FBI bulletin says ELDs did ‘little to nothing’ to follow cybersecurity guidelines
July 23, 2020
Industry and academic research into a selection of self-certified electronic logging devices found those in the sample did little to nothing to follow cybersecurity best practices and were vulnerable to compromise.
That’s the takeaway from a cybersecurity bulletin issued by the FBI’s Cyber Division earlier this week. The sample included ELDs that could be purchased off the shelf at superstores and ELDs supplied by well-known companies.
The agency warns that cyber criminals could exploit vulnerabilities in ELDs, which became required equipment in most commercial trucking operations in December 2017. Last December was the deadline for companies using an AOBRD to switch to e-logs.
“Although the mandate seeks to provide safety and efficiency benefits, it does not contain cybersecurity requirements for manufacturers or suppliers of ELDs, and there is no requirement for third-party validation or testing prior to the ELD self-certification process,” the bulletin states. “This poses a risk to businesses because ELDs create a bridge between previously unconnected systems critical to trucking operations.”
The FBI bulletin notes that the ELD mandate contains no cybersecurity or quality assurance requirements for suppliers of ELDs.
“As a result, no third-party validation or testing is required before vendors can self-certify their ELDs,” the bulletin states.
The agency recommends businesses conduct their own due diligence when choosing an ELD to mitigate their cyber risk and potential costs in the event of a cyber incident. The bulletin notes that the Federal Motor Carrier Safety Administration issued a best practices document in May with questions for carriers to ask when choosing a device.
Doug Morris, security operations director for the Owner-Operator Independent Drivers Association, echoes that advice.
“The advice I would give (drivers) is, hey, get the best one you can, and you’ll have to live with it until DOT comes forward and takes a role in this …Truckers have to buy these things knowing there was no third-party certification, and it’s really made the country vulnerable. It really has,” Morris said on Land Line Now.
OOIDA led the fight against an ELD mandate, arguing that the devices do not improve highway safety. Preliminary numbers released last summer by the National Highway Traffic Safety Administration show that truck-involved fatality crashes actually increased by 3% during the first full year the mandate was implemented.
Listen to OOIDA’s Doug Morris talk about the FBI bulletin on electronic logging device cybersecurity
IV. ELDs a hacking risk, FBI says
Even though ELDs are only intended to log data from the engine, researchers “demonstrated the potential for malicious activity to remotely compromise the ELDs and send instructions to vehicle components to cause the vehicle to behave in unexpected and unwanted ways.”
Because the devices are connected to a truck’s electronic control module, they can be used to pass commands to the vehicle network.
The agency also warns that “ELDs with more advanced telematics functions and a connection to functions such as shipment tracking or dispatching can allow a cyber actor who gains access to an insecure ELD to move laterally into the larger company business network.”
“Cyber criminals interested in stealing data such as personal information, business and financial records, location history and vehicle tracking, or other proprietary data, such as lists of customers and cargo, can use vulnerabilities in ELDs as a way in to access trucking companies’ enterprise networks and databases,” the bulletin states. “With that access, financially motivated cyber criminals would also be positioned to install malware such as ransomware, preventing the ELD, the vehicle, or connected telematics services such as dispatching or shipment tracking from operating until the ransom is paid.”
The FBI wants carriers to report information concerning suspicious or criminal activity to a local FBI field office or the FBI’s 24/7 Cyber Watch. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.
Read the full bulletin here.