Dive into the unique cybersecurity challenges and innovative solutions within the trucking industry, as host Sean Martin and a panel of distinguished guests from various sectors explore how safeguarding our supply chain is more critical than ever. Discover the intersection of technology, strategy, and community efforts required to defend against sophisticated threats, making this episode a must-listen for anyone interested in the forefront of cybersecurity practice.
Guests:
Chloe Callahan, IT Operations Manager at Peninsula Truck Lines [@PeninsulaTL]
On LinkedIn | https://www.linkedin.com/in/chloe-callahan-36822995/
Antwan Banks, Director of Enterprise Security at NMFTA [@nmfta]
On LinkedIn | https://www.linkedin.com/in/antwan-banks-cissp-cciso-cism-cisa-29465314/
Dr. Jeremy Daily, Ph.D., P.E, Associate Professor of Systems Engineering, Colorado State University [@ColoradoStateU]
On LinkedIn | https://www.linkedin.com/in/jeremy-daily-646750103/
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
___________________________
Episode Notes
In this installment of the Redefining CyberSecurity Podcast, host Sean Martin dives deep into the intricate world of trucking (large vehicle) cybersecurity. Sean brings together a panel of distinguished guests, each contributing unique insights from their respective positions in the trucking and cybersecurity realms. Attendees include Chloe Callahan, Operations Manager at Peninsula Truck Lines, and Antwan Banks, Director of Enterprise Security at NMFTA, alongside Jeremy Daly from Colorado State University, where he teaches systems engineering at the graduate level. The conversation uncovers the specialized cybersecurity challenges faced by the trucking industry. Despite the sector's pivotal role in maintaining the supply chain, it emerges that the requirements and threats it encounters are significantly distinct from those in more traditional IT environments.
Callahan shares her journey towards recognizing the importance of cybersecurity through her engagement with NMFTA conferences, which fueled her dedication to educating her community about cybersecurity basics and beyond. Banks offers a compelling perspective from his experience in cyber defense and warfare, emphasizing the strategic implications of securing the trucking sector against potential nation-state attacks that aim to disrupt critical supply lines.
The episode further explores the technological complexities inherent in the trucking industry, particularly concerning the integration of operational technology (OT) with information technology (IT) systems. Daly adds depth to the discussion by highlighting the evolving threat landscape and the importance of considering the entire lifecycle of trucking assets from a security standpoint. He also sheds light on initiatives like the Cybertruck Challenge, designed to foster talent and awareness in tackling these unique cybersecurity challenges.
The panel also addresses the vital role of education and proactive cybersecurity practices, underscoring the significance of comprehensive incident response planning, which extends to responding to cybersecurity incidents affecting the physical operation of trucks. Through their dialogue, the importance of community, information sharing, and collaboration across industries to enhance cybersecurity readiness emerges clear.
Overall, the episode offers an enlightening exploration of cybersecurity's critical place within the trucking industry, stressing the necessity for vigilance, preparedness, and community cooperation to safeguard vital supply chains against sophisticated cyber threats.
Key Questions Addressed
___________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
ITSPmagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
___________________________
Resources
CyberTruck Challenge: www.cybertruckchallenge.org
Posters and presentations by Dr. Daily: https://www.engr.colostate.edu/~jdaily/presentations/index.html
___________________________
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in sponsoring this show with an ad placement in the podcast?
Learn More 👉 https://itspm.ag/podadplc
Rolling Safely to Feed the Nation: The Cyber Frontline of Trucking Safety | A Conversation with Chloe Callahan, Antwan Banks, Jeremy Daly | Redefining CyberSecurity with Sean Martin
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] Hello, everybody. You're very welcome to a new redefining cybersecurity podcast. I am your host, Sean Martin, and I think I have to do the obligatory horn horn pull to get the, uh, the truck horn signal going here. Uh, if you might guess, uh, if you listen to the show, you know, I get to talk about all kinds of cool things, cyber related to business and policy and governance and all the fun stuff that, uh, organizations have to deal with.
And when you dig down deeper, you realize that. Different organizations have different needs based on the industry sector they operate in and the consumer base that they reach with the products and services. And, uh, we look at cars, we look at space, we look at finance, you name it, we're looking at it today.
We're looking at trucking. And, uh, the world of, uh, World of cybersecurity in the trucking sector. And I'm thrilled to have Chloe Callahan and Antwan Banks on. Thank you both for joining me.
Chloe Callahan: Thanks for having [00:01:00] us.
Sean Martin: Yes. Thank you. It's going to be fun. And a shout out to, uh, Marley and NFTA to, uh, hopefully I got the acronym right for introducing us.
And I'm excited for this conversation before we get into kind of the state of. Security and trucking a few words from each of you. Chloe, what's your role? What are you up to? And why cybersecurity and trucking?
Chloe Callahan: Yeah, so I'm the operations manager at Peninsula truck lines. It's a, um, Pacific Northwest, uh, trucking company and I started going to the NMFTA conferences way back when I first got this job.
And, um, I wasn't, I didn't have this cybersecurity bug. I didn't, I didn't, I cared about it, but not so much. And, um, the NMFDA really inspired me to, um, dig deeper into cybersecurity and how we can work together as a community [00:02:00] to protect, uh, ourselves and enhance learning and My particular passion is to, um, educate everyone, everyone, users, the end user, especially the more people that know about, um, cyber security, just basics, and then even getting in deeper into the weeds with, um, the people that, you know, need to know that.
Sean Martin: And, uh, Antwan, what about you?
Antwan Banks: Well, I'm Antwan Banks.
I'm the, uh, director of enterprise Security over at the N-M-F-T-A, uh, retired military. I did cyber, uh, in the military, cyber welfare, cyber defense, and cybersecurity is my passion. Uh, before joining the, uh, N-N-M-F-T-A, I was the, uh, director of cybersecurity at the rail system here in Atlanta. Uh, better known as mata.
Uh, and so I got into, um. Uh, IOT devices because we had a, uh, skater, that's what control networks. Um, and I just [00:03:00] love, uh, cybersecurity. Um, I enjoy this job because I understand, uh, cyber warfare. And I know that, uh, our next war will be fought in cyberspace and our supply chain will be, um, in a high value target to, to, uh, to a nation state.
And if they can figure out how to stop our, Uh, food supplies, our, uh, lifeline, then, you know, they can bring pain on, on our society, uh, in our lively, uh, in our way of life. So I enjoyed this mission. I see it as a, uh, for me, it's kind of like a, uh, a chess game. Um, you got to move all the right pieces around, uh, to defend against the enemy.
And so over at the NMFTA, we're doing research on the, uh, heavy truck network on how to, uh, protect. Uh, I never started from hacking in and taking over a truck and, and do things that they're not authorized to do. Uh, we've recently, uh, announced a, uh, reorg, [00:04:00] uh, I used to be over the heavy truck and the enterprise.
Uh, we're going to bring in a, uh, an additional person to come in to focus solely on the, uh, the trucking network. And I'm gonna focus solely on the enterprise so we can put a little bit more horsepower behind the game. Uh, but that's pretty much me and, uh, MFTA in, in, in a nutshell. Yep.
Sean Martin: Fantastic. And I mean, I know we want to get into kind of the current state of things, but I, I think what might help at least me and presumably the audience as well is I'd like to paint a visual picture of what a, what the world of trucking looks like.
You just described too. So I knew large, uh, Large vehicles would be one, but you mentioned enterprise. I don't know if that's the enterprise for random FTA or if that's, uh, enterprise trucking for like back office systems for trucking organizations. So I don't know. So that's why I'm asking who can paint a picture [00:05:00] of what all the elements are in the world of trucking.
Antwan Banks: Well, I'll take a stab at it and I'll turn it over to Chloe. Cause you know, I'm, I've been in trucking for over a year and I took trucking. Uh, Chloe has been doing it for a while. When I speak to enterprise, you know, I speak of the back office, the, the, your outlook, your, your desktop, the laptops, your servers.
And when I speak of trucking, uh, you know, I'm talking about the, uh, truck itself, the, the network that's on the truck, uh, that whole ecosystem from the, from the, uh, the warehouse updating the, uh, firmware, uh, inside the truck, inside the, uh, maintenance, uh, laptops, things of that nature. So when I say enterprise, I'm talking to office back office.
Um, and when I say trucking network, I'm talking about the truck, the trailer, that whole ecosystem.
Sean Martin: And is logistics part of the, the truck network or does it connect back to enterprise?
Chloe Callahan: So we [00:06:00] actually have to consider both, um, the, the trucks are what are on the roads delivering the freight, but. All of us, all of the trucking companies have that back office part too.
So, uh, our job as cybersecurity administrators at the trucking companies is to, um, to understand and, um, and defend both aspects.
Sean Martin: Got it. Got it. All right. So the other thing I want to do kind of to level set, I think we talked briefly about this before we started recording it, I think. At least from my perspective, uh, there's been a lot of attention on automotive, the world of automotive and certainly autonomous cars and things like that.
Uh, my expectation and at least the limited understanding [00:07:00] is that there are autonomous trucks, right? And a lot of the same technologies in, in the standard car world. If you will, uh, apply to trucking. Um, so who, who wants to paint a picture of what a truck looks like? And are there any differences there between a truck and a car that we should be aware of?
Chloe Callahan: Um, I'm not entirely sure about. The network part of the car versus truck, but the truck will have, um, will have, uh, the controller area network with all of the different systems that have to talk to each other. And, um, when. You compare that to a car, it's probably somewhat similar, but the difference with regard to cyber [00:08:00] warfare between the 2 is that if the supply chain is.
Attacked and trucks aren't running on the roads, it would take 3 days before shelves are completely empty and, um, different things about our society would be. Extremely like devastatingly impacted if trucks can't run. So when I answer that question, I'm thinking in terms of what are the effects of trucking versus heavy vehicles versus the automobiles?
Sean Martin: Yeah, I presume, uh, I'm thinking refrigerated trucks. Uh, the truck might get there, but if all the food is spoiled, that could be a problem as well. And I want to take this moment. Um, So Jeremy Daly has joined us. Jeremy, thanks. Uh, thanks for being on from, uh, Colorado state if I'm not mistaken. Yes, my pleasure.
[00:09:00] Thank you. Perfect. And I'm glad, glad you can make it. Um, both Chloe and Antwan have given a few words about their role and what they're up to with respect to trucking cybersecurity. So if you could do that for us, that would be fantastic.
Jeremy Daily: Yeah, fantastic. So my name is Jeremy Daly and I teach systems engineering at the graduate level at Colorado State University.
And one of the things systems engineers look for is a property called emergent behavior. And this is the idea that when you have separate systems that by themselves are fine, when they get put together, new behaviors emerge, things that may not have been either noticed or planned for, and cybersecurity is an emergent behavior.
So a lot of issues happen when these potentially safe systems get [00:10:00] combined. Right. One of our. More recent, um, explorations is in the concept of the electronic logging device. And so this is a mandated technology that the government requires truckers to use to track hours of service. And so this device by itself is programmed, you know, fine and can interact with a CAN bus and so forth.
Uh, and then the truck itself doesn't have any sort of wireless access. And so when you put these two together, there's now a potential for wireless access to a truck, uh, through this device that controls the network. And so what we'll, what we'll see then is any vulnerability, um, that, that ELD exposes could then potentially affect the operation of a truck.
And so our focus has been on you mainly assets, right? So heavy vehicles, the things that are actually rolling on the street and making sure that [00:11:00] our manufacturers and the OEMs understand some of the security concerns that we have. And so we've started some initiatives, uh, probably the most successful that we have is called the cyber truck challenge, uh, where we meet for a week in the summer, bring in a bunch of students.
Last year, we had 25 different universities represented and all the major heavy truck makers and we learn about cyber security and then go hack on trucks for a few days. Uh, and really try to develop our community of interest and develop talent to solve some of these problems.
Sean Martin: Super fun and hats off to all those researchers doing that work.
Well, we'll spend a few more minutes on the Cybertruck Challenge a little later in the episode. One thing I asked both Chloe and Antwan, I'd like your perspective on this is I think As I noted earlier, my perspective is a [00:12:00] fair, decent understanding in the world of regular automotive. Infrastructure and and technologies and research being done there.
Um, to me, it seems a little less on the on the trucking world. So I was wondering what differences might exist between the automotive and the large vehicle world. One thing that comes to mind, you mentioned one in that in that device, perhaps the other thing that comes to mind is the inclusion of Strong mechanical devices that are probably controlled on these on these trucks.
But, uh, in the in the broad picture of trucking and trucking cyber security, where might there be differences between regular automotive and large vehicles?
Jeremy Daily: Yeah, it's a good question. Um, So when I first started looking at this, we tried to answer this question and we came up with a couple of things. The first was the idea of a horizontal [00:13:00] integration where you have trucks that appear with a badge, a brand badge on the outside, but have critical components from many different companies.
And so, you know, the example I give is our Kenworth truck. Runs a Cummins engine with Bendix brakes, and you could have the same outside facing Kenworth truck, but a PACCAR engine with Wabco brakes, right? So there's a lot of specifications, and that horizontal integration leads to standardization, and we use J1939 for those standardized messages.
So that was the story about 10 years ago. Uh, arguably though, a lot of the companies have become more vertical. And, uh, even to the point where the passenger car technologies are showing up in the heavy trucks as well. So. Uh, auto SAR, for example, is a, it was mainly [00:14:00] targeted for passenger cars, but now we're seeing it implemented in the heavy trucks and companies like Volvo have, uh, an interest in both.
And so they kind of homogenize their approach towards electronics and try to borrow from, from each other. Um, what the, the difference nowadays, though, I think is in the customer base. In the trucking industry, you have, uh, purchasers who are responsible for large volumes of purchases, right? So hundreds of trucks at a time.
And that purchasing power gives the The trucking company is a lot of influence over the specifications about how those trucks are built. And, um, you know, for example, adding additional RP 1226 connection points for ELDs is something that's customer driven, where in a passenger space, if I go to a, you know, a [00:15:00] Chevy or a Ford dealer, I probably can't just ask them to add more wiring.
Um, for my special case, so you have, as a trucking industry, the ability to influence builds through your requirements and your purchasing power. So that's kind of an interesting thing. And then the other part is the regulation environment, um, heavies versus passengers are regulated differently and passengers aren't required for hours of service.
And so you don't have these, uh, you know, self certified devices that are required to be installed in passenger cars. Um, so I would say those are kind of the two big differences between passenger and heavies.
Sean Martin: Got it. Perfect. So I want to, um, I mean, I could probably spend the rest of this time digging deeper into those.
Uh, maybe we can spend more time on that and another other point, because I think, [00:16:00] uh, yeah, I was looking back to when Antron introduced himself, the, uh, the SCADA work and the IOT work. All the, all the elements within the truck make it difficult to kind of get the system of systems, right? So different components from different makers combined to pull together a big, a big truck system.
Makes it challenging. So I want, Chloe, I wanted to kind of go to you. Um, I mentioned that my, my naive view is that it doesn't get a lot of attention, at least in media, from my perspective. What's your, What's your take on the understanding of the need for cyber security from, from the people buying the trucks, from the people running the trucks?
Chloe Callahan: Um, that is a really excellent question. The, the need for everybody to understand cyber security concepts from a basic level all the way up to as far as your [00:17:00] interests will take you is, is great. I agree with Antwan in that, uh, the next war is going to be cyber warfare. As an included aspect of the, the tactics used and, um, so it's not a matter of if it's a matter of when and being prepared is never a bad thing.
So, from, from, for me and peninsula truck lines, I have taken on the project of. Educating every employee, including drivers who have to take mandatory cybersecurity video training, because I think it's very important for just awareness, um, understanding from a driver's perspective, understanding what your truck should look like.
And is there an extra device attached to it? For [00:18:00] instance, um, it's, it's. Just being aware.
Sean Martin: Can you, can you Chloe describe what the inside of that truck looks like, or I don't know, does somebody look at it through their phone as well? I can only imagine a tablet because I, not, not many of us get to sit, uh, sit up high in that nice bouncy chair.
Uh, in front of a cool display with certain things. So describe that to us.
Chloe Callahan: I can tell you that we do have, you know, the, uh, Dr. Daly, uh, mentioned the electronic logging devices and we do have to have a device that will connect, um, With an app to our routing and dispatch provider, and, um, that's where all of those logs are ingested.
And then you can, you know, the driver will clock in and out for lunch or in and out for their shift. And they'll do their reports on whether the truck is in good [00:19:00] working order or not. And, um. So the, the, the driver definitely has to be aware of, of interacting with, um, with a device and, and understanding what is connected in their vehicle.
And, um, we're constantly adding stuff, you know, we're, um, We're talking cameras and we're talking, you know, other things that need to get added into the vehicle. Um, so, you know, it's just really important that everybody has a basic level of understanding. And that, uh, I think social engineering is a really big one.
Um, I heard it said once that, um. You can defend yourself by being rude and don't, don't just take somebody at their, at their word and, and, um, demand that, uh, you get more explanation or, um, find that, find the explanation in a [00:20:00] different way. If you're, if you feel like, um, You're getting told a story
Sean Martin: and, and Antwan or Jeremy, I, I'd like to get a view and we'll, we'll talk about some of the threats targeting this stuff, but the, the attack surface.
And I don't know if that's. Presented in, in the context of what a truck can actually do. Does it, does it have sensors? It must have sensors for refrigeration and load weight and whether the load is balanced properly or I don't know what, what, what are all the things technically that a truck can do?
Antwan Banks: Well, you know, from a, from a hacker's perspective, uh, and I let Jeremy go into some of the research that they're doing, um, There are many different ways you can, uh, attack a truck. Uh, I believe based off my, my experience in the military and how pen testers work, [00:21:00] that they're going to, uh, attack the enterprise system, the back office system, uh, and potentially get to a system that the truck.
Trust and take advantage of a trust relationship. Uh, so maybe, uh, some type of a dispatch system or something that goes through the, uh, telematics, uh, device to the truck and from a, uh, nation state, they want to try to, to, uh, attack multiple trucks because you really can't hurt our economy, uh, or hurt our way of life.
If you attack one truck or two trucks, you want to hit multiple trucks. Uh, a lot of trucks, uh, at the same time you want to attack and scale. So they use something called pivot, uh, attack the enterprise network, trick somebody to click on a, uh, a link in an email or some kind of social media posting, compromise that machine.
Take advantage of the trust relationship and then hop out, uh, to, to potentially multiple, uh, trucks and maybe D rated or, uh, shut it [00:22:00] down or understand the geo location so they could, you know, maybe hijack and things of that nature. Uh, Then you have some other physical attacks that you got to be in close proximity, uh, to attack the truck.
But, uh, that's what I think a nation state would do. I'll let Jeremy talk about some of the things that, uh, they, they, things that they're not going to talk about in our Chatham House Rules session. Uh, things that they, uh, they, they've seen and some research they've done.
Jeremy Daily: Yeah. Thanks Antwan. Uh, so I, I like to, Address this question by introducing the concept of the life cycle of the, of the vehicle.
And so oftentimes we have this vision of just the truck driving on the road or picking up cargo or or whatnot, but the reality of it is these are 20 year, 30 year assets that have a lot of considerations throughout their entire life cycle. So we start out. You know, kind of, and even in the conceptual [00:23:00] or the design phase, there's proprietary, uh, intellectual property that's tied into these engine control modules.
And so those need to be protected to maintain the competitive advantage for those companies. Um, then you have, you know, then you have the initial provisioning and the, uh, and the registration. So the truck rolls off the factory, but then as soon as, you know, they show up at a, at a, um, at a fleet, they get adapted to comply with the regulations, right?
With the ELDs and the cameras and, and other types of safety features that are, uh, third party provided. And so the truck that we thought you were looking at actually isn't the same truck that's actually on the road. Um. And then if something breaks down, you've got to do a repair and replace and you have a diagnostic tool and that diagnostic tool uses windows and hopefully your windows is updated and passion.
So, the reality of it is for some of the life of a truck, [00:24:00] you actually do have to worry about the Internet and the windows updates and the device drivers. And some of our research groups is, has shown how we can transparently. Uh, in fact, a windows computer that then changes the firmware settings on a truck.
Um, and then there's a forensics case at the end, right? What happens at the end of a truck's life? And sometimes they crash. And so now you have a significant amount of effort going into figuring out what happened. Um, and sometimes these, you know, the lawsuits associated with truck crashes are in the, you know, eight figure range.
And so there's a significant financial incentive for, uh, you know, smart people to really dive deep into some of these, uh, devices, uh, and, and uncover some of the digital data and or secrets that are in there. Um, so, so it's, it's not quite as [00:25:00] straightforward as just a device or a sensor, uh, but there's a whole life cycle.
That exists that really addresses or that that need kind of special security considerations for those particular phases
Sean Martin: and uh I know when I when I look at the The the trucking or not. So the trucking the tractor sector, um, not tractor trailer, but farming tractors They uh, I think the general gist of it is one one doesn't really own The tractor anymore.
They they You They'd lease it with the, with the rights to, to use it, but you can't, you can't repair it. I think maybe some of this has changed in recent months or years, but, um, who can describe kind of that whole thing? Just, just the ability to. To change the way the truck operates, you don't just tighten the screw or bolts anymore.
It's, it's [00:26:00] tuning through computers and may or may not be able to do that now.
Jeremy Daily: Well, in order to operate in California, it has to be satisfied through the clean air check. And so there's a consistent certification process that goes through. Uh, the OBD port and some of them are live and connected, right? So it's a, it's a perpetual connection.
That's feeding the back office or the state of California's back office. So something that's completely out of control of both the fleets and the drivers and the manufacturers. And so those are going to generate new threats, uh, from a cybersecurity perspective and, uh, and also, you know, the notion of, uh, what is a false positive and what's a false negative.
And if you can induce false positives and false negatives on emission compliance, um, then you can [00:27:00] either run illegally. Without consequence or you can subvert your competition. So they get fined and you don't uh, and and uh, so there's some Consequences some second order effects from imposing these types of regulations that require a cyber aspect to it
Sean Martin: and I'm picturing this world of of a state controlling the the speed limit of Certain trucks with certain loads because they get better better mileage and less, uh Less pollution.
So from the, from a dial, they can control all the trucks.
Jeremy Daily: Yeah. So the state might want to do this for altruistic purposes. Um, but the, you know, without due consideration for the security consequences of that, that means other states and let's say nation states may also be able to do this and cripple the economy, right?
So I [00:28:00] think that there is a, um, like I said, Unintended consequences from some of this. And we've already seen those unintended consequences manifest themselves with the electronic logging devices, where the trucks that use these are, are no longer safe on the road.
Antwan Banks: Yeah. One of the things that I like to include in my briefing, uh, you know, to keep it plain and simple when they, you know, trucks were never designed to be connected to the internet, you know, when they first start building trucks, it was mainly the, the, the haul cargo.
And because of various regulations and compliance, we've They started throwing devices and networks and trucks, uh, for compliance reasons. And now vendors want to, uh, keep up with the health of the truck and the health, the health of the devices on the truck. And so they want connectivity to the truck. So all these need, all these needs to, uh, remotely manage, remotely monitor.
What's happening in the truck is creating attack vectors. Um, you have drivers [00:29:00] with cell phones, smart devices that go out and plug into all these stations that could get juice jack and if their phone get compromised and they plug into the truck, they can also introduce a vulnerability. So you just got to remember, uh, a vehicle that wasn't designed to go to the internet and as you throw things on it, the rush to put it in there.
Without security considerations, create vulnerabilities as it is up to people like, uh, Jeremy and, uh, being Gardner to go out and do the research to try to find those vulnerabilities before the bad guys find them, it's just a race against time, basically.
Sean Martin: And Chloe, how, how do you go about defining success for your IT?
Slash security program. And, and how do you communicate that to, uh, to your executive leadership team? That this is what's important and here's how we're managing to that.
Chloe Callahan: I think I'm, [00:30:00] I'm very lucky in the fact that my executive leadership team is very invested as well in security. That's not always the case at every, at every company.
Um, so they're very, very supportive. And I, I, to measure success. I, I tend to be pretty hard on myself and I don't think, I think that, um, continuous improvement. Is more of the order than success. We need to continually reevaluate. We need to make sure that we're updating our incident response plans. We need to make sure that we're, you know, doing all of the right basic security things for both the enterprise and then also educate ourselves on the, um, the, the truck networking aspects of it.
I, um, [00:31:00] Things like, uh, Antwan was saying about the, the SCADA networks, and I think that, um, we can learn a lot from other industries that have already overcome certain challenges and apply those, um. Lessons learned to our own industry as well. Um, so success is maybe we didn't get hit today. Um, but, uh, but more, it's more of a continuous improvement, continual, um, Vigilance.
Sean Martin: I appreciate that. And I, I want to go to the point of learning from other industries. Cause what I find in the cybersecurity space is there, there is a large community. [00:32:00] That want to do good things for many and some move from regular it into OT into different sectors. And so, Antwan, I want to use this moment to maybe kind of transition to the, the conference that you hold every year and the value of bringing the trucking industry together.
But perhaps to Chloe's point, others from other industries, certainly across cybersecurity to help drive awareness and help help each other learn in new and exciting ways. Yeah,
Antwan Banks: I mean, the conference when, uh, last year when I put the conference together and this year, uh, what I had in mind was to, uh, Introduce the carriers to resources that they had available.
Um, SISA, uh, which is the, uh, operational arm of Homeland security. We brought in the FBI, uh, secret service. We even brought [00:33:00] in, uh, cyber insurance, uh, uh, people. Uh, we had Jeremy Daly and his team, you know, uh, showing some research and training that they were preparing. Cause it's all about resources, uh, to help them to defend, uh, their, their assets.
Uh, and the enterprise, um, we talked about cyber insurance. We talked about what we expected to see in 2024. Uh, what we saw in 2023. Um, and then we did some updates on on projects. Uh, and so we're going to kind of sort of do the same thing again. Instead of having two tracks, uh, this year, we're just going to have one.
Um, but we're going to talk about some research we've done. We're going to bring in some, some carriers who've experienced, uh, compromises in 23, uh, and talk about some case studies of what they went through, how they were able to recover. Um, and then, uh, I enjoy, you know, being ex military doing tabletop exercises where we inflict pain on a, uh, Fictitious company, uh, and kind of walk through with [00:34:00] recovering, uh, from that, that attack, you know, the incident response, the, um, talking to the public, dealing with customers, dealing with, uh, partners, um, dealing with payroll, why, why are you down?
And your systems are not working. How do you communicate with your employees? Oh, by the way, if everything's electronic, how do you do your incident response plan? If it's everything's electronic and you can't get to it. So we're going to walk through that, um, in an abbreviated period, two and a half hours, uh, normally I would like to have four hours or a whole day, but we're going to kind of squeeze it in.
But the, the, the conference is really designed to just. Make you aware of what resources you have to augment, uh, your security programs, uh, some best practices that are out there, uh, and, and, and, and, and ways that you can share information with other, other fleets.
Sean Martin: And Chloe, your experience, I know you spoke at last year's conference.
Um, what's your experience as a, as a speaker and also as [00:35:00] an attendee?
Chloe Callahan: It's the 1st time I ever did any public speaking, and it was absolutely terrifying. Um, but, uh, I think it was really valuable. Um, I spoke, I actually spoke about the ICS, um, aspect and learning what they do in order to prepare an incident response plan for.
If there is a cyber event on the heavy vehicles, as opposed to just the enterprise, because a lot of people are like, okay, I have an incident response plan. If we get hit with this type of attack, then this is what we're going to do. And you have a playbook and a response planned out, but I don't think I, I did a poll, not, not one person raised their hand.
When I said, do you have an incident response plan prepared for if your trucks are incapable of driving due to a cyber event? And, um, [00:36:00] so I think it was, it was very valuable. Um, I hope I got people thinking anyway, and I, and I think that's the purpose I go so that I can think about things that maybe I haven't been thinking of again with the continuous improvement and just knowing that the trucking industry is a community where competitors, but we're also, uh, we also need to be there for each other.
Um, because we have common enemies. So,
Sean Martin: well, well put and to reach more people. I know you're Antwan, you also said that, uh, you're trying to do a lot in a short amount of time, but I, I believe there are also webinars that will be hosted if I'm not mistaken, keep things going throughout the
Antwan Banks: year, right?
Yeah. We used to do a once a month, we've kind of slowed down a little bit. Uh, our next webinar is going to be. April the 11th, if I remember right. Um, and we're going to bring in a dynamite speaker to come in and talk about [00:37:00] third party risk and, and risk management, um, normally leading up to those, uh, webinars, either shortly before or shortly after I will put out a paper.
Um, I've already written, uh, a couple of papers on, uh, third party risk management and risk management. And also, uh, security language that need to go into, uh, uh, to contract. So April 11th is the big day. Uh, and then after that. I'm entertaining the idea of the bad guys are using AI to attack us. Uh, we can use AI to defend.
Uh, I've been kind of working on that, uh, as a paper and potentially a webinar as well. So, but we do them, uh, uh, about every other month now, every two months.
Sean Martin: And, uh, the, the date for the conference, it's October. What, what date?
Antwan Banks: Uh, last weekend in October, I think it's October the, uh, just had October the 27th through the 29th.[00:38:00]
Sean Martin: There we go. Very good. I'll put a link in the show notes for everybody, uh, to, to access that as well. And I, I want to take a moment now with you, Dr. Daly, on the, the Cybertruck Challenge. Um, can you share a little bit more about that? I've, I've seen, I've been to, uh, it was in a conference, Infrasecurity Europe held in London.
And I met for the first time a gentleman who walks around with a car and a box and it basically It's a simulation of everything that a modern car has in terms of all the electronics, then with all the sensors to say the wheels turning, the brakes are pumping, the windshield wiper, all the stuff in this box.
Um, and it was really, really cool. So, uh, and then the idea was that people can come in and hack it. So, um, tell me a bit about the cyber truck challenge. What do you, what do you have going on there?
Jeremy Daily: Yeah, so it was probably around [00:39:00] 2015, um, NMFTA kind of had a theory that, uh, trucks had some security challenges and I was working in, um, at the University of Tulsa at the time and came up with this and attended the meeting and kind of confirmed a few, um, a few ideas because I had been working in forensics.
And understood how the trucks worked. And so one of the key takeaways from some of those initial meetings was that the industry really didn't have the right people in place to help solve the problems. And at that time, and even today, hiring great cybersecurity talent with And understanding of the operational technology and physical needs for trucks is actually quite challenging.
And, um, so what we did is we started the [00:40:00] Cybertruck Challenge in 2017 to fill two missions. One is, uh, generate the talent that the industry can, um, hire to work on these problems. And number two is to build a community of interest that really helps engineer to engineer, to engineer. communicate some of the concerns that exist.
And so it's, uh, uh, arguably we've satisfied that mission. And I think we're the only event for heavy trucks like this, where the OEMs will bring their brand new gear, uh, to the event and let the, you know, the students with some mentors essentially hack on it for a week
Sean Martin: and actually functioning, rolling.
Jeremy Daily: Absolutely. Yeah. So some of them, um, you know, our, our test vehicles. Right. So like Cummins, for example, is one of our sponsors. Well, they don't make trucks, but they have a truck. And so they bring that with their engine in it. [00:41:00] And, um, and the students have the opportunity, you know, with, with, with, uh, industry guidance, you know, to go, you know, look at it and explore and get onto the CAN bus and see what messages are there.
Uh, other pieces of the truck, right? Telematics devices, uh, trailers, um, sometimes diagnostic software and those types of, uh, devices are also in scope. And so the students will, uh, you'll learn about software reverse engineering, for example. And then actually pull the firmware from a telematics device.
It's connected to the truck, right? And that's one of the activities that they learn how to do in the process of doing that. It really opens up the eyes of the industry to realize that just because it's in a nice, shiny metal box mounted to the side of the engine doesn't mean the firmware stays there.
And so then there's a Different way of thinking about some of these [00:42:00] attack vectors, based off of what the industry has seen at the cyber truck challenge. And the other side effect, of course, is, and this is the desired side effect is that the students who go there and realize how interesting and challenging and satisfying working.
With these big rigs are, um, they end up staying in the industry and making good relationships with those industry mentors and ultimately land jobs there down the road.
Sean Martin: So, so important. And, um, yeah, my co founder Marco and I always say, if we can make security cool, we can get so many more people involved and be part of something like that is awesome.
Jeremy Daily: Yeah, exactly. We're looking forward to, um, the brand new architecture, uh, I think from Volvo this year, right? So they've got a brand new truck model and we'll be one of the first groups to see it in person. They brought the European version [00:43:00] last year and so we get to see the North American version this year.
Sean Martin: Nice one. And what, uh, I'm going to put you on the spot like I did, Antwan. When, when is that happening?
Jeremy Daily: Yeah, so let's go to the last week of June. So the week of June 24th, Through 28th, but it is by invite only. Right? So it's a, it's a sponsored event and the students have to apply in order to attend and bring recommendations.
Sean Martin: Well,
this has been fun. I think I marked down, I have to look at eight things that I think I could dive deeper into, uh, for further chats. But, uh, at this point, I think we're gonna, we're gonna say we've had enough fun with the trucks and, uh, we're going to leave everybody thinking a little bit, uh, hopefully a little bit more about their, their, their, their, their, their Their own state of security in, in their trucking, uh, ventures, wherever, wherever that may be in the truck or in the, in the [00:44:00] enterprise, in the back office.
We didn't even touch on the fact that The stuff all connects to things flying in space, right, for GPS and all kinds of other stuff. But, um, I really appreciate your time and, and, uh, for your insights here. I encourage everybody to attend the events that you are allowed to, get invited to, um, the webinars, uh, That you can continue to learn from, and of course, most importantly, uh, contribute, get engaged, get involved, um, the more the merrier, the more the fun everybody can have.
And ultimately I think both Antwan and Chloe pointed out very, very pointedly that if we don't pay attention, the, uh, the supply chain of stuff we care about most, me, I love food most importantly for me is food, uh, is, uh, is at risk and, uh, to think it's not is, Kind of silly. So, um, [00:45:00] any final words from from each of you?
Chloe Callahan: No, just agreed. Um, I think it's very important to get involved, even if you're a little bit reluctant, just come to the conference, meet some people, um, go to the go to the things that you can and get involved. It's it's not something that we can hide under a rock and ignore. Perfect.
Sean Martin: Dr. Daly.
Jeremy Daily: Yeah, thanks for the opportunity to share some of our.
Ideas and thoughts with the community and, um, I, I guess I want to, I want to feel inspired at the end. Like, like, we have not seen a large scale cyber attack against the trucks as they roll down the street. But, you know, just make sure that as as new things are brought on board as a technology, um. The [00:46:00] temptations to embrace that technology, uh, pop up that, uh, you've got good consideration about what the potential consequences are.
Sean Martin: Well put, well put. And Antwan, bring it home for us.
Antwan Banks: Yeah, well, one, I want to thank you for the opportunity, uh, to speak. I really enjoyed it. I want to echo what, uh, Chloe said, come to the conference, learn, network. Uh, we all in this together. We're not competing. Um, coming from a military, uh, perspective, we're not competing.
You really don't have to be afraid and cower down, uh, to the cyber attackers. Uh, just take little small low hanging fruit type steps, train your users, uh, and be a little bit, uh, proactive, uh, have a incident response plan, uh, do tabletops, make sure you have good, uh, backups, uh, but again, most of all, train your users because you can spend tens of millions of dollars on the latest and greatest.
Cyber, uh, tools, cybersecurity [00:47:00] tools, but 90 percent of the attacks take place through, uh, through phishing, through social engineering, and so your people are your, your, your biggest asset. So let's be proactive. Let's network. Let's, uh, we are, we all, we're in this together, uh, and, and, and we can, uh, defend because it's not if, it's when.
Sean Martin: Agreed. Yep, I agree. And, uh, I also think it's exciting to, uh, to have the technologies there to help us do great things. And if we, if we use it wisely. We can accomplish so much. We just have to think about it. And I want to thank everybody for joining me here. I'll put a few links into the notes for resources that the group wants to share and hope to see everybody at the conference.
And do please subscribe, share with your friends and enemies, I like to say, and stay tuned for more Redefining Cybersecurity here on [00:48:00] ITSP Magazine. Thank you all.