Everywhere you look in business and society these days, computers rule the world. And, as recent cybercrime statistics show, criminals know it.
Last month, Cloudwards reported in its Cybersecurity Statistics Report that while the COVID-19 pandemic brought much of America to a standstill, cybercriminals were working overtime. The rate of cyberattacks has jumped 600% since the onset of COVID, the site reported, with the total cost of cybercrime damages for 2021 alone reaching $6 trillion worldwide.
Trucking companies were not spared from this threat, as the widely reported attack on Marten Transport in October demonstrates. But experts say that, as an industry, trucking remains one of the least fazed by these threats — which could paralyze their fleets and exacerbate an already-sluggish supply chain.
“Cyberattacks against all businesses have been steadily rising, with trucking one of the most targeted industries,” wrote Mark Murrell, president of online driver training company CarriersEdge, in a May LinkedIn article. “Yet when I bring up the subject, people kind of gloss over.
“In general, the response is kind of, ‘Yeah, that’s too bad,’ like it’s something far-fetched that doesn’t happen often,” he continued. “I think that disconnect is part of why trucking presents such a ripe opportunity for attackers.”
In November, Rep. Peter DeFazio (D-Ore.), chair of the House Committee on Transportation and Infrastructure, conducted a hearing that yielded industry perspectives on various aspects of the nation’s infrastructure and relative vulnerability to cyberattacks.
The event was not above political hackery. In his opening statement, DeFazio took some gratuitous pokes at the trucking industry, saying carriers should “invest more of their robust profits back into their capital programs” to address the driver shortage. Nevertheless, testimony underscored how far the trucking industry, along with the transportation sector as a whole, has to go to meet the challenges of today’s bad actors.
“(Cybercrime is) an increasing problem worldwide and nationally,” said Scott Belcher, who testified as principal investigator for Mineta Transportation Institute at San Jose State University. “Everybody’s got some level of security; the question is whether they really have a good sense of what their potential risks are and whether they’re managing those risks as part of their overall security profile. That’s where we need to get to.”
Belcher said many areas of the transportation sector underestimate cyber threats because they erroneously think there’s nothing criminals would gain by attacking them. Compared to hacking banking or credit card information, a fleet of reefers hauling cheese doesn’t present that much motivation, goes the thinking.
Not true, Belcher said.
“There’s the tactic of ransomware, and what they do is, they will take control of and have access to the system, have access to public data, and they will hold the city, they’ll hold the transit agency, they might hold a trucking company hostage,” he said.
“They will require a ransom to release the data and return access to the system or to get out of the system,” he continued. “We’ve seen plenty of examples of that throughout the country in which they’ve shut down transportation operations or they’ve shut down city operations for weeks or for months. Or we’ve seen operations pay the ransom or insurance companies pay the ransom. It’s millions and millions of dollars in terms of ransom.”
Combine that with the substandard security practices, lack of adequate IT personnel and general apathy about the issue, and the industry is poised for disaster, Murrell writes.
“Fleets are concerned about road safety and devote considerable effort to preventing problems, but aren’t that concerned about cybersecurity,” he said. “That only makes the risk of attack even more significant.”
Murrell continued, “Many successful cyber-attacks feature hackers who spend months exploring a company’s files before finally pulling the trigger on the attack and if people aren’t concerned, then they’ll be less likely to spot the signs of an intruder … (making them) an easy target to break into, with lots of time to steal files and determine how much ransom the company can afford to pay, with a low risk of getting caught before commencing the attack.”
The irony of the current state of the industry is this: The very things companies have been the most progressive about — investing in new trucks laden with technology — are what’s now producing multiple potential intrusion points for bad actors. Dallas-based consultant Rob Robins, who writes regularly on issues facing companies in transportation, logistics and the supply chain, said the industry in general needs to modernize its back-end IT systems to keep up with what’s being deployed on the road.
“Trucking and logistics businesses are increasingly reliant on technology, which is why it’s more crucial than ever to safeguard these systems against cyber assaults,” Robins notes. “Freight transportation has evolved, and cybersecurity experts are trying to address these issues by providing freight delivery system cybersecurity protections that may reduce the likelihood of this problem.
“System backups, security software updates, data backups and network segmentation are all front-line defenses that the transportation industry needs to look at more closely because ultimately, prevention is the best defense,” he continued.
In response to these growing threats, the American Trucking Associations has partnered with New Jersey-based HudsonAnalytix to provide tools to members for addressing IT security. HudsonAnalytix’s product CyMetrics, a web-based service that provides an assessment of a company’s cyber-maturity, is presented as a member benefit.
CyMetrics assesses current risk management practices and identifies controls that need to be put in place to shore up weak points. It also allows trucking company executives to compare themselves against industry peers to ensure they are keeping pace with IT security. It recommends remediation, whether internal fixes or additional IT products such as firewalls, without pushing a particular product or service.
Evaluating cyber readiness and analyzing risk is a process that is often outside the expertise and financial reach of trucking companies. This is especially true for smaller firms, which typically have limited dedicated IT staff, if any at all. This makes a product like CyMetrics particularly useful, as it expands the reach of office staff.
“What we see a lot are small, family-owned companies where the balance sheet is not proportional to their office support,” said Max Bobys, vice president of HudsonCyber, a division of HudsonAnalytix. “These companies often find it very difficult to assess their cyber-maturity effectively.
“There’s a shortage of IT security experts and they’re very expensive and as a result, a lot of the market gets driven out from being able to afford to bring in a lot of capabilities, particularly among small- and medium-sized companies,” Bobys said. “These companies are often operating on the cyber edge because they’re trying to maintain existence, they’re often stretched for resources. They’re trying to survive.”
At the same time, the ability of small- to medium-size trucking companies to identify holes and shore up weak points in a way comparable to the big boys is key to the overall health of the industry. Cybercriminals tend to follow the path of least resistance. Even if a small trucking firm doesn’t itself represent a particularly high-dollar payday, it might contract with much bigger clients, such as the government or large retailers. Without suitable IT safeguards, hackers could infiltrate a mom-and-pop trucking company as a way to get to the big fish.
“You may have a small, family-owned business that’s supporting Amazon. They have data that is valuable to threat actors because that data helps them get into a big customer,” Bobys said. “So, these small companies have the same challenges regarding cyber risks that could impact them as they would FedEx or UPS. They need to recognize that.”
Dwain Hebda is a freelance journalist, author, editor and storyteller in Little Rock, Arkansas. In addition to The Trucker, his work appears in more than 35 publications across multiple states each year. Hebda’s writing has been awarded by the Society of Professional Journalists and was a Finalist in Best Of Arkansas rankings by AY Magazine. He is president of Ya!Mule Wordsmiths, which provides editorial services to publications and companies.