FBI Notification On Electronic Logging

Electronic Logging

On July 21, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification (PIN) on the security of electronic logging devices (ELDs). The document, titled “Electronic Logging Device Cybersecurity and Best Practices”, outlines key information on ELDs and cyber risk, as well as advice on managing that risk.

WHY WAS THE NOTIFICATION ISSUED?
The aim of the FBI notice is to alert businesses to the importance of ELD cybersecurity and the potential for cyber criminal activity. No specific cybersecurity requirements for ELD manufacturers or suppliers are prescribed; however, the FBI encourages businesses to reach out to their suppliers for security information.

HOW CAN FLEETS MITIGATE THEIR CYBERSECURITY RISK?
To mitigate cyber risk, the FBI recommends that businesses follow ELD best practices. It also encourages businesses to talk to their ELD provider about cybersecurity. Here is the list of questions to ask, taken from the FBI notice.

Questions to ask your ELD provider:

Is the communication between the engine and the ELD enforced?
Were current technical standards or best practices followed in the device’s development?
Does the component [ELD device] protect confidentiality and integrity of communications?
Has the component [ELD device] had penetration tests performed on it?
Does the device have secure boot?
Does the device ship with debug mode disabled?

The FBI states that taking an “active approach to vetting ELD options” is a worthwhile measure. Taking the time to critically evaluate an ELD before rollout not only helps minimize risk but also verifies quality, avoiding costly disruptions due to performance issues.

The U.S. ELD mandate does not require third-party validation or testing of ELDs before self-certification. This makes it even more important for fleets to practice due diligence on ELD research.

Fleets can also reference the cybersecurity guidelines for telematics systems from the National Motor Freight Traffic Association (NMFTA) for guidance on rating cybersecurity considerations. Read more about NMFTA and cybersecurity.

GEOTAB’S ANSWERS TO THE FBI QUESTIONS FOR ALL CUSTOMERS
While the FBI has not provided detailed answers to the ELD questions, we have outlined below what we believe are acceptable minimum responses from an ELD provider. Geotab meets all of the cybersecurity considerations noted below.

Is the communication between the engine and the ELD enforced?
The relevant section of NMFTA document SCP-060 reads: “The vendor shall enforce controls integrated into the telematics device to limit the possible commands and data transmitted to the vehicle network.” The GO device is designed to minimize the number of commands or data transmitted into the vehicle on the CAN bus.

Were technical standards or best practices followed in the device’s development?
Geotab publishes its Software Development Life Cycle. In addition, please see the Geotab Product Integrity White Paper for information on international standards compliance. Finally, Geotab actively contributed to the NMFTA Cybersecurity Requirements for Telematics Systems linked in the FBI PIN notice.

Does the component protect confidentiality and integrity of communications?
Geotab provides one of the most secure telematics solutions available on the market today. Geotab uses encryption to protect data at all times during collection, transmission, storage, and use. The GO devices use AES 256 to encrypt all Data At Rest (DAR). DAR AES 256 keys are generated and stored within the GO device microcontroller.

Each GO device creates its own unique random AES 256 keys. The AES 256 keys are generated on the GO device by a Cryptographically Secure Pseudorandom Number Generator (CSPRNG). Geotab’s cryptographic module has achieved FIPS 140-2 validation; the certificate number is 3371. Geotab is the first telematics company to achieve FIPS 140-2 validation.

Data transmission from the GO device to the My Geotab solution uses a rolling AES 256 encryption key scheme to encrypt all Data In Transit (DIT). The DIT keys are securely stored by the GO devices, protected using the DAR keys. The DIT keys are also stored by the My Geotab solution. The DIT AES 256 keys are generated using a CSPRNG by the My Geotab solution. All servers in the My Geotab solution are configured to run in “FIPS mode” so that the keys are generated by a FIPS 140-2 validated cryptographic library.

Customer data in the My Geotab solution is encrypted at rest using AES 256 disk encryption provided by Google. More information on Google disk encryption can be found at https://cloud.google.com/security/encryption-at-rest/. Customer data transmitted inside the My Geotab solution is encrypted in transit with TLS 1.2.

Customers access their data stored in My Geotab in one of two ways — via web browser or via API. Both the My Geotab web application and the API are accessed over HTTPS with TLS 1.2. Customer access is controlled through either username and password, or by SSO with SAML 2.0. Password complexity rules are set up by customers within the My Geotab application.

Has the component had penetration tests performed on it?
Yes. Geotab performs at least annual hardware penetration testing on the GO device.

Does the device have secure boot?
The GO device uses firmware that has been cryptographically signed by Geotab, and the keys needed to verify it are securely stored in on-board microprocessor memory. This ensures that the firmware is verified as authentic when the GO device boots.

Does the device ship with debug mode disabled?
The GO device ships with debug mode disabled.

WHAT ADDITIONAL CYBERSECURITY MEASURES DOES GEOTAB HAVE IN PLACE?
Geotab takes a proactive approach to information security. As a global leader in connected vehicles and IoT, Geotab has developed a rigorous and comprehensive cybersecurity program. We work with industry associations and universities to develop security technologies and practices, and create awareness around best practices.

Last year, Geotab was the first telematics company to achieve FIPS 140-2 validation from the National Institute of Standards and Technology (NIST) for the cryptographic module in our Geotab GO vehicle tracking device. FIPS 140-2 validation is the benchmark for cryptographic modules protecting sensitive information in computer and telecommunication systems for government and military applications in North America.

Read more about FIPS 140-2 validation in this blog post and the related press release.

VISIT THE GEOTAB SECURITY CENTER FOR MORE SECURITY RESOURCES
We invite you to go to the Geotab Security Center for more details on Geotab’s policies and practices. The Security Center includes information about the Geotab security policy and leadership team, customer data privacy, learning resources, and a contact form.

Read Geotab’s response letter to the FBI notification

MORE GEOTAB LEARNING RESOURCES ON FLEET CYBERSECURITY
The following Geotab resources provide an overview on important considerations and best practices for telematics security. Additionally, you can see more best practices and guidelines in the FMCSA’s Cybersecurity Best Practices for Integration/Retrofit of Telematics and Aftermarket Electronic Systems into Heavy Vehicles.

Blog posts:

Four questions about cybersecurity every fleet executive must ask
Cybersecurity basics — how to protect your business
15 security recommendations for building a telematics platform resilient to cyber threats
Federal fleet manager cybersecurity considerations for telematics

White paper:

Best practices for cybersecurity management in telematics

CONCLUSION
Cybersecurity is a key consideration when it comes to any technology or device for your business, including ELDs. The FBI notification on electronic logging is a reminder that along with safety, productivity and efficiency, fleets and solution providers alike need to be ever mindful of security in their organization.

 
