Cybersecurity for Smaller Trucking Fleets and Owner-Operators

Ben Wilkins

Heavy-duty trucking is a complex and varied industry. Anyone who has worked as an owner-operator or in a small to mid-sized trucking company knows that nearly everyone wears multiple hats, and there is no shortage of work to be done.

It’s no wonder cybersecurity is often overlooked amidst all the other fires to put out when running a small trucking fleet — until it’s too late.

Cybercrime is growing in the trucking industry, whether that is in the form of ransomware as a service (RaaS), data theft, or cyber-enabled cargo theft.

While there are many cybersecurity frameworks and standards available, they are typically written with an experienced cybersecurity professional or team in mind. And they don’t directly address some of the unique challenges in the trucking industry.

That’s why the National Motor Freight Traffic Association’s cybersecurity team has produced a series of guidebooks to give trucking companies concrete, practical steps to boost cyber-resiliency in an easy-to-read format. Learn more about these guides and get some immediate practical tips in this article.

NMFTA’s Roadmap to Resilience for Trucking Cybersecurity

A strong cybersecurity program relies on key controls that are important no matter the size of the organization. But in many cybersecurity standards, these essential controls can be hard to identify, especially for those without technical expertise. And they’re often presented in a way that feels overwhelming or too complex for smaller organizations to put into practice.

NMFTA’s Roadmap to Resilience resources identify these critical controls, simplify the way they are presented, and tie them directly to the operational needs of trucking owner-operators and small to mid-sized heavy duty trucking fleets.

These resources are broken down into three separate guides, each one targeting trucking operations within a specific size range.

A Cybersecurity Guide for Truck Owner-Operators

As an owner-operator, there are a lot of different duties that must be handled by one person: finding freight to haul, driving the truck, handling invoices and payments, coordinating or performing maintenance, filing legal documentation and taxes. The list goes on and on.

Too often, cybersecurity doesn’t even make the cut. This is not intentional, but simply because the impact of cyber-threats on an individual owner operator is often underestimated.

Even when the owner-operator is aware of cybersecurity concerns, they often don’t have the time, resources or training to design and implement a good cybersecurity plan.

The NMFTA Owner-Operator Core Controls guide provides 10 clearly worded, specific steps that make up the foundation of a solid cybersecurity program for the single owner-operator.

This guide consists of simple behaviors, and free or low-cost controls that can be put in place by anyone, with or without technical training or experience, to dramatically lower their risk of falling victim to a successful cyberattack, or cyber-enabled fraud.

While no security program can remove all risk of a cyberattack, being prepared and implementing the core cybersecurity controls listed in this guide will significantly reduce risk. In the event of a successful attack, they also ensure that the owner-operator is able to recover quickly and experience as little business disruption and financial impact as possible.

5 Cybersecurity Tips for Owner-Operators 

• Regularly monitor your credit and all financial account statements. This will allow you to quickly spot signs of fraud and identity theft. Freezing credit when not actively needed for securing new financing is a great preemptive step as well.
• Understanding your risk exposure is extremely important. Knowing what assets you have (physical and digital), and what risks those assets are exposed to is critical to developing ways to protect against those risks.
• Taking the time to configure settings like strong, unique passwords and multifactor authentication (MFA) on all accounts is a free/extremely low-cost control with a very high return on investment.
• Being aware of what you share online is important. Cybercriminals are very good at taking lots of little bread-crumbs and building a comprehensive enough profile on an individual to effectively social engineer them, extort them, or commit identity theft.
• Develop a security strategy and make sure that it aligns with, and supports, your business strategy.

Cybersecurity for Small Trucking Fleets

Many small, independent trucking operations straddle the line between an owner-operator and a fleet. These organizations may have one truck or 50. They are often in a transition or growth phase as they add more staff and assets.

The cybersecurity requirements to protect these organizations can vary widely based on their scale and operational complexity and so can their available staff and resources with which to address these cybersecurity concerns.

There are a range of different approaches to cybersecurity roles and responsibilities in this segment.

On the smaller end, operations often will have an owner or small team who handles all their own information technology (IT) and cybersecurity needs on top of additional duties.

At the larger end there will often be either a dedicated IT staff member who handles both the operational information technology needs and cybersecurity, or a third-party managed services provider or managed security service provider who handles IT and/or cybersecurity.

To access free resources, visit www.nmfta.org/cybersecurity.

With this range in mind, NMFTA’s Owner Operator and Small Fleet guidebook provides a multi-tiered approach to cybersecurity. This guidebook begins with cybersecurity prerequisites that every organization should put in place as the foundation of their program, and progresses up through initial, intermediate, and advanced controls.

This progressive approach is presented in a way that a non-technical reader will be able fully understand the impact of each control. That will allow them to prioritize their efforts to implement controls internally or to have well-informed conversations with their external service providers to design and implement a robust, right-sized cybersecurity program.

Each tier in this guidebook builds on the controls laid out in the previous tier, allowing organizations to grow and mature their cybersecurity program over time.

3 Cybersecurity Tips for Small Trucking Fleets 

• Understand the various business units in your organization and how the cybersecurity threats they face differ. Some will be universal, but many times different areas of the business will have different threat exposures. Training and cybersecurity controls should be specifically tailored to address those risks in a meaningful way for each business unit.
• Involve business unit leaders in incident response, disaster recovery, and business continuity planning and practice. Do not leave these tasks to IT or cybersecurity alone. The business insights these individuals bring are critical to creating an effective plan or response.
• Ensure that your employees are trained and empowered to report cybersecurity threats that they encounter. Humans are a vital component of your cybersecurity program, and all the technical controls in the world will fail if employees are not properly trained to detect and appropriately respond to phishing, social engineering and fraud.

Cybersecurity for Mid-Sized Trucking Fleets

By the time a trucking operation reaches more than 50 trucks, it’s likely their operational complexity will exceed the scope addressed in the Owner Operator and Small Fleet guide. To create a well-designed and robust cybersecurity program for trucking companies in this range, additional and more technically sophisticated controls must be discussed.

NMFTA’s Mid-Sized Fleet guidebook in the Roadmap to Resilience series is designed with this in mind. This installment speaks directly to the complexity of operations with anywhere from 50 to 3,000 assets.

It is important to note that the variety of different operating methods, business structures, and staffing levels across this segment of the trucking sector is extensive.

Many organizations in this range will have internal IT teams and may even have one or more employees with specific cybersecurity responsibilities. However, other organizations in this range will have little to no internal IT or security staff and will rely extensively on external vendors for their IT and cybersecurity needs.

Similar to the Owner Operator and Small Fleet guidebook, the Mid-Sized Fleet guidebook is divided into four tiers: prerequisites, initial, intermediate, and advanced.

The prerequisite expectations at this scale encompass much of the first two tiers found in the guidance for smaller fleets. Once these controls are in place, the heavy lift begins in earnest.

The initial tier of controls for mid-size fleets focuses heavily on mitigating common attack vectors to the organization’s networks and devices, as well as ensuring comprehensive logging across all systems.

By the time an organization has deployed all of the controls in this section, they are solidly out of “low hanging fruit” territory, and well on their way to becoming a cyber-resilient operation.

Out of Low-Hanging-Fruit Territory

The intermediate and advanced tiers for this guidebook introduce ways to create and maintain a mature cybersecurity program through advanced technical controls, comprehensive cybersecurity policies and documentation, and a holistic approach to cybersecurity and risk management that is aligned with the business goals of the organization.

This in-depth guide to creating a cybersecurity program in a midsized trucking company also addresses the elephant in the room — even with good cybersecurity practices and programs in place, successful cyberattacks are still possible.

That’s why this guidebook provides a roadmap to designing and implementing incident response plans, business continuity plans, and disaster recovery plans. This is a critical phase of cybersecurity planning to ensure that the business impact of any successful cyberattack is minimized.

Done right, managing continuity of operations during and after an incident or attack is a choreographed and well-rehearsed activity including cybersecurity teams, operations teams, and business leadership.

3 Cybersecurity Tips for Both Owner-Operators and Fleets 

• Stay educated about the cybersecurity risks that are relevant to the transportation industry.
• Patch and update all software and systems regularly. This is a common Achilles heel in many organizations. Unpatched vulnerabilities are open doors waiting for threat actors to walk in.
• Prioritize a proactive approach to cybersecurity. Understand that during an incident is not the time to start response planning or to start mapping out what you have for systems and software in your environment.

More Cybersecurity Resources Coming from NMFTA

These three resources represent the first phase of the Roadmap to Resilience project and will be followed in the coming months by two additional resources.

The Cyber-Enable Cargo Theft Prevention Guide will discuss the relationship between cybersecurity, fraud, and strategic cargo theft.

Cargo theft is a widespread issue in the trucking industry and the wider transportation and logistics sector. This resource will provide trucking companies of all sizes with concrete steps that they can take to begin to mitigate their risk from these types of losses.

The Third-Party Vendor Security Checklist will provide clear, concise cybersecurity questions that can guide the process of selecting security conscious, reliable vendors to partner with.

It is important to remember that onboarding any vendor means that their cybersecurity risks add to the existing cybersecurity risks already present in the organization. Ensuring that vendors take the appropriate security measures is a critical step in managing supply chain vulnerabilities present in an organization.

No matter what size trucking company you operate, NMFTA’s Roadmap to Resilience resources will help you design, implement and maintain a robust and holistic cybersecurity program to protect your business from cybercriminals.

There is a common saying in cybersecurity: “You don’t have to be faster than the bear, you just don’t want to be the slowest one running from the bear.”

Lace up your running shoes, grab your NMFTA cybersecurity Guidebook, and put some distance between you and the bear!