As technology evolves, especially with the use of artificial intelligence (AI), cyber threats are on the rise. Most recently, threats are even coming from family members, friends and coworkers – or so the use of AI for voice spoofing would have a victim believe. That raises the question: what if a cloned voice of a driver or customer calls your load planner, who then provides information that leads to cargo theft?
While there are greater threats to a trucking company’s cybersecurity, this is one of the many trends on the rise, according to the National Motor Freight Traffic Association’s (NMFTA) 2024 Trucking Cybersecurity Trends Report. The report states that Seattle-based WatchGuard Technologies expects an increase in vishing, which is when a scammer calls a person pretending to be a reputable company or organization, or even a co-worker or someone’s boss, and urges the person to provide personal or sensitive data or send money to a fraudulent account. Voice cloning is the next level of vishing attacks.
AI and machine learning risks still only account for a fraction of attacks expected this year, while phishing remains atop NMFTA’s list. Approximately 90% of hacks occur through phishing and misconfigured networks/devices.
Phishing is when attackers send bulk emails to massive lists of unsuspecting contacts, usually with the aim to trick people into clicking links or opening attachments. The next level of that – and an even greater concern to trucking companies – is spear phishing: targeted and personalized emails to a specific individual, group or organization. The report states that it’s one of the most effective tools attackers have to breach networks, and WatchGuard predicts an emerging market for automated spear phishing tools on the dark web.
Hackers frequently use phishing scams to gain access to a carrier’s enterprise system at which point they can launch ransomware attacks. The report suggests that trucking companies’ best preparation for and defense against these attacks is to thoroughly train employees on how to spot a phishing attack.
“While the world of cybersecurity can often feel overwhelming to many, the best form of preparation and defense against these attacks is for companies to thoroughly train employees on how to spot each threat and securely configure both on-prem and cloud environments,” according to NMFTA Director of Enterprise Antwan Banks.
“Last year, the industry was directly faced with an aggressively evolving cybersecurity environment,” he added. “Trucking companies experienced attacks that disrupted their operations … which is why we urge the industry to take the matter seriously and establish the proper procedures in advance to be prepared for not if it happens but rather when it happens.”
As trucking companies continue to invest in cloud-based transportation management systems, telematics and automation tools to help improve operational efficiency, they’re expanding their risk for cybersecurity attacks. Those TMS and telematics systems integrate with other applications, which is why NMFTA is giving a specific focus to API (application programming interface) security on both the host and mobile side.
While almost all trucking companies have host-side integration, which is a critical part of the workflow plan, mobile-side integration and telematics providers also play a crucial role throughout the supply chain.
According to the report, cybersecurity experts cite several concerning API security issues, including the vulnerability of old, deprecated APIs known as Zombie APIs; denial-of-service attacks that can overwhelm a website, server or network; APIs that make it too easy for hackers to bypass authentication requirements; accidental leakage of sensitive data or exposure of stolen data; and undocumented back-door APIs known as “shadow APIs.”
NMFTA recently hosted a webinar with Liminal Network’s Chief Technology Officer Josiah Carlson and CEO Hillary Drake to talk about some simple ways to improve API security. This is some of their advice for trucking companies:
Use API keys. API keys are unique identifiers used to authenticate and authorize the user, developer or calling program to an API. Carlson recommended 12-plus character API keys, randomly generated.
“We want to use API keys because it partitions what we do as people versus what we let computers do,” Carlson said.
He said it is also important to have an API key page with a show/hide button to mitigate the risk of password theft, but what’s even better than that is storing that data fully encrypted on a server so it has to be decrypted explicitly by punching in a password a second time.
“Because no password should ever be stored in plain text on a server anywhere on any database. That’s a recipe for disaster,” Carlson said.
Even better is storing a verification hash, which he said makes it easy to rotate API keys.
“In this context, key rotation is the act of replacing a secret access or encryption key with a new secret key, and why we do this is for all the same reasons why we change our passwords,” he said. “If someone gets in, having the ability to rotate your key, especially to your customer and/or incoming shipment enabling carriers … would be great. Just like you’d like to change your front door keys sometimes, it’s great to change your API key.”
He said it’s also important to have more than one – but better to have two or more – API keys with different access levels.
“You may want to have specific keys that only have access to a single carrier,” Carlson said. “If you have some shipments that are moving goods like weapons or rocketry or other defense-related or aerospace-related items, maybe you want to have those in a more secure location … or a different API key than the things that are being shipped like toys or PlayStations. But to be fair, PlayStations are expensive goods nowadays and are being stolen left and right.”
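One way to apply the API key advice above (randomly generated keys, a stored verification hash instead of the key, rotation, and separate keys per access level), as an added example that is not from the webinar or the NMFTA report. The `ApiKeyStore` class and the carrier names are hypothetical.

```python
import hashlib
import hmac
import secrets


class ApiKeyStore:
    """Hypothetical key store: keeps a verification hash, never the key itself."""

    def __init__(self):
        # key_id -> {"hash": hex digest, "scopes": carriers this key may access}
        self._records = {}

    @staticmethod
    def _digest(secret):
        # A fast hash is adequate because the secret is 256 random bits,
        # not a human-chosen password.
        return hashlib.sha256(secret.encode()).hexdigest()

    def _lookup(self, presented):
        """Return the record for a presented key, or None if it does not verify."""
        key_id, _, secret = presented.partition(".")
        record = self._records.get(key_id)
        # Constant-time comparison avoids leaking how much of the hash matched.
        if record and hmac.compare_digest(record["hash"], self._digest(secret)):
            return key_id, record
        return None

    def issue(self, scopes):
        """Create a key limited to the given carriers; the secret is shown once."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)  # 43 characters, well past 12
        self._records[key_id] = {"hash": self._digest(secret),
                                 "scopes": frozenset(scopes)}
        return f"{key_id}.{secret}"

    def verify(self, presented, carrier):
        """True only if the key is valid and scoped to this carrier."""
        found = self._lookup(presented)
        return found is not None and carrier in found[1]["scopes"]

    def rotate(self, presented):
        """Swap a valid key for a new one with the same scope; the old key dies."""
        found = self._lookup(presented)
        if found is None:
            raise PermissionError("unknown or invalid API key")
        key_id, record = found
        del self._records[key_id]
        return self.issue(record["scopes"])
```

Because only the hash is stored, a copy of the server's records does not reveal a usable key, and rotation only has to replace one record.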
Additional advice Carlson gave is to be wary of JWTs or JSON web tokens, a proposed Internet standard for embedding data with optional encryption. Encrypt everything, he said, adding that using a UUID (universally unique identifier) is best.
He said always use two or more factors for hashing and encryption. Logging into a system with a username and password is two factors. Multifactor authentication – adding something like a six-digit code for verification – is better, but still not great. Add a UUID cookie location into your factors, he said.
“This is important because so many goods are transported on a daily basis – things that are vitally important to our national security, to our food reserves, fuel reserves, medicine, medical equipment, everything … and it goes out over trucks across the United States every single day,” Carlson said. “So security is important at every level because we do not want to have any of these things not make it on time.”
Drake said carriers should implement security measures based on what makes sense for their risk profiles. Carlson said attack and infiltration software is easy to find and inexpensive, but remediation in the event of an attack on a trucking company is not easy or inexpensive.
Drake said one retailer recently lost $1 million in apparel when the shipment was stolen. The attacker obtained the information from API data that enabled a spear phishing attack.
“They can use the data that’s traveling in your APIs to build really good customer profiles, and they can build spoofed domains; they can do a lot of things that will convince someone to do the wrong thing,” she said. “This is data that no carrier wants out there because this is confidential and important to the business, on top of the fact that this is important to your customers, and your insurers are more concerned with this every day.”