Companies in the commercial trucking and hauling industry in the European Union and some parts of Asia are under pressure to improve safeguards against cyberattacks to comply with a new United Nations regulation.
Big firms in the industry are stepping up measures to prevent hackers from intercepting and manipulating trucks, which increasingly contain digital components that send data to internet-connected infrastructure and back end systems. Smaller suppliers, however, often lack the financial and human resources to implement important security changes, experts say.
A U.N. regulation approved earlier this summer requires vehicle manufacturers and their suppliers to prove they secure products before they are sold, WSJ Pro Cybersecurity reported in July. Countries including EU members, Japan and South Korea will start implementing the regulation over the next two years, and companies selling trucks and truck parts in those markets will also have to comply.
Companies in the haulage industry could face challenges in complying because its supply chain is complex, experts say. The U.N. regulation requires companies to make sure components and vehicles’ cybersecurity systems continue functioning after vehicles are sold. New trucks generally have more digital functions that could be hacked than cars, and many are provided by third parties.
The industry’s supply chain is also bigger than the supply chain for passenger vehicle production and includes more companies, increasing potential vulnerabilities. Manufacturers usually sell trucks to fleet providers for freight haulage, and a large number of suppliers to Europe’s haulage sector are small companies with few resources to invest in cybersecurity.
“It’s relatively difficult to make sure everywhere the same level of standards are maintained,” said a Germany-based partner at consulting firm Oliver Wyman.
Some European trucking firms have already had data stolen, said secretary general of the European Road Haulers Association, a Brussels-based group representing mostly small and medium-size firms across Europe. But so far there are no known instances of small freight companies suffering destructive hacks that manipulated trucks or diverted routes, he added.
New, more damaging kinds of attacks could, however, become more common as the industry adopts advanced digital technologies. Separate EU laws recently required companies and road infrastructure providers to implement digital tools such as tolling systems, which could introduce new opportunities for cyberattacks. Because freight deliveries keep to certain schedules, hackers could also disrupt supply chains by attacking one company in a chain, said
head of security and privacy research and governance at Germany’s
, which makes brake systems, tires and other vehicle components.
Continental is changing how its cybersecurity experts monitor threats to the company’s products because the U.N. regulation requires firms to continue managing vulnerabilities that could affect hardware or software after those products are sold, Mr. Dehm said. The manufacturer will expand its existing work with academics researching cybersecurity flaws that could affect its products, he added.
“Now you need to be proactively looking for something. In the past, it was a little bit more reactive,” Mr. Dehm said.
Continental’s cybersecurity team, for instance, is analyzing its data tools to make sure they can access software code and look into potential vulnerabilities for each component the company makes, Mr. Dehm said. That requires finding a way to connect many different sources of information, including every software library used to build components, and ensuring experts can continuously monitor them, which may require hiring more security staff, he said.
The U.N.’s new, sweeping regulation requires vehicle manufacturers and their suppliers to make certain components that also meet the same security standard. Additionally, the regulation requires companies to document how they will prevent specific kinds of attacks, inform authorities at least once annually about whether cybersecurity measures have been effective and report relevant information on attacks.
“We need a much closer interaction with our suppliers,” Mr. Dehm said.
Some large European road transport companies might be subject to additional rules if national governments designate them as critical infrastructure, said Charles-Albert Helleputte, a Brussels-based partner at law firm Steptoe & Johnson LLP. Firms in critical infrastructure must comply with additional EU cybersecurity rules, such as notifying authorities about cybersecurity incidents.
Mr. Helleputte said he has received questions from companies in the haulage sector about which companies could be held liable for cyberattacks on connected vehicles. “There’s no really clear answer,” he said. The U.N. rules don’t spell out which party is legally responsible in lawsuits.
Small companies are particularly vulnerable because they lack the resources of bigger firms, said Mr. Digioia. Plus, some companies face unique challenges such as making sure truck drivers receive cybersecurity training to operate trucks with digital components, he said. “There is a lack of human resources, a lack of skills,” he said. “This sector is extremely sensitive.”
Write to Catherine Stupp at [email protected]