By Guest Writer, Michael Glover, Lommen Abdo P.A.
Electronic Logging Devices (“ELD”) are now required for drivers of many commercial motor vehicles (“CMV”) in the United States. ELDs are the electronic equivalent of a paper log used to record a driver’s working and driving time.
The new mandate will result in hundreds of thousands of new internet-connected devices and opens another opportunity for hackers to access, expose or destroy critical private or personal information. If ELDs are not handled properly, hackers can severely disrupt or wholly disable a motor carrier’s operations.
Wise drivers and motor carriers realize that each ELD poses a potential security threat not only to that truck and that driver, but to all the things that it directly or indirectly connects to. That includes the truck itself and, if not properly configured and secured, the entire outside electronic world. A modern-day truck’s wired and wireless electronic systems connect to each other, to the ELD, to the manufacturer and, quite often, to the motor carrier. The ELD itself connects to the truck, to the motor carrier via cell or wi-fi and, at times, to law enforcement via USB, Bluetooth, or e-mail. In addition, the ELD might connect to the driver’s own devices, which are, in turn, connected to the internet and its many hazards.
An ELD is, directly and indirectly, a new member of the so-called internet of things (“IoT”). The best description of an IoT device is something that formerly stood alone, like your home thermostat, which now connects to other things through the internet. Those other things can be good, like connecting to your smartphone so you can turn up the temperature before you get home. Or those other things can be bad, like a hacker using the thermostat as an access point to your home computer network. The same holds true for ELDs. If not properly installed, configured and maintained, ELDs are, to hackers, as enticing as logging in to the motor carrier’s networks.
From a motor carrier’s perspective, each ELD is another potential access point to company critical information and, perhaps worse yet, access to create company-wide havoc. ELDs contain “on board” information such as identifying personal information about the driver and her whereabouts. They may also contain less obvious information about the truck, the trailer, the refrigeration unit or the cargo. Depending on how they are integrated into other information systems, an ELD may contain, or have direct access to, back office information about company routes, communications, customers, dispatching, billing and costs. Not considering all of these risks subjects company information and private employee data to exposure, damage, and manipulation by hackers.
Carriers must give substantial attention to electronic security when purchasing, installing, securing and maintaining an ELD. Unfortunately, recent cyber-attacks have confirmed that no computer or digital device is completely secure. But motor carriers must take certain steps in the ELD implementation process to minimize the risk of cyber intrusions. Many of these suggestions are offshoots of electronic network and computer “best practices” utilized for office computer and phone networks. Carefully applied, these steps can minimize, but not eliminate, all risks.
Security Steps to Consider
At the equipment evaluation stage, motor carriers should only work with trusted vendors possessing proven reputations. Consider engaging a consultant with experience in the industry. Obviously, carriers should only consider devices registered with the Federal Motor Carrier Safety Administration (“FMCSA”). Carriers should also give strong consideration to whether the ELD should allow any interaction with a driver’s personal device through any means (wired, wireless or Bluetooth). Many experts say “no” because of the sensitive data those devices may contain and the sometimes woeful security procedures people generally employ on their personal devices. Further, carriers should consult with vehicle manufacturers to better understand what risks may be associated with that type of vehicle and an ELD.
Additionally, carriers should consider whether the device should use wi-fi or Bluetooth connections beyond the limited possible communication with law enforcement. This is a particular concern for ELDs using internal wi-fi or Bluetooth capabilities to connect to a smartphone, tablet or laptop. Without robust security protecting that wi-fi or Bluetooth network, the ELD may be susceptible to outside hackers. In fact, some experts do not recommend using Bluetooth for an ELD other than to transmit carefully limited information to law enforcement. A wired connection between the dedicated input device and the driver is generally the most secure. Communication beyond the truck and law enforcement over unsecured wi-fi should be avoided. Open wi-fi networks can be notoriously insecure and, therefore, experts recommend using only cell phone carrier data connections for communications beyond the truck’s cab. Almost no “free public wi-fi” is ever well-protected and, what’s worse, such networks may be constructed simply to bait unsuspecting users for the purpose of hacking.
Purchasing
When purchasing ELD equipment, carriers should carefully review the equipment warranty information to determine if it includes warranties about the ELD software’s security, in addition to day-to-day functionality. Vendors should guarantee that their hardware and software will be listed with the FMCSA registry of compliant ELDs for the duration of the device’s life. Carriers should also demand a specific remedy from the vendor if the ELD is “de-registered”. But remember that the FMCSA rules focus on data integrity and driver privacy, not security. Thus, carriers should not assume that an ELD’s registration with the FMCSA provides any data security.
Installing an ELD
ELDs should be professionally installed. Particular attention should be paid to the physical connection between the ELD and the truck, which can be easily hacked by someone with the briefest of access to a truck. The connection between an ELD and the truck should be secure and designed to indicate whether it has been compromised. Additionally, all software utilized to maintain the connection between the ELD and the truck should be current and should be routinely updated. Occasionally, between the ELD’s assembly date and its vehicle installation date, the ELD vendor might issue several software updates that contain important security patches that will not be applied unless the software is updated.
After the initial ELD installation and programming, any remote software diagnostic access to the equipment should be closed or disabled, including access by the manufacturer. It can be opened later, if necessary. Manufacturer-assigned default passwords for users and administrators must also be changed. Multiple failed logins should force a device lockdown necessitating an administrator reauthorization process. However, give thought to how that process works if a lockdown happens to a driver at 2:00 a.m.; the reauthorization process can be completed remotely using appropriate authentication protocols.
Training on ELD Use
Carriers should educate drivers about the importance of proper security when using their ELD. Drivers should memorize their login and password information instead of placing post-it notes on the ELD screen. Logins must be, by FMCSA rule, unique to each driver. Also, to maximize security, passwords should have a raised level of complexity in length and content by requiring the use of numbers, capital letters, and special characters. Carriers should force password changes periodically and prohibit the re-use of old passwords. Experts suggest using a two-step verification process for login to enhance security. Consider adding another item to a driver’s daily or pre-trip inspection checklist to be sure the ELD and its connections are free from any evidence of tampering. Develop a procedure for the driver to follow if anything about the ELD is out of place or doesn’t “look right”.
Day-To-Day Use
First, keep the software current. Vendors should provide frequent and easy software and firmware updates without charge. Those updates can protect ELDs from later-discovered security concerns as well as offer feature enhancements. Carriers should also develop a process to regularly install software and security updates for all aspects of the ELD’s operation and make vendors demonstrate the secure update process. Be sure that process does not leave administrator-level access wide open between updates. Second, keep back office software similarly up to date. Third, strongly consider using professionally managed offsite storage and backup of all ELD data. Like well-known cell phone networks, well-known data storage and hosting services provide increased security and physical separation for stored ELD data.
Again, in the back office, consider whether or not to connect the ELD network with other business-related computer networks (such as accounting, customer or vendor access). Depending on the ELD’s integration into any other in-cab communication-capable devices, it may be wise to have no connection between the ELD network and anything else at all. This physical separation may significantly protect the motor carrier’s other networks from hacks coming through the on-road ELDs.
Overall, ELDs demand additional security vigilance, which must mesh with the well-designed scheme most motor carriers already have in place. However, if a company’s existing security measures are woefully inadequate, the installation of ELDs may be just the incentive needed to adopt an enterprise-wide data security plan. Don’t think that tens, hundreds or thousands of new ELDs used by only newly trained drivers and back office staff do not increase hacking risks. They do.
Talk with Marsh & McLennan
If you have any questions regarding security concerns in the trucking industry, please contact Mike Glover at 612.336.1269 or Bryan Feldhaus at 612.336.4389 at Lommen Abdo, P.A., Minneapolis (general 612.339.8131). Or contact your local Marsh & McLennan Agency representative for assistance.