It’s Friday afternoon and you’re on a tight schedule to make a delivery in 20 minutes. Traffic is heavy. All of a sudden your rig just shuts down. You’re sitting dead in the center lane of an expressway, blocking traffic. There was no warning, no red or yellow lights. Your truck just quit. You’re wondering what to do next when all of a sudden your cell phone chirps with a text message “Send 25,000 in Bitcoin and you can have your truck back.”
Think this is a joke? Not at all. This has already happened – in a lab anyway. But it’s likely to happen for real at anytime if truck manufacturers, regulators, owner-operators and fleets don’t take precautions to protect against vulnerabilities in the basic electronic architecture of nearly every rig built in the last 25 years.
How Real is the Threat?
According to the Society of Automotive Engineers, a large part of the potential threat comes from an internal part built into almost every big rig on the road today. The part, J1939, is an open interconnected system built into the internal architecture of the truck that allows the electronic computer unit (ECU) to communicate with other units that have the same architecture. The open design of J1939 enables flexibility and efficiency within the industry, but at the same time makes the truck vulnerable to cyber attacks.
The open structure of J1939 is only one of the cyber security liabilities within the industry. There are vulnerabilities at each step of the truck manufacturing chain. Truck manufacturers, major part suppliers, body builders, telematics providers, and even drivers who install their own electronic devices all introduce susceptibilities for cyber attacks. Even diagnostic tools could theoretically be used to transfer a virus-like attack from truck to truck. Every “smart” device connected to your tractor could expose you to cyber hackers.
Cyber Vulnerability Research and Testing
Researchers and industry insiders have known about the threat and have been working to develop systems that prevent cyber attacks.
· Students enrolled in the University of Michigan Transportation Research Institute were able to control a vehicle using the on-board diagnostics port of a 2006 Class 8 tractor
· Students at the University of Tulsa Oklahoma were able to write a very basic piece of malware that changes the software of the electronics of a typical Class 8 truck.
· The Battelle Memorial Institute, in conjunction with a working group within the SAE, have demonstrated how vulnerable vehicles are to hackers to original equipment manufacturers (OEMs) who bring their parts in for testing. The OEMs have been surprised at how easily the students are able to hack in.
These testers, and other researchers, have determined that the weakness is real. They have concluded that it’s not “if”, but “when” vehicles will be attacked.
Why Would Someone Want to Attack a Commercial Truck?
How would it benefit someone to attack a big rig? Why would someone bother? Here are some reasons it might be worth it for someone to hack into a commercial truck.
· A commercial truck could be a powerful weapon in the hands of a terrorist or political fanatic.
· Some people (truckers even) might be trying to “tune up” their vehicle to get better gas mileage, increase power or try to bypass emission systems
· Some people might think it’s funny to prank hack a vehicle
· An individual or group of hackers might try to prove that they can hack in to the system
· Some hactivists have a specific agenda
· Large organizations like “nation states” are willing to mount large-scale, sophisticated attacks in order to support political goals
· Cargo thieves might find new techniques that might make it easier or more efficient to steal on-board cargo
It’s hard to imagine all of the scenarios that could happen.
What might happen if a political-motivated group were able to shut down all big rigs within a 200 mile radius? They could attack within that area and all of the inoperable rigs might make it impossible for emergency vehicles to get through. Or imagine the outcome if hackers were able to control trucks loaded with hazardous and explosive materials? Or what if the hackers were successful with a denial-of-service attack?
The industry as a whole recognizes the threat. There are cyber security efforts happening as well as task forces and committees working to mitigate the threat. Some of the promising efforts include:
· encryption of software and data
· data obfuscation
· partitioning the electronic architecture on trucks, creating sub-networks
· creating firewalls or gateways to separate the most critical systems from the less critical ones
One of the biggest challenges is the implementation of prevention applications due to the sheer number of trucks that are at risk. The National Motor Freight Traffic Association conducted a survey and found that 4 out of every 5 trucks built in the last 15 years are still registered, making it almost an impossible task to reverse-engineer, partition, encrypt and protect every commercial truck still in use.
Concerned about the risks for your commercial vehicle? Want to save money on quality insurance, both personal and commercial? AAOO can help with coverage for your big rig truck, trailer, home, auto, boat, RV, and more as well as emerging risks for your vehicle. Contact us today to learn more.