
Critical Cyber Security for IoT in Transport and Logistics


VeroGuard Security for the Transport & Logistics Industry - 220913




IoT ecosystems are replacing legacy telematics solutions to help solve some of the most critical problems commercial fleets face today. In fact, digital transformation in Transport and Logistics (T&L) has significantly improved upstream and downstream facets across the entire industry and created unprecedented efficiencies. However, for T&L companies, major corporate assets are both connected online and constantly on the move, shifting the organisation's security perimeter to the fleet asset – a distinct differentiator from many other industries going through the same digitalisation process – and exposing organisations to a greater extent to the potential of cyberattack.


There are multiple reasons for the increased threat. For one, the expanded use of technology opens new communications and wireless channels that connect directly to T&L companies' digital ecosystems, and these channels are a soft target for hackers. Another is that T&L suffers from lagging cyber regulations and standards and inadequate cybersecurity awareness, with the impact heightened by a shortage of cyber-defence talent. Although other aspects of the T&L industry are highly regulated in many regions, and despite the sector's global operations (or perhaps because of them), regulators have not been able to agree on a set of suitable T&L cybersecurity standards.

Threats Are on the Rise

  • The number of attacks involving OT has continued to increase since 2021.

  • Malware is emerging with targeted functionality and ease of deployment.

More Vulnerabilities

  • Vulnerabilities disclosed in OT systems continue to grow.

  • Risk is heightened by the constant use of open networks and the need to patch ‘over the air’.

Specialised Security Skills in Short Supply

  • Skills shortages have made it clear that developing an effective security strategy that spans IT, OT and IoT environments is complex.

Lack of Regulations and Frameworks

  • Cyber security standards are lagging behind other industries.


Further, as many of the devices and sensors on connected vehicles are similar to those deployed in other operational industries – commonly termed Operational Technology (OT) – T&L is not immune from the numerous cybersecurity issues plaguing OT across manufacturing, energy and utilities. The impact of a cyberattack can be costly and disruptive to operations, and has the potential to create further liability, particularly when sensitive customer data is breached.


The more connected systems become, the larger the respective attack surface becomes and the more attractive they become as targets for cyberattacks. In 2022 we have seen international cyber security agencies (including Australia) issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of new OT specific malware, as well as the disclosure of a growing list of OT vulnerabilities. A different approach is required to combat these persistent and growing threats.


VeroGuard's technology maintains network integrity for any device connected to open networks. By providing un-phishable MFA for access to networks and devices, strong post-quantum-level data encryption for device communications, and a certified virtual airgap between the fleet asset and open internet connectivity, it lets T&L companies continue to accelerate their digital transformation plans. VeroGuard is the only platform worldwide to have Common Criteria certification for access on open networks, meaning it has been verified by the Australian Cyber Security Centre (ACSC) for use in Defence and other government departments with high assurance requirements for online access.


Background

The T&L industry continues to face an expanding cyber threat landscape which presents a substantial challenge to operations. While some industry participants have been working to develop standard practices to bolster cybersecurity among carriers, mechanics and truck manufacturers, there remains a significant gap between proposed standards and any implementation – especially when considering existing fleets.


Moreover, hackers are increasingly attempting to steal data stored in networks that are critical to the T&L industry’s modernisation and growth. These networks enable digital improvements like automated ordering, shipment tracking, and access to account information. While extremely valuable, such customer initiatives require access via online platforms, phone apps, and other mobile devices, which are among the most insecure channels. 


But the threat goes beyond data and information. With trucks becoming more modernised, it’s possible to hijack certain processes within them. A study by the University of Michigan highlights the alarming possibilities. Researchers were able to hack into a vehicle’s diagnostic port, manipulate the readouts from the instrument panel, force the truck to accelerate, and even disable part of the truck’s braking system. 


There’s a sensor for that

It is common for organisations to track the location of their fleets, and now also the real-time performance of their trucks and drivers. The average truck today is connected to a huge number of devices generating the data needed for logistics companies to run smarter and more efficiently. While this translates directly to cost savings, better governance and OH&S outcomes, the downside is that it has exposed a series of technology shortcomings and made the industry extremely vulnerable to cyberattacks. Every sector of the industry, including maritime, rail, trucking, logistics providers and package deliverers, is affected.


Complicating matters further, "insecurity by design" remains very relevant in OT and IoT systems, which is why a shift in security infrastructure to account for open network connectivity and all the variables it presents is so necessary. Insecure-by-design vulnerabilities abound, as evidenced by a recent investigation by Vedere Labs which found 56 vulnerabilities affecting 10 major vendors. Exploiting these vulnerabilities, attackers with network access to a target device could remotely execute code, change the logic, files or firmware of devices, bypass authentication, compromise credentials, cause denials of service or have a range of operational impacts. While the devices in this study are not focussed on T&L, it is not hard to see how a small change in focus for cybercriminals could lead to similar attacks focussed on this sector.



It is not appropriate to simply embrace the cybersecurity operations from existing IT practices. While IT network and operating system patching and identity management practices are well established, the ability to manage fleet devices and systems in the same manner is not as straightforward. The T&L industry is faced with the need to continue with the rapid adoption of digital transformation and cloud computing to maintain competitiveness in an ever more challenging market. This represents a step change in work practices for the sector, in that trucks and onboard sensors were never originally designed to be connected to the internet, and new models for cyber security are required.

 

Some of the key mitigation strategies in every advisory (aside from patching, monitoring, training and awareness, which are all "after the fact" activities rather than prevention) are to:

1. Require multi-factor authentication for all access.

2. Implement and ensure robust network segmentation between fleet assets and corporate networks, to limit the ability of malicious cyber actors to pivot from a compromised supply chain to the fleet asset and potentially to your IT network.

3. Implement strong machine identity and encrypted communications for connected fleet assets over open networks.


It is important to note that without strong Identity and Access Management control over any additional tools, the criminals will find a way through. This is an ongoing occurrence online, with bad actors simply bypassing second-factor authentication (2FA) and detection software. There have been attacks where 2FA applications and VPNs themselves were used as the vectors for successful breaches.


A New Approach

The VeroGuard Platform offers a unique solution to securing connected environments, by providing secure Identity and Access Management controls, virtual network separation, data encryption and flow control. VeroGuard's products have Common Criteria (CC) certification (defence level security) and can be quickly and cost effectively deployed to legacy, new and hybrid environments.


The platform was specifically designed for protecting identity, access and data on the open internet. It works by inserting an HSM between the device being accessed and the network connectivity, delivering an impenetrable defensive layer for online protection. When initiating connectivity, the inline HSM must connect to and verify itself with the platform HSM, which then creates a secure encrypted tunnel using hardware-derived keys and encryption protocols for data flows and any user verification needs.


HSM-to-HSM verification and communication is not new; however, until now it has been expensive and limited to terrestrial connections. Two-way HSMs are utilised in banking (e.g. ATMs, EFTPOS) and military systems around the globe for securing critical communications. Typically, the technology is used in guided missile control, where it is crucial that command messages cannot be decrypted or the command plane hijacked. VeroGuard brings this mutual two-way hardware verification to OT environments, at scale and without the high cost.


Multifactor Authentication

  • For all access points on any device

  • Humans via VeroCard

  • Machines Via VeroMod

Robust Segmentation

  • Virtual Air Gap – only encrypted communications initiated by HSM-to-HSM

  • Other network traffic cannot route past VeroMod

  • Can only be accessed via VeroCard authentication

Secure Communications

  • Data Diode - VeroMod only communicates to predetermined IP address via encrypted communications

  • Jump Box – users and devices must be able to authenticate to the VeroMod before passing on to the device or network

Form factors include the VeroCard HSM for humans, and the VeroMod HSM for machines/devices.


The VeroCard HSM enables users to be verified for access to networks, applications and devices, authenticating via the combination of the specific user's VeroCard and their secret PIN. Every login attempt is verified by the secure connection back to the VeroGuard Platform.

The VeroMod IoT Shield is a commoditised hardware security module (HSM) which connects inline and creates a "virtual air gap" between the device and any connectivity.

VeroMod IoT Shield brings HSM-to-HSM technology for verification and encryption to any device. This guarantees access requests to and from all machines and provides the highest level of encryption to all data in transit.


VeroGuard is unmatched for security and scalability as the only online platform that always uses HSM-to-HSM protection for identity verification, communications, data integrity and switching services.


The rapid adoption of technology presents universal concerns for service providers:

  • Increased digital services/devices and interconnectivity between systems means an increased attack surface for cybercrime.

  • Rapid rise in data volumes, flows and complexity of management means increased opportunities for identity breaches

  • Transitioning from legacy systems and navigating the complexity of hybrid environments

  • Complex layers for identity and security become more costly with many mixed environments

  • Expansion of stakeholders and associated integration requirements (suppliers, citizens, 3rd party providers, businesses).

 

VeroGuard Systems offers a solution that begins with indisputable proof of identity for all online and digital communications. It is the only platform available anywhere in the world that can guarantee defence certified identification security for both people and machines. By providing host connections into the VeroGuard platform, the VeroMod effectively provides a point-to-point connection over open networks. User access is granted only after permission is verified by the VeroGuard platform, before the user can reach networks, devices and data. Machine-to-machine connections are verified in the same way, with the digital identity provided by the VeroMod. All VeroGuard HSM-to-HSM connections are protected using elliptic-curve Diffie–Hellman key agreement configured for post-quantum protection, with a DUKPT (Derived Unique Key Per Transaction) key management protocol, meaning that the keys are derived within the HSM and there is no possibility of the keys being intercepted or stolen. Each time a connection is initiated, a new set of encryption keys is generated.
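A constructed illustration of the mutual HSM-to-HSM verification and DUKPT-style per-connection key derivation described here and in the "A New Approach" section, added as example code that is not VeroGuard's own: the platform HSM holds a base derivation key, each device HSM holds only its injected initial key, and every connection uses a fresh key identified by a key serial number (KSN) that the platform can re-derive but a third party cannot. HMAC-SHA256 stands in for the X9.24 block-cipher derivation, the ECDH step is omitted, and the 8-byte device id, KSN layout and derivation labels are assumptions.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of the HSM-to-HSM verification described above;
# HMAC-SHA256 stands in for X9.24 DUKPT derivation. Not VeroGuard's own code.

def _derive(parent: bytes, label: bytes, context: bytes) -> bytes:
    # One-way step: a child key reveals nothing about its parent key.
    return hmac.new(parent, label + context, hashlib.sha256).digest()

class PlatformHSM:
    """Platform side: holds the base derivation key (BDK), which never leaves it."""
    def __init__(self, bdk: bytes) -> None:
        self._bdk = bdk
        self._last_counter = {}  # highest KSN counter accepted per device (replay guard)

    def provision(self, device_id: bytes) -> bytes:
        # Initial key injected into one device at manufacture; it is not the BDK.
        assert len(device_id) == 8, "constructed format: 8-byte device id"
        return _derive(self._bdk, b"IK", device_id)

    def verify(self, ksn: bytes, nonce: bytes, tag: bytes) -> bool:
        # Re-derive the device's per-transaction key from the KSN and check its proof.
        device_id, counter = ksn[:8], int.from_bytes(ksn[8:], "big")
        if counter <= self._last_counter.get(device_id, 0):
            return False  # replayed or out-of-order KSN
        tk = _derive(self.provision(device_id), b"TK", ksn[8:])
        if not hmac.compare_digest(_derive(tk, b"AUTH", nonce), tag):
            return False  # unknown device, wrong key or tampered message
        self._last_counter[device_id] = counter
        return True

class DeviceHSM:
    """Inline device HSM (the VeroMod role): knows only its own initial key."""
    def __init__(self, device_id: bytes, initial_key: bytes) -> None:
        self.device_id, self._ik, self._counter = device_id, initial_key, 0

    def respond(self, nonce: bytes):
        # Fresh key per connection: KSN = device id + counter, key derived in the HSM.
        self._counter += 1
        ksn = self.device_id + self._counter.to_bytes(4, "big")
        tk = _derive(self._ik, b"TK", ksn[8:])
        return ksn, _derive(tk, b"AUTH", nonce)

def handshake(platform: PlatformHSM, device: DeviceHSM, nonce=None) -> bool:
    # Platform challenges with a nonce; the device answers with its KSN and proof.
    nonce = os.urandom(16) if nonce is None else nonce
    ksn, tag = device.respond(nonce)
    return platform.verify(ksn, nonce, tag)
```

A captured KSN and tag cannot be replayed because the platform only accepts a strictly increasing counter per device, and a device provisioned with a key the platform did not derive fails verification.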

 


There is an opportunity to harness this technology now and build a safe and secure digital ecosystem for T&L companies, their suppliers and contractors.


How can this technology be harnessed to benefit the Transport & Logistics Industry?

Credential compromises remain one of the largest reasons for breaches of systems, as well as one of the most easily preventable with the appropriate system infrastructure. The next generation of IoT systems must be designed with identity and data security at their core – but changing out infrastructure is costly and slow.


To stay ahead of the curve and defend against the threats outlined in the introduction, the next generation of T&L system architecture must include:

  • A unified platform to reduce the complexity of layers of technology built up over decades

  • A cybersecurity platform architecture that is identity centric - purpose built for protection over open networks

  • A digital identity that is robust, tethered to the user, re-usable in many places and can’t be tampered with

  • Machine/human identity and communications that cannot be breached or compromised

  • A solution that can be readily retro-fitted to existing networks and fleet assets

  • An identity layer that facilitates hyper convergence of IT and IoT functions to simplify and reduce costs rather than duplicating across networks and participants

  • Privacy controls and low friction interfaces for users


Essentially, once deployed VeroGuard creates a virtual airgap for your fleet asset environment. Access is controlled via the irrefutable identity provided by the platform, and communications from devices or nodes are encrypted via the impenetrable security of the HSM-to-HSM technology core to the success of the Platform.


VeroGuard Systems is the next generation of platform to secure connected systems, machines and data. The VeroGuard Platform practically ELIMINATES credential and identity compromise on open networks to act as the core of any zero-trust deployment.


Any company migrating to the Cloud, connecting OT and IT networks, wanting to exploit open networks for machine communications, or looking to secure their supply chain should assess the VeroGuard Platform.  
