Addressing API security in the trucking industry

APIs vital to logistics companies, but vulnerable to attacks


As the trucking industry continues to become increasingly reliant on software and digital infrastructure, organizations like the National Motor Freight Traffic Association (NMFTA) aim to make application programming interfaces (APIs) more secure. 

As any disruptions to the trucking industry have wide-reaching impacts on the economy and present serious national security risks, commercial transportation security concerns are now more vital than ever. 

The NMFTA is dedicated to cybersecurity, as protecting the physical and digital assets of the supply chain is essential to almost every sector.

APIs make it possible for digital platforms to communicate with each other, which allows the essential logistics of the trucking industry to function. However, experts such as Paulo Silva, principal security researcher at Char49, point out that the proliferation of APIs has outpaced many companies’ security protocols. 

This lack of precautions is a major weakness that bad actors could potentially exploit.

During NMFTA’s October 2023 Digital Solutions Conference on Cybersecurity, expert panelists all urged trucking companies to take two critical steps:

  1. Adopt a no-trust environment when it comes to both enterprise and assets, meaning neither people nor other applications should be able to access an application without going through multi-factor authentication (MFA).
  2. Train people not to bypass security measures, and not to give others the opportunity to do the same.

According to Eren Yalon, VP of security research at Checkmarx, access control is the number one problem in API security. 

“Access control is characterized by two main issues: authentication and authorization,” Yalon said.

Authentication is the process of verifying that an individual, entity, or website is who it claims to be, while authorization is the process of verifying that a requested action or service is approved for a specific entity. 

“Protection starts with proper inventory management of APIs,” Yalon said. “You cannot protect what you don’t know.”

An additional concept that all trucking companies should understand is the use of API keys. API keys are unique identifiers used to authenticate and authorize users. They separate credentials from API access and prevent issues when users change companies or even when individuals accidentally leak passwords or other account info. 

According to Josiah Carlson, CTO and co-founder of Liminal Network, API keys partition what human users can do and what automated systems can do. “We like that because we sometimes want our automated system to fetch documents, but we don’t want that same system to be able to update billing or change phone numbers, and so on,” said Carlson. Without robust security in place, such systems could easily be exploited or simply cause unintended failures. 

To protect API keys, every company must take precautions such as encrypting archived passwords on local servers. “No password should ever be stored in plain text on any server anywhere,” Carlson said.
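The partition Carlson describes, together with the rule against storing secrets in plain text, can be sketched as follows. This is an added example, not code from Liminal Network or NMFTA; the scope names, the `ApiKeyStore` class and the key format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed scope names mirroring the article's example: the automated
# system may fetch documents but must not update billing or phone numbers.
AUTOMATION_SCOPES = frozenset({"documents:read"})
HUMAN_SCOPES = frozenset({"documents:read", "billing:update", "contact:update"})


class ApiKeyStore:
    """Hypothetical key store: keeps only SHA-256 digests, never raw keys."""

    def __init__(self):
        self._records = {}  # key_id -> {"digest", "scopes", "revoked"}

    def issue(self, scopes):
        key_id = secrets.token_hex(4)
        # 32 random bytes: high entropy, so a fast hash is acceptable here.
        # Human-chosen passwords need a slow password hash instead.
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = {
            "digest": hashlib.sha256(secret.encode()).digest(),
            "scopes": frozenset(scopes),
            "revoked": False,
        }
        return f"{key_id}.{secret}"  # handed to the caller once, not stored

    def revoke(self, presented):
        # Revoking a key leaves the owner's own login untouched.
        key_id = presented.partition(".")[0]
        if key_id in self._records:
            self._records[key_id]["revoked"] = True

    def authorize(self, presented, required_scope):
        key_id, _, secret = presented.partition(".")
        record = self._records.get(key_id)
        if record is None or record["revoked"]:
            return False  # authentication fails: unknown or revoked key
        candidate = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(candidate, record["digest"]):
            return False  # authentication fails: wrong secret
        return required_scope in record["scopes"]  # authorization decision


if __name__ == "__main__":
    store = ApiKeyStore()
    bot_key = store.issue(AUTOMATION_SCOPES)
    print("fetch documents:", store.authorize(bot_key, "documents:read"))
    print("update billing: ", store.authorize(bot_key, "billing:update"))
```

A leaked automation key in this sketch exposes document reads only, and revoking it does not require anyone to change a password.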

“Why does the business care? This data is commercially important,” said Hillary Drake, CEO and co-founder of Liminal Network. According to Drake, criminals, hackers, and even foreign agents can exploit unprotected data. 

Targeted cargo theft, for example, occurs when thieves take advantage of data breaches to steal or hijack specific shipments or containers, and “spear phishing” attacks occur when a malicious actor uses sensitive information to trick specific companies or users into trusting fake websites.

“What’s at risk includes data that is confidential and important to carriers, customers and business partners,” said Drake.

Customers and insurers are increasingly concerned about this kind of security. “Many customers are sending IT security questionnaires asking specifically about API security to prevent this type of scenario,” Drake added.

The trucking industry cannot afford to allow cyberattackers to cripple or disrupt its operations, and it takes diligence at every step. Check out NMFTA’s 2024 Trucking Cybersecurity Trends Report today to become more informed and better protected from malicious attacks.

To learn more about cybersecurity in trucking, listen to NMFTA’s monthly cybersecurity webinar series, leading up to its 2024 October Cybersecurity Conference in Cleveland, OH. 

The conference will bring together cybersecurity, trucking and supply chain professionals to discuss emerging cybersecurity threats and related issues the transportation and logistics industries face. 
