Carriers Face Growing Cybersecurity Challenges

(Getty Images, Orbcomm)

[Find the latest in equipment & maintenance: Explore this quarter's issue of Calibrate]

Increasing vehicle connectivity and automation is making cybersecurity an even more important subject for fleet maintenance executives and managers. No longer just the concern of information technology experts and back-office systems, cybersecurity threats are an important consideration when assessing the effectiveness of commercial vehicle maintenance and telematics programs.

For some time now, American Trucking Associations and its Technology & Maintenance Council have recognized these threats and taken steps to help ensure a robust cybersecurity environment for motor carriers. For instance, in conjunction with TMC and ATA’s Transportation Security Council, the federation has developed the Fleet CyWatch program, which assists fleet members in reporting information about trucking-­related internet crimes and cyberattacks, and shares information with fleets about cyberthreats that may impact their operations. Fleet CyWatch coordinates with private and federal efforts to provide motor carriers with information and recommendations in the areas of cybersecurity awareness, prevention and mitigation methods. These efforts complement industry best practices produced by the Auto-ISAC with the common objective to demonstrate the industry’s proactive collaboration to protect consumer safety through vehicle cybersecurity.

Additionally, TMC’s S.5 Fleet Maintenance Management Study Group has taken an industry leadership role pertaining to various aspects of cybersecurity through its Cybersecurity Task Force. The task force’s mission includes:

• Addressing cybersecurity issues and how they can be dealt with when they happen.
• Creating recommended practices to be combined with research from multiple other expert sources, such as the National Science Foundation, U.S. Department of Homeland Security, U.S Department of Transportation, the FBI, National Motor Freight Traffic Association and SAE International.
• Reaching out to universities, government agencies and coordinated fleets related to cybersecurity guidance.

Image

More Q4 Calibrate

►Military Vets Fill Technician Roles
►Freeze: Spotlight on Technicians
►Buses Leading Race to Electrification
►What's Next for Alternative Fuels?
►Baxter: Confronting Climate Change
►TMC Corner: Cybersecurity Issues
Explore the Issue!

Since its inception, this task force — in concert with other TMC task forces/committees — has developed:

• RP 544, Cybersecurity Insurance Guidelines. This recommended practice offers guidelines for cybersecurity awareness, prevention and risk mitigation through insurance for commercial on-road vehicle operations for vehicles weighing more than 10,001 pounds. It also lists resources fleet managers can use for more information on managing cybersecurity risk.
• TMC RP 537, Disaster Recovery Planning for Fleet Maintenance Operations. While not directly addressing cybersecurity, this RP offers guidelines for developing a disaster recovery plan covering pre-evaluation, planning, and duty assignment of assets, property and personnel. The plan is designed to keep critical business functions operating, minimize the duration of service disruption(s), limit additional damage and/or loss, establish management succession and emergency powers, facilitate all recovery tasks, and identify critical lines of business and supporting functions. It provides a methodology to assess and plan for a catastrophic cyber event.

Image

Braswell 

The task force also is working on a proposed RP for cybersecurity and contract considerations, which will provide guidelines for cybersecurity awareness, prevention and mitigation with a focus on contracts and purchase order documentation used in the acquisition of equipment for fleet business and operations for security measures, as well as a proposed RP for cybersecurity planning that would cover general considerations for fleet maintenance operations.

TMC’s S.12 Onboard Electronics Study Group also has developed RPs and materials that aid in the maintenance and security of vehicle electronic systems. Some of its work includes:

• RP 1225A, General Guidelines for Security Risk Analysis of Electronic Driver Log Systems. This RP defines a guideline for identifying security risks associated with an electronic driver log system. The suggested risk analysis approach serves to identify potential vulnerabilities for which to consider whether appropriate security controls have been effectively implemented.
• TMC RP 1226B, Vehicle Accessory Connector Guidelines. This recently adopted RP offers specifications for a standardized, non-­original equipment manufacturer, specific vehicle accessory connector to interface aftermarket vendor electronics with a vehicle. The intended purpose of the vehicle accessory connector is to make it easier for an aftermarket vendor to connect a device to the vehicle while at the same time ensuring the integrity of the vehicle’s electrical or network/­communication systems and following appropriate industry specifications. The task force responsible for reviewing and updating this RP is currently assessing the potential modifications to the pin allocations as well as a parallel project in messaging standardizations across RP 1226-connected devices to ensure and enhance authentication and protection of the on-board network. This task force is in active discussions with the California Air Resources Board regarding recognition and certification of the RP 1226 connector as a means to securely transmit emissions compliance data to regulators.
• Application Programming Interfacing. Through TMC’s S.12 On-Board Vehicle Electronics Study Group, TMC RPs have enabled standardized API for Windows-based systems, mobile iOS and Android systems and is addressing provisions for CAN-FD for revisions to these recommended practices. TMC recently successfully balloted a proposal for a new RP that provides a secure interface protocol for handheld diagnostic devices. TMC is in continuing dialogue with other organizations, such as the National Motor Freight Transportation Association, to provide a standardized Open Telematics API to allow sharing of data across and among telematics service provider platforms, such as communications, location data and load security, to various commercial, governmental and enforcement “customers” that have a need for this data, while at the same time preventing unauthorized external access to on-board vehicle systems.
• Health-Ready Componentry. TMC, via a task force in its S.5 Fleet Maintenance Management Study Group, is working actively with SAE International’s Health-Ready Component Systems Consortium to create a standardized templating for interfacing data messaging being produced by “smart” vehicle components through use of TMC Vehicle Maintenance Reporting Standard codes in developing data sheets for health-ready componentry in conjunction with SAE International Health-Ready Component Signaling practice.

Moreover, TMC’s series of summer conferences has focused on ­cybersecurity matters. Most recently, issues pertaining to electric commercial vehicle and electric power grid security were discussed, in concert with the Electric Power Research Institute. TMC also has raised awareness of the importance of cybersecurity among fleet managers and service technicians by instituting and improving a cybersecurity skills station as part of the council’s annual national technician skills competitions (TMCSuperTech). TMC also is helping fleet personnel prepare themselves and their organizations for the rising tide of cyber concerns. This summer, TMC and Serjon announced a collaborative effort to bring commercial vehicle cybersecurity training to TMC, ATA and other ATA council members. The collaboration provides their members access to the certification training at a discounted price.

Serjon designed the module-based cybersecurity training program to better enable practitioners and decision-makers to secure and defend their business-information technology systems, equipment and companies against threats and attacks, as well as to build incident response-­capable and resilient organizations.

“In response to increasing security threats and attacks on businesses of all sizes, Serjon built the program to be an informative, practical and affordable online resource for small- and medium-­sized businesses,” said Urban Jonson, Serjon senior vice president of information technology and cybersecurity. Serjon leveraged Jonson’s cybersecurity expertise in the transportation sector — especially heavy-duty vehicles — to create a special module within the series called Defending Heavy-Duty Vehicles, which will help students understand the unique cybersecurity threats against trucking companies and heavy vehicles, such as bring-your-own-devices, USB drives, HD radio, Bluetooth, telematics/ELD devices, general radio frequency attacks, maintenance system/tools and service providers, general concepts and strategies for risk mitigation, and how to get help if your heavy vehicles experience a cyberattack.

TMC, ATA and ATA council members can register for the cyber­security training and certification program at a discounted rate.