TRUCKING in a Cyber World
Could Hackers Target Trucks?
The Cyber Threat
It’s a day like any other for a logistics manager until his phone rings and he hears this from his driver:
“My engine just shut down — no warnings, no indicator lights — it just quit. Traffic was too heavy for me to pull over, so I’m sitting here blocking rush-hour traffic in the center lane of the Cross-Bronx Expressway,” he says. “It’s a nightmare.”
As if that isn’t bad enough, the subsequent text message is worse:
“Send 25,000 in Bitcoin if you want your truck back.”
If you think it couldn’t happen, guess again.
Researchers and industry insiders have known about such vulnerabilities for years, and have been testing systems for weaknesses. What began as a class project at the University of Michigan Transportation Research Institute (UMTRI) in Spring 2016 made it to the pages of WIRED magazine as a follow-up to the widely reported controlled hacking of a Jeep Cherokee as it traveled public highways in St. Louis. The UMTRI exercise was conducted on a closed test track, with the hacker sitting in the sleeper with a laptop connected to the on-board diagnostics of a 2006 Class 8 tractor.
Also in 2016, the University of Tulsa in Oklahoma began research on a ‘truck-in-a-box.’ It was a typical Class 8 — electronically speaking (wiring and electronics without the truck). While the “Truck Duck” was originally designed to monitor operations, “I realized if I can monitor it, I can probably alter what it’s doing,” reported James Johnson, of the Tandy School of Computer Science. “I wrote a very basic piece of malware that changes what the software does without anyone being able to tell.”
For the past six years, the Battelle Memorial Institute and a working group within the SAE have partnered to host an automotive cyber challenge in Detroit, where OEMs can bring their vehicles and a team of students try to hack into the systems.
These and other exercises have all concluded that the vulnerability is real and poses a threat to operations and more.
“It’s no longer a question of if, but when,” stresses Mark Zachos, chair of the TMC S.5 Task Force on Cybersecurity and chair of the SAE J1939 Network Security Task Force. He is also founder and president of DG Technologies and CEO of Dearborn Group Inc. “The OEMs who bring their vehicles to the Battelle challenge certainly do get hacked,” Zachos says. “Those OEMs get a lot of good information from the session, but all of the information gleaned from the attempted hackings stays in the room. They publish nothing; there are no press releases. In fact, everybody involved has to turn in their notebooks at the end and the notebooks are destroyed. It’s designed as a learning experience only.”
Hacking is a real possibility if truck manufacturers, regulators and fleets don’t take steps to protect certain vulnerabilities in the basic electronic architecture of nearly every truck built in the past 25 years.
The Infamous J1939 Data Bus
Playing a significant role in the potential threat is the J1939 Data Bus. As the SAE defines it, “J1939 is a common communication architecture that offers an open interconnect system allowing ECUs associated with different component manufacturers to communicate with each other.” Communications is a good thing, right? Yes and no. While J1939’s open design provides considerable efficiency to the industry, it also leaves it vulnerable.
“We worked, as an industry, to develop the open architecture of J1939 so that we could have this great flexibility, as fleets and as OEMs, to work collaboratively,” says Gary Hunt, vice president of equipment and maintenance at ABF Freight System. Hunt is part of a new task force put together by the American Trucking Associations’ Technology & Maintenance Council to address cybersecurity issues.
The open architecture of J1939 is one of the challenges but, in fact, there are vulnerabilities all the way up and down the truck manufacturing chain.
Manufacturers “buy major systems and components from a lot of large suppliers who, in turn, buy from other suppliers,” said Keith Doorenbos, a system engineer with Paccar, speaking at the inaugural session of the S.5 Cyber Security Taskforce in Nashville earlier this year. “And when we complete our part of a truck, we hand it off to bodybuilders, to telematics providers and to the fleets. Even drivers install or connect their own electronics to the trucks. So every piece that gets connected provides another path into the system and another risk to the system.” Theoretical models suggest even diagnostic tools could be used to spread a virus-like attack from one truck to the next, but so far, Doorenbos says that’s entirely theoretical. “I don’t believe it’s even been demonstrated by any of our white hats [good-guy hackers], but there’s a lot of exposures in different elements. Basically everything that’s ‘smart’ out there creates another opening,” he warns.
To date, all of the projects mentioned have been demonstrations, and they were accomplished with hard-wired connections to trucks. But no one can guarantee that today’s ‘connected truck’ is safe from deliberate intervention. As Doorenbos noted, there are plenty of opportunities for the determined hacker to access the system.
Who Would Want to Hack a Truck?
If you’ve ever been stopped in traffic with a tractor trailer closing in on your rearview mirror, you recognize the potential danger of an 80,000 lb big rig with an untimely mechanical failure. Consider what an effective weapon it would be under the control of a terrorist or worse, a well-funded, sophisticated terrorist state.
But terrorists, in the context we imagine, aren’t the only potential threats. Hackers come in all types:
· cyber guys who want to prove they’re smarter than everyone else
· “tuners” who find ways to modify vehicles for more power or bypass certain legal requirements
· social or political activists with specific agendas
· competing OEMs
· and yes, cargo thieves — from petty theft to organized crime
It’s not hard to imagine what criminals could do. The big challenge is imagining how to prevent any or all of the variety of scenarios. Encrypting data and software to prevent easy access by outsiders is a key tactic being deployed to counter cyber threats.
Ongoing Prevention
Cybersecurity is a concern for nearly everyone in the industry, from OEMs and their suppliers, to fleets, maintenance people and even drivers. There’s a tremendous ongoing effort behind the scenes to get a better handle on the scale of the problem, and solutions are emerging to help slow the ‘black hats’ down — even if they can’t be shut out completely.
Encryption
Encrypting data and software so that it can’t be easily reverse-engineered or accessed by outsiders is common now. Telematics providers are leading the way on some of these mitigation and prevention efforts. PeopleNet, for example, says it has implemented multiple layers of security so that there are no openings for a hacker to exploit. “We ensure this through encryption and data obfuscation,” says Chris Sandberg, vice president of information technology at PeopleNet. “Encryption and obfuscation ensure data is transmitted in a binary format and sent separately from the encryption keys, so there is no way to decipher what the data shows even if it isn’t encrypted. Essentially, this means that we created our own language — and there is no ‘Rosetta Stone’ for hackers to be able to crack the code.”
Partitioning Electronic Architectures
Another strategy is partitioning the electronic architectures on trucks; rather than a single-vehicle network on J1939, there are a number of sub-networks separating the most critical systems from less critical systems. Engineers are also inserting firewalls or gateways between those different networks so they can control the data and the commands moving from one network to another. “Even if somebody can compromise your telematics system, that does not automatically give them the ability to send commands directly to an engine or a brake,” Doorenbos explains.
The Outliers
The strategies mentioned are all modern solutions for modern trucks. What about the 80% of vehicles put into service since model year 2000 that are still registered? That’s a lot of reverse-engineering, partitioning and encrypting!
Another critical component in the cybersecurity fight is technician training. Mechanics and technicians who maintain trucks need to be able to recognize a possible threat. “We have enough occasional hiccups with either the diagnostic software or the data connection that a legitimate threat could easily be mistaken for just another computer issue,” notes Zachos. “The discussion could start with outlining a basic process that could link into an existing vehicle troubleshooting process,” he says.
Cybersecurity as it relates to trucks and freight transportation is a fairly new concern, but in addition to the universities already actively engaged in research on the subject, it has the attention of multiple government agencies as well as leading automotive industry organizations. Auto ISAC is an industry-operated entity created to enhance cybersecurity awareness and collaboration across the global automotive industry. Participants include light-, medium- and heavy-duty vehicle manufacturers and their suppliers.
Watch for cyber updates!
Alkane thanks Jim Park, writing for TruckingInfo.com for the content of this article.
Alkane Truck Company is currently raising capital on the crowdfunding platform StartEngine. Find out more here: https://www.startengine.com/startup/alkane
