WASHINGTON — The trucking industry is exploring numerous cybersecurity standards as advances in technologies increase the risk of attack.
“There’s privacy and security issues,” Mark Zachos, a regional chairman with SAE International, said during the Fleet Data Management & Cybersecurity Conference. “What I don’t think that we pay enough attention to, frankly, is that data, equipment, the laptops, the interface device, the maintenance tools, maintenance equipment, that too needs to have security and privacy provisioned into it.”
American Trucking Associations’ Technology & Maintenance Council (TMC) hosted the conference.
Zachos highlighted the importance of keeping competitors or other unauthorized parties from spying on drivers or internal data. Many fleets track the location and performance of their trucks remotely, for instance, and would want to keep that information secure. But the threat goes beyond data and information. With trucks becoming more modernized, it’s possible to hijack certain processes within them.
“They then control and compromise the vehicle,” Zachos said. “Maybe they de-rate the engine, maybe they drain the DEF or all the sensors. Maybe they turn the seat heater up so the driver doesn’t want to sit there anymore. And finally the safety issues like disabling the brakes.”
TMC and its industry partners have been working to develop standard practices to bolster cybersecurity among carriers, mechanics and truck manufacturers. SAE International and the International Standards Organization (ISO), for instance, have been developing a process for addressing cybersecurity threats for vehicle connectivity called ISO/SAE 21434. It has become increasingly common for modern trucks to communicate with dispatchers and each other with the use of digital components and sensors.
“This is the world’s best experts getting together over several years to create this document,” Zachos said. “Once you engineer a new truck or engineer a new piece of software, all the way through the maintenance phase and commissioning phase. Section 13 specifies operations and maintenance. You got to find this, you got to read this to understand these principles.”
Zachos noted that cybersecurity policies are a process. It’s not just about figuring out what works. It also involves building upon that and being able to evolve as technology and threats change.
“SAE is developing something called the secure charging [electric vehicle] ecosystem,” Zachos said. “So this is the future. What we’re trying to do today is create a common method that is verifiable compliance verification testing for EV charging security, which is applicable to heavy commercial vehicles. SAE J1939, we continue to advance that standard.”
SAE J1939 is a series of recommended practices for a serial control and communications vehicle network. Zachos doesn’t believe the standard is done being developed, but it’s getting close. There are a few proposals being considered to help strengthen the standard. J1939-91A deals with in-vehicle network security. J1939-91B has to do with telematics interfaces. J1939-91C deals with secure data transfer. Zachos noted having support from the government in this area has helped.
“If we didn’t have the enforcement and regulation authority, it would take us a lot longer to converge on a compliant one way of doing things,” Zachos said. “Because you can have standards that are great, there’s so many to choose from and so many different ways to interpret them.”
SAE J1939-91C is another proposed standard, intended to improve on current Controller Area Network procedures and modernize cybersecurity techniques. Zachos is also looking into improving reporting standards for anomalies that appear within vehicle systems.
“What I’d like to share with you is an opportunity to craft a new recommended practice,” Zachos said. “I think the TMC should create some recommended practice for when you have an anomaly, what do you do with it and then take action on that according to each fleet and their unique situation.”
Zachos also pointed to the National Institute of Standards and Technology (NIST), which is working to create a cybersecurity paradigm that moves defenses from network-based perimeters toward a user-, asset- and resource-focused approach. The NIST Zero Trust Architecture is a guideline for industrial and enterprise infrastructure and workflows that assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location.