By Mark Boada, Executive Editor
Most fleets are unaware that they might be defenseless against a cyber-attack that could disable all of their vehicles, according to a long-time veteran of the cybersecurity industry.
In an extensive interview with Fleet Management Weekly, Dan Sahar, vice president of product at Upstream Security, a cloud-based automotive cybersecurity company, said that the adoption of telematics and the proliferation of other digital connections have created a growing number of “connected” vehicles that are vulnerable to long- and short-range hacks by criminals, hacks that could disable every vehicle a fleet operates.
“Fifteen years ago, vehicles weren’t connected, and maybe the worst case was somebody left the car unlocked and it was stolen,” he said. “Today, vehicles are connected, which helps to manage fleets more efficiently, but it comes at a price. The second you introduce that technology, you unknowingly create the ability for hackers to disrupt your fleet if they choose to do so. Nobody knows whether they’ll choose to do so, but they might.”
Sahar foresees a scenario where, through a single hack, every driver of a particular manufacturer’s vehicle model or of any fleet vehicle could be unable to unlock it or start the engine. It would be a major catastrophe, he noted, especially for a sales or a delivery fleet.
“Think of a FedEx or UPS or Amazon on Christmas Eve, not being able to make deliveries. It would be extremely damaging to them as well as to the entire country. It’s not a wild dream. It’s totally within the realm of possibility if that fleet is connected.”
Complacency predominates
For the most part, he said, fleet managers are unaware of the danger or lack a sense of urgency because the industry hasn’t yet had its “Equifax moment,” a reference to the theft of the personal data of 147.7 million consumers from the credit rating company’s computers. “Many fleets are aware of the danger, but they think it’s still theoretical,” said Sahar.
But in a report it issued earlier this year, Upstream said the number of automotive hacks doubled last year, more than half of which were malicious (as opposed to events conducted by researchers). One malicious attack involved a hacker who broke into thousands of accounts belonging to users of two GPS tracker apps, giving him the ability to monitor the locations of tens of thousands of vehicles and even turn off the engines for some of them while they were in motion.
Fleets the “soft underbelly” of business
While large companies in many industries have become adept at protecting their core business operations against hackers, Sahar said that fleet operations are companies’ “soft underbelly,” which in many cases has not been given the same level of attention from enterprise computer security teams. He said it’s not unusual for his company to talk with connected fleets that fail to take even the most fundamental security measures, like encrypting the data that flows from their vehicles through devices called “dongles” that plug into an onboard diagnostic port.
“When you talk to some fleets and ask them what cybersecurity they have, they said their dongles are read-only, which means illegitimate commands cannot enter the vehicle’s computer system. What they don’t know is when the software in the dongles is hacked to read-write, it’s no longer secure.”
Upstream’s report counts 12 different automotive systems that can become doorways to hackers. Keyless entry and key fob systems account for the largest single avenue, at some 30 percent of all successful recorded attacks since 2010. The others include company servers, mobile applications, onboard diagnostic ports, infotainment systems, sensors, Wi-Fi, electronic control units, Bluetooth, cellular networks, OBD dongles and in-vehicle networks.
Looking for data anomalies
Upstream’s approach to vehicle security is based on an understanding of the pattern of normal data flows between a manufacturer’s vehicle models or a fleet of vehicles and a back-end computer system. After Upstream’s computers determine what’s normal, they monitor all subsequent data flows for patterns that lie outside the norm. Sahar said these can be as simple as vehicles being started outside normal business hours, or commands that originate outside a company’s established network.
When such anomalies are detected, the fleet receives an alert that triggers one or more remediation responses contained in a “playbook.” In addition to analyzing the data, Sahar said Upstream can help fleets create and maintain those playbooks.
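To make the idea concrete, here is an added sketch (not Upstream's software and not part of the interview) that learns a baseline from past events and then flags the two anomalies Sahar mentions, attaching a playbook step to each alert. The event format, vehicle IDs, IP addresses, thresholds and playbook entries are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical playbook: anomaly type -> remediation step (assumed, not Upstream's).
PLAYBOOK = {
    "off_hours_start": "notify fleet manager; confirm with assigned driver",
    "unknown_command_source": "reject command; revoke session; open incident",
}

# Constructed events: (ISO timestamp, vehicle, event type, command source IP or None)
HISTORY = [(f"2024-03-0{d}T0{h}:05:00", f"VAN-{h}", "engine_start", None)
           for d in (1, 2) for h in (7, 8, 9)]
HISTORY += [(f"2024-03-0{d}T10:00:00", "VAN-7", "remote_unlock", f"10.20.4.{d}")
            for d in (1, 2)]
NEW_EVENTS = [
    ("2024-03-04T08:15:00", "VAN-8", "engine_start", None),
    ("2024-03-04T02:47:00", "VAN-9", "engine_start", None),
    ("2024-03-04T09:30:00", "VAN-7", "remote_unlock", "10.20.4.77"),
    ("2024-03-04T09:31:00", "VAN-7", "engine_disable", "203.0.113.50"),
]

def learn_baseline(history, min_count=2):
    """Learn which start hours and command source /24 networks are normal."""
    hours, nets = Counter(), Counter()
    for ts, _vehicle, kind, src in history:
        if kind == "engine_start":
            hours[datetime.fromisoformat(ts).hour] += 1
        if src:  # IPv4 assumed; sources are grouped by /24 network
            nets[ip_network(f"{src}/24", strict=False)] += 1
    return ({h for h, n in hours.items() if n >= min_count},
            {net for net, n in nets.items() if n >= min_count})

def detect(events, normal_hours, normal_nets):
    """Return (vehicle, anomaly, playbook action) for events outside the baseline."""
    alerts = []
    for ts, vehicle, kind, src in events:
        anomalies = []
        if kind == "engine_start" and datetime.fromisoformat(ts).hour not in normal_hours:
            anomalies.append("off_hours_start")
        if src and not any(ip_address(src) in net for net in normal_nets):
            anomalies.append("unknown_command_source")
        alerts += [(vehicle, a, PLAYBOOK[a]) for a in anomalies]
    return alerts

if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, *learn_baseline(HISTORY)):
        print(alert)
```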
Upstream offers its software solution to auto manufacturers, telematics companies, mobile security system providers and directly to fleets. Sahar said the 2 million vehicles enrolled with the company are largely split between customers in the United States and Europe. Its direct customers include oil and gas companies, service fleets, car-sharing and car rental companies, and the manufacturers of commercial and consumer vehicles.
Upstream is privately held, Sahar said, but recently took on as partners Volvo, Renault-Nissan, Mitsubishi, Hyundai and Nationwide Insurance.
What fleet managers should do
Sahar said that while fleet managers aren’t experts in cybersecurity, they need to find out from others how well they’re protected against remote hackers. Experts they should turn to include their own company’s computer security team, if it has one, its wireless technology providers, or specialized automotive cybersecurity consultants.
Questions he said they should ask include:
• What security software is embedded in my vehicle’s dongles?
• Is my data encrypted and, if so, how?
• Show how my data is passed from vehicles to the fleet management platform.
• If the data is stored in a cloud, what does the cloud infrastructure look like?
• How are you making sure my data is private?
• What are you doing for access control?
Sahar said that while some telematics companies do a good job protecting against hackers, not all do. “Let’s say a major delivery fleet that relies on a telematics provider suffers a disabling hack. It can blame the telematics provider, but ultimately the problem is more theirs than the telematics provider’s.”