What can the transportation industry do to protect itself from cyber threats? Dr. Jeremy Daily, Associate Professor of Mechanical Engineering at the University of Tulsa, is an expert on cars and trucks — how they’re built, how they work, how they put information at risk. He believes the industry needs to play a bigger role in educating tomorrow’s cybersecurity engineers.
As National Cybersecurity Awareness Month kicks off, Omnitracs CISO Sharon Reynolds spoke to Jeremy about the cyber preparedness and talent generation initiatives in transportation.
Sharon Reynolds: Since it’s National Cybersecurity Awareness Month, we’d love to hear your biggest concerns about cybersecurity in the transportation industry.
Jeremy Daily: My main concern is the danger of hackers exploiting trucks as they become connected to the Internet. Communication and control networks in trucks were designed to be publicly available. Telematics and fleet management tools certainly have had a positive effect on the industry but connected devices can be subject to nefarious activity. We must be diligent about understanding those risks and protecting against them.
In addition to those, I also believe ransomware is a top concern for our industry. What would you say is the trucking industry’s current mindset toward cybersecurity?
When it comes to cybersecurity, companies tend to progress through four distinct phases. There’s the “Denial” phase, where companies feel they don’t have a problem and cybersecurity is not an issue. Then they make it to the “Realization” phase where they realize they have to do something. Then, the “Oh-my-gosh” phase, where they realize they’re vulnerable. Finally, they get to the “Gotta do something” phase.
The transportation industry just made it into the last phase, where it’s working on improving their systems. You never become completely secure. There’s always a newer, more creative avenue someone can exploit. Connectivity is good for the trucking industry, but careless connectivity is not.
I agree that the industry needs to put more of a focus on their security programs. During Omnitracs’ Outlook User Conference back in February, I sat on a panel with cyber experts, including an FBI agent and an ethical hacker. We all agreed that there the transportation industry is a prime target. How do you believe the industry should address this?
For me, the answer is training and ensuring transportation organizations have the expertise — in house or from outside — to shore up these holes that people have discovered. The challenge is that the highly talented cybersecurity graduates are typically going to Silicon Valley with aspirations on working for big tech companies. We have to engage them earlier in their education. We need to do better in both teaching and recruiting cybersecurity-minded engineers to work in the traditional industries like trucking and automotive.
At the University of Tulsa, that process has started as we offer a minor in cybersecurity that is available for traditional engineering disciplines, like mechanical and electrical engineering.
I couldn’t agree more. At Omnitracs, we’re conducting trainings covering areas such as OWASP and Secure Development Lifecycle to make sure our IT team is fully aware of the current security landscape. For those just entering the workforce, what skills are most needed? And how can the industry get the word out that the best and the brightest in cybersecurity should be helping out the transportation industry?
The skills needed are curiosity and perseverance. Security is full of dead ends. A penetration tester will inevitably come to all kinds of dead ends. You have to have a mentality that you will persevere through things and a curiosity about how things work.
Plus, for the transportation industry, we also want to recruit bright people who have an interest in transportation. We want to engage “gear heads” who like cars and trucks to explore cybersecurity.
To get the word out, companies must offer opportunities such as paid internships and cultivate their existing talent. They need to sponsor university programs that include cybersecurity components. They need to promote scholarships to help the transportation industry. These educational efforts will be critical for companies to really embrace the benefits of connectivity.
STEM education is something we’re very passionate about at Omnitracs as well. In fact, our CEO made a big commitment to a program called the CyberTruck Challenge. We were a Gold sponsor this past year. Speaking of programs, you have a couple of interesting initiatives you’re working on. Can you tell us about them?
We’re working with the CyberTruck Challenge, too. Schools from the U.S. and Canada send teams to Warren, Michigan, for a week of lectures and on-equipment learning. The program helps students from different disciplines learn and get motivated. The industry derives benefit from talent recruitment and an idea of some of the design inputs they need to consider when they get back to the office — perspectives that may not be in our traditional design sequence.
The University of Tulsa also has another program that’s making a real difference in the transportation cybersecurity area. It’s called the Student CyberTruck Experience. It’s an externally funded program through the University of Tulsa initiated by the National Motor Freight Traffic Association. We look for seven to ten high-achieving mechanical, electrical, and computer science students to work as summer research assistants, giving them exposure to cybersecurity within the trucking industry. The program consists of designing, coding, hacking, and industry exposure. For example, in the last year we drove down to Dallas to visit Omnitracs and see what data-driven industries look like for the logistics industry. After that visit, we headed over to the Peterbilt plant in Denton (Texas) to see how trucks get made. We even made a trip to EMS Cable in Arkansas to learn how the electronic assemblies get made.
In the summer, we go over projects and learn skills specific to the industry. It’s like an industry internship, but it is focused on learning through a practical research experience. They each do a project and present their results in front of the industry at the National Motor Freight Traffic Association meeting. It gives them a chance to meet representatives in the industry, and the industry learns from them.
How can the industry become more involved in cybersecurity initiatives?
Omnitracs’ sponsorship of the Cyber Truck Challenge is good example of how a company participates in a talent development initiative. Participation like this can help protect the critical infrastructure of the industry.