GUEST BLOG | June 14, 2022

The Battle of Good versus Evil: Regulations and Cybersecurity | Urban Jonson

Okay, so the title might be a little over the top, but we are at a very critical stage in the balance between government regulations and cybersecurity. With fifteen years in the transportation industry, I am seeing an important trend in transportation regulations, especially pertaining to heavy vehicles and trucking. This trend is also observable across other industries but it is in trucking that we are seeing clear and immediate issues.

The purpose behind most government regulations is to try to improve safety, protect the environment, reduce pollution, and in general make the world a better place. We can argue that the intentions of these regulations are actually good. I mean, we really don’t want to pollute the environment or have massive safety issues. Right? Well, as has been pointed out to me repeatedly, the road to hell is paved with good intentions. Unfortunately, the technocrats who create regulations are usually not qualified in computer science or more specifically cybersecurity. In the case of cybersecurity, we have seen a lot of unintended consequences over the past few years. 

When the original vehicle Controller Area Network (CAN bus) was designed, it was to be a closed and trusted system. Therefore, security concerns like authentication, authorization, secure software development lifecycles, etc. were not considered. Let’s be honest, in the 1980s when the CAN bus network was unveiled at the Society of Automotive Engineers (SAE), cybersecurity was not much of a thing anywhere. (This is the time I was getting into computers and I can attest to the lack of computer security…. never you mind how.) We are now in a technology transition period where we are taking systems which were designed to be closed and trusted and adding internet connectivity with little forethought. This is true of many CAN-based systems found on planes, trains, trucks, automobiles, water treatment plants, power stations, etc. This transitional period is fraught with risk as we bring these old system designs online, and the pace is accelerating.

The first wave of connectivity came in the form of productivity and enhanced performance. For example, telematics was a thing in trucking long before any regulator thought to mandate direct connectivity to trucks. Some of these telematics systems connected directly to the vehicle and some did not. Some were read-only and some were not. Some were outright terrifying from a cybersecurity perspective. That being said there was a choice to what to connect to your truck and how to do it.

Most people who are familiar with my work at NMFTA with the Commercial Transportation Security Research Program are probably familiar with the work that I and IOActive have done bringing attention to the cybersecurity issues regarding the rollout of the US Department of Transportation (US DOT) Federal Motor Carrier Safety Administration (FMCSA) Electronic Logging Device (ELD) regulations. Yeah, that’s a lot of acronyms! Corey Thuen did some presentations on the topic including at DEF CON, and I have written and talked about it a lot. What made the ELD regulations so novel and problematic was that they mandated that an electronic logging device, without any material cybersecurity controls, be connected to the vehicle CAN bus with read and write capabilities (at the time no OEM broadcast engine hours, so the device had to request them by sending a message on the bus) and that it be connected to the internet. What that really meant was that a read-write internet bridge to a system that was originally designed as a trusted and closed system was now required under the force of law. Yeah, I know. What could possibly go wrong?

Since the original regulations came out, there have been addenda and follow-ups including references to cybersecurity which were missing from the original regulations. Many people in the industry worked tirelessly to implement the required functionality in existing ELD systems and make sure they were as secure as the provider could manage. A large number of smaller providers popped up as there was a relatively low-cost barrier to entry. Some of these new, low-cost providers had interesting solutions that included almost no security at all. Think hardware with debug enabled, registration links with passwords in clear text. A total mess. So as a result, some of the new ELD systems are great and some of them are nothing short of terrifying from a cybersecurity perspective. While I was at NMFTA, we developed a whole matrix to evaluate the cybersecurity posture of telematics systems. OEMs have started broadcasting engine hours, so write capabilities to the CAN bus are no longer needed to have a compliant ELD device. Telematics providers have started migrating from being connected directly to the on-board diagnostics (OBD) port—many times as spliced-in connections—to being connected to a connector intended for permanent and semi-permanent aftermarket equipment installation (TMC RP 1226) that is increasingly being firewalled in truck designs.
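To make concrete what "read-write" meant for a first-generation ELD, and why an OEM broadcast of engine hours removes the need to transmit at all, here is an added example (mine, not code from the original post, from NMFTA or from any ELD vendor). On heavy trucks the CAN application layer is SAE J1939: a parameter group the engine controller does not broadcast has to be asked for with the Request PGN (59904, 0xEA00), and sending that request is a write onto the bus. Engine hours are in PGN 65253 (Engine Hours, Revolutions), SPN 247 in bytes 1 to 4 at 0.05 h/bit. The source address chosen for the ELD, the global destination, and the sample response payload are assumptions for illustration.

```python
"""Added example: the J1939 exchange behind 'engine hours' on a first-generation ELD.

Left side of the picture: the frame the device had to TRANSMIT (a write to the bus)
to obtain engine hours before OEMs broadcast PGN 65253. Right side: the decode a
purely listen-only device needs once the OEM broadcasts it. Addresses and the
sample payload are constructed assumptions, not values from the post.
"""
from typing import Optional

PGN_REQUEST = 0xEA00        # 59904: J1939 Request PGN (PDU1, destination in the PS byte)
PGN_EHR = 0xFEE5            # 65253: Engine Hours, Revolutions (PDU2, broadcast)
SA_DIAG_TOOL = 0xF9         # 249: Off-Board Diagnostic-Service Tool #1 (assumed for the ELD)
DA_GLOBAL = 0xFF            # global destination: any ECU supporting the PGN answers
PRIORITY_DEFAULT = 6
NOT_AVAILABLE_U32 = 0xFFFFFFFF  # J1939 "not available" marker for a 4-byte SPN


def j1939_id(priority: int, pgn: int, sa: int, da: Optional[int] = None) -> int:
    """Build the 29-bit CAN identifier: priority(3) | PGN(18) | source address(8).
    For PDU1 PGNs (PDU format byte < 240) the low PGN byte is the destination address."""
    pf = (pgn >> 8) & 0xFF
    if pf < 240:
        if da is None:
            raise ValueError("PDU1 PGN needs a destination address")
        pgn = (pgn & 0x3FF00) | (da & 0xFF)
    elif da is not None:
        raise ValueError("PDU2 PGN is broadcast and carries no destination address")
    return ((priority & 0x7) << 26) | ((pgn & 0x3FFFF) << 8) | (sa & 0xFF)


def build_engine_hours_request(sa: int = SA_DIAG_TOOL, da: int = DA_GLOBAL):
    """The frame a device must transmit to ask for PGN 65253.
    Data is the requested PGN as 3 little-endian bytes. Returns (can_id, data)."""
    data = bytes([PGN_EHR & 0xFF, (PGN_EHR >> 8) & 0xFF, (PGN_EHR >> 16) & 0xFF])
    return j1939_id(PRIORITY_DEFAULT, PGN_REQUEST, sa, da), data


def pgn_of(can_id: int) -> int:
    """Extract the PGN from a 29-bit identifier, masking the destination byte for PDU1."""
    pf = (can_id >> 16) & 0xFF
    pgn = (can_id >> 8) & 0x3FFFF
    return pgn & 0x3FF00 if pf < 240 else pgn


def decode_ehr(can_id: int, data: bytes) -> Optional[dict]:
    """Passive decode of PGN 65253 (no transmit needed once the OEM broadcasts it).
    SPN 247 engine hours: bytes 1-4, 0.05 h/bit. SPN 249 revolutions: bytes 5-8, 1000 r/bit.
    Returns None for frames that are not an 8-byte EHR message."""
    if pgn_of(can_id) != PGN_EHR or len(data) != 8:
        return None
    raw_hours = int.from_bytes(data[0:4], "little")
    raw_revs = int.from_bytes(data[4:8], "little")
    # raw * 5 / 100 avoids the inexact float 0.05 so values like 12345.5 decode exactly
    hours = None if raw_hours == NOT_AVAILABLE_U32 else raw_hours * 5 / 100
    revs = None if raw_revs == NOT_AVAILABLE_U32 else raw_revs * 1000
    return {"source_address": can_id & 0xFF, "engine_hours": hours, "engine_revolutions": revs}


if __name__ == "__main__":
    req_id, req_data = build_engine_hours_request()
    print(f"ELD must transmit: id=0x{req_id:08X} data={req_data.hex()}")  # 0x18EAFFF9 e5fe00
    # Constructed sample reply from the engine controller (source address 0):
    # 246910 raw = 12345.5 h, 10000 raw = 10,000,000 revolutions.
    sample_id = j1939_id(PRIORITY_DEFAULT, PGN_EHR, sa=0x00)
    sample_data = bytes([0x7E, 0xC4, 0x03, 0x00, 0x10, 0x27, 0x00, 0x00])
    print(decode_ehr(sample_id, sample_data))
```

The security-relevant point is the asymmetry: a device that only needs `decode_ehr` can be built with a transmit-disabled transceiver and never influence the bus, whereas one that needs `build_engine_hours_request` must be able to put arbitrary frames on the wire, and everything else it could send rides on that same capability.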

So, that’s it, right? We learned our lesson and we won’t do this again. Yeah, that would be wishful thinking. The trend for regulations mandating real-time vehicle information is increasing at a rapid pace. In the EU, they are working on the next set of vehicle emissions regulations, Euro VII, which will reportedly include real-time connectivity and reporting requirements for heavy vehicles, including information such as emissions readings and so forth. China, which generally follows the Euro standards, expanded on Euro VII to include a China 7b which includes real-time connectivity and monitoring of exhaust information for trucks. In the US, the California Air Resources Board (CARB) is finalizing a new set of Heavy-Duty Inspection and Maintenance (HD I/M) regulations. The full details regarding this regulation effort can be found at https://ww2.arb.ca.gov/rulemaking/2021/hdim2021. These regulations include the concept of a Continuously Connected Remote On-Board Diagnostic (CC-ROBD) device which is to be semi-permanently installed into heavy vehicles operating in California. The purpose is to get more frequent and accurate vehicle emissions information to encourage vehicle operators to fix malfunctioning trucks more quickly and to improve maintenance programs to avoid faults. The idea is that fixing faulty trucks and improving their operating efficiency will reduce emissions overall. Most of the fleets and OEMs that I work with already have extensive predictive maintenance capabilities and are already incentivized by fuel costs to ensure their trucks are in good working order. The regulations do not expand on what is already expected from an OBD port, but regulators would like the data reported remotely with a much higher degree of frequency. So, on the surface, everything should be aligned.
Well… due to what is, in my opinion, a lack of overall industry and regulatory coordination and facilitation, the CARB regulations specify that the CC-ROBD needs to be connected to the OBD port and have read/write access to obtain the necessary emissions information.

Hey, CARB invented and regulated the OBD port into existence. Why shouldn’t they be using it? My friends at Geotab have an excellent history of the OBD port. Ever since the OBD port was put in place it has been reused for a number of different use cases apart from just emissions. It’s how we diagnose vehicle trouble codes, upgrade firmware, and even add optional features. It has become an all-powerful connection which bridges many vehicle networks. Now, I am not saying that you can’t connect to the OBD port in a secure and responsible manner. All I’m saying is that it is very hard to do, and requires significant organizational commitment to cybersecurity and investment in technology and processes. I’ve seen telematics providers who do an excellent job. (Hint: the $50 ELD device at Walmart or the “free” dongle from your insurance company are probably not of that caliber.) The HD I/M regulations do reference some basic cybersecurity requirements for the CC-ROBD devices, including SAE J3005-1 and SAE J3005-2, but there is a lot of wiggle room in there for issues to develop. For example, SAE J3005-2 specifies that only diagnostic messages should be allowed, but it is commonly known that diagnostic messages can be abused. Just look at the research done by Ben Gardiner et al. on J2497. At least CARB is not allowing self-certification, so maybe we are learning after all.

So, as the trucking industry is moving from OBD and spliced-in wiring harnesses to the RP 1226 connector, they are being pushed back onto the OBD port. Given that this new regulation is scheduled to become effective in 2024, this could cause some serious problems. It takes most large fleets about two years to find, select, test, and deploy a new telematics device to their fleets. The engine designs for 2024 are already pretty much set in stone, so there is not much time to affect any changes to new tractors, never mind the existing ones. Add to this a global supply chain which is completely out of whack and we have the potential for a rather interesting convergence of events. And by interesting, I mean a total disaster.

As we introduce regulations to improve air quality, we may be setting ourselves up for bare shelves if we can’t field compliant trucks in California, which receives most of the inbound freight from China, Taiwan, etc. Remember, trucks move most goods from ports to inland destinations. As we are fond of saying, “If you bought it, a truck brought it.” If we can’t field compliant trucks in California this is not just an issue for California, but for the nation as a whole. Remember, trucks are a critical part of the supply chain delivering food, fuel, parts, raw materials and practically everything we need to keep everything running.

Obviously, my hope is that by raising awareness, the industry and regulators can come up with a solution that works for everyone and keeps our nation’s freight moving. While I am frustrated at our inability to learn our lessons, I am also hopeful and confident that the ever creative and resilient transportation sector will find a way to manage. Organizations such as IOActive are helping telematics vendors and vehicle OEMs assess the cybersecurity of their products. I am working within the industry to help them understand their cybersecurity posture, upcoming regulations which may impact their operations, and to help them come up with plans to reconcile conflicting requirements and mitigate risk. More importantly we still have time…but not much to avoid this potential disaster.

Regards,
Urban Jonson

You can now find me at SERJON providing advisory services in cybersecurity and general information technology. Please feel free to reach out to me at ujonson@nullserjon.com.  I want to thank IOActive for being gracious enough to host this blog entry, as well as John Sheehy of IOActive and Ben Gardiner at Yellow Flag Security for their contributions to this post.