CLEVELAND—Cyberattacks didn’t make the cut for ATRI’s latest top 10 list of transportation industry concerns in 2024, though they’re unlikely to remain hidden in the shadows for much longer. Experts who spoke at the 2024 National Motor Freight Traffic Association Cybersecurity Conference on Oct. 28 all believe it’s only a matter of time before more and more fleets and their vendors fall prey to a host of malicious digital predators.
It’s something that keeps those in the know, fleets' cyber security experts, up at night. And any hiccup in the system could mean something sinister.
“Every time there's an alert or one of our systems goes down, my first thought is ‘We're being hacked—it’s ransomware,’” offered Steve Hankel, VP of information at third-party carrier Johanson Transportation Service. He described it as the opening scene of Scream, where the killer was already inside the house.
Johanson tries to outrun the monsters by patching the system, updating servers and applications, and training employees to avoid phishing attempts.
Hankel said he receives DocuSign emails several times a day and now just deletes all of them, figuring someone will call him if it truly needs to be done. Even with due diligence, some things slip through. For instance, he said a few years ago they discovered some outdated network protocols.
With the constant and unforgiving rate of change in digital technology and AI, and all the money crooks can nab via cybercrime—globally, a $9.5 trillion industry in 2024, according to Cybersecurity Ventures—the problem isn’t going away by tucking yourself tightly under the blankets.
NMFTA’s stance is that companies who share their stories should strengthen the industry just by bringing awareness to the issue.
Two fleets, Estes and Saia, appeared at the conference held in the Hilton Cleveland Downtown to share their own experiences with their peers. As it’s a sensitive subject, these sessions were closed to the media. (It also doesn’t help to broadcast your defensive strategy to the opportunistic thieves.)
What can be said is that last year, Estes, a less-than-truckload fleet of more than 10,000 tractors and 40,000 trailers, fell victim to a ransomware attack in which the system network was compromised and drivers could not enter their hours of service on their electronic logging devices. Only after contracting a cybersecurity firm and three weeks of work was the system untangled from the cyber attackers.
They won’t be the last.
During his opening speech, Joe Ohr, the COO of NMFTA, recalled an alert he received about a Michigan trucking company that had a data breach in which a malicious party threatened to steal 80 GB of data which included driver social security numbers. Ohr said he called the company and they “had no idea.”
This anecdote was meant to illustrate cybersecurity isn’t just a scary tale to freak out CFOs at night; there really is a monster hiding under trucking’s bed. And this monster can be anywhere in the world, though probably Russia, Ukraine, or China, the top three bases of cybercrime according to the World Cybercrime Index. The United States finished fourth. But wherever the attacks come from, fleets should not see a cyberattack as a dark secret to hold tight, but rather something to air out in the light.
“Getting hacked happens to everybody,” Ohr noted. “It shouldn’t be seen as embarrassing. We need more people to tell the story.”
The major threats
More stories are sure to come, and they will become more severe as trucking adds more technology to its daily operations, such as telematics, ELDs, and various sensors.
This technology has greatly helped the industry with efficiency and compliance but has also aided cyberattackers.
“You've increased your productivity, and you've made travel safer but you have also increased your attack surface—you've opened the door to a new vulnerability,” warned the keynote speaker Stephen Viña, assistant national cyber director of Policy Development for the United States White House Office of the National Cyber Director.
Viña noted that current major threats include supply chain exploitation, AI-enabled cyber threats, and an increase in ransomware attacks.
“Last year, more than 2,800 ransomware incidents were reported to the FBI,” he added. “This was an increase of 18% from 2022. Financial losses rose almost 75%, according to FBI data.”
These groups continue to evolve as defenses improve, now leveraging generative AI to better plan and execute attacks. They also revel in attacking the weak and defenseless, going back to the same victims and targeting less fortified companies and institutions, such as local governments, schools, and small businesses.
Even businesses with stout cyber strategies will be impacted via concentration risk, meaning the attackers hit a large software provider. Viña said “tens of thousands” of auto dealerships were impacted when one widely used management platform for sales, scheduling, and work orders from CDK Global was infiltrated earlier this year. Anonymous sources told CNN that CDK likely paid a $25 million ransom to restore the services.
Later at the conference, cybersecurity researcher Jaime Lightfoot offered some practical tips to protect against attacks on legacy maintenance systems. (Editor’s Note: We’ll dive into these in an upcoming story, but for immediate help, you can download NMFTA’s white paper on the subject.)
Other types of attacks
Carrie Yang, SVP at leading cyber insurance broker Marsh Cyber Practice, said 252 ransomware events were reported to the company in 2023, with 113 through the first half of 2024. But in Q2 of this year, 88% of claims were related to non-ransomware attacks, including data breaches that cause business interruptions and data breaches.
Attackers can also steal valuable data and steal money through fraud and deception. “The bad guys look to spoof somewhere in the supply chain, either your vendor, your supplier, your bank, or your boss,” Viña said.
And detecting scams is getting more complicated, especially with the use of AI, which cleans up the poor grammar and spelling in scammers’ phishing emails.
“Gone are the days when your users who kind of understand random mistakes and do not click on those emails,” Peeyush Patel, global chief information security officer at XPO, told attendees at a cyber trends panel following Viña’s keynote. He mentioned there’s even a dark web tool called FraudGPT to help craft these emails.
Deepfake videos of executives can also be used to get employees to make ACH money transfers. The experts advised executives and employees to use code words or include personal info only they would know to suss out deception.
Fortunately, cybersecurity forces also can leverage AI tools “to level the playing field.” Patel advocated for manufacturers and developers to implement more “security by design” practices, meaning cybersecurity is baked into a product from the beginning, and not tacked on at the end.
The nation also needs to adopt more standards and regulations around cyber activity, as well as grow its talent base by promoting cyber careers at the high school and university levels.
The threat to national security
The risk of cybercrime isn’t just to a specific company’s personnel data, but to the nation’s critical infrastructure. In this area, “the People's Republic of China, in particular, remains the most active and persistent cyber threat to the U.S. government, private sector, and critical infrastructure networks,” Viña said.
Any threats from the PRC still remain in the shadows, waiting for if and when the time is right “for future potential disruptive or disruptive attacks,” Viña explained. He said this is being led by a state-sponsored hacker group called Volt Typhoon, which “conducted cyber operations focused not on financial gain, not on espionage or state secrets, but on developing deep access to our critical infrastructure—this includes the energy sector, transportation systems, among many, many others.”
Another threat is Iran, which the U.S. alleges attacked American water facilities by overriding industrial control systems to overflow tanks.
At the extreme end, fleets and cyber experts worry about attackers hacking the trucks themselves. While it has not been reported as a real attack, white hats (cyber good guys) have demonstrated that one can hack a CAN bus and trick a truck’s engine into a derate mode, effectively shutting it down. Diagnostic adapters and APIs (such as a shim DLL for a TMC RP 1210 application) can also be targeted to change engine settings and cycle ABS pressure valves.
Ben Gardiner, senior cybersecurity research engineer at NMFTA, questioned, “What happens when these financially motivated attackers stop succeeding so easily with PC-based ransomware, and they start doing the mass derates?”
A fleet may be able to handle a few trucks down due to derates, but on a massive scale, it could cripple their operations, he said.
Gardiner hacked a tractor-trailer's brake controller at the 2023 NMFTA cyber conference.
Causing one truck to slam on its brakes is horrifying enough, but at the 2024 American Trucking Associations Technology & Maintenance Council’s (TMC) Annual Meeting, cyber expert Urban Johnson theorized attackers could strategically shut down trucks at key points like a tunnel or bridge to shut down a city.
This may sound like something out of a horror or sci-fi movie, but could just be some random day in the near future.
“It's not as sci-fi,” Earl Adams Jr., former FMCSA deputy director, told Fleet Maintenance recently. “The ability to control vehicles is a real thing.”
Adams is now a partner at Hogan Lovells, a transportation and logistics practice, where he focuses on autonomous vehicle compliance among other areas. He would not speculate “whether or not China as a country would ever do that,” but said “a local person in San Jose who wants to mess with you—that is possible. And I think that's the scary thing.”
One thought is scarier: that fleets will continue to think a cyberattack couldn't happen to them and ignore the problem entirely.