By Robert Martinez, Deputy Commissioner, New York City Police Department
If you are one of those people who, to protect yourself against hackers and cyber thieves, removes your hard drive and smashes it with a hammer when discarding your old computer, you will want to read this. Today, every public leader must contend with the critical role technology plays in the structure and operation of government and the need to maintain the highest levels of cybersecurity.
This is especially true for government fleets and fleet vehicle connections to government data banks and computer networks. Vehicles today have more memory and computer capability than an F-14 fighter jet. All this memory and even a driver’s control of a vehicle can be just one hacker away from a big problem for fleet managers, both government and private alike.
Self-driving vehicles are around the corner, connected vehicles are already here, and vehicles are accumulating and saving more and more data every year. So, what should fleet managers be doing to protect their jobs and their fleet as cybersecurity becomes a bigger and bigger concern? The first step is to educate yourself and your agency about vulnerable data that may be stored in your vehicles and about the entry points of data in and out of your vehicles and networks.
One data doorway is a fleet’s refueling operation, whether in-house or retail. To function, either system must, at minimum, store personnel and vehicle data in order to confirm that the driver is authorized for a transaction. Depending on the system, access could either be wireless or hard-wired, but both are vulnerable to a hacker. Other systems and networks that could be of interest to hackers are telematics, automated vehicle locators, Bluetooth and Wi-Fi connections, wireless diagnostic connections, and more.
All vehicles today save some type of data. Even vehicles with airbags save crash data in an event data recorder. Additional data that may be stored in fleet vehicles are a driver’s phone book, music, GPS traveled locations, and even text messages. Original equipment manufacturers have become aware of the concern and are building in delete data buttons for phones books, music and GPS locations on some vehicles.
With government fleet vehicles, in most cases the vehicle is driven by more than one driver. In shared fleets like these, drivers may not realize that their phone book or text messages are being saved when they connect their cell phone to the vehicle they’re operating. The same thing holds true when you rent a vehicle and connect your phone.
Many government fleets have vehicles equipped with General Motor’s OnStar system, which has both benefits and vulnerabilities. On the positive side, law enforcement uses it every day to gain control of vehicles to slow them down and stop them safely when an operator refuses to stop. Another great use for law enforcement is locating a vehicle that is lost or stolen. But even with systems like OnStar, there is opportunity for hackers to wreak havoc. For example, their voice communications function can be hacked, and no mayor or governor would want someone listening in on government secrets.
Keyless vehicles have helped streamline daily fleet operations, but the feature has also made it very easy for tech-savvy thieves to steal a vehicle. By far, in my opinion, one of the best connected-vehicle features is the automated 911 vehicle call. This feature dials 911 when your airbag deploys, gives your location to first responders and will try to communicate to the operator until help arrives — but it, too, is vulnerable.
The National Highway Traffic Safety Administration has stated that it is focused on strong cybersecurity to ensure that vehicle systems that depend on electronics, sensors, and computers work as intended and are designed to mitigate risks. The agency has adopted a multi-faceted research approach that leverages the National Institute of Standards and Technology Cybersecurity Framework and encourages industry to adopt practices that improve the cybersecurity posture of their vehicles in the United States.
That autonomous vehicles are already hackable was revealed to the world in 2015 when two digital security researchers remotely hacked a Jeep Cherokee travelling at 70 mph on a Missouri highway. In their test, they gained control of the vehicle’s radio, air conditioner, wipers and windshield cleaner system, which led to Jeep recalling 1.4 million vehicles.
Coming soon is V2V technology that connects the data systems of one vehicle to another. This has the potential to achieve a dramatic reduction in accidents around the world. But it also represents another wireless stream of data cyber criminals will no doubt target.
We are currently in the early part of the learning curve of all this new fast-moving technology, but we must learn from the hackers and minimize risk. With cyber attacks on the rise, you have to worry about both internal and external threats, as well as all the unexpected interruptions that put your fleet, your employees, and your operation at risk every day. If you don’t know your vulnerabilities, your fleet’s security can be compromised and your reputation may be on the line.
