When the general public sees a semi-truck on the road, most just think about the exterior — a cab, a trailer, a driver and 18 wheels. They don’t often stop to wonder about what else it takes to make the truck run.
Truck drivers, mechanics and other professionals in the trucking industry are well aware of the complexity inside the truck. An engine control unit, telematics devices, a vehicle network, cabin controls and more are all essential components of the larger system that allow the truck to operate.
To IT professionals, it sounds a lot like an industrial control system (ICS), an umbrella term to describe how various control components, systems and instrumentations work together to achieve an objective in industrial automation. Supervisory control and data acquisition systems (SCADA) — a subset of ICS — are used for remote monitoring, typically referring to geographically large systems such as water, power and gas. This is also a lot like the systems within a truck, digitally communicating with a source across vast distances.
“In ICS there are active and passive components as well as inputs and outputs,” said Chloe Callahan, IT operations manager of Peninsula Truck Lines Inc. “This is the same in our networks. In trucking, we have active components that can be and are automated. In order to automate, some logic needs to exist with values triggering some action.”
If unsecured, cybersecurity threats can take hold — and if you don’t know the systems in place, it’s impossible to secure them.
Last year, Callahan was introduced to the idea of ICS/SCADA in the framework of the trucking industry after learning about the topic at the National Motor Freight Traffic Association’s (NMFTA’s) Digital Solutions Conference, which made her want to understand more.
Now, she is encouraging other IT professionals to explore how concepts in ICS/SCADA can be applicable in trucking, joining NMFTA’s Antwan Banks, director of cybersecurity, to share parallels between ICS and trucking during NMFTA’s monthly cybersecurity webinar series, leading up to its October Digital Solutions Conference in Houston. The conference will bring together cybersecurity, trucking and supply chain professionals to discuss emerging cybersecurity threats and related issues faced by the transportation and logistics industries.
Callahan shared insight into how ICS/SCADA concepts can be applied to the trucking industry:
Parallels between ICS and trucking
1. Threat modeling.
A threat model includes the identification and prioritization of potential threats. To defend your assets, you need to know which assets you have, Callahan said. The same is true with trucking: To protect them, you need to know your systems.
“When identifying, think about active and passive components. Keep track of active and inactive assets. Have visibility to your environment,” Callahan advised.
2. Security for unmanned sites.
There are many unmanned sites and devices that are exclusively remotely controlled in an ICS, and this exposes the potential for unwanted input.
Though trucks are “manned” with drivers in the vehicle, they don’t have control over the vehicle networks. Callahan recommends thinking about a truck’s sensors and actuators, electronic control units, ELDs, aftermarket additions, gateways, OEM segments, ports, and HMIs as something that can receive malicious input.
3. Protocols.
Protocols are standards for communication — and ICS protocols are insecure by design as they lack authentication, authorization and encryption. This is because the software development life cycle is not as standard, and the life cycle of the technology is long.
This, too, is true for trucks, as life spans of 10 to 15 years are not uncommon. Callahan recommends IT professionals learn about the common truck protocols, including SAE J1708 and 1587, which are older; J1939, which succeeded them; Controller Area Network; and SAE 2497, bidirectional, serial communication on Powerline Controller.
4. Unique hardware.
The hardware that makes up ICS systems is unique, proprietary and potentially old.
“We keep our trucks on the road for as long as we can eke out. A question you may ask could be, ‘Are there any firmware or security updates for anything computerized on the trucks?’” Callahan said.
While the Cybersecurity and Infrastructure Security Agency provides advisories when vulnerabilities are found in ICS, Callahan said the agency does not yet furnish updates for the trucking community.
“It’s truly up to us to be aware of the parts comprising our fleets,” Callahan said.
5. Standards and guidance.
The National Institute of Standards and Technology (NIST) provides guidelines for many security scenarios. The NIST 800-82 Guide to Industrial Control Systems Security guideline is clearly for ICS. Additionally, the NIST has a cybersecurity framework for IT.
Callahan recommends becoming knowledgeable about both to improve overall security.
“Don’t reinvent the wheel and think so hard outside the box. Think back to threat modeling. The attack vectors still include the simple ones like social engineering as well as more advanced ones,” Callahan said.
6. Safety.
Human safety is paramount in both ICS and trucking. In fact, ICS and operational technology are primarily concerned with safety, Callahan said. There is an entire system called a Safety Instrumented System, which is a redundant system that is only concerned with avoiding failures and maintaining safety.
“In trucking, we are obviously concerned with the operation of a heavy vehicle on roadways with others all around a driver and/or passenger in the cab. What redundant systems or instrumentation do we have? Should we be more concerned?” Callahan asked.
NMFTA’s cybersecurity webinar explores further concepts in cross-training ICS in fleet management, covering the parallels further in depth, explaining the Purdue Model and offering resources to learn more.
To listen to the full “Cross-Training with ICS” webinar, click here.
The post Can industrial control system concepts enhance trucking cybersecurity? appeared first on FreightWaves.
