Cyberattack response plans need to be in place to avoid chaos

IT exec says if companies ‘don’t know what to do when something happens, then all bets are off’


HOUSTON — Much of the first day and a half of a cybersecurity conference sponsored by a leading less-than-truckload trade group focused on preventing cyberattacks. But that left the question of what happens if you get hit by one.

Steve Hankel, the vice president of information technology at Johanson Transportation Service, had that job Tuesday, the second day of the Digital Solutions Conference in Houston sponsored by the National Motor Freight Traffic Association (NMFTA). Hankel went through a lengthy list of steps that he said need to be prepared in advance and then implemented when a company gets hit with a cyberattack. Most of them could be applied to almost any type of company facing the job of dealing with the chaos that accompanies a technology shutdown from an outside attack.


At the heart of Hankel’s blueprint for dealing with a cyberattack is a business continuity plan. 

“Business continuity provides a framework for building organizational resilience and a capability for effective response,” Hankel said. Without it, “it doesn’t matter what you do, to go through all your tests, due diligence, cyber resilience and everything, but if you don’t know what to do when something happens, then all bets are off.”


Communication will extend out to the customers of a company that gets hit with a cyberattack. The demand for that communication is coming from the customers themselves, Hankel said. “A lot of our larger customers are starting to ask us and tell us, ‘You need to notify us if you have a data privacy breach, a ransomware breach or if you have any kind of cyberattack that would put us at risk.’” 

It isn’t just a request, Hankel added. Spelling out the necessary communication is showing up in contracts. 

Not surprisingly, implementing a solid approach toward readiness all starts at the top, he said. A robust business continuity plan needs support up and down the organization — “upper management, the executive team, your management chain. You have to make it clear that this is something that the business needs to focus on. You can’t do it on your own.”

When “new fancy firewalls” are installed, it provides the opportunity for the team leading the battle against cyber bad guys to show management the effectiveness of the new tools. Company logs can record that the system was attacked “90 times a day or whatever,” Hankel said, “and you can show that to your executive team and say, ‘These are all the things that we have prevented because of tools X, Y and Z.’”


Communication with the outside world is important, he said. Who is going to communicate for the incident response team and “who do they need to contact and why?” That includes using such tools as texting because “voice channels may be clogged up in an emergency.”

Hankel ripped off a list of obvious contacts: law enforcement (including the FBI), vendors and, maybe the most obvious one of all, employees. “You want them to understand what’s going on,” he said. Not being upfront with communications creates the possibility of rumors flying around social media, “and you want to get a handle on them.”

Clear lines of control need to be established going into a cyberattack, Hankel said, and it is likely to mean that the CEO or other top brass are not in charge. 

“Make sure that you address that beforehand, that ‘I know you’re the CEO and we love you to death but please stand back and let us do our job,’” Hankel said. It’s a normal situation for “managers and executives who want to jump in and run it but don’t know what’s supposed to happen.”

Incident response needs to be clear on numerous issues, according to Hankel. “How are you responding? Who is responding? Who is communicating and how are you doing all that?” And if those questions are not answered before the attack hits and an attempt to tackle them is made when chaos is reigning, “the time it takes to respond can greatly affect the severity and outcome of a cyber incident or other disasters. … Make sure everybody knows who is in charge and what their role is.”

Despite the fact that Estes Express, an LTL carrier, was hacked just a few weeks ago and the full restoration of all services coincided with the final day of the NMFTA conference, its name was rarely heard from any of the speakers. But in private discussions, attendees at the conference from the LTL industry commended Estes for how it handled the communication aspect of its ransomware attack, including the rapid establishment of a portal separate from the compromised systems in which customers could communicate with Estes, and the videos on the company’s progress featuring Webb Estes, the company’s president and COO.

Another key need is to set recovery time objectives (RTOs) and recovery point objectives (RPOs). Although Hankel did not define them, RPOs have been defined elsewhere as “a planning objective that defines how often data needs to be backed up to enable recovery.” RTOs can be defined as “the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences.” 

Among the questions that Hankel said would fall under those parameters: “Do you need to restore data from three days ago? Or would you rather have it so that you’re doing a backup every 15 minutes?” But these and other questions can’t be answered in a vacuum, Hankel said. A company needs “to look upstream and downstream” to both its customers and technology vendors to determine what can and needs to be done. 
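As an added illustration of the RPO/RTO trade-off described above (this is not code from the article, from Hankel or from Johanson Transportation Service), the following checks an incident timeline against a continuity plan’s objectives. The backup schedule, incident and restoration times, and the objective values are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Objectives:
    """Planning targets from the continuity plan (assumed values, not from the article)."""
    rpo: timedelta  # max tolerable data loss: time from the last usable backup to the incident
    rto: timedelta  # max tolerable downtime: time from the incident to service restoration


def achieved_rpo(backups: list[datetime], incident: datetime) -> Optional[timedelta]:
    """Data actually lost: age of the newest backup completed at or before the incident.
    Backups finished after the incident are ignored; they may already contain attacker changes."""
    usable = [b for b in backups if b <= incident]
    if not usable:
        return None  # no restore point exists at all
    return incident - max(usable)


def achieved_rto(incident: datetime, restored: datetime) -> timedelta:
    """Downtime actually suffered, from the incident to the service being back."""
    return restored - incident


def evaluate(objectives: Objectives, backups: list[datetime],
             incident: datetime, restored: datetime) -> dict:
    """Compare what happened against the plan's RPO/RTO and report which targets held."""
    rpo = achieved_rpo(backups, incident)
    rto = achieved_rto(incident, restored)
    return {
        "data_loss": rpo,
        "downtime": rto,
        "rpo_met": rpo is not None and rpo <= objectives.rpo,
        "rto_met": rto <= objectives.rto,
    }


# Constructed scenario: backups every six hours, ransomware detected mid-afternoon,
# service restored the next morning.
SAMPLE_BACKUPS = [datetime(2023, 1, 10, h) for h in (0, 6, 12, 18)] + [datetime(2023, 1, 11, 0)]
SAMPLE_INCIDENT = datetime(2023, 1, 10, 14, 37)
SAMPLE_RESTORED = datetime(2023, 1, 11, 9, 0)

# The two planning postures from the talk: a 15-minute RPO versus accepting three days of loss.
TIGHT = Objectives(rpo=timedelta(minutes=15), rto=timedelta(hours=4))
LOOSE = Objectives(rpo=timedelta(days=3), rto=timedelta(days=1))

if __name__ == "__main__":
    for name, obj in (("tight", TIGHT), ("loose", LOOSE)):
        print(name, evaluate(obj, SAMPLE_BACKUPS, SAMPLE_INCIDENT, SAMPLE_RESTORED))
```

The same timeline passes the loose objectives and fails the tight ones, which is the point of deciding the targets with customers and vendors before an incident rather than during one.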


The complexity of putting together a business continuity plan tied smoothly into one of the final sessions of the meeting, at which Ben Gardiner, NMFTA’s senior cybersecurity researcher, laid out some of the initiatives internally and externally that have been undertaken to combat cyberattacks on trucking.

Day one of the conference seemed at times to be at an elementary but necessary level. Stopping cyberattacks, the attendees were often told, can involve simple steps like frequent password changes, constructing those passwords with some rules of complexity and trying very hard to get staff not to click on links in emails that come from shady addresses.

But the Gardiner session showed just how technically complicated the challenge can be to shut off all possible avenues into a company’s system.

A key argument made by Gardiner is that thinking in terms of a hack just coming in through a network doesn’t capture the risk from trucks connected to the cyber world through telematics. 

The list is long. Trucks that are satellite connected bring a special set of risks; old cellular-based systems that haven’t been updated to the latest technology are another vulnerability. And then there’s the issue of tablets working on the docks at LTL facilities, and the list goes on to even include the possibility of a hack coming through a forklift at a terminal. 

There are plenty of smart people working on these issues, and many of them are young. The NMFTA is the lead sponsor of the CyberTruck Challenge, in which students from a wide range of schools attempt to hack into trucks. This year’s version was in June outside Detroit. 
