Alert

New DOT Regulation Poses Cyber Risk for Trucking Companies: Three Strategies to Reduce your Risk

January 24, 2018

On December 18, 2017, the U.S. Department of Transportation announced truckers must install Electronic Logging Devices (ELDs) in order to ensure they do not drive more than 11 hours per day. This has caused concern as it may put trucks at risk of being hacked because many of the popular ELD models lack encryption, which could give cybercriminals the ability to access communication protocols that link sensors throughout the truck. The Wall Street Journal reported that ELD devices have been corrupted in Europe by truckers in an attempt to stay longer on the road.

According to the American Trucking Association, the trucking industry moves more than 70% of the freight transported in the United States. In order to prevent disruption to the industry upon which the U.S. economy relies so deeply, many companies are taking steps to prepare and prevent cybercriminals or foreign states from interfering. ELD manufacturers and trucking companies are building encryption into their systems, while some are taking a step further by creating a risk management policy to prevent cybercriminals from getting any type of access to a truck’s network.

Experts advise companies to pay particular attention to the Controller Area Network Bus, or CAN-Bus, system. This system was first designed in the 1970s and allows truck sensors to autonomously communicate; older trucks that rely on this system could be susceptible to cyberattacks.

So what can you do to ensure your trucks - and your company - are protected? Here are 3 strategies:

#1: Ensure proper vendor communication controls.

The ELD is a portal (a network) that talks to the rest of the truck and also carries communications back to the company. While it offers obvious benefits, it introduces a number of risks. Solutions to consider include:

  • Separating the ELD from the rest of the truck using encryption and segregation tools, which will stop a hacker from gaining access to your company’s data and from moving from the ELD to other areas of the truck.
  • Requiring ELD encryption using approved standards as part of your vendor solution.
  • Requesting ELD vendors to provide a Service Organization Controls (SOC 2) Attestation Report on security controls.
  • Testing or auditing the actual implementation to ensure controls are operating properly.
  • Monitoring devices to ensure they provide protection from the latest cyber threats.

#2: Revise technology policies.

Policies are typically already in place at large trucking companies for how truck drivers may access their laptops, cellular phones or other devices. Similar policies need to be put in place for how ELDs are installed, activated and used. Action items include:

  • Implementing Policies and Procedures to address third-party devices.
  • Reviewing and revising policies at least annually.

#3: Implement cybersecurity measures and increase awareness.

Trucking company leaders should ensure they are fulfilling their fiduciary responsibility by implementing a reasonable and defensible cybersecurity risk management program to protect company assets. This allows a company to prove that it has taken reasonable steps to ensure the proper infrastructure to prevent cybersecurity issues. Leadership responsible for the truck/cab environment should consider reviewing or reporting on their cybersecurity risk management program with one of the following:

  • Review or audit of truck technology.
  • Cybersecurity risk management assessment.
  • Cybersecurity attestation report.

For guidance in navigating through cybersecurity risk management concerns, including SOC 2 attestation reports and documentation of cybersecurity Policies and Procedures, please contact Moore Colson’s Risk Advisory and Compliance Services Director Patrick Daniel.


Source: Stone, Jeff. Wall Street Journal Pro Cybersecurity, New Rules May Raise Cyber Risk for Trucking Industry.