Defending the Heavy-Vehicle Cyber Domain

Cybersecurity experts explain how they’re preparing the next generation of thwarters to protect increasingly electrified, connected and automated trucks.

A person gaining physical access to a single vehicle is bad, but nefarious actors gaining wireless access to a fleet of vehicles is far more worrisome. (CyberTruck Challenge)

The COVID-19 pandemic has served as a stark reminder of trucking’s essential role in keeping the economy moving. Hacking commercial vehicles poses grave risks that should not be ignored; therefore, adequate cybersecurity measures should be considered and implemented upfront in vehicle and system-development programs. That was the consensus of industry experts participating in a Cybersecurity panel at the recent SAE COMVEC 2021 conference in Chicago.

CyberTruck students have access to various technologies such as diagnostic tools, mobile apps, telematics systems and driver-assist components. (CyberTruck Challenge)

“Transportation is critical infrastructure. It’s central to our supply-chain philosophy of just-in-time,” stressed Karl Heimer, senior technical advisor for cybersecurity to the Michigan Economic Development Corp. (MEDC). To drive home the point, Heimer referenced a study that evaluated what would happen to a locality – be it a city, region or the country – if the trucking distribution system was interrupted or stopped for a period of time. “At the end of a month, literally we’re preindustrial,” he warned.

To help ensure the industry has enough talent to combat cybersecurity threats, the CyberTruck Challenge was created in 2017 to give college students and postgraduates a taste of the high-tech issues confronting heavy-vehicle engineers and ultimately to entice them to join the effort once they graduate. Students are paired with industry and government professionals, as well as actual hackers – or white hats – to learn about these large “networks on wheels.” This year’s challenge saw participation from 18 universities (compared to six in its first year) and featured seven trucks, three testbeds and one trailer on which students could gain hands-on experience.

Cyber is a ‘contact sport’

Future CyberTruck courses will increasingly address electric and autonomous vehicles and the unique cyber threats they pose. (CyberTruck Challenge)

The training program emphasizes that a fusion of skillsets is required to combat cyber incidents. “If you could grab an electrical engineer who has lots of patents and is extremely good and say, ‘I want you to go into this role as a cyber guy,’ that’s a great start, but it’s insufficient because cyber is different – it’s a contact sport,” said Heimer, who cofounded the CyberTruck Challenge along with Dr. Jeremy Daily, associate professor of systems engineering at Colorado State University.

Electrical engineering, mechanical engineering, computer science or programming – all solid backgrounds to have, Heimer added: “But you must move beyond that and fuse them in a way that you can understand what the cyber effects are against your transportation system.”

Hardware and software reverse engineering without schematics, networking with actual “live” ECUs, and the basics of cryptography are some of the areas covered. “Wireless interfaces are a big deal,” said Daily, who has written several SAE technical papers on heavy-vehicle cybersecurity and digital forensics. For example, experts from Argo AI and Dragos gave an in-depth presentation this year on Wi-Fi, Bluetooth, cellular, GPS and software-defined radio (SDR) and their vulnerabilities.

“Our products are at cybersecurity events. They’re being poked and prodded,” said Chris York, director of electronic system cybersecurity at Cummins, who provided an industry perspective on the Challenge and how it can promote continuous product improvement within a company. Among the components available for hands-on discovery are engine controllers, brake controllers and telematics units.

“We find things out every year and we go back and we’ll fix it, make it better,” York said. “My perspective is that people are going to learn how to hack this stuff regardless. People are hacking embedded products, IOT products, there’s nothing unique or special about our industry that makes us not a target. You’re better off to engage, meet the hackers where they are and learn how to make your products more robust to these kinds of attacks.”

Everyone who attends the CyberTruck Challenge must sign a nondisclosure agreement (NDA). “Ultimately this event succeeds based on trust,” Daily said. “We want the industry to trust that we will handle those discoveries in a responsible way.”

Threats and opportunities

A major challenge facing the industry is that cybersecurity is not mature and it’s rapidly changing, York said. And hackers are becoming more sophisticated. “The lack of maturity is baked into things like our industry standards,” he said. “We’ve got things like [SAE] J1939 that is fundamentally not secure. You can send a command to the engine or the transmission requesting more torque, and it’s very simple to do and it’s published.”

The issue spreads throughout the entire supply chain. “Things that we can do as product developers are limited by the microprocessors we have to work with and their capabilities,” York said. “And there’s only a handful of micros that all of us can use that are suitable for an automotive environment, particularly on engine. So, getting things that have the crypto-capability and resources to do the things that you need to do are challenging. It’s coming along – the things that we’re developing today are a lot better than the things we had 10 years ago.”

CAN FD (flexible data rate) can help with the growing need to exchange more information in a secure environment. “It provides a larger payload,” Daily said. “With a larger payload, you can better implement cryptographic primitives, [but] you can screw up protocols and solve the wrong problem just as easily with CAN FD as you can with [traditional CAN]. It’s very much an implementation issue as opposed to an underlying technology.”

“What CAN FD provides is the capacity to solve the problem,” York added. “If you look at CAN FD and Ethernet, you have a lot more space to work in than a CAN with an 8-byte frame.” With CAN FD, the message payload size has been increased to 64 bytes of data in each CAN-frame/message.
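To make the payload argument concrete, here is an added sketch (not code from the panelists or from any standard) of a sender appending a freshness counter and a truncated HMAC-SHA256 tag to a frame's data, and a receiver rejecting forged and replayed frames. The 4-byte counter, 16-byte tag, key and arbitration ID are assumptions chosen for illustration; 8 data bytes plus 20 bytes of overhead fit within CAN FD's 64 bytes but not within a classic 8-byte frame.

```python
import hashlib
import hmac
import struct

CLASSIC_CAN_MAX = 8   # data bytes in a classic CAN frame (figure from the article)
CAN_FD_MAX = 64       # data bytes in a CAN FD frame (figure from the article)
CTR_LEN, TAG_LEN = 4, 16  # assumed freshness-counter and tag sizes for this sketch
SAMPLE_KEY = bytes(range(32))   # constructed demo key, not a real secret
SAMPLE_ID = 0x18FF0001          # constructed 29-bit arbitration ID


def _tag(key, can_id, ctr, data):
    # Bind the tag to the arbitration ID and counter, not just the data bytes.
    msg = struct.pack(">I", can_id) + ctr + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def protect(key, can_id, counter, data, max_len=CAN_FD_MAX):
    """Return data || counter || tag, or raise if the frame has no room for it."""
    if len(data) + CTR_LEN + TAG_LEN > max_len:
        raise ValueError("data + counter + tag does not fit in one frame")
    ctr = struct.pack(">I", counter)
    return data + ctr + _tag(key, can_id, ctr, data)


class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_seen = {}  # can_id -> highest counter accepted so far

    def accept(self, can_id, frame):
        """Return the data bytes if the frame is authentic and fresh, else None."""
        if len(frame) < CTR_LEN + TAG_LEN:
            return None
        data = frame[:-(CTR_LEN + TAG_LEN)]
        ctr = frame[-(CTR_LEN + TAG_LEN):-TAG_LEN]
        tag = frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, can_id, ctr, data)):
            return None  # forged or modified in transit
        counter = struct.unpack(">I", ctr)[0]
        if counter <= self.last_seen.get(can_id, -1):
            return None  # replay: a valid tag alone is not enough
        self.last_seen[can_id] = counter
        return data
```

On a real bus the 28-byte result would be padded to 32 bytes, because CAN FD data lengths above 8 are limited to 12, 16, 20, 24, 32, 48 and 64. Dropping the counter check would leave every recorded frame replayable despite the tag, which is the kind of protocol mistake Daily describes.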

The experts agreed that nefarious actors gaining wireless access to a fleet of vehicles, for example, is more worrisome than a person gaining physical access to a single vehicle. “Is it possible to create havoc touching a vehicle? Certainly. But the scope of it is onesies, twosies,” Heimer said. “Threat actors tend to go for longer range, greater bandwidth.” From a risk perspective, that is the greater concern for manufacturers and fleet owners.

Telematics vendors such as Geotab and Omnitracs have participated in the CyberTruck event and offer some perspective on potential threats. “Students always ask me, ‘what keeps you up at night?’ Remote attacks and attacks at scale,” York said. “If you can shut down an entire fleet or an entire brand of telematics, that would be a Colonial Pipeline type of thing.”

Attackers chain things together, so physical access could initiate a snowball effect, York explained. “You can learn things with physical access and then go find a vulnerability in a telematics system that lets you get access to the truck and CAN to send messages that cause an ECU to stop working or reset. And then if you’ve got a vulnerability in the wireless carrier that allows you to enumerate the serial numbers of all the vehicles, then you can scale it.”

Service technicians can serve as unwitting accomplices who provide access. “You should probably be drawing your system boundary around that service technician, which makes your attack surface that much bigger,” Daily said. “You’re not compromising an ECU anymore, you’re compromising their Windows computer. If I were advising a nation state on how to go attack trucks, I would say leverage your cyber insider, which is the technician.”

Protecting electric and autonomous trucks

Electrification and autonomy are driving increased vehicle complexity, which will undoubtedly complicate efforts to combat cyberattacks. “I’d say it’s going to go to a whole new level, especially through your wireless communication vulnerabilities,” said Mark Pope, product specialist at DG Technologies and the session’s moderator.

Electric and autonomous trucks will have a lot more electronic controllers and networks. “There are more operating systems involved probably than there have been in the past; therefore, there’s more variety of networks,” York said. “So, we might have CAN and CAN FD and Ethernet or LIN all turning up on a vehicle. As the vehicle gets more complicated, it does increase the attack surface and the old adage that ‘security is only as strong as its weakest link’ is very true.”

Another challenge is that many autonomous system providers are in startup mode, so the products are not necessarily mature – these companies are just trying to make their systems work. “I hope that they’re considering cybersecurity at the forefront and don’t try to bolt-on a solution after the fact,” Daily said. “But my fear is that somebody’s going to underspecify a requirement for cybersecurity on those and you’re going to have to retrofit.”

York likened the situation to engine manufacturers in the recent past placing all their engineering energy on meeting increasingly strict emissions regulations; cybersecurity efforts took a back seat. “We have to spend a lot of time squirting fuel, to get the emissions just right,” he said. “The treadmill that we were on for a long time with the vehicle electronics was pretty challenging for all of us, and cybersecurity [suffered].”

Industry standards must evolve and provide a better platform for addressing these advanced technologies and vehicles, York said. Even the infrastructure to support electric trucks – the charging systems – poses a challenge, Daily added. “Everything communicates and everything’s got data flowing, so I can see that being a huge challenge in the near future,” he said. The U.S. Department of Energy (DOE) and its National Renewable Energy Laboratory (NREL) are actively evaluating the potential cybersecurity impacts of EV grid integration, panelists noted.

“In the more general case where you’re talking about inter-vehicle communication with modules using wireless, certainly cryptography is a major thing that we have to look at,” Heimer said. “I think the industry is actually looking at the design from an informed, adversarial point of view and making sometimes hard choices on how you’re going to put your system together and passing security requirements down your supply chain, and then having a few agencies that can validate your requirements in a way that might be more robust than it is now.”

Cyber regulations, beware

With the very real possibility that security could be an afterthought in the development of electric and autonomous systems, could cybersecurity become more regulated in the coming years? Daily flipped this question on its head, giving an example where “regulation is actually creating cybersecurity issues.” He was referring to the electronic logging device (ELD) mandate from the Federal Motor Carrier Safety Administration (FMCSA) that synchronizes an ELD with a truck’s engine to automatically record driving time, for more accurate hours-of-service recording.

“Now you have direct, mandated network access through your own device,” Daily said. “Basically, every truck now has an IP address. One of the things we have to fight against is the notion that, ‘Of course everybody’s going to be secure.’ It’s a race to the bottom for a mandated technology – whoever sells it for $99 as opposed to $109 is going to get most of the sales. Cybersecurity tends to not be a profit generator.”

The National Highway Traffic Safety Administration (NHTSA) has not stated anything specific but has indicated it would treat cybersecurity events as safety events, York said. “Basically, they’re declaring that cybersecurity is within their domain, and if you have a cybersecurity event, they can force a recall. That’s exciting.”

“What I’ve found as an engineer in product development is deciding what regulations apply to your products is more of a lawyer issue than a technologist issue,” York continued. “There are regs now for IOT devices, like in California, that you can’t have an IOT device with a default password. Well, at what point does vehicle-autonomy stuff become an IOT device?”

“Regulations are definitely coming for cybersecurity,” York asserted. “They introduce issues and hopefully they will solve some issues as well.”