New California IoT Cybersecurity Law Could Impact Trucking Fleets
The California legislature recently passed a new law that could impact trucking fleets operating in the state – and many fleets may be unaware of it. Known as SB-327, the bill covers Internet of Things (IoT) devices, including ELDs and other telematics systems commonly used in trucks.
Under the new law, beginning January 1, 2020, manufacturers of connected devices are required to equip the devices with reasonable security features designed to protect the device and any data it contains from unauthorized access, destruction, use, modification or disclosure. If a device can be accessed outside a local area network with a password, it must either come with a password unique to that device or force users to set their own password the first time they connect. Companies cannot rely on generic or shared logins that can leave them exposed to breaches.
Carlton Bale, Founder and Head of Strategy at connectivity provider ZED Connect, said the law – unique to Calif. – is a good start, but doesn’t go far enough. He’s also concerned that trucking fleets are unaware of it, and aren’t pushing their vendors to address and surpass the new, tougher security standard.
“Imagine a hacker taking over an 80,000 lb. vehicle,” said Bale. “That’s what a device breach could potentially enable, since many critical elements of the truck are connected. It’s a frightening concept – yet we still hear of hardware that uses generic or shared logins across fleets and devices.”
Bale recommends that fleets check with their connectivity providers and ensure they exceed the new Calif. standards. Questions that fleets should be asking include:
- Are all communications between the vehicle and server encrypted?
- Is the data stored on servers encrypted?
- Is the data stored on the vehicle connectivity device encrypted?
- Where applicable, do the connectivity devices have random, device-specific admin passwords?
- Does the vehicle connectivity hardware utilize an internal firewall between the internet connection and the vehicle datalink?
- Has the vendor conducted third-party security assessments of hardware and software to identify and address potential issues?