FBI Warns Cyber Criminals Could “Exploit Vulnerabilities” of Electronic Logging Devices
Washington D.C. – The Federal Bureau of Investigation (FBI) is warning trucking industry stakeholders and America’s 3.5 million professional truckers that electronic logging devices (ELDs) could be comprised by cyber criminals.
In a Private Industry Notification (PIN), the Bureau says, “Cyber criminals could exploit vulnerabilities in ELDs.”
The PIN addresses the ELD mandate by pointing out what many critics of the mandate have been arguing for years.
“Although the mandate seeks to provide safety and efficiency benefits, it does not contain cybersecurity requirements for manufacturers or suppliers of ELDs, and there is no requirement for third-party validation or testing prior to the ELD self-certification process,” the PIN states. “This poses a risk to businesses because ELDs create a bridge between previously unconnected systems critical to trucking operations.”
The FBI warns, “ELDs with more advanced telematics functions and a connection to functions such as shipment tracking or dispatching can allow a cyber actor who gains access to an insecure ELD to move laterally into the larger company business network.”
This can lead to the theft of personal information, business and financial records, location history and vehicle tracking, or other proprietary data such as lists of customers and cargo, the PIN states.
But it gets worse.
The FBI says once a cyber criminal gains access, he can install malware, such as ransomware, to prevent the ELD, the vehicle, or connected telematics services (such as dispatching or shipment tracking) from operating until the ransom is paid.
“Potential indicators for this kind of malicious activity include unusual traffic or unusual file sharing on the network, which could best be detected by establishing a network baseline and monitoring network loads and traffic, as well as restricting user and device access privileges to only what is needed for their job,” the FBI says.
The PIN recommends companies choosing an ELD mitigate their cyber risk by following best practices tailored to ELDs which includes asking the ELD’s supplier specific questions, such as:
1) Is the communication between the engine and the ELD enforced?
2) Were technical standards or best practices followed in the device’s development?
3) Does the component protect confidentiality and integrity of communications?
4) Has the component had penetration tests performed on it?
5) Does the device have secure boot?
Further, the FBI states, “Insecure devices, even if not specifically targeted by cyber criminals, can experience issues in stability or performance resulting from interference or opportunistic infection.”
Critics such as the Owner Operator Independent Driver’s Association (OOIDA) and the Small Business in Transportation Coalition (SBTC) voiced many of these concerns in the debate leading up to the adoption of the ELD mandate, but those concerns were largely dismissed.
Since then, U.S. lawmakers and the Department of Transportation have yet to offer a comprehensive strategy to repel such potentially dangerous and destructive attacks.
The companies blamed the widespread outages on “rebooting” and “software service failures,” but many truckers expressed concerns about their safety and protection of private data at the time.
It’s clear the FBI is also concerned about the growing dangers as well.