
Planning ahead for vehicle cybersecurity threats

Feb. 11, 2020
The before, during, and after of protecting your fleet against a vehicle data security breach.

Let’s talk data protection policies – why fleets should have them, how to put them in place, and what happens if a fleet finds they are unprepared in the face of a data breach.

Every fleet is at risk of a potential breach when it comes to their vehicle’s data security. Without operating procedures in place on how to proceed in the event of a cyberattack, fleets risk potential vehicle damage and/or sensitive information being leaked. In order to understand and implement a data protection policy, fleets must first understand who owns the data, who has access to that data, and their responsibility to protect that data.

Data ownership and access

Though it would make sense that the vehicle’s owner is also the owner of that vehicle’s data, vehicle owners do not necessarily have the means to access all of this data. Access and control of a vehicle’s data actually falls in the hands of the vehicle manufacturer, at least currently.

“Vehicle owners have access to only the data the vehicle manufacturers allow them to have,” says Sheila Andrews, director of heavy duty programs at the Auto Care Association. “This is typically limited to the standard diagnostics data.”

The Auto Care Association is a trade association that serves the collective interests of its members within the vehicle service industry.

Considering the amount of data coming from fleet vehicles – location information, tire pressure, load balancing, engine health, etcetera – having the data contained on singular servers controlled by the OEMs sounds like a hacker’s dream, Andrews notes. If hackers are able to breach those systems, that could mean chaos on the roads as they take over large groups of vehicles all at once.

Andrews explains the Auto Care Association’s solution to this issue is to incorporate an added layer of security for the vehicle data, known as the secure vehicle interface (SVI).

“[This] refers to a set of data security ISO [International Organization for Standardization] technical specifications that can be implemented on all vehicles in order to approve the access to data from a vehicle. SVI is implemented on each vehicle, independently of other vehicles. Therefore, hackers would need to infiltrate each vehicle, one by one, to cause any damage,” Andrews says.

An SVI would also enable the owner of the vehicle to have access to all of the vehicle’s data as well as give them the power to choose who has access to this data.

As it stands, though fleets do not have control over all their data, they still need to be prepared to protect that data from those who may try to misuse it.

Preparing for cyberattacks

Being prepared means fleets must have a standard set of operating procedures in place before a cybersecurity incident occurs.

The Cybersecurity Unit of the U.S. Department of Justice has put together a set of best practices for victim response and reporting of cyber incidents. This includes steps to take before, during, and after a cyberattack.  

Before

Below are some of the most important practices for fleets to put in place to help secure their vehicles’ data, according to the U.S. Department of Justice.   

Have an actionable plan in place

“Organizations should have a plan in place for handling computer intrusions, data breaches, and other cyber incidents before they occur,” explain officials from the U.S. Department of Justice. “The plan should be ‘actionable,’ meaning it should: provide specific, concrete procedures to follow in the event of a cyber incident; be up-to-date; include timelines for the completion of critical tasks; and identify key decision makers.” Fleets should consider the following when creating a process to address these incidents:

  • Who has decision-making responsibility for different elements of an organization’s cyber incident response, including public communications, implementing security and mitigation measures, engaging with law enforcement, and resolving legal questions;
  • How to contact critical personnel at any time, day or night, and how to proceed if critical personnel are unreachable or unavailable;
  • What mission-critical data, networks, assets, or services should receive prioritized attention during an incident;
  • How to contact the organization’s retained incident response firm or otherwise obtain incident response assistance, if needed;
  • When and how to restore backed-up data, including measures for ensuring the integrity of backed-up data before restoration;
  • What criteria will be used to determine whether data owners, customers, or partner organizations need to be notified if their data or networks may have been illegally accessed; and
  • When and how to notify law enforcement and/or other government entities.

Engage with law enforcement before an incident

Establishing a relationship with local law enforcement before a cybersecurity incident occurs will create a point-of-contact for any future assistance necessary. It will also aid in creating a relationship of mutual information sharing, which would be beneficial to both fleets and law enforcement.

Ensure your legal counsel is familiar with technology and cyber incident management

If a data breach should occur, it could be beneficial for fleets to talk with an attorney who is knowledgeable about laws regarding electronic surveillance, communications, data privacy, and information-sharing in order to understand the potential legal repercussions of the incident.

Establish relationships with data information-sharing and analysis organizations          

Another preventive measure fleets should take when protecting their vehicle’s data is staying up to date on new and emerging cyber threats. Though this task may seem a bit daunting, the government has created Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) to ease the process of staying up to date.

“ISACs share analysis of cyber threat information within their respective sectors, with other sectors, and with the government. Depending upon the sector, they may provide other cybersecurity services as well,” explain officials at the U.S. Department of Justice.

ISACs exist for what are considered the 16 “critical infrastructures” of the U.S., but because not every industry falls within these 16 sectors, organizations have created ISAOs. ISAOs are intended to provide the same benefits and information as ISACs for specific industries or markets.

The vehicle industry has its own ISAC, where intelligence is shared on developing cybersecurity risks to the vehicle and vehicle cybersecurity capabilities are improved across the industry. For more information, fleets can visit automotiveisac.com.

During

While in the midst of a data breach, the U.S. Department of Justice recommends the following steps to handle the situation: make an initial assessment, implement measures to minimize continuing damage, record and collect information, and notify.

1. Make an initial assessment

Assess the situation and first determine the cause of the incident. Was the incident a malicious act, human error, a technological glitch, or some combination of the three? From there, fleets should be able to ascertain what action needs to be taken.

2. Implement measures to minimize continuing damage

After a data breach, a fleet should do whatever is possible to minimize the corruption of its vehicles’ systems.

Robert Vogt, chairman of IOSiX, a manufacturer of ELD hardware and high-end automotive data acquisition systems, recommends a few preventive measures which can also help to avoid further damages from a cybersecurity incident.

“[Fleets should] be extremely careful about vetting any devices they add to the vehicle,” Vogt says. He suggests disabling any wireless communication features or functions that are not being used by the fleet, including Wi-Fi, Bluetooth, and/or an OEM telematics system. “If you're not using it, it's using you,” he adds.

3. Record and collect information

In the event of a cybersecurity incident, fleets should keep logs, notes, records, and any data possible that may help in analyzing and investigating the breach.

The U.S. Department of Justice recommends these forms of information be recorded and retained:

  • A description of all incident-related events, including dates and times;
  • Information about incident-related phone calls, emails, and other contacts;
  • The identities of people working on tasks related to the intrusion, including a description of each individual’s role or responsibilities, the amount of time spent on the tasks, and the approximate hourly rate for each person’s work;
  • Details on the systems, accounts, services, data, and networks affected by the incident and a description of how these network components were affected;
  • Information relating to the amount and type of damage inflicted by the incident, which can be important in civil actions by the organization and in criminal prosecutions;
  • Information regarding network topology, or the arrangement of a network composed of nodes and connecting lines between the sender and the receiver;
  • The type and version of software being run on all affected systems; and
  • Any irregularities in the organization’s network architecture, such as proprietary hardware or software.

Having these records on hand will also benefit fleets if they are needed as evidence, or to rebut claims in potential legal proceedings that evidence has been tampered with.

4. Notify

Lastly, when handling a cybersecurity incident, the proper people must be notified of the situation. Within a fleet’s standard operating procedures for a data breach, a point of contact (POC) should be included. People such as senior management, incident response firms, local law enforcement, and legal counsel are critical POCs.

Additionally, if other victims of the cyberattack are revealed as the situation progresses, they must be notified as well.

“The first thing to know is what your state laws are regarding security breaches,” notes Patrick McGuire, attorney, Law Office of Patrick McGuire.

State laws will provide details such as who needs to be notified, how quickly they need to be notified, and depending on the situation, whether notification is necessary at all.   

After

Even after a cyberattack seems to be resolved, fleets must stay vigilant. The U.S. Department of Justice warns that intruders will often try to regain access to the system or may still have access through an entry point not previously discovered. Fleets should continue monitoring their systems for any suspicious activity that could lead to another attack.

Fleets should also take this time to review how well their cybersecurity incident response plan worked. What were the strengths and weaknesses? How can the plan be improved for the future? Steps must be taken to address and fix these issues to prevent similar future attacks against the fleet.

Think of the consequences

If a fleet doesn’t take the time to plan ahead, the results could be disastrous. A data breach could mean not only stolen or tampered-with information, but also a dangerous situation for the driver and anyone within the driver’s vicinity, should the vehicle be controlled by a hacker with malicious intent.

It’s also worth noting that with the movement toward autonomous vehicles, it is even more important to keep a fleet’s vehicles protected from cyberattacks.

“You simply can’t allow unauthorized access to a vehicle whose safety relies on cameras, sensors, and systems like collision avoidance,” says Ben Osborne, marketing communications manager, Noregon, an IoT company specializing in connected vehicle solutions, about autonomous vehicles.

When it comes to fleets keeping their vehicle’s data safe, everyone must do their part. “Improper protection of a vehicle from being hacked can have deadly consequences,” Osborne says, “so fleets, OEs, aftermarket manufacturers, repair facilities, and everyone else who is authorized to work on or modify the vehicle must carry the responsibility of ensuring it is protected.” 

About the Author

Emily Markham | Assistant Editor | Vehicle Repair Group

Emily Markham is an assistant editor for the Vehicle Repair Group.

With an education based in writing and editing, Markham uses her knowledge to assist with the creation of content for Endeavor Business Media Vehicle Repair Group’s publications—Fleet Maintenance, Professional Tool & Equipment News (PTEN), and Professional Distributor—as well as their website, VehicleServicePros.com. 
