Four questions about cybersecurity every fleet executive must ask

Published on May 29, 2019 in Productivity by Dirk Schlimm | 3 minute read


Cybersecurity is an executive responsibility. Dirk Schlimm discusses four principles that should be top of mind for fleet executives.

Is cybersecurity for connected fleets a “nerdy” topic that is best left to the computer scientists and other IT experts, or do fleet executives have a direct responsibility to understand and ensure the security program for their fleet?

 

This was my opening question at a panel on cybersecurity for connected fleets at the recent Connected Fleet Conference in Brussels, Belgium. I had a chance to discuss this and related questions with two eminent experts in the field: Dr. Dan Massey, Director of Technology, Cybersecurity and Policy at the University of Colorado Boulder and part of the Neutral Vehicle Consortium (and formerly program manager for the Cybersecurity Division at the U.S. Department of Homeland Security) and Ted Guild, Connected Vehicle Lead at W3C and Research Staff at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL).

 


Their answer was clear and unequivocal: Cybersecurity is an executive responsibility; it cannot be abdicated or blindly delegated — be it to an inside department or outside provider. This was their analogy: Senior executives must not and will not leave a firm’s finances to the accounting department (alone) or people development to the HR department (alone); in the same way, fleet executives must have a grasp of cybersecurity at the concept level and must ask the right questions of their IT departments and vendors to satisfy themselves that a robust program is in place.

 

At the same time, cybersecurity is of course a highly technical subject matter and fleets must rely on experienced and specialized technical experts both inside and outside the firm. Thus, taking responsibility does not mean becoming a cyber expert; but it does mean understanding the fundamentals. So the answer to our questions is actually not “either or” but “both.”

 

The follow-up question was: “How do executives take responsibility?”

The answers here were very practical. For all the technical sophistication and the often enormous amount of detail in cybersecurity, there are four principles that should be top of mind for fleet executives:

  1. Cybersecurity for connected fleets starts with a standards-based security program that is then tailored to the specific context of connected fleets. An example of a fleet-specific set of security recommendations that can be implemented in the framework of a broader standard such as ISO or NIST is the telematics cybersecurity primer for agencies prepared for the U.S. Department of Homeland Security by the U.S. DOT Volpe National Transportation Systems Center. Such a specific set of recommendations will ensure that fleet-related risks, threats, and vulnerabilities are appropriately addressed. The Neutral Vehicle Consortium at the University of Colorado is actively engaged in bringing forward fleet-specific security recommendations and advancing their adoption in the fleet industry.
  2. Fleet executives must appreciate that it will always be hard for “insiders” who have designed the system to take on the mindset of an outside intruder. The “bad guys” just think differently. Therefore, while it may sound counter-intuitive, “open systems” — those that are fully disclosed and documented — are actually more secure than closed systems that are only known to insiders and adversaries looking for vulnerabilities. In closed systems, the defender is on their own whereas in an open system the defender can enlist their system users as allies. Companies should also employ outsiders to assess the security system and look for weaknesses — this outside perspective and testing is crucial.
  3. Security is always a journey and never a destination. Adversaries will always look for new and creative ways to break through; there simply is no such thing as a flawless system. Those who say otherwise either suffer from ignorance and hubris or are willfully lying. The key therefore is to start with a sound architecture, detect flaws early and patch them immediately. That’s why over-the-air patching using digitally signed updates is the third crucial component of any fleet security program.
  4. Finally, connected fleets do not exist in isolation. They typically rely on systems and components supplied by third parties who must follow the above principles in their systems.

Thus, fleet executives should be asking four critical questions:

  1. Does our fleet follow leading cybersecurity standards and is their implementation geared towards the fleet and transportation industry?
  2. Do we use outside experts to test/challenge our security program?
  3. Do we disclose security vulnerabilities and do we have a reliable system for over-the-air patching?
  4. Do our strategic partners have good answers to the above questions?

Asking these four questions — not just once but on a regular basis — and insisting on answers that are clear, unequivocal and understandable is a concrete way that fleet executives can and must take responsibility for managing cyber risks.
