The Cyber Risk to a Critical Part of Our Economy and Supply Chain: Commercial Trucking

Posted on April 11, 2019
Author: RunSafe Security

12 million trucks, or about 5% of vehicles on U.S. roads, are aggregated into fleets for government or commercial use. About 42% of these are connected with telematics Fleet Management System (FMS) for efficiency and compliance with government Electronic Logging Data (ELD) requirements. Typical FMS data captured includes miles driven, time of day, Global Positioning System (GPS) location, speed, any rapid acceleration, hard braking, hard cornering, and collision detection. Fleets are often early adopters of ADAS (Advanced Driver Assistance Systems) features that promote safety. The unintended consequence of ADAS adoption however is that computers are at the controls.

And when computers are in control, cyber risk proliferates. In fact, the Computer Emergency Readiness Team (CERT) has found that commercial vehicles are vulnerable to the same kinds of cyberattacks that led to the world’s first passenger vehicle cybersecurity recall of 1.4 million vehicles, which took place almost 4 years ago. Flash forward to present day. The mass-connectivity of vehicles has the auto industry at risk of losing over half a trillion dollars during the next 5 years due to cyberattacks, according to Accenture. Believe it or not: this estimate puts the sector higher on the risk scale than the finance, healthcare, and retail industries.

Connection, openness, and global supply chains

Commercial vehicles differ from passenger vehicles in being highly connected and having an open and standardized architecture based around the CAN and J1939 bus standards. These architectures facilitate delivery, servicing, diagnosis, and updating across a wide number of commercial vehicle variants by multiple suppliers. It also means that there is a diverse set of cybersecurity owners besides the OEM. There are 70 to 100 Electronic Control Units (ECU) in modern passenger vehicles. Although commercial vehicles are simpler, they are rapidly catching up, especially with increasing adoption of ADAS.

Such openness offers economies of scale for commercial fleets but also for adversaries to leverage inexpensive hardware and off-the-shelf software to develop attacks. An attack against one or several ECUs can impact safety and security for one truck or potentially an entire fleet.

Adversaries can monitor data, insert control messages, or flood the bus with messages to prevent normal operations, with consequences for drivers, other road users, sensitive routes, and valuable cargoes. Attacks need not begin with physical access to the vehicle but can instead be part of a wider plan (a so-called kill chain) involving many steps and different techniques applied across people, processes, and vendors in the global supply chain.

Reducing risk with legacy and/or new commercial vehicles

A key difference between passenger vehicles and trucks is the age of vehicles. The average age of a truck is almost 15 years. In legacy trucks, it is easier to move from the telematics directly to the bus and between ECUs, with the costs and downtime of retrofitting a challenge. Newer trucks add network protections, making access to buses and ECUs harder with gateways, firewalls, and Network-based Intrusion Detection Systems (NIDS). Unfortunately, the decades long history of those tools has led adversaries to evolve new ways around them with zero-days, computer-software vulnerabilities that are unknown and can be exploited by a hacker.

But better security can be baked in to ECUs directly to protect legacy and/or new trucks alike, without having to rely 100% on bolt-on new hardware, software, and detection services for alerting, triaging, reporting, and updating.

Historically, including cybersecurity in ECUs meant inspection, detection, and re-engineering by leveraging manual, Static, or Dynamic Application Security Testing (SAST or DAST) of source code. It was a heavy lift and was applied only to some new builds. In many cases, that effort was not so much a prevention of attacks as a movement of NIDS agents to Host-based Intrusion Detection Systems (HIDS) agents. Results were typically limited in value, covering only a fraction of source code, missing vulnerabilities hidden within third party commercial or open source frameworks, middleware, and libraries, or present in a different layer of the software stack.

Protecting commercial vehicles with Alkemist

Today, those limitations have been overcome. RunSafe Security’s Alkemist transformation engine protects trucks by leveraging innovative cyberhardening techniques to deny malware the uniformity necessary to execute and propagate. It does so by eliminating an entire class of cyberattacks in ECUs using a patented and agentless process that preserves developers’ intent. RunSafe works with government and commercial organizations to harden critical infrastructure, aligning finite resources with root cause prevention rather than focusing just on the treatment of symptoms.

Alkemist transforms ECU images quickly, easily, and directly. It layers in hardening and diversity with low overhead, leaving functionality unchanged. Alkemist’s patented RASP (Runtime Application Self-Defense) and Moving Target Defense (MTD) techniques were designed to prevent modern cyberattacks that have evolved to bypass IT detection-based approaches — fileless, memory corruption, ROP (Return Oriented Programming), and compromised supply chain attacks.

Alkemist can be accessed from the cloud or on-premises and can be automatically applied to new ECU builds and updates, or to systems already fielded – for example, in Class 8 trucks. Alkemist covers images down to bare metal for AMD, ARM, Intel, and PowerPC platforms, with no changes to source code, compiler, or Operating Systems.

Want to learn more about how Alkemist increases resilience to cyberattack for commercial fleets?

Contact us today to set up a conversation.

RunSafe Security’s 2025 Product Security Predictions

RunSafe Security’s 2025 Product Security Predictions

Product security has come a long way since  the early 2000s to the current iterations we’re seeing today. From CISA’s focus on Secure by Design to the growing emphasis on software supply chain security, software manufacturers, software buyers, and regulatory...

read more