The trucking industry has always been a vital link to helping populations across the globe thrive, but the current COVID-19 pandemic has shown the world just how critical fleets and drivers are to our survival. Transporting essential goods to grocery stores, hospitals and medical facilities in particular, fleets are operating round the clock, with drivers on the front lines alongside healthcare professionals. Recognizing that protecting both cargo and driver are essential to the supply chain, fleet operators have never been more dependent on telematics. Providing invaluable insight into nearly every aspect of their fleets—from vehicle location to driver health—securing the lines of communication and data transfer has taken top priority.
Because telematics generates a vast amount of data, it is important to understand how the data is handled and protected. Expansive and multi-tiered, these systems are a combination of physical hardware and software that can be complemented by an ever-expanding list of third-party integration options such as Bluetooth beacons, temperature and tire pressure sensors, collision avoidance systems, in-vehicle cameras and verbal feedback to name a few. With so many components involved, protecting telematics data requires a comprehensive, proactive approach that is defined by strong policies and processes, as well as a company culture not only dedicated to following best practices but also ensuring security at every stage. Key considerations and questions include:
1). Security in Design and Manufacturing - Platform providers with full control of design, manufacturing, assembly and testing offer a competitive advantage in ensuring security has been prioritized from the start. Without the need to rely on any other party, they can quickly and efficiently respond to manufacturing defects or potential hardware vulnerabilities internally. The important question to ask: Who manufacturers the telematics hardware, and will the device be the same across my entire fleet?
2). Firmware Security - A telematics device will receive many updates to its firmware over the course of its life, with these updates introducing new features or resolving issues after it has been installed in a vehicle. Because the device automatically receives over-the-air (OTA) updates and performs them without disrupting the user, hackers have a potential opening enabling them to replace the firmware on a telematics device with malicious firmware of their own. To prevent an attack like this, the device can be secured by controlling firmware installation at the manufacturing stage and requiring digital signing to OTA updates that verify they have come from a trusted, authentic source. Without both steps, it is impossible to know if the device is under the control of a malicious party. The important question to ask: Is the firmware signed to prevent outside parties from changing the code on the device?
3). Secure Data Transfer - The telematics device sends and receives data to and from the storage and processing servers, over a cellular connection. Although varying by territory, provider and infrastructure, cellular communication is commonly done over 2G, 3G and 4/5G networks, which researchers report each have their own unique vulnerabilities to hackers. By using strong, end-to-end encryption, the security of data between a telematics device and the destination server is ensured. The important question to ask: Do you encrypt the data as it is sent over the cellular network?
4). Security in the Cloud - Telematics devices relay their data to storage and processing servers. While physical servers can be protected by restricting access to authorized personnel, and the data by securing the cloud environment through industry-standard firewalls, access control and activity monitoring, even the most secure systems are not perfect. In the event of a security breach, it is critical to have effective incident response and business continuity plans. Responding effectively and efficiently to a breach event helps reduce data manipulation or theft and increase recovery times and will ensure valuable customer information or internal information is kept safe and secure. The important question to ask: In the event that your servers are compromised, what sort of response and mitigation strategies do you use to protect the data?
5). Corporate Culture of Security - An organization that is serious about security will protect against security issues by continuously monitoring and regularly updating their systems, training employees, refining processes and proactively searching for and identifying potential vulnerabilities. At the very core of the telematics system is a team of engineers and technical staff that keep everything running smoothly. It is essential that an organization maintain vigilance at all levels, especially at an employee level. This can be accomplished by controlling and monitoring access privileges, creating and monitoring log records of important operations and making sure all employees are aware of the risks related to their actions. A strong culture of security should instill confidence in employees and their ability to respond to security threats without creating anxiety about attacks that may or may not come. The important question to ask: Do you have security documentation that covers your hardware, your servers, the transmission of data, as well as policies for employees?
Building Security Confidence
A great way of building security confidence and safely exposing a telematics system to threats is by performing penetration tests, which are sanctioned hacking attempts performed either in house or by a company specializing in computer security. In a penetration test, attempts are made to find vulnerabilities in hardware and software. The attack methodology will then be documented, with a detailed report that provides the following actionable steps and recommendations to bolster security:
- Implement secure data transfer
- Digitally sign updates
- Enable hardware code protection
- Assume your code is public so you do not rely on secrets
- Use cryptographically strong hashing algorithms that cannot be reverse engineered
- Individualize security critical data
- Use different keys for different roles
- Monitor metadata to detect hacks
- Do not forget to disable debug features
- Perform third-party auditing
- Limit server access
- Apply secure design practices
- Implement support for software/firmware updates
- Verify and test
- Develop a security culture
Finally, and perhaps most important, while driving a truck can be stressful in the best of times, drivers have reported an increasing sense of isolation on the road as the coronavirus unfolds. Subject to long hours, closures on their routes (rest stops, restaurants and more) and strict health and safety regulations, they need support more than ever. In addition to a brief video check-in from operations and fleet administrators, knowing emergency services can be reached in real time goes a long way when the miles between destination and home seem endless. Secure telematics platforms not only keep the lines of communication open for drivers but also the data that keeps them moving forward.
About the Author:
Alan Cawse is the Chief Security Officer and Executive Vice President of Technical Services at Geotab. A member of the team since its inception, Alan has over 28 years of information technology experience. With a strong passion for information technology and software development, Alan oversees Geotab’s Security programs; technical support and its team of engineers; IT operations, including all internal, networks, servers, hosting services and security for Geotab; and all ERP and reseller portal systems.
