National security standards, multiple back-up systems and employee awareness all vital ingredients to protecting trucking industry from cyber attacksBy Kristen Lipscombe
For major industries such as trucking, dealing with potential cyber security threats may feel like an added “thorn in the side,” especially when all companies want to do is move their products from pick-up to drop-off point as quickly as possible in order to keep clients satisfied and business running smoothly.
“Everyone wants to pull that thorn out and not deal with it, but you pull the thorn out and it leaves a mark,” said Victor Beitner, president and founder of Cyber Security Canada, which offers an accredited, federal government-backed certification program designed to help protect Canadian businesses.
But just as it’s necessary to have insurance in case something unexpected happens on the road, it’s also important for trucking companies to be properly prepared and have contingency plans in place in case catastrophe strikes online, Beitner said.
This is particularly important for the trucking industry, which is unusually vulnerable to cyber threats, Beitner said. In fact, “on a scale from one to 100, with 100 being the most vulnerable, I’d say we’re in the high 90s; very high 90s.”
Although safe cyber security isn’t mandated by law like insurance requirements, Beitner said the federal government is taking positive steps forward by creating CyberSecure Canada standards.
“That’s a means of doing an independent third-party audit of your actual cyber practices,” said Beitner, whose company offers those services to provide peace of mind to employers and employees alike.
“Typically, a trucking company will have an IT (information technology) guy, or they’re using an MSP (managed service provider),” Beitner said, “and they do their job; they do it as best they can.”
But no matter how hard your IT team is working to protect your company, with a strong firewall and patching updates, the reality is that cyber criminals are constantly working on new and creative ways to attack the sensitive information stored on business networks, from computers used by individual truckers to your company’s client details that are stored in confidential files.
“Every 15 minutes, a new threat is discovered, or even more often than that,” Beitner said. “When you send out a billion malicious emails, people will click. We know that even with training… about 20 per cent (of people) will click. But it doesn’t matter what that actual number is because all it takes is one (person).”
So why is the trucking industry particularly vulnerable to hackers?
Firstly, truckers from older generations aren’t necessarily as tech savvy, which means they may be more vulnerable to phishing and other discreet tactics used by hackers. Additionally, most companies haven’t hired cyber security leads to ensure they’re fully prepared for possible attacks with expert insight to successfully back up data and lead effective, efficient incident response in case of security breach.
“You have to hope that the people you use for IT have the expertise for cyber,” Beitner said. “Keeping your computers up and running is great… until you have an event – and that’s when things start to happen that aren’t good.”
That’s why awareness training for employees, including truckers, is also vital in creating better comprehension on how to avoid and react to potential cyber threats. “It should be part of the onboarding,” Beitner said, similar to how WHMIS training ensures that employees know how to deal with chemicals.
“Today, trucks are being tracked,” he added. “They have GPS systems to know where they are at any given time. Their cell phones are in use. Truckers… could have their CB (citizens band) radios, or whatever radios they’re using in place – that can all be used against them.
“The location from your phone could be shared with some bad people, and people get access to your tracking system,” Beitner said. “Today, if you want to hijack a truck, you do it electronically, and no one’s going to be aware of it until it is too late. And this is all done through cyber hacking.”
Cyber attacks can be big or small, and may or may not hit mainstream media. “If a trucking fleet is taken down, who’s going to know about it?” Trucking companies don’t always want to admit that they’ve been hacked, Beitner said, because that could very well impact the trusting relationships they’ve built with their clients.
Yet cyber trucking takedowns can have a major impact on supply chain management, which can mean a devastating trickle-down effect from suppliers to distributors to customers.
In May 2021, for example, a ransomware cyberattack “forced the shutdown of a major U.S. pipeline between Texas and New York, causing disruption to the supply of diesel and other petroleum products,” according to www.TruckingInfo.com. “The event even prompted the Federal Motor Carrier Safety Administration to create more flexibility for motor carriers and drivers hauling these products to the affected states.”
The Canadian trucking industry may be even more vulnerable at the moment due to the added national – and even international attention –as a result of recent convoys focused in Ottawa and supported across the country. A prime example is the leaked data from crowdfunding site GiveSendGo, which recently revealed the names and personal details of tens of thousands of donors that financially supported the highly publicized protest amidst pandemic Public Health restrictions.
“When one person (or a group of people) does something… everyone assumes the rest of the group is the same way,” Beitner said, explaining hackers will target people “they think may have been involved; it doesn’t matter whether you were or not.”
“If one of your truckers was involved in that … or if he worked for you five years ago, you’re a potential target,” he explained.
In fact, the pandemic itself makes everyone who is attached to their computers and online presences – so most of us – more vulnerable to cyber attacks and hacks, Beitner said.
Normally, in a business environment, your computers are in an office, protected by firewalls with perimeter and local network protection, he said. “When people are at home, they don’t have the perimeter protection that the office environment has given you.”
That of course means truckers are automatically at a “substantially” higher risk of being hacked since when they’re on the road, they’re not connected to an office network of any sort. “They don’t have the high walls (of protection).”
At the end of the day, just as trucking companies are focused on making money and growing their businesses, particularly during more challenging times such as during a global pandemic, it’s also “all about the money” for hackers who are looking to make the most of their technical skills to get the best possible financial outcomes. The difference is that they’re breaking the law in order to do so.
“If it’s going to cost you $1,000 to intercept conversations or communications, electronic or digital, from a truck that has a very high value cargo in it, then it may be worthwhile,” Beitner said. “The actual threat market… is a business.”
Although the Government of Canada does protect critical infrastructure across the country, and helps mitigate potential attacks, Beitner said it’s up to companies and individuals alike to take thorough and proper steps to help protect their online assets. “It really comes down to the people using the Internet taking ownership of the threat and understanding the threat landscape.”
“The trucking industry is a legacy industry,” Beitner said. “It’s critical to the country.”
That’s why it’s so important that trucking companies not only back-up their data on local drives, in offsite locations and online, and ready for possible attacks with incident response plans, but also provide their employees with the education they need to stay cyber safe on the road.
“If you don’t have the awareness training, it doesn’t matter what else you have in place,” Beitner said. “Education is key.”
For more information on cyber security, check out the Canadian Centre for Cyber Security and the Canadian Institute for Cyber Security based at the University of New Brunswick.