What is up ladies and gentlemen, we are back for the Freight Coach podcast. We're doing some prerecorded episodes here. I'm out here in Cleveland, Ohio at the NMFTA Cybersecurity Conference. It's their annual thing every. This is the third one here. It's in the month of October and we're really just here to talk about what is going on in the cyber world. I mean so many of us as you know, as much of a digital world as we live in right now, it's kind of hitting at every single corner and it's in most simplest terms kind of how you can protect yourself out there and everything. So I have a repeat guest here. I got Steve with Johansson on the show to talk about this. So Steve, thanks so much for taking the time to join me again.
Thanks Chris. It's good to be here man.
So what's been going on? You were on. We met last year at this time as well. What's been going on in your guys world out there? How are you? Like is there any new themes or anything that people should be on the lookout for?
Yeah, well there's the same old themes, but a lot of those, like ransomware, phishing, a lot of that stuff is actually getting more serious, becoming more targeted. A lot of these companies or a lot of these bad guys so to speak that are doing this are actually becoming full fledged companies. There's actually ransomware brokerages that are out there. A lot of times they will go in and do the initial work, break into different systems and then they'll sell it out on the, on the dark web basically. And someone can come in and say, oh yeah, I've always wanted to get in there and get some espionage or blackmail that company. I already got the key in, so I'll buy the key and get in there and take over from there.
And then a lot of it's some other things that's going on is with AI. So a lot of these, you know, you may have noticed that a lot of the phishing emails they originally when they came out they were very obvious, you know, misspelling, bad grammar, misspelling, it's you know, XY59333mail.com or something, you know, things like that. But now they're very elegant that it sounds professional. And so a lot of the things that we're doing is we're constantly educating our users and employees where we're giving them examples. When everyone comes in, we'll take a screenshot of it, say hey, here's an example. Note this and this. And if you're not expecting a DocuSign email or something like that, don't click or call and verify. If it's someone that I think this is coming from Bob, but I'm not expecting anything. We'll call Bob.
Yeah, I think that a lot of what I'm seeing out there because I was just at a conference a couple weeks ago and the he was a cyber consultant I believe is what he does now. But like he was in charge of Target or he was like a high ranking guy at Target when they got breached. A few, like I think it might have been like 10 years ago now I don't remember the exact time frame but you know he was up there talking with all of the companies out there and like with the advancements that are going on. And you brought up the multi authentication and stuff like that. And he was bringing up a situation recently. He didn't list company names but he listed the monetary amount and it was over like $20 million.
And what it was is it was an AI, one of these broke farms that you're talking about here, that it must, it had to have been hyper focused and hyper targeted because they had the CFO's voice on AI and he called a controller and had them wire. It was like 20 some million dollars that went out and I was sitting there listening to that and I instantly thought about like when my company gets to that size, like how there has to be. You can't just take one executive for a certain monetary value because how much of that goes on. And, and one thing I learned last year too was it's not just the big fish that a lot of these guys are after. It's actually the smaller, you know, thousand dollar, ten thousand dollar ones that they're really after a lot.
And that's why I think a lot of people are, that they don't really pay attention to this stuff, Steve, because they're like, oh, I'm too small, I don't even have that much. But, but it's not that they're gonna get in there and they're gonna, and it is getting more and more effective in their phishing attempts that are out there. So how do you guys work with your team? Because I mean knowing your guys company, you guys are in multiple different modes and you know, how do you guys work with your guys team to kind of bring this out? Is this like a training that you guys do like on a monthly basis, biannual? How does that work?
It's ongoing, so we have different types of training. A lot of it is as simple as what I said, where we'll take a screenshot of something that someone. Well, first of all, you encourage people to report a lot of this stuff. We do fake phishing campaigns. So a lot of times, and our email provider, we use Office365, they actually have that built in where you can send out fake phishing things. We've also used other companies that have more accurate, you know, ones like that. But we'll send those out and then the people that report them will give them a Starbucks gift card. So just get them thinking about that. And then whenever someone reports it, we'll take a screenshot of it and send it out to the rest of the company and say, hey, here's a good example. This is what is coming in.
You know, don't ever click on this if you're not expecting it, especially don't click on it. And then there's also some software that we have in there as well that will automatically weed out a lot of those emails from customers coming in, but they still keep coming in. I. I swear I get four or five DocuSign emails a week.
Yeah, where?
Oh, click here. Urgent, past due invoice. And a lot of times I'll have someone call me, hey, you haven't paid the invoice. And, well, I just delete all those because, yeah, I don't know which ones are real, but if I am expecting one, I'll call the person to verify, you know, just to make sure. That kind of thing.
No, and I think that's one thing too.
Is, you know, like, because I recently, you know, it's probably like two months ago now at this point. It was a. One of the antiviruses, Antivirus software. I think it was like McAfee or something like that. And it said, renew your McAfee. And I had clicked to close out the email and then it like popped right back up right away. And I was like, that's odd. And I was like, I didn't think I. My subscription was becoming due or anything. So then, like, I clicked on it and boom. But the good thing was, is my normal firewall caught everything, so they weren't able to access anything. And it was one of those. If I would have entered in because it was that natural, oh, update your payment info. I was like, wait a second, no, this doesn't seem right. So I caught it there.
And then now it's like I. I upgraded my antivirus software, like, on that time to where now it's like everything gets blocked to come in. Anything with, like, external links and stuff gets blocked at that level. Because you just never know, right? Because it's like you sit there and see. And then after the fact, after I went in and looked at it, antivirus was spelled wrong. It was one word and I just saw anti. Like, but, you know, your brain scans it and you're like, oh, antivirus. So then, you know, so it's like it's getting more and more effective out there in those approaches. And I think running those tests out there, an organization of any size should really be taking that approach to a lot of this stuff, Steve.
Because, you know, I just think, like, at least from my perspective, because, you know, I have a small business, and when you kind of set that tone from day one, it's a lot easier to steer the ship in that direction than it is to change course at some point in time to where it's like, that's when I feel like a lot of that resistance pops up and then you want to sit out there and think like, oh, it'll never happen to us. It'll never be me. And then until it does, I mean, look at what happened in Vegas. You know, how many of those casinos got popped right there? And you know, so it's like, are you guys using a lot of those examples out there and you, are you guys bringing that down to your team?
Because I think it was like MGM or something like that. It was like 15 million dollar ransom or something that they paid out.
And you got to think too, there's nothing, there's not many businesses that are more secure than a casino.
Yeah, correct. Yeah, they have everything hit.
Yeah. But yeah, and. Well, a lot of the attacks that we've been seeing the last couple years have been on schools, local public works, you know, local government, a lot of these typical industries that maybe don't have the budget or haven't they don't have the budget update on a regular basis or you know, a little behind and, or don't really have a cyber. Maybe they don't have, you know, a lot of those don't have cyber. And so they may not know how to react. Oh yeah, just pay it or, you know, whatever. But those are kind of a lot of the industries that are being attacked. And a lot of them, I've seen several where they get in through personal email accounts.
Oh, wow.
So they'll hack into someone's Hotmail or Gmail or something like that and then work their way into the company.
So how would you protect yourself against that? Right, because how many people out there. I know, I'm one of them. That has multiple different email addresses on my phone, right. Where it's like I got one from one company, one from another. And then you might have your personal inbox that's on there. Is there something like your basic iPhone has that kind of protects against that to where? Or is it like you might forward your email? Like what will kind of walk me through that process? How does one get access from a hotmail to like an actual work email address?
Well, so what they'll do a lot of times is they will. So a lot of people don't have secure enough passwords.
Gotcha.
So they'll. Okay, so when they hack, when you find out that such and such company has been hacked or this website's been hacked, they get these massive databases of passwords, usernames and passwords. And what they do is they take usernames and passwords and they know that a lot of people will use the same username and passwords. So they'll take that database and they'll apply it against Gmail, they'll apply it against Hotmail, they'll apply it against all these other companies and then they'll have their list of what actually got them in. And sometimes they'll resell that, sometimes they'll keep it. So if they happen to find out that as they're doing research on a particular company, this person, oh, this CEO or this executive is also on Facebook.
Okay.
And here's their information. Okay. They hack into that. Oh, okay. Oh, their email address is here. Okay, I'm going to go into the personal email address. Well, there's a lot of people that though they may get an email from their boss, even if it's their personal email address, they, you know, there's some story behind it like, oh, I got locked out, can you help me out? I'm, this is my personal, you know, email, blah, blah. And then, oh sure, let me reset your work password. Yeah, reset it. Then they have it and then they're in the company and then they slowly kind of work their way around to try to get access to stuff.
So how would a company like, I mean from your perspective and I mean without giving away any, you know, proprietary things or anything like that. But like, is it, how do you keep that separation to where you're using your personal email for work related messaging or any communication at all like that? Because I feel like, you know, even on your basic iPhone, like I've seen this happen numerous times. If you have multiple different email addresses that are associated with your iPhone, then you go and type in, you know, Steve and then it's going to show up, but it'll come from my personal email and not my actual work email or the one that's like I had uploaded your email address into. So like how does, how do you stop that stuff from having any cross pollination that comes along with it?
Well, one of the things that we try to do at work is, you know, we tell people, okay, so the people that use an iPhone for business email and stuff, we have them use Outlook specifically for the business email on their iPhone. They use the Apple Mail program or whatever for something different. We also over and over as part of our education and training, try to get it across, never use the same username and password, never use the same password for more than one site. Then also we have multifactor authentication for our email systems, for web systems, for a lot of the different programs, for VPN, for getting into the cloud and stuff like that. And it was difficult.
It's never easy to tell someone to go through, jump through one more hoop, you know, as they're trying to just go about and do their business. But now it's just kind of second nature and people will report it. They're like, hey, I keep getting these prompts to put in my MFA and I'm not doing anything. Yeah, so then we'll dig a little deeper and try to prevent that kind of thing.
Yeah, that's one thing that we have. We have MFA Multifactor Identifier. Is it Authorized Authentication? Authentication, yeah. And you know, it was very annoying at first, but like, I also definitely see the value in a lot of that stuff to keep. I mean, because all your company data is in there. And then I just feel like once some of these high level, I mean probably a basic hacker, for all I know, can get access into one and it's only a matter of time before they can just start jumping from program to program. Because back to the former Target guy, what he was saying was, is that all they got? I forget how they got in.
I think it was just a basic phishing emails how they got in, but they attached one thing to one piece and they actually built it out over like six or seven months or something like that. And again, my dates and times might be a little exaggerated or what, but all I know is it wasn't like an instant thing. It was actually very coordinated and they took their time and then they built up. But maybe it was a firewall, I think he said, around it to where they couldn't access any of their data at some point. But then the hackers had access to everything and they were, you know, threatening, if you don't pay us X, we're going to sell it all out there and everything. So, you know, it is, it just, it's so simple at times.
Like every time we sit here and we talk about stuff like that, it is so simple, but it's one of the most overlooked things that are out there. And I feel like that's almost like the new, I don't even want to call it the new black market or anything like that, but where it's getting in there and getting people's data right and then on top of it, because it's like what information, what you can learn about somebody from that perspective. And then again you just get access to their finances and then boom. Because do you think ultimately that's all it is just the money? They just want to be paid a certain amount of things or are they actively out there trying to get something and then they can sell that to like a marketing company who then knows your click patterns?
They know all of that stuff.
There are multiple reasons. So initially a lot of the phishing was they're just blasting, they're trying to hit every single computer they can possibly hit. And the low hanging fruit they get in, they were asking for, they would kind of roughly know, you know, how big the company was and they'd say, okay, this much money and a lot of times it was small enough to where someone would say, you know what, it's better to just quickly pay them. So they were getting these quick payoffs.
Yeah.
And then they were moving on. Now it's becoming a lot more targeted because they know that they spend the time to invest and figure out the company. They know that, you know what, I can probably get 5 million out of these people or 10 million. But what everyday people can do and businesses can do is make sure that you have all your patching, make sure your iPhone has the latest updates, make sure that your, whatever software you use at work, at home has the latest updates.
I don't use our family computer that often because I'm always on my work computer, but I make sure to go there every week or so, make sure all the Windows updates are going, make sure the antivirus is up to date, reboot it a couple times, clear everything out, you know, go in there and see what programs my kids have installed. Yeah, to play Minecraft after.
Exactly.
You know, and clean up a lot of that kind of stuff because a lot of times kids, the stuff that kids do on home computers is it creates attack vectors because they're downloading all sorts of stuff and you know, stuff to get freeware, stuff to get add ons and they're just like, oh, my friend gave me this link and they're clicking on it.
Exactly.
They may have clicked on a phishing email and your computer could be compromised and you may not even know it.
Do you think basic, because I know Windows has Windows Defender. Do you think that does a good enough job to protect the most basic computers? Obviously the more higher level stuff on there you want to have. I'm sure you guys have your own security proprietary stuff that you've built out. But do you think like for, you know, you don't have to use percentages or anything like that, Steve, but do you think like your Basic Windows Defender and maybe antivirus software that catches how much like the overwhelming majority of it. As long as you're keeping that stuff up to date.
Or is this something where even the on the personal level now with as data driven as we are and like literally 99% of our day is done through our phone or email or something like that, is there something additional we should do on top of that?
I would say that for the average person, Windows Defender actually is great. It is actually, if you look at antivirus reviews and things like that, it has come a lot better. I mean when it first came out and actually, I mean it's what maybe the last five, 10 years that it actually came out before then there was nothing. And I would say it is very good. And if anybody that doesn't know what to do, just make sure you have that on there and that it's getting updates. It's a really good program and it's easy to just make sure that it's running rather than trying to figure out do I want McAfee or do I want this one or do I want that one?
And to add on and a lot of the other ones are, the ones that you buy are more full fledged security endpoints and so they do a pretty good job. But really if you just make sure that your Defender is updating, your Windows updates are getting updated and everything, that's a really good, you know, really good chance.
As we're kind of wrapping up here, what is, what's one piece of advice you could give out to the everyday person? And I'm going to use myself as an example, you know, outside of don't click, you know, because I think like that's the like the number one thing. If there's a link in your email, double check everything before you click on it, especially if it is not from somebody. You know, what is something that you would like more people to kind of like a very basic easy thing that hey, this is what we do, this is what everybody else should do from a one step thing. Start here to protect yourself.
I would say on top of making sure you have your updates and everything on your devices. Big thing that people don't think about is maybe they have a laptop that's 10 years old, maybe they have a bunch of software on there that they're not using just to limit your attack surface. Make sure that you're on the latest version of Windows. Make sure that if your laptop is 10 years old, if you really still need it, either get rid of it, get a new device. I know it can be kind of expensive, but really keeping up on the latest hardware, making sure that, you know, operating systems only have security updates for so many years. Yeah, it's 10 years, but you'd be surprised how many people have computers that are even older than that or. Well, I like Windows XP and it was always great.
If you have Windows XP now, you are, you can be attacked by just about anybody and that's just low hanging fruit for the attackers. So just making sure that you don't uninstall things that you're not using on your machine, making sure everything's up to date and update to newer OS, you know, from time to time.
Perfect. Steve, I appreciate your time. And you guys, again, you got to hear it from the experts, you got to hear it from the individuals who are in this every single day. Because ultimately we want to think that we're not a target. But I literally think everybody out there, the more and more digital we get as a society, the more and more advancements of AI and everything else that is out there, I think it's going to increase all of our exposure exponentially. But ultimately it does take just a couple of simple steps to severely minimize your ability to be attacked out there. But Steve, thank you so much for joining me here today.
Chris. Absolutely appreciate it.
What is up, ladies and gentlemen? We are back. It is another episode of the Freight Coach podcast. We are live here at the NMFTA Cybersecurity Conference in Cleveland. And this is part two, I think, of the mashup episode that we're going to release out there a little bit later. But I got my good friend Ben back here on the show with the NMFTA and last year was the best part. Like, to me, he hacked a truck right in front of you. And it was like, I'm.
Dude.
I still talk about it to this day on the show. When I'm out there on my live show, I'll tell people about it. I'm like, I saw a truck attacked live. And it's just insane to me though. Like, I remember just sitting there watching it and you releasing the air from the brakes and I'm like, this could be so bad if this was actually like a thing out there at all times.
Yeah, I mean, I like to joke that I like to hack trucks. I do. And I think I just said it like a second ago for sure. But yeah, if this were to happen in the real world and it was like what they like to call weaponized, if it was made really efficient and really fast. It could potentially, like, disable trucks on the road, because if you bleed enough air supply from a truck, then the spring brakes can't release.
Yeah.
And sure, the motor could overpower those brakes, but it's going to be an expensive move. Almost every driver out there knows if the brakes are seized, don't keep rolling, they're going to stop that truck. Right. So imagine if that was done on a bridge or a tunnel or like in downtown cores. That could really mess up a city, not to mention people's bottom line. And yeah, that. That air bleeding thing was done just for the people that, you know, didn't see it last year or whatever. That was done by broadcasting radio frequency signals in a way that doesn't require interaction. It's just a blind transmit of this signal that looks exactly like that power line signal that's. That's standardized to go between the trailer and the tractor.
And it turns out that whole system, the trailer tractor combination, because of all the metal and the long wires, is an antenna.
Yeah.
So we can send these radio signals and those systems receive it and then they react. So it's almost not even hacking. Right. Like, it's just abuse of an existing technology. It just does what it was told to do, and it was designed to do that.
Yeah. So how. How does a fleet kind of fight against this? Or is this something that the manufacturers themselves, like, are you bringing a lot of this information to them? You're like, hey, we got it from here. You got to fix this, you got to fix that. Like, kind of walk me through that, because I think any. Anybody who drives that listens to this show is going to be like, oh, great. Is now is that something else that I got to worry about?
Yeah, we. We don't really want to add to the pile of stuff that business owners worry about to, you know, run their businesses. The unfortunate thing was that there was really no way for the fleets to take care of this themselves.
Yeah.
We looked at the issue, and we realized that the only way this could get fixed is with an architectural change in how trucks and trailers get plugged together. This power line network was brought about in 1999 to satisfy this regulation that needed to show a trailer fault lamp on the dash if the ABS wasn't working in the trailer. And at the time, all the fleets that were in participation at TMC, like, unanimously told the suppliers that they wouldn't accept a new connector between the tractor and the trailer. So the technology providers were forced to add this radio frequency thing to the existing power pin. That's why we have it. Yeah, that's why we have it. So when we realized this was a problem, we also saw that the industry was starting to talk about next generation tractor trailer interfaces.
And this is about three years ago. And so we said we're going to make it public. At the same time that we make it public, we're going to publish ways to fix it. We call mitigations. They're not mitigations a fleet can do. There's some mitigations that bodybuilders can do, trailer builders and equipment suppliers and OEMs, they all can do things to their next generation technologies. And we also said for the next generation tractor trailer interface standard that all diagnostics should be taken off of Powerline, that powerline bus. The only reason it's there is that trailer fault light that you have on your cluster.
Okay.
So we reasoned that should be the only thing left. Take all the other features and just put them somewhere else that isn't susceptible to radio interference. And so that way the next generation tractor trailer interface does not inherit this problem.
Yeah.
And as of about three months ago, yeah, TMC put together their requirements, they've handed them off to SAE. And in those requirements it does say no more diagnostics, no more anything on powerline, only the lamp fault message. That's it. So kind of mission accomplished. But only for the future. Yeah, for the past, it's kind of a different problem. These trailers run for like 30 years up to the second market. Right. So one of the things we've asked OEMs to do is to start deploying mitigations on new tractors that will also protect old trailers.
Gotcha.
And we're hoping to see uptake on that. There's nothing deployed yet, but you know, we just heard from one of the OEM engineers on stage 20 minutes ago saying that they're aware of it, they have an interface group thinking about it and they are considering deploying as needed, which honestly is a lot better than where we were at like three years ago.
So how does one like are you guys looking at like, you know, you brought up diagnostics and everything like secondary hacking. Is there a way that, you know, somebody could go in and you know, with. Because I like we just got our vehicle serviced and they had a new one where they just had like a baseline, like where all the error codes are and it was just like they just plugged it into our dash. Is there like a vulnerability from that perspective where somebody could, you know, Have a virus or ransomware or something on something like that and transmit it that way, or is it not possible at this point?
I'm sorry to tell you that. Yeah, that is possible.
Yeah. I mean, I could have figured as much because when I heard you say that, I'm like, oh, God, this is that.
Why?
Why is this coming up? And if I'm thinking this, I'm sure the professionals guys. Yeah, the bad guys. I hate to use the term professionals, but, like, that's what they are, right? Like criminals.
People like to call them hackers, but honestly, I think we should take the word hacker back.
Yeah.
You know, hackers do cool stuff. Criminals do crimes.
Yes.
That's hackers do the Robin Hood event.
Right.
Like, they go and steal from the rich to pay for the poor.
Right.
Not the bad guys.
Yes. So diagnostics are a big problem in the sense that the way that they were designed involves this thing called seed key exchange, and it unlocks the ECU. These ECUs, once they're unlocked, they're accessible to everybody on that network. So, like, we also have a report that Jamie Lightfoot put out about how to secure your maintenance laptops, because those maintenance laptops, if they get malicious code on them that knows how to communicate to the truck, they can just wait for a diagnostic session to unlock the ECU, and then that malicious code gets access to other elevated privileges like memory read and memory write on these ECUs, particularly with older stuff. Right.
Like, we know that these trucks because they're so useful and also because some drivers prefer the older trucks for lots of reasons that the ECUs that are really on the road aren't necessarily the greatest, latest super secured ones that the OEMs have put out. It's a lot of them are kind of the stuff that just works and has been a workhorse. But those ones especially don't have any security in mind.
Yeah.
Once you unlock one of these ECUs, you get access to all kinds of features. So, yeah, I mean, particularly with your older trucks, you should really be thinking about, like, what are you plugging into it? And, like, where else is that laptop been? Do you. Do you trust that maintenance laptop? I mean, these are really good questions to ask.
Yeah. And it's also, you know, not even just the maintenance aspect of things, too. Like, you've got to think, you know, telematics providers and ELDs and everything else that are out there right now. Like, is that another form of a way that somebody can gain access to your truck?
Right.
And I think, like, you know, with the advancements in technology that are out there, just on the actual truck manufacturer's perspective, what they're doing to, you know, digitize more and more inside of the truck, it's like those, there's more and more vulnerabilities that are going to naturally come about with that. Right. So it's like, I think, you know, have you heard of anything like, what are those steps? Or maybe through some of the conversations that you've had, that some of the manufacturers are looking at their cybersecurity a lot different now with the advancements of other aspects of the technology that drivers utilize on the day to day.
Yeah, it is changing, for sure. It's changing. And the OEMs are well aware of what needs to change. Like, again, you know, sorry to the people on the podcast that aren't here, but we heard from this Daimler engineer who's telling us about their gen 5 and like their gen 5 architecture is already prepared to have this aftermarket device area.
Yeah.
Because they recognize that fleets and owners want to add on a TPMS or ATIS system, or they want to have their own telematics, or they want to have, you know, trailer pairing systems that are all bolted on and added to the vehicle. And they don't want people just to stick these things on the nine pin or stick these things on, like the powertrain bus. They want to have a home for it. So the new architectures are changing 100%, but we still have the same problem. Right. Like these fleets might have a brand new place on their new trucks to put this stuff. But when fleets buy a TPMS or one of these trailer pairing systems, they're not only adding it to their new truck, they're adding it to all the trucks.
And when they go to their old trucks, they have to put it on the nine pin or they have to put it, you know, behind the, in the doghouse for like one of the other buses. Right. Like, they're not given the choice for all the old trucks. And I think what that ultimately means is you as a procurement person of this equipment, you have to make sure that you're buying things that are of the highest quality. Okay. And the NMFTA has been aware of this problem for a bit. We actually have something called the Telematics Security Requirements Matrix, which has a questionnaire.
And you can print out this questionnaire and give it to your potential supplier, have them fill it out, maybe give it to three of them and just see, like, how many no's do you get, who actually has the best security posture. Evaluate that before you install it. And if your truck has an RP1226 connector, the telematics connector, use that instead of the nine pin. The nine pin is for diagnostics. And OEMs will never be able to stop diagnostics on the nine pin because it's just the way it has to work. So the easiest way to, like, avoid the risk of telematics compromise leading to something dangerous on ECUs via diagnostics is to take your telematics device, put it on the RP1226 connector, and then the correct architecture of the truck should protect from that attack.
Okay, so, you know, you brought up attack. And I, you know, the opening, the keynote this morning was the gentleman from the White House who was, you know, speaking. Yeah. And you know, he brought up a couple of, you know, obviously China and Iran and North Korea and other countries that, you know, are attacking our critical infrastructure at all times. Right. So how is it that, you know, a truck manufacturer or somebody like that could work towards stopping that from, you know, a complete shutdown of all modes of transportation? Right. Like, I'm going to be interviewing Ayanna here in a little bit as well. And you know, and talking about that. So it's like, it's not just the water system, you know, that is at a threat.
You know, like you brought up trucks, like, what could stop somebody from going in and shutting every truck on the road down or every ship, you know, shutting down the ports. And then all of a sudden we're at a complete standstill here.
What's, what's between us and complete disaster. Yeah, yeah. I mean, it's a lot of good engineering. It's a lot of threat modeling. Right. So there are standards out there that the OEMs and the suppliers need to adhere to. Most notably, like UN, sorry, not UN, ISO 21434, which is about how you develop cybersecure systems for automotive. And it dictates things like you have to do threat modeling first. So, you know, the manufacturers need to think about what are the ways these things can be attacked and then in turn, what are the ways that can be prevented with mitigations. All that needs to be done in a traceable way. They need to actually have verification and validation of all the controls they put in place afterwards.
And I mean, in many regions in the globe, UN ECE R155 or in Europe, just the ISO standard itself is required. But in North America we're getting it because the stuff we buy is sold globally.
Gotcha.
So they're doing the work. They're doing the work. And really it's good engineering that stands between us and that. The problem is, again, the old trucks.
Yeah.
We run a lot of old hardware in North America.
Yeah.
And so the only thing that's standing between like us and disaster for the old trucks is good telematics devices.
Gotcha.
The best thing anyone could do is make sure that the telematics device they buy is of a high quality by using something like that questionnaire or just like don't go to Walmart and buy the cheapest ELD. Yeah, like that's just a bad plan.
Absolutely. I completely understand. And, you know, it's like because you know, you're out there thinking and you're probably like, oh I just have one truck, like what risk am I at? Right. So what advice or like what guidance could that one truck or that small fleet, you know, can they go into their local diesel mechanic who they've been going to for years and be like, hey, can you test for threats or is it, you know, because it's like, is it as simple as like if they just run a test on there or are the technicians even set up to find any of these things that might be, you know, already causing a, you know, a potential or you know, a disaster that could be potentially happening?
Is there anything in the current diagnostics that could even show like hey, boom, your truck's been, you know, infected like this like a computer is with the virus. Right.
It's a really good question and I think unfortunately for the owner operators, they're in a really hard place.
Yeah.
Because yeah, they can't necessarily afford to get the higher end telematics devices. In a lot of cases the telematics suppliers won't even sell you a device if you are a single truck fleet.
Yeah.
They just don't even deal with you. So there aren't a lot of options for owner operators, which sucks. And then on the technician side, really unfortunately the technicians are going to be the first people to actually get in contact with a cyber attack when it happens. They're going to be the ones that like actually are scratching their head saying like I part swapped this thing and it's still dying. I don't understand what's going on. But they're also the ones that we can't really seem to train. The NMFTA does have an initiative to try to take some tooling that we're producing with Colorado State University and to start doing some programs to help train technicians into doing some simple security assessments. So exactly what you asked for.
Like, is there a way for someone to go in and do some testing and get some good idea of what the risk level is? The second part of, like, do some testing and see if it's infected? That's a really difficult problem because to do that, you need to have a way to, like, measure what's on the ECUs. And we don't really, as an industry have like, a way to measure what's on an ECU without, like, taking it apart and dumping the flash that's inside it. So, like, I wish there was a better answer. No, ultimately we need to have good prevention because we're not going to have great response.
Yeah, no, I understand, man. And I'm also just trying to think here, like, you know, is there a way that, you know, I'm just like, with your presentation last year, you know, with the AIR systems, for example, is there. Is the truck more vulnerable than the trailer in this situation, or is the trailer more vulnerable and is there a stop that you could put where it's like, hey, the trailer got compromised. We're not going to allow it to affect the truck. And then therefore the driver can still have control or vice versa. Right, right.
Yeah. And I think that exactly that thing you're asking for, like a system that detects that the trailer is under attack and yet, and yet stops it, is exactly what we're asking OEMs to think about deploying new trucks to protect the old trailers. Because right now it's the old trailer equipment that's very vulnerable. They took 1980s code that was written to work on something called J1708, and they stuck a converter chip in front of it, the Intellon SSC P485. And so we have this really old code with a converter chip in front of it stuck into trailers. And those diagnostic systems didn't ask for any authentication mechanism. There's no passwords and there's no replay protection at all. So they just do what they're told.
And even the brand new roll stability controllers that you find on tankers like the one I demoed on, it turns out that those things, even though they do have seed key exchange, the seed key exchange has like an error in implementation in it that actually brings it all the way back to the replay attack. Anyway, so, like, we've never seen an instance where you can send powerline and you can successfully get into the tractor, thankfully. But there's definitely a lot of cases where the powerline attack does affect the trailer equipment. So the short answer is, yeah, trailer is more vulnerable than tractor.
Gotcha. Okay, no, that's good to know.
Right?
But I also think, like, a lot of these situations that people are going to find themselves in are, you know, it's that constant evolution standpoint of this stuff, you know, where it's like, you finally get to one point, and then it's like, boom, Then there's the next thing, right? And I think that's, you know, ultimately, I think the more people pay attention to their equipment, you know, service, you know, and especially, like, because you got to think the more you would get it serviced or do those preventative maintenance checks and everything on your truck, the more likelihood something will probably pop up right into where you can kind of get ahead of it, possibly to where it's like, hey, we noticed.
You know, we came in, like, you brought up the thing with the technician where it's like, hey, I part swapped and it's still not fixed. Boom. Then you have an idea at least, right? To where it's like, you can't neglect your vehicle, you know, your semi or your trailer or anything like that. And I think, you know, and even if there isn't, like, a modern test that somebody can just, you know, bring it in and be like, all right, man, test and see if this has been attacked. You know, I. I feel like at least if you're.
I'm just trying to think of ways like, what could somebody do, right, to actually ultimately find out is their truck safe or is there something that they can do to, you know, to keep it from, you know, falling victim to an attack by some of these crime criminals.
I think the really disappointing part is that we don't have a way to measure, so we don't have a way to respond. The only thing we can do right now is prevent. And that prevention boils down to maintenance laptop security. So making sure what's on your maintenance laptops doesn't have any malware. And that includes a lot of practices that Jamie covered in her presentation and is also free at the NMFTA site. So securing legacy maintenance software, you know, like, you shouldn't, you shouldn't really browse the Internet forums from your maintenance laptop. Yeah, your maintenance laptop should be just for maintenance software. And you should have a different laptop that you use to go on the forums and, like, download the unlock codes and stuff. Do that somewhere else. Don't even do email on your maintenance laptop.
Your maintenance laptop should like run as a low privileged user, not as administrator. You maybe shouldn't even have your maintenance laptop connected to other USB devices other than your VDA. Your maintenance laptop should always be taking security updates, so on and so on. So like the maintenance laptop hygiene is really important and having good telematics devices is really important and that's the only prevention that we have right now because we don't have other controls available to us in the industry.
I think that's perfect Ben. And that gives people an actionable step to like actually look out for and to try and prevent this stuff. So hope so. Ben, I always appreciate your time man. A lot of what you say is like it's so clear but then it's also, you drop some of those acronyms in there and I'm like yeah, I'm sorry for that. Ben, I appreciate your time as always man. Thank you so much.
My pleasure.
