What you need to know about the FBI notification on electronic logging

On July 21, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification (PIN) on the security of electronic logging devices (ELDs). The document, titled “Electronic Logging Device Cybersecurity and Best Practices” outlines key information on ELDs and cyber risk, as well as advice on managing risk.

Why was the notification issued?

The aim of the FBI notice is to alert businesses to the importance of ELD cybersecurity and the potential for cyber criminal activity. No specific cybersecurity requirements for ELD manufacturers or suppliers is prescribed, however, the FBI encourages businesses to reach out to their suppliers for security information.

How can fleets mitigate their cybersecurity risk?

To mitigate cyber risk, the FBI recommends that businesses follow ELD best practices. They also encourage businesses to talk to their ELD provider about cybersecurity. Here is the list of questions to ask from the FBI notice.

Questions to ask your ELD provider:

• Is the communication between the engine and the ELD enforced?
• Were current technical standards or best practices followed in the device’s development?
• Does the component [ELD device] protect confidentiality and integrity of communications?
• Has the component [ELD device] had penetration tests performed on it?
• Does the device have secure boot?
• Does the device ship with debug mode disabled?

The FBI states that taking an “active approach to vetting ELD options” is a worthwhile measure. Taking the time to critically evaluate an ELD before rollout can help minimize risk, but also verify quality to avoid costly disruptions due to performance issues.

The U.S. ELD mandate does not require third-party validation or testing of ELDs before self-certification. This makes it even more important for fleets to practice due diligence on ELD research.

Fleets can also reference the cybersecurity guidelines for telematics systems from the National Motor Freight Traffic Association (NMFTA) for guidance on rating cybersecurity considerations. Read more about NMFTA and cybersecurity.

Geotab’s answers to the FBI questions for all Customers

While the FBI has not provided detailed answers to the ELD questions, we have outlined below what we believe are acceptable minimum responses from an ELD provider. Geotab meets all of these cybersecurity considerations noted below.

Is the communication between the engine and the ELD enforced?

NMFTA document SCP-060 section is: "The vendor shall enforce controls integrated into the telematics device to limit the possible commands and data transmitted to the vehicle network." The GO device is designed to minimize the number of commands or data transmitted into the vehicle on the CAN Bus.

Were technical standards or best practices followed in the device’s development?

Geotab publishes its Software Development Life Cycle. In addition, please see the Geotab Product Integrity White Paper for information on international standards compliance.  Finally, Geotab actively contributed to the NMFTA Cybersecurity Requirements for Telematics Systems linked in the FBI PIN notice.

Does the component protect confidentiality and integrity of communications?

Geotab provides one of the most secure telematics solutions available on the market today. Geotab uses encryption to protect data at all times during collection, transmission, storage, and use. The GO devices use AES 256 to encrypt all Data At Rest (DAR). DAR AES 256 keys are generated and stored within the GO device microcontroller. 

Each GO device creates their own unique random AES 256 keys. AES 256 keys are generated on the GO device by a Cryptographically Secure Pseudorandom Number Generator (CSPRNG). Getoab’s cryptographic module has achieved FIPS 140-2 validation. The certificate is number #3371. Geotab is the first telematics company to achieve FIPS 140-2 validation.

Data transmission from the GO device to the MyGeotab solution uses a rolling AES 256 encryption key scheme to encrypt all Data In Transit (DIT). The DIT keys are securely stored by the GO devices using the DAR keys. The DIT keys are also stored by the MyGeotab solution. The DIT AES 256 keys are generated using a CSPRNG by the MyGeotab solution. All servers in the MyGeotab solution are configured to run in “FIPS mode” so the keys will be generated by a FIPS 140-2 validated cryptographic library.

Customer data in the MyGeotab solution is encrypted at rest using AES 256 disk encryption provided by Google. More information on Google disk encryption can be found at https://cloud.google.com/security/encryption-at-rest/. Customer data transmitted inside the MyGeotab solution is encrypted in transit with TLS 1.2.

Customer access to their data stored in MyGeotab is through one of two ways — via web browser or via API. The MyGeotab web application and API access is over HTTPS with TLS 1.2. Customer access is controlled through either username and password, or by SSO with SAML 2.0.  Password complexity rules are set up by customers within the MyGeotab application.

Has the component had penetration tests performed on it?

Yes. Geotab performs at least annual hardware penetration testing on the GO device.

Does the device have secure boot?

The GO device uses firmware that has been cryptographically signed by Geotab and the encryption keys are securely stored in on-board microprocessor memory.  This ensures the firmware used by the GO device is authentic when the GO device goes to boot up.

Does the device ship with debug mode disabled?

The GO device ships with debug mode disabled.

What additional cybersecurity measures does Geotab have in place?

Geotab takes a proactive approach to information security. As a global leader in connected vehicles and IoT, Geotab has developed a rigorous and comprehensive cybersecurity program. We work with industry associations and universities to develop security technologies and practices, and create awareness around best practices.

Last year, Geotab was the first telematics company to achieve FIPS 140-2 validation from the National Institute of Standards and Technology (NIST) for the cryptographic module in our Geotab GO vehicle tracking device. FIPS 140-2 validation is the benchmark for cryptographic modules protecting sensitive information in computer and telecommunication systems for government and military applications in North America.

Read more about FIPS 140-2 validation in this blog post and the related press release.

Visit the Geotab Security Center for more security resources

We invite you to go to the Geotab Security Center for more details on Geotab’s policies and practices. The Security Center includes information about the Geotab security policy and leadership team, customer data privacy, learning resources, and a contact form.

Read Geotab’s response letter to the FBI notification

More Geotab learning resources on fleet cybersecurity

The following Geotab resources provide an overview on important considerations and best practices for telematics security. Additionally, you can see more best practices and guidelines in the FMCSA’s Cybersecurity Best Practices for Integration/Retrofit of Telematics and Aftermarket Electronic Systems into Heavy Vehicles.

Blog posts:

• Four questions about cybersecurity every fleet executive must ask
• Cybersecurity basics — how to protect your business
• 15 security recommendations for building a telematics platform resilient to cyber threats
• Federal fleet manager cybersecurity considerations for telematics

White paper:

• Best practices for cybersecurity management in telematics

Conclusion

Cybersecurity is a key consideration when it comes to any technology or device for your business, including ELDs. The FBI notification on electronic logging is a reminder that along with safety, productivity and efficiency, fleets and solution providers alike need to be ever mindful of security in their organization.