Automotive Fleet, October 2017

2 The ELD Mandate Na onal Motor Freight Traffi c Associa on Inc 1001 North Fairfax Street Suite 600 Alexandria VA 22314 703 838 1810 As most people in the industry are aware the FMCSAs ELD mandate becomes mandatory for most carriers as of December 18 2017 In general NMFTA does not take an adverse posi on on the ELD mandate itself but NMFTA has iden ed some concerns regarding the implementa on of the ELD mandate Contrary to some repor ng in news media as far as NMFTA has been able ascertain the current ELD rule as wri en and implemented requires both two way CAN bus connec vity and internet connec vity This creates some genuine concern regarding the cyber security posture of the ELD devices themselves as they create a bridge between the internet and the CAN bus network of the vehicle If the ELD devices could be exploited to send malicious traffi c to the vehicle CAN bus it could have serious consequences to the safe opera on of the vehicle While exis ng and proven device manufacturers hold the majority of the ELD market the new mandate has brought a number of new entrants into the market hoping to capitalize on the opportunity NMFTAs concerns focus mostly on these entry level device manufacturers whose solu ons at mes are to simply connect a consumer cell phone directly to the J1939 diagnos c port or to use a very basic hardware solu on with built in cellular capabili es At Blackhat USA 2017 and DEF CON 25 IOAc ve released a summary of their ndings while analyzing three entrylevel Electronic Logging Device ELD providers that were listed as self cer ed from the Federal Motor Carrier Safety Administra on FMCSA website Their general conclusion was that all three devices did very li le to nothing at all to follow cybersecurity best prac ces and were open to compromise They noted the following speci c shortcomings in their report Devices shipped with debug enabled Firmware easily accessible for analysis o Development strings present o Use of banned func ons Lack of secure boot Lack of encryp on for communica ons Basically a general failure to follow cybersecurity best prac ces It was also noted by IOAc ve that the FMCSA ELD Test Plan and Procedures document contains Insert the Quality Assurance program here in the content of sec on 111 Quality Assurance This document is described by FMCSA as FMCSA provided these speci ca ons to con rm compliance of an ELD with independent tes ng and valida on NMFTA has been unable to nd any recommenda ons or guidance for cyber security for the actual ELD devices in this document with the excep on of sec ons 41011 and 41013 which refer to encryp on when communica ng with FMCSA servers or sending data via email No speci c requirements for device cyber security were discovered during our inves ga on We would therefore strongly recommend that before you deploy any type of ELD device you contact the manufacturer supplier of the device and obtain speci c and detailed informa on regarding the cyber security posture of the device Speci cally ask about the technical standards or best prac ces followed if any as well as if adversarial tes ng or 3rd party security evalua ons were performed as part of their product development lifecycle Awareness of the issue is a cri cal rst step in protec ng your eet and or equipment Given the security quality issues described by IOAc ve in their report NMFTA also feels that there is a risk that malfunc oning or poorly designed and implemented ELD devices could create an increase in vehicle maintenance issues due to faulty or erroneous CAN network data transmissions The types of issues that could arise could be diffi cult to diagnose and reproduce and maintenance departments and OEMs should prepare themselves as need to handle the poten al for these types of problems NMFTA will con nue to monitor the cyber security issues surrounding the ELD mandate and work to iden fy risks and as much as possible work with industry and government to mi gate and reduce the risks Contact the NMFTA Customer Service Center at 866 411 NMFC 6632 email customerservice@ nm a org Heavy Vehicle Cyber Security Update SUBJECT Electronic Logging Device ELD Cybersecurity and Maintenance Issues