Ever since the Federal Motor Carrier Safety Administration opened up its self-certification registration system for mandatory electronic logging devices, there have been a number of new-entrant companies offering ELDs – but how confident can you be that those devices are safe from hacking or data breaches?
The National Motor Freight Traffic Association, an organization of primarily less-than-truckload carriers, issued a bulletin expressing its concern about the results.
“As far as NMFTA has been able to ascertain, the current ELD rule, as written and implemented, requires both two-way CAN bus connectivity and internet connectivity. This creates some genuine concern regarding the cyber security posture of the ELD devices themselves as they create a bridge between the internet and the CAN bus network of the vehicle. If the ELD devices could be exploited to send malicious traffic to the vehicle CAN bus, it could have serious consequences to the safe operation of the vehicle.”
IOActive’s general conclusion was that all the tested devices did little, if anything, to follow cybersecurity best practices and were open to compromise, with shortcomings such as devices being shipped with debug-enabled firmware easily accessible for analysis, and a lack of encryption.
“IOActive’s findings presented at Black Hat USA 2017 and DEF CON 25 echo our concerns,” said Sharon Reynolds, chief information security officer at Omnitracs.
She explained that FMCSA does have some security standards. “FMCSA regulations outline security controls like encryption at rest, encryption in transport, and any time you try to send it somewhere.”
What are the FMCSA standards?
NMFTA reported in the bulletin to members that in the FMCSA ELD Test Plan and Procedures document, it could not find many details about what ELD providers must do to ensure cybersecurity. “NMFTA has been unable to find any recommendations or guidance for cyber security for the actual ELD devices in this document with the exception of sections 4.10.1.1 and 4.10.1.3, which refer to encryption when communicating with FMCSA servers or sending data via email. No specific requirements for device cyber security were discovered during our investigation.”
Indeed, security does not appear to be included in FMCSA’s published Frequently Asked Questions.
When asked to comment on the NMFTA’s bulletin, an FMCSA spokesman directed us to page 78329 of the Federal Register December 2015 publication of the final rule on security.
That section noted that the proposed rule had “proposed incorporating by reference several industry standards for privacy and encryption, including NIST standards.” Responding to comments on the proposal regarding security, FMCSA said the agency “follows all DOT security guidelines, which includes NIST standards for access to any FMCSA system or network,” and that it “believes that the security standards of ELDs have appropriately balanced industry standards, privacy, the need for accurate HOS monitoring, and the cost of security measures.”
FMCSA did note in the rule that “it has only established minimally compliant standards in this rule, and there could be a market for more security features on an ELD. ELD providers are not prohibited from using additional security measures, so long as the data can still be transferred to authorized safety officials as required by the … rule.”
In addition, FMCSA said, “Security on mobile devices is well understood. Banks, governments, and retailers all provide apps which require security. There is no reason to believe that consumer mobile devices cannot be an adequate platform for ELDs. FMCSA believes the specifications and privacy standards and protocols are sufficient to respond to reasonable concerns about hackers.”
The cybersecurity question is right in line with previously expressed concerns about the self-certification process for ELDs and the need for carriers to do their homework, said consultant Avery Vise.
Now doing research for FTR, at the time we spoke Vise was president of TransComply, which helps primarily small trucking operations with safety and compliance programs and with business best practices.
“Malicious hacks of ELDs to affect vehicle operations certainly seem feasible and could be disastrous, but they also seem very unlikely,” he said.
“We have previously advised carriers to seek clauses in their ELD vendor agreements to provide for carrier compensation in the event an ELD’s registration is revoked. Based on this credible evidence of a cybersecurity risk, carriers also should try to add language covering that potential as well. However, even if the carrier cannot secure such language, it is possible that general product liability law would allow it to recover damages in the event of a cybersecurity breach that a vendor could have reasonably anticipated and guarded against.”