Reports about vehicle hacking have become more common in recent months, but while consumers worry about their own vehicles being targeted, the owners and insurers of commercial vehicles may actually have the most to lose.
Why are commercial vehicles especially at risk?
Modern vehicles are machines whose functions are being increasingly controlled by computers, sensors, and wireless systems. More and more, functions that were originally completely mechanical are being controlled by electronic and electromechanical components. This shift to electronic controls is not just happening in standard passenger vehicles, but also in heavy trucks with advanced electronic systems such as, for example, active cruise control that will slow the truck if it is closing too quickly on a vehicle ahead.
Commercial vehicles need to communicate over-the-air with the motor carrier’s fleet management. If not protected, this communication could be the hacker’s entrance into the truck’s systems. Once access has been gained to a vehicle’s internal control network, a hacker may be able to issue commands to any electronically connected system such as the GPS, doors, engine, ignition, throttle, brakes, steering, and in the case of heavy vehicles, the engine ECM (electronic control module). While the image of a hacker remotely taking control of a truck might seem like a scene out of an action-thriller movie, it is actually a very real possibility.
Commercial vehicles are designed and built differently than passenger vehicles, and so they are not subject to the same regulations as mass-produced consumer cars, vans, SUVs, and light trucks. The electronic controls and systems of commercial vehicles, including the engine ECM, telematics, navigation, and other additional specialized fleet management tools often differ from passenger vehicles to allow trucks to be customized and optimized for their specific purpose. While the valuable cargo carried by commercial vehicles makes them a potential target for thieves, it is their customizable electronic configurations and connectedness to fleet management systems with GPS tracking which may leave gaps in security that hackers will try to find ways to exploit. Imagine the repercussions to fleet owners and insurance companies if a competent, thieving hacker could tap into information on the exact location of a truck fleet towing trailers with valuable cargo, and if that hacker could subsequently disable the fleet simultaneously.
Can hacking be forensically investigated?
While there may be more financial incentives for hackers to target commercial vehicles and fleets, the data-rich ECMs contained in commercial vehicles would be able to give investigators more puzzle pieces than a regular passenger vehicle when it comes to understanding the sequence of events. Passenger vehicles and heavy trucks both have their own kinds of “black boxes,” but there are important differences between them. The primary function of passenger vehicles’ “black boxes” is to activate the supplemental restraint system by signalling for the airbag(s) to deploy when a collision is sensed and also function as Event Data Recorders (EDRs). Very few commercial trucks are equipped with driver air bags, so their “black box” is not quite the same as that found in passenger vehicles. Heavy truck “black boxes” are their engine ECMs (Electronic Control Modules), and there is no shortage of the type and amount of data they record. These diverse modules contain a lot of information related to vehicle motion, fuel efficiency, hard braking events, and more. In fact, they record multiple events in minutes, not just seconds, prior to a collision. Forensic investigators image this data using specialized hardware and software in order to preserve the recorded information for analysis. Anomalies between reported events, physical evidence and recorded data can then be identified. Moreover, if and when the system does not function as designed, error codes are often recorded in the ECMs, and in some cases, other modules. These error codes or other anomalies could be a sign of a hacker altering a sensor signal or somehow inserting a command or computer code on the vehicle’s network.
What is being done to reduce the risk of commercial vehicle hacking?
Vehicle makers and users of telematic devices are quickly becoming more aware of cybersecurity. The SAE 2015 Commercial Vehicle Engineering Congress was held this past October. Specific to commercial vehicles, this congress also deals with issues of theft, asset protection, secure fleet management, and protection of business models. The congress included sessions on “Cybersecurity for Commercial Vehicles” and “Government and Industry Collaboration on Cyber Security R&D.” Furthermore, the Society of Automotive Engineers and its Automotive Security Guidelines and Risk Management committee are developing a Cybersecurity Guidebook for Cyber-Physical Automotive Systems (SAE J3061) expected to be published this year. With regulators and manufacturers increasing their focus on cybersecurity, we can expect trucks to have more secure electronic systems in the future. As for trucks that are already on the road, owners and fleet managers need to be aware of the possibility of hacking and ensure manufacturer recalls are performed. Research has demonstrated that vehicle hacking is possible, and the stakes may be the highest when it comes to commercial fleets.