Are Trucking Cybersecurity Measures Keeping Pace with Hackers?

Show Notes

Cybersecurity in Transportation with Jason Winter.

In this episode of the Trucking Risk and Insurance Podcast, your host Chris speaks with Jason Winter, head of business development at Castellan Information Security, about the growing threat of cybersecurity in the transportation and logistics sectors. 

They discuss the alarming rise in supply chain attacks, the importance of business resilience, and practical steps companies can take to protect their assets. Jason emphasizes the need for a multi-layered approach to cybersecurity, including advanced technologies, up-to-date software, and employee training. 

The conversation highlights the real and increasing risk of cyber-attacks, urging businesses to strengthen their security measures and consider partnerships with cybersecurity experts.

Our Guest:
Jason Winter
Castellan Information Security
Email: Jason.Winter@castellaninformationsecurity.com
Phone: (226)755-2590
Website: www.castellaninformationsecurity.com

Your Hosts:
John Farquhar
National Risk Services Specialist, Transportation, Gallager GGB
https://www.ajg.com/ca/
M: 437-341-0932
John_Farquhar@ajg.com

Chris Harris
CEO, Safety Dawg Inc.
905 973 7056
Chris@SafetyDawg.com
https://safetydawg.com/
00:00 Introduction to Cybersecurity in Transportation
00:42 Meet Jason Winter: Expert in Information Security
02:33 The Rising Threat of Cyber Attacks in Logistics
04:30 Protecting Your Trucking Company from Cyber Threats
05:29 The Human Element in Cybersecurity
07:25 Real-World Examples and Statistics
13:13 The Importance of Business Resilience
24:33 Final Thoughts and Contact Information

Keeping it Safety Dawg Simple!
#trucksafety #truckinsurance #truckpodcast

Do you need a "Truck Driver Safety Policy?" Get it today! https://safetydawg.com/policy

Transcript

Chris Harris, Safety Dawg 1: 0:00

Today I'm speaking with Jason Winter, the head of business development for Castellan Information Security. We are diving deep into the issue of cyber security in transportation and logistics. Have you watched the Netflix series called Zero Day? What a great example of computer hacking. That's what we're talking about today. You can learn about the staggering rise in the supply chain attacks and the importance of business resilience and practical steps that you can take. to protect your company. That's coming up next. Jason! Welcome to the Trucking Risk and Insurance Podcast. Hey Jason, welcome to the show. Can you just take a minute and introduce yourself

Jason Winter: 0:52

absolutely. It's a pleasure being here today. So my name is Jason Winter. I'm the head of business development for an information security services company called Castellan Information Security. So we provide cybersecurity related services specific to governance risk compliance and something a little bit unique for most other organizations is resilience. We always say that it's not a matter of if, it's a matter of when. And in addition to protecting a company's most important assets, which are information, we also balance it with things like business continuity to make sure that we keep the lights on while an organization is responding and recovering from adverse events.

Chris Harris, Safety Dawg 1: 1:35

Adverse events, many forms, uh, several years ago when I was working for my insurance company, uh, I went out to see a client and, you know, Hey, what's happening? How are things going? And he had to postpone the interview, uh, by a few weeks because a dump truck. Hit the telephone pole or hydro pole at the end of his driveway, sent a surge through the electrical lines, fried everything that was electrical, so his whole computer system and everything went down, and for several days was communicating by cell phone only. And of course, um, the data backups were on site.

Jason Winter: 2:24

Yep. It's always the worst case scenario. You're playing for the worst.

Chris Harris, Safety Dawg 1: 2:28

Oh God. And you know, I, I work for a captive insurance company right now. We do get into this a little bit in the interview and I am shocked at how little preparation or thought many trucking companies give. To security to hacking. Um, I don't know. I think there's a real vulnerability there. Is that the case?

Jason Winter: 2:56

Yeah, absolutely. We're seeing across many different sectors, certainly in transportation and logistics. There's been a significant increase in the number of cyber related events over the past several years. There was a real shocking statistic that since 2018, there has been a 1600. percent increase in supply chain attacks across North America. It's just a staggering number. And the fact is, is that all these organizations are becoming more and more dependent on technology and the flow of data across all of the different elements, whether it's from the vehicles themselves or from different logistic Supply chain, um, organizations, definitely we are seeing it as a major threat because it's, it's more about disrupting the supply chains as well as it is for economic gain.

Chris Harris, Safety Dawg 1: 3:49

Well, there's, there's disruption. Recently, I had, um, Jennifer Lockhart, I think her name was, if I remember, a couple episodes ago and She was talking about theft of cargo, um, through stealing, largely stealing the, uh, information that you can find on the internet to move and steal the cargo. So, very similar theme, uh, but how would a trucking company go about protecting their assets? I mean, in my mind, the greatest asset a trucking company has is its information.

Jason Winter: 4:28

Without a doubt. Absolutely. And, you know, gone are the days when a simple firewall and some antivirus software on your computers Make it work and and keep you protected there. There are a number of different technologies that need to be put into place. So it's really more of a multilayered approach to your security. So you do. You certainly need to look at some advanced solutions because hackers are getting much more intelligent on a day to day basis. The other aspect we need to think about is the technology needs to remain up to date. One of the most vulnerable people. components when you're looking at cyber security are out of date software packages as well as a lack of patch management, which means that all of your different systems, all of your different solutions need to be in the most up to date patch levels and upgrade levels, even though it may take some time and effort and potentially some outside supports. Another aspect is The human element. Uh, I always say that in a lot of cases when there is a breach or when there is an attack, it's not necessarily the technology. It's actually the people aspect of it, whether it's laxed policy or procedure or, uh, not a Oh. A mature training and awareness program, we need to be able to take that risk and reduce it by proper training, by making sure that we've got the right policies in place to protect against those, um, those vulnerabilities associated to cyber attacks. We also need to be thinking about how do we monitor. They're supply backers. Sorry, threat vectors on a day to day basis are changing. Hackers are getting more intelligent. They're looking at new ways of being able to create the habit that's associated to these adverse events. They're using AI generated tools to be able to Find the vulnerabilities in organizations. So we need to be able to implement ongoing monitoring, not only solutions but also services because we recognize that we can't be everything for everybody. Transportation and logistics. Organizations are lean to begin with. They are experts in what they do. They're not necessarily experts in cyber security. And that's where you need to look at leveraging partners to be able to help support that ongoing monitoring and management of your security posture to make sure that you are as safe as possible. And I guess the last thing I would say is there, there definitely is a lot more collaboration in the industry. And certainly all across all different levels of government as well, and maintaining that communication, that transparency and compliance to new regulations that are coming out related to cyber security will also help in reducing that overall risk.

Chris Harris, Safety Dawg 1: 7:23

I mean, the risk is real. Uh, I'd say about six years ago, my wife and I, my wife owns her own business. Uh, and so do I. And I was fortunate. She used to do my books for me. Um, I bring this up because she was doing her banking information and watched a 3, 000 e transfer happen as she was on the bank. Uh, and then, you know, so she phoned me in a panic. And I went and looked. I was out 7, 000. She saw a total of 10, 000 get e transferred. Um, Now, the bank, we got all of our money back, thank goodness. My point is that many years ago, before as things have changed with AI and more, even more sophistication, we got hacked and in her case, uh, it was her computer. She had somehow downloaded key logging software. And so as quick as she could change the password for the bank, The hackers had the new password.

Jason Winter: 8:34

Yeah, it's, it's insane. And 85 percent of Canadian businesses will have at least one cyber related attack per year. That's a staggering amount.

Chris Harris, Safety Dawg 1: 8:44

I was gonna say say that again.

Jason Winter: 8:48

85 percent of Canadian organizations are going to have at least one cyber related event per year, and it's growing every single year. You see in the media every single day. A new organization has had either a major data breach or a cyber related event through ransomware or malware. It is becoming more prevalent and more dangerous because of the information that that is being transferred and used is being used. Is becoming more dependent, you're more dependent on that technology and that information.

Chris Harris, Safety Dawg 1: 9:21

I mean, I live in the city of Hamilton in Ontario and we were, the city was hacked about two years ago. And it took them almost a year to recover because they apparently didn't pay a ransom. And like we couldn't even pay our property taxes for almost six months. You know, and of course, the city did catch up. Um, you know, these types of hacks are happening now. If I own, I don't know, 10 trucks or 20 trucks, what is a hacker going to get from me? Like, I understand the city of Hamilton, perhaps. Um, I don't even know what the hell hackers do with all this information they steal. But, if I've got a 10 or a 20 truck account or a 50 truck account, basically, I'm a little guy. What are they using all this information for?

Jason Winter: 10:20

For a couple different purposes. One is disruption. So certainly if they can stop the flow of information, as you mentioned, the most important aspect in tracking logistics is information itself. So if, if a hacker was to disrupt that, and that would potentially cause your services to be paused. And knowing the economic impacts of not flowing. Goods and services across, uh, across the province, across the company can shift the economy significantly. So it's really more about the, the intent of the actor to be able to create that disruption. Another, uh, another aspect that they use this data for is to sell it. They sell, uh, information to competitors, they, uh, sell the information to other hackers so that they can use it as a stepping stone to, um, to be able to breach manufacturing, uh, organizations or, uh, endpoint retailers or service providers. So no matter what they can do, they look at information as nuggets, nuggets of information that they can, um, exploit and grow their ability to either, exploit. Put a ransom out there, which in a lot of cases, the typical ransom is, is between two and 3 million. So that's a significant staggering amount of money that organizations need to pay in order to get their services back up and running. The city of Hamilton's is a fantastic example where critical infrastructure and critical services were out for months because they didn't. Pay. And so look at think of the lost opportunity and the lost cost associated to that. Trucking companies, they, they depend on the movement of goods across the country every single day, every hour of every day. What if that stopped for two days, two weeks, two months? That would certainly put a lot of organizations at risk.

Chris Harris, Safety Dawg 1: 12:18

Well, and nowadays, like my typical client is a 50 truck or less type person, and so they're using the load boards a lot, um, to find their loads, especially, or at least one way. Uh, often they'll have a contract taking freight down to the states, for example, um, but they often use a load board coming back. If that load board went down, and I could see that happening. Using my imagination, not being a hacker, but you could tell me if this, uh, could actually work is you hack the 20 truck fleet, uh, and then from there, it's a stepping stone to get into the load board software. And then. They hack that and shut that down for a few days or weeks or months like Hamilton. Is that a possibility?

Jason Winter: 13:10

Absolutely. And that's why it's so important. Not only are we looking at ways to protect against that hacking, but what happens When it does happen, how are you able to still maintain those critical services for those smaller organizations with those load boards to be able to continue moving the goods to wherever they need to be going? And that's really where business resilience comes in, because you really need to ensure that you have an alternate strategy, whether it's tactical or whether it's plan B, C or D, you still need to. Identify which, identify ways that you can keep the lights on while you're dealing with the response and recovery from that hack.

Chris Harris, Safety Dawg 1: 13:51

And it's getting more and more difficult today to do just that. Now, I just had a thought. Let's say a load board was hacked. Um, and obviously they hire people to come in and help them undo the devastation. Would they be able to trace it back to that individual trucking company? The one that somehow The hackers used as the stepping stone.

Jason Winter: 14:19

It depends. It depends on how they were able to get into, um, the organization, get it, get onto that load board to hack it itself, depending on the type of organization and the type of incident response. The quicker you're able to identify the threat or identify the exploitation and shut it down, then you can capture much more information as it goes on. Hackers are very are very smart at being able to hide their own tracks. So gone are the days where they left cookie crumbs for which you can investigate and go back to that source or patient zero, so to speak. And it's, it is much more difficult. Now there are technologies, uh, and solutions that can be Implemented so that it can take that proactive step and identify that a potential threat might be happening so that you are trying to be as proactive as possible when it comes to these kind of events occurring, because the last thing you want to do is to have a full out exploitation of all of your infrastructure. You want to stop the bleeding as quickly as possible, and there are technologies and services available that will help with that. But again, it's they're getting smarter. And, you know, to try and keep up with the change, with the pace of change associated to that is very difficult for a lot of organizations.

Chris Harris, Safety Dawg 1: 15:42

You say the pace of change, even just keeping your employees educated and cautious, um, that's a huge undertaking. The insurance company that I work for, I know once a year we had to take cyber security training. Yes. And I, I know how I treated it. It was like, God damn, I got to do this again? Um, because I was blessed to be there for about 13 years. So, you know, that was a good side, but the downside was I didn't take it all that serious. You know, how do you get employees to pay attention and really take this stuff serious? Because it is, it's a serious threat.

Jason Winter: 16:31

It really is. And that the people aspect of it is such an important component in building out that resilience of being able to protect against an attack. So certainly keeping it on top of mind for all of the different staff and the different roles within an organization. Make it role based training, scenario based. So put it into context that drivers and logistics analysts and administrative staff will understand So that they can They can really put into context what that threat is and what steps they need to take not only to respond to it or to report a potential threat that's happening, but also to protect against it. So use things like phishing simulations. So phishing attacks are our email based. Um, exploitations that mask who you are. So you may think it's from your colleague, an email come from a colleague saying, please open this document, I need you to review it. When in fact, it's a hacker that has embedded a malware in that application. So as soon as you click on it, it will open up. If you are able to simulate those and to be able to show a cause and effect of doing or not doing that. action, then you can help to build that resilience within your organization. So certainly, um, scenario based training is very, very important. Um, Continually do training and awareness programs, posters, emails, seminars, webinars, lunch and learns, all of those things need to be top of mind for organizations and for staff. It's constant. As much as new safety regulations come out for drivers, as an example, cybersecurity, uh, awareness needs to be just as frequent and just as, um, in context for an organization to remain. Protected and resilient.

Chris Harris, Safety Dawg 1: 18:26

You know, you're in the I. T. Security area. I'm in the trucking training drivers regime and I'll tell you, I'll bet you the need to train drivers on updated items in the world are far less frequently needed than to train and keep I. T. Hacks and stuff like that front of mine. Because I mean, I my imagination is going, but I just I believe that the hackers are way better in learning new stuff every day, uh, than a truck driver has to learn.

Jason Winter: 19:05

Yeah, absolutely. Because as much as we're trying to put in new technologies and new processes to protect, they're ahead of that curve because they're always looking at ways to be able to exploit that. And so it's, not any one aspect of protection is going to be enough. So you need to have the training and awareness programs. You need to have robust solutions implemented in your organization to be able to Increase that wall of protection around your information as well as, you know, choosing expert partners to be able to help with that monitoring and reporting of potential threats and risks. You need those experts in order to understand. What that changing landscape is on a regular basis. And that's really why we're in business. If, if there wasn't that challenge of ongoing risks associated to cyber attacks, then we wouldn't need all of these, uh, checks and balances. And

Chris Harris, Safety Dawg 1: 20:03

I was going to say, when you were talking about the simulation, that's something that your company is able to, uh, assist companies with.

Jason Winter: 20:11

Absolutely. So we have, uh, we have robust programs around training and awareness. We also, uh, engage, uh, expert partners that specialize in, uh, different industry related, uh, training programs. And so we can, we can cater or create, uh, very specific programs for different organizations in addition to other services that we can provide to help manage and monitor technologies. The one thing that we're starting to see, and you, you touched on this a little bit earlier, is insurance. Many insurance organizations are now starting to expect or demand that there are certain cyber security related Uh, protections in place in order to receive a policy and or a reduction in their policies because they have these checks and balances in place. So compliance related activities is another service that working with a partner like Castellan can certainly help you identify and provide an ongoing management of, uh, of those certain expectations from insurance companies right across the board.

Chris Harris, Safety Dawg 1: 21:16

Yeah, and I would imagine I haven't asked a broker, but, um, I certainly would imagine that if a company asked for cyber insurance. Uh, that there must be some checks and balances on the trucking company's end in order to get it. Because if I was an insurance company, why would I give it to you if you didn't give a shit and didn't do anything about it?

Jason Winter: 21:39

Absolutely. And you're absolutely right. So not only is it one thing to become compliant in order to receive the policy, but there's, there's audits that are associated to it. There's expectations that it's maintained. So things like I mentioned around patch management and updates to the software. Again, a lot of these things are outside of the wheelhouse of your traditional transportation services organization. And they're not meant to be these experts in cybersecurity. And that's why we can come in and help support that ongoing management and maintenance of those systems, but also the services surrounding the new threats that may be needed. Banging on the wall, trying to get into that organization to disrupt or to exploit those vulnerabilities.

Chris Harris, Safety Dawg 1: 22:25

Now, just to kind of circle back a little bit. You mentioned that Canadian companies, you've seen an increase in threats, and I want to say it was 1, 800 or 18, 000?

Jason Winter: 22:38

So 1, 600%, yeah, 1, 600 percent increase in supply chain attacks over the past five years.

Chris Harris, Safety Dawg 1: 22:46

To me, that's incredible and that's scary, um, because I like to go to the store and eat and buy my food and if they disrupt that What would that do to the economy? Not sorry. That was one of those questions. I really don't want you to answer. But

Jason Winter: 23:03

yeah, I mean, but the fact that you that you're aware that there is that significant impacts in the economy. It's drastic. I mean, it is. It is significant in terms of that. And it also speaks to the dependency on technology that traditional organizations really haven't Yeah. Put at the forefront. So like you mentioned at the beginning where transportation services organizations the most important asset is their information That's grown in importance over the past five years. So that's another vector to exploit and try and disrupt. You look at when there's an accident on a major highway across Canada, how disruptive that is to trade and to the economy. It's the same philosophy. Whereas if you're able to disrupt that information flow from suppliers to receivers to logistics companies, you're going to negatively impact. You're not going to be able to get those services. or those, those products to the end customer, or it's going to be a delay. And so that's going to really risk the long term viability of organizations, as well as increasing the prices to the consumer, because it's just not going to be available.

Chris Harris, Safety Dawg 1: 24:17

Yeah, it's, it's just one of those things. A crash on the highway can certainly disrupt things for a long time, and a service hack Um, into a computer system can do the exact same thing. Exactly. Now, Jason, I know that all of your contact info was in the show notes down below for the people who want to reach out and get more information. What else, uh, just to wrap it up, what haven't we covered? What would you like our audience to know that we didn't speak about?

Jason Winter: 24:51

I would say that, um, There's, there has, there is in across many different industries, there's a false sense of protection or a false sense that it's not going to be me. It's always going to be the larger organizations or it's always going to be different sectors. It's not a matter of if it's a matter of when. And you can't expect that you're going to be able to do everything for everybody all the time. Leverage and lean into organizations like Kastle and Information Security to help support you. We are, we are there for a long haul. We are there as a partner rather than a transaction. And it's not just about the technology. It's about the people and the processes as well. And we take a very holistic approach when providing those services. So please reach out, have a conversation with us. We can talk about where there potentially may be challenges and we can help you along the way to be able to increase your security posture in the organization. And

Chris Harris, Safety Dawg 1: 25:49

Castellan is, I mean, let's just throw it out there. It's Canadian, eh? It certainly is.

Jason Winter: 25:56

So we are solely a Canadian entity and we provide services coast to coast to coast, but we can We can identify and provide, uh, really great partners that we work with in the U. S. that can help support transportation organizations down there as well. There's many organizations that can provide the similar services.

Chris Harris, Safety Dawg 1: 26:15

Wonderful. So if you're Canadian, reach out, think about this, uh, because we all know cybersecurity is a huge threat. If you are an American listener or viewer and you haven't thought about it, again, reach out to Jason. He can put you in contact. With similar companies in the US that would also love to have the conversation Jason, thank you so much for coming on the trucking risk and insurance podcast.

Jason Winter: 26:43

It has been my pleasure I appreciate the time and it was a great conversation. Thank you so much

Chris Harris, Safety Dawg 1: 26:49

And thanks, Jason, for coming on the show. That was spectacular. I really believe I got a lot out of it, and I've got to take steps to protect my little company. What are you going to do out there, our viewers and our listeners? Um, did you get value from this? Please, if you did, click like, subscribe, leave me a comment. I love to hear from you. Johnny, you'll be back soon. All right. That's it for this week. Trucking risk and insurance podcast. I'm out of here.