The first connected vehicles started appearing in the mid-90s, alongside the development of the first commercial cellular networks. To begin with, they had very basic functions, such as direct voice connection with emergency services. Later on, one of their key functions was added: GPS tracking in order to share the exact location of the vehicle.
Nowadays, they are more widespread than ever. Statista estimates that by the year 2020, there will be 83 million connected vehicles in existence. Although more and more private vehicles have some kind of online technology, it is businesses and their fleets that most benefit from these technologies, thanks to the telematic data provided by OBD (on-board diagnostics) ports in vehicles.
Attack vectors: from OBD ports to management platforms.
OBD ports were originally designed to monitor emissions, but nowadays they provide all sorts of data, from the vehicle’s location and driving parameters (speed, acceleration, etc.), to weight and type of freight, and the state of the vehicle’s mechanical components. Using cellular networks and a SIM card, this data is generally sent to a centralized platform that the company’s fleet manager operates using some type of interface. This way, the manager controls the real time position of their vehicles, their status, as well as the status of the freight and their routes. This means it is possible to optimize routes in order to save time and fuel, as well as making decision that can improve the operation of the fleet.
However, these ports, telecommunications, and centralized platforms pose several important questions in terms of the security of these fleets. Who needs to have access to this data? What about to the devices? Are the communications safe? What about the platform? If the vehicles are transporting valuable goods, finding out the location and route of each vehicle, as well as what it is carrying, is a desirable goal for potential thieves. For example, if the thieves managed to gain access to data belonging to a cash-in-transit company, they could find out the exact time that the van was going to deliver the cash to the bank, and find out the most vulnerable points of the route, in order to rob the vehicle.
In any case, it isn’t necessary to picture movie scenes of spectacular heists on armored cars in order for cybercrime to endanger a company with a fleet of vehicles. In Texas, a former employee at a car dealership sought vengeance against the company, and managed to disable 100 clients’ cars simultaneously, using the fact that the vehicles were connected to a central control system that allowed them to be blocked in the event of nonpayment. What’s more, malicious software affecting the platform could in itself seriously endanger the company’s operations with its fleet of vehicles: it could result in delays or mistakes in the vehicles’ routes, generating economic losses or even put the drivers’ safety at risk.
Measures to protect your fleet of vehicles
So, how can we protect our fleets of vehicles from cybercrime? NAFA, the Fleet Management Association, has several recommendations, which we have summarized here:
- Securing access to vehicle ports: This is the main way into each vehicle’s data, and so access to it should be restricted to trusted professionals and a guaranteed telematics provider.
- Encryption on telecommunications: the telematics solution provider mustn’t leave data security exclusively in the hands of the telecommunications operator, and should guarantee that all data that is sent has point to point encryption.
Protecting platforms: The software of fleet management platforms must be up to date and protected against all kinds of external malicious attacks that can put the fleet of vehicles’ data at risk, using effective cybersecurity solutions and measures.
Of the four recommendations, the most critical is probably protecting the platform, since the whole fleet of vehicles depends on it, as do their information, routes, and freight. In this context, companies must seek advanced cybersecurity solutions that have the full capacity to prevent, detect, and respond to any kind of risk, and that acts quickly to mitigate the damage in case of problems.
I totally agree when you said that the access to the vehicle ports and etc. should be exclusively done by professionals and certain telematics providers only. I will share this tip with a friend of mine since I heard that he will be getting this type of technology once they have established their courier business. From what I know, it will be open next year, and they are already checking out trucks that they will buy this week.