ORLANDO, Florida—There’s never been a known successful cyberattack on a U.S. commercial vehicle, but that doesn’t mean they aren’t vulnerable to cybercriminals. It’s quite possible that some U.S. enemies already have plans to hack trucks and other vehicles but are just waiting for the right time, according to a cybersecurity expert who spoke this week to trucking industry stakeholders.
A recent cyberattack on Expeditors International shut down the company’s computer systems and slowed its global operations days before Russia invaded Ukraine last month—the type of logistics problem that enemy nation-states can cause, John Sheehy, SVP of research and strategy for IOActive, said here during a cybersecurity session at American Trucking Associations’ Technology & Maintenance Council 2022 annual meeting.
While it didn’t affect vehicles, Sheehy called the timing of the Expeditors ransomware attack interesting.
“Suspiciously, it was right in the timeframe when the war in Ukraine was heating up. And what you’ll see, unfortunately, is sometimes these types of attacks—ransomware or distributed denial of service attacks—are used as a distraction, while something more significant is occurring,” he explained. “So, depending on who your clients or customers within your business are, you may be targeted because of the cargo you’re carrying.”
A cyberattack on a single truck could stop the freight on it and the driver hauling it, Sheeny said during an interview after the TMC session at the Orange County Convention Center.
“If you have three trucks in your fleet, that might be a big impact for you and your operations,” he said. “If you have 30,000, it’s not going to have a very big impact—other than pointing out that you’ve got an issue to deal with. The great concern is when a large number are impacted.”
That theoretical mass attack could be levied against trucks from one OEM or commercial vehicles from a telematics provider or all the trucks in a single fleet, Sheeny said. And he gave examples.
“Particularly if they are delivering some type of critical goods that are high value, high risk,” he explained. “If there’s something that people’s lives depend on and getting somewhere at a certain time—those are things that have very significant consequences. Every modern military understands how critical logistics is to operations. It is something they will exploit when they feel it’s appropriate to do so. Unfortunately, that capability does exist.”
Preparing for an attack
At the University of Detroit Mercy College of Engineering & Science, faculty are working with the Michigan National Guard and U.S. Department of Defense to create joint cybersecurity workshops and online training courses on the subject.
This training will replicate what engineers learned in the CyberTruck Challenge, said Mark Zachos, DG Technologies president, who led the TMC session on March 7. The CyberTruck Challenge was created five years ago to show college students the cyber issues that heavy-vehicle engineers might confront in a more connected, high-tech transportation world.
“You all understand that terrible conflict in Ukraine,” Zachos told the TMC audience. “Logistically, some people are aware of this; they’re having lots of problems. We need to make sure that our country is on the forefront of defense.” And this is part of our defensive shield here. We’re training from college students to the actual maintainers about cybersecurity.”
How cybercriminals could disrupt trucking
The food and essential-products shortages that many Americans faced at the start of the COVID-19 pandemic in 2020 was an example of how fragile the U.S. supply chain is and could be something a foreign actor could try to replicate using fleet cyberattacks, Sheehy told FleetOwner.
“That’s a situation that if the right trucks were attacked, that [2020 problem] could repeat,” he said. “And it goes beyond just the trucks because it’s also the operational technology and the warehousing and distribution units—your forklifts, your pickers, your other systems don’t work. It could be as simple as the Wi-Fi in the warehouse—then your operations have stopped. That’s why we often talk about operational resilience.”
An operations director for a major carrier, who asked not to be identified, said fleets are one click away from an attack. And while an attack on one or many trucks still remains a potential threat, ransomware is hurting fleets and logistics companies such as Expeditors International.
Sheehy’s company, IOActive, recently ran a test for a major company to see how much it would cost to breach its cyber walls. Jaimie Riden, an IOActive security consultant, said the exercise showed the weaknesses within most companies’ outward-facing technology services.
In a blog post, “How we hacked your billion-dollar company for 42 bucks,” he wrote the most significant expenditure was on coffee.
“A lot of traffic goes in and out of a normal company’s internet perimeter: email comes in and goes out; web traffic from customers, or potential customers comes in, web traffic for internal users goes out; and lots of necessary services create traffic, such as remote desktop, web authentication (especially password resets), helpdesk services, file exchange, and more,” he wrote in January. “The question is, can we make use of combinations of seemingly minor problems to access internal systems? The answer is mostly yes.”
‘Multiple nation-states capable of attacking trucks’
If there are no real-world examples of successful cyberattacks on commercial vehicles, is all this talk just abstract?
“It’s a very real concern,” Sheehy said. “We have seen threat-actors demonstrate an inherent interest in getting the information they need to attack these vehicles.”
Those actors could just be waiting for the right time. The last time Russia invaded Ukraine—when it seized control of Crimea in 2014—IOActive warned that U.S. satellite communication terminals (SatComs), those used by airplanes, ships, and military units, were vulnerable to cyberattacks. Sheehy said that Russia used that research to devise an operation to attack the small aperture satellites.
Shortly after Russia launched its latest war on Ukraine, the U.S. satellite communications firm Viasat Inc. said it suspected it was the victim of a cyberattack that knocked out residential broadband services in Ukraine and other European countries.
“It was something where someone on the offensive side of cybersecurity—somebody who’s going to go out to produce some type of effect for their sponsor—said, ‘OK, this is interesting. We can do this,’” Sheehy explained. “They went and developed the capability and put it on a shelf until they needed it. The time was right during the invasion of Ukraine. They deployed it because it had strategic value to them. So I would assess that there are multiple nation-states today with the capability on the shelf to attack vehicles.”
Increasing severity of cyberattacks
Recent incidents, such as the Colonial Pipeline attack and the more recent satellite attack, show cyberattacks are getting more impactful.
“That was a situation where we had invested the time and resources to bring attention to the issue, and some organizations responded, some organizations listened very carefully,” Sheehy said. “Other organizations did not make the right decisions at the top levels about investing resources in managing those risks. That’s why the attack did happen.”
Could the trucking industry, responsible for most U.S. freight movement and the backbone of supply chains, be next?
“It’s difficult to say because these types of decision-makers will only do so when it’s in their interest,” Sheehy explained. “If you asked me a month ago, I would have said we’re not going to see that satellite attack for a while. I also didn’t expect the Russian invasion of Ukraine because that was not consistent with past behavior.”
“So something did change in their decision calculus that produced the effect,” Sheehy added. “That’s why that weapon was used.”
After U.S. supply chain weaknesses were exposed this decade, Sheehy said cybercriminals sponsored by shady nation-states could have their eyes on specific organizations and businesses such as fleets. “You might be attacked because of who your client is—or who their client is,” he said.
That’s why sharing information with clients is important if your firm is attacked—because a cyberattack on one company could be a route hackers access another, according to Sheehy. That’s why sharing information about company security breaches can contribute to the common good.
“Empowering them with the information they need to make decisions to protect themselves and their clients is very helpful,” Sheehy said.
How do fleets prepare for cyberattacks?
Sheehy said transportation companies must understand what risks and threats their businesses face. “It’s going to be different if you’re a smaller fleet or owner-operator versus somebody who’s 30-, 50-, 60,000 vehicles.”
No matter the size of the fleet, knowing what assets might be attractive to cybercriminals is important, he added. “That is kind of the basics. From that, you look at what are the typical attack techniques. What do I have? What would a bad guy most likely go after? That’s where you start to invest in protection.”