. Some manufacturers are designing their latest devices with an encryption chip built in. These chips will be able to authenticate the device within the cloud. This creates a double layer of security within the system.
Manufacturers and software providers are also engaging in continuous security audits and evaluating new improvements to their systems. This means that the biggest risk to a vehicle’s still remains the physical connection into the truck itself. Rather than writing a whole new protocol to design a new set of code into the ELD, it would be far easier for a hacker to simply plug directly into a tractor’s hardware.
What Motivates Bad Actors
For the trucking industry, hackers’ motivations vary from wanting to cause general chaos to stealing protected financial or proprietary business information. They also use ransomware to extract money from trucking companies or engage in other types of data theft.
This can be a major problem for truck drivers, but even worse, it is a potential safety hazard for truck drivers, threatening both their wellbeing and sometimes their life. If a hacker can completely disable a vehicle and strand its driver while they attempt to extract a ransom, this puts the truck driver in a situation of unacceptable risk.
It isn’t out of the realm of possibility to think that a cyberterrorist could cause a truck driver to lose control of their vehicle as the result of an attack. The danger to a truck driver’s life in this situation cannot be overstated.
Beyond safety, such actions can potentially paralyze a fleet, disrupt delivery times and schedules, and expose sensitive business information or commercial details. A smaller fleet caught up in a situation like this can potentially be put out of business.
It’s Time to Future Proof
Since modern commercial motor vehicles are so reliant on technology to perform essential business functions, these technologies represent both an opportunity and a risk. Just as the benefits of advanced technologies are shared across a network, so are the downfalls. New commercial motor vehicles have complex communication protocols built into them, regardless of their make and model. In the modern age, they are largely big computers on wheels.
Once a hacker has figured out a new way to attack a truck’s internal network, it is up to manufacturers and vendors to find a way around it. Yet, problems remain. The industry-wide J1939 standard means that a hacker could come up with an attack that is applicable to every vehicle utilizing that standard. This could potentially make large commercial motor vehicles more susceptible to attack than passenger cars.
With defensive tools at the ready, trucking companies and manufacturers are looking to things like malware defense installations, vigilant operating system monitoring, isolating suspicious programs, and setting up firewalls to prevent network penetration. Still, for every advance they make in preventing attacks, hackers are ready to respond.
The trucking industry – including ELD manufacturers – must learn how to “future proof” their technologies against the attacks of tomorrow. Truck drivers’ lives and business longevity is at stake when a hacker strikes. And while it remains to be seen how successful the industry will be at preventing large-scale attacks in the future, incremental changes will continue to reshape the trucking industry and tractor security. How will this impact trucking as we move into the future? Only time will tell.