“We’ve built significant device and communication security into our platform for managing the applications and equipment not only for Omnitracs, but for our many OEM partners as well,” said Brad Taylor, vice president of data and Internet of Things solutions at Omnitracs. “When you use our dedicated mobile communication devices in the vehicle, fleets can rely on the fact there are no unknown applications that can impact the security and safety of their operations.
Leveraging a driver’s personal mobile device is an option in the world of telematics, but Taylor asked, “How do you continue to ensure [security] for drivers who want a bring-your-own-device world?
“New technology also offers opportunities for improved security,” he answered. “For example, when you move to more advanced data communications, like LTE, you leverage any corresponding improvements in network communication security. This allows you to still be a gateway for information from the truck without compromising security.”
When it comes to vetting technology vendors, Ryan King, director of information security for CalAmp, a company that provides wireless telematics communications solutions using a portfolio of telematics devices, scalable cloud service platforms and targeted software applications, said that it’s important that a solution offers a secure, one-way (outbound) communications link between the telematics device and the vehicle itself.
“It is important to prevent command and control data from being written back into a vehicle’s onboard computers to mitigate the risk of equipment malfunction or loss of data integrity,” he explained. “Telematics devices should also have additional security controls in place to ensure they cannot be reprogrammed or reconfigured by an unauthorized source. The security posture of the back-end platform should be scrutinized as well to ensure that industry standard best practices are being used to secure data in use, at rest and in transit.
“Fleet managers should familiarize themselves with the redundancies that have been put in place to ensure high levels of availability,” he continued, “and the plans that are in place to allow for scalability of offered solutions.”
Who is responsible for data security?
Pfaffenbach feels strongly that OEMs need to be active players when it comes to driving industry data and connectivity standards and solutions. Omnitracs’ Taylor agreed, pointing to the recent electronic logging device mandate and saying, “it starts with recognizing that fleets have significant regulatory compliance requirements, and meeting those must be the foundation upon which new technology is built. Omnitracs must participate in the effort.”
However, the responsibility of security also falls on the shoulders of the fleet managers. As more technology focused solutions come to market, you need to scrutinize the devices you’re using on your trucks.
“Customers need to recognize that there is the risk that even larger entities may have overlooked something,” Pfaffenbach recommended.
CalAmp’s King explained that larger volumes of data require more bandwidth between the telematics device and the back-end platforms in order to deliver all of the data in a timely manner.
“In these scenarios, it is tempting for some providers to sacrifice controls such as secure communications protocols in favor of reducing the required bandwidth,” he said, before recommending that fleet managers ensure that they understand how data is being secured from end-to-end in a proposed telematics solution to ensure privacy and integrity of their fleet information.
“CalAmp uses a ‘defense-in-depth’ strategy that secures fleet data with multiple layers of security at different points throughout the solution,” he said. “It is important that fleet managers understand these various layers, the technologies that make them up and where they overlap to create a secure solution from end-to-end.”
In terms of creating a privacy policy for your fleet (if you don’t already have one), Taylor pointed to the regulatory requirements of data retention requirements of organizations like the FMCSA. For example, per FMCSR 395.8(k), the retention of driver-related duty information is six months.
“Does the fleet want to retain that information and associated data in encrypted format longer in order to be more effective in operations?” Taylor asked. “Omnitracs provides that as an option, along with the tools to use the data in predictive analytics, which can lead improved driver retention and safer operations.”
Taking the security idea even further, Pfaffenbach urged fleets to probe the security capabilities of off-board portals and apps. “Are they taking appropriate measures around even authentication and user IDs? Are they managing employees as the employee comes and goes? Are they turning off those employee accounts?” he questioned. “We all need passwords and we all hate having to change passwords every 90 days or whatever the duration is, but the fact of the matter is that they are in place to protect information.”
Addressing these issues and looking into how your own fleet handles data security is increasingly important and is becoming a standard business practice. It’s the way of today’s data-driven world. That’s not to say that you should be afraid of that reality, but it is important to be cautious as more data-fueled technology works its way onto your trucks.
“The danger is real, but there is real value to pursuing this frontier,” Pfaffenbach stated matter-of-factly. “There is there’s no reward in life without risk, but what is critical is the acceptance of an appropriate amount of risk.”