.webp)
Connectivity Opens the Door to Cyberattacks
Increasing connectivity between operational and informational technology (OT and IT) to enable these enhancements has created more cybersecurity vulnerabilities, slowly leading to more regulation. Jennifer Tisdale, the CEO of cybersecurity research firm GRIMM Cyber, notes the risks faced by industrial vehicle fleet managers vary significantly depending on the vehicle's purpose, level of connectivity, type, and whether it is a software-driven or autonomous system.
In broad terms, industrial fleet managers might face a range of cyberattacks, including data theft, ransomware, Distributed Denial of Service (DDoS) attacks, and supply chain vulnerabilities. These threats can lead to operational disruptions that could cost hundreds of thousands of dollars, if not more, to recover from and secure, says Tisdale.
Beyond financial loss, the disruption of critical safety functions could result in serious physical harm or even fatalities, making cybersecurity an essential consideration in industrial environments.
Matthew Luallen, co-founder of CYBATI and then Dragos Security and a research scientist at the University of Illinois' Information Trust Institute, states that the more connectivity an industrial vehicle has, the more vulnerable it is to cyberattacks.
When more connectivity and more capabilities are added, additional gateways into the wireless control system of the vehicle are created. All of these overlapping layers of architecture have been built up over time, many of which are probably cyber vulnerable because that wasn't an initial consideration, he says.
Among the most vulnerable entry points are GPS and SCADA, a system of software and hardware used to monitor, control, and automate industrial processes in real-time, often across multiple locations.
Scott Shackelford, executive director of Indiana University Bloomington's Center for Applied Cybersecurity Research observes:
Satellite and communication systems are pretty vulnerable, and GPS is pretty dated as well. Many of those satellites were launched more than a decade ago. They weren't designed with cybersecurity in mind—that's a problem that could be exploited.
Luallen adds that these vehicles' commercial availability and associated hardware and open-source software (OSS) allow cyber attackers to identify and exploit vulnerabilities. The proliferation of generative AI tools only makes this exploitation faster and easier.
Identifying and Addressing Vulnerabilities in Industrial Vehicles
Tisdale says there is no one-size-fits-all approach to identifying cybersecurity vulnerabilities in industrial fleets. However, she adds that her team is often deployed to help customers identify cyber risks through
- regular assessments,
- security architecture reviews,
- penetration testing,
- vulnerability scanning,
- incident response planning, and
- tabletop exercises.
Shackelford believes fleet managers should work with manufacturers and vendors to identify vulnerabilities. Resources like Information Sharing and Analysis Centers (ISACs) help manufacturers and clients discuss cyber threat information and best practices.
After vulnerabilities have been identified, the first step is determining who will be responsible for overseeing cybersecurity. According to Luallen, it's also essential to understand the hardware and software systems operating within an industrial vehicle and how they interact. Resources like Common Weakness Enumerations (CWE) and Cyber-Informed Engineering (CIE) should be regularly consulted.
Cybersecurity Starts with Software
Indeed, software design, validation, verification, and maintenance are the cornerstones of cybersecurity in connected industrial vehicles. Mohammad Reza Mousavi, a professor of software engineering at King's College London, says
A major part of the contemporary innovations in vehicular technologies are improving mostly due to software-implemented features. Vehicles increasingly rely on over-the-air updates of their control software. Safety and security are becoming intertwined. If there is an issue with security at the connectivity level, that could have safety implications.
Therefore, industrial vehicle manufacturers must work with software developers and fleet managers to ensure that proper validation and verification processes are undertaken.
That could be at many different levels, says Mousavi. It could be at the requirements level, taking security early in the requirement elicitation process and then building safety into the system all the way.
Fleet managers also must have rigorous contractual security requirements and ask manufacturers and their software vendors for a software bill of materials when purchasing industrial vehicles. Mousavi explains that software is constantly evolving, so fleet managers, manufacturers, and software developers need to work together to identify the most critical areas where software and cybersecurity intersect and ensure that any patch or update does not have an unintended impact on that intersection.
This is especially important when considering the system's UI, where many vulnerabilities can be created by improper or uninformed use. The UI is not only at risk due to uneducated users but also serves as an easy entry point for malicious actions, such as exploiting entry fields to manipulate code.
These threats can be mitigated by writing secure code during development.
Very often, you do your best to build a secure system, but because the user doesn't know how to operate it, they may misuse the system in ways you haven't anticipated, Mousavi says
Moreover, manufacturers and fleet managers working with software providers can assist customers in improving cybersecurity by maintaining transparency regarding third-party software integrations. This openness enables more efficient risk assessment and the identification of dependencies, which are crucial when pursuing cybersecurity certifications.
Opting for extended long-term support enables fleet managers to benefit from the latest updates and critical security fixes without upgrading to a new software version. This saves the end user time and money compared to common alternatives such as using OSS or backporting security patches or other fixes.
Some see benefits in the availability of an OSS ecosystem in addition to the commercial offering, arguing that if a broader community has access to it, they can test for a wider range of security breaches. Mousavi agrees:
You will never gain security by obscurity. Open source is not necessarily a bad thing in terms of security. The main point is having a proper quality assurance process around open source. That is what you need.
Cybersecurity as a Business Basic
Companies need to start thinking about cybersecurity risks as they do about other business risks, argues Luallen.
Apply the same logic that you're using to manage financial risk down to how you're managing cyber risk
While there are examples of industrial vehicle fleet managers taking the proper steps to identify and address cybersecurity risks, experts are hesitant to provide specific examples. Until recently, many jurisdictions did not have legal reporting requirements regarding cybersecurity. However, this is beginning to change with the European Union’s Network and Information Security Directive 2 and the Strengthening American Cybersecurity Act of 2022 in the United States. Another is that a company may excel in one area but have more pronounced vulnerabilities in another.
We are seeing steps toward improvement for cybersecurity in many industries, including heavy vehicle and agriculture and for industrial vehicle cybersecurity for use cases such as autonomous industrial vehicle use cases on airport premises, Tisdale says. Cybersecurity is ongoing and must be prioritized and budgeted for appropriately and for the long-term.
