In December 2013, a pick-up truck was stolen at a rural gas station north of Mexico City. In the back of the vehicle was a redundant radiation therapy machine that contained approximately 40 grams (1.5 ounces) of cobalt-60, a radioactive material that can cause cancer. It is likely that the thieves were unaware of the potential risks this isotope posed.
After a widespread publicity campaign, the abandoned truck was found by chance several days later. The isotope was still with the vehicle but had been removed from its shielded casing and would have exposed the unwitting thieves to potentially harmful levels of gamma radiation. The incident highlights the potential for hazardous materials in transport to be acquired by malicious actors. The hazardous material could then be weaponized.
There are two types of risk in this context:
1. Current risks
In many jurisdictions, organizations responsible for fleet management are required to take appropriate and legally enforceable measures to ensure hazardous materials are secure and pose minimal risk to the wider public. The United States Department of Transportation (DoT) mandates that organizations transporting hazardous materials over a certain level to develop security plans that help safeguard personnel and prevent unauthorized access to the material while it’s in transit.
They may additionally be required to lay out standards for staff training and ensure that they are competent to react correctly in the event of a security crisis. The requirements can be as strict as requiring personnel involved in the movement of the most hazardous of materials to be vetted.
Organizations are also required to conduct threat assessments and contingency planning to make sure that there are appropriate measures in place should a malicious attack occur. This could include requirements to register planned routes and timings with local authorities prior to a shipment. In cases where particularly hazardous material has to be transported, there may be a further requirement for a police or military escort.
2. Emerging risks
Many organizations now employ technology to manage their fleets. Real-time tools, such as GPS receivers, telemetry, cameras and mobile 4G data networks are common. There are also other components such as biometric sensors and even panic buttons that are more unusual, but are rapidly becoming an accepted part of fleet management. The benefits of these tools to personnel welfare, time planning and efficiency monitoring are significant and enable organizations to reduce risks as well as lower operating costs.
There are a number of threats that can be enabled by using these enhanced systems. The GPS highway guidance systems can be vulnerable to two types of attack. The first simply relies on masking the satellite signal by jamming, rendering it inoperable. Such an attack is likely to be readily identifiable, as GPS receivers commonly warn the user that it is not receiving the correct positioning data.
The second threat, GPS spoofing, is not yet mature enough to have manifested itself in the road freight industry, but has been seen on a few occasions within the maritime environment. It occurs when an adversary transmits a doctored signal that fools a receiving GPS into reporting an incorrect location. In terms of road transport, an adversary could trail, or covertly place a small device, on the target vehicle. These improvised devices, costing only a few hundred dollars, can also be controlled through a 4G network, meaning that they can be hard to trace and do not need to be tied to a particular location.
The consequences for fleet management could be significant. Vehicles hauling high value, or hazardous cargo could be targeted by terrorists or criminals into reporting false locations to fleet control systems, allowing the perpetrators the time they need to steal the goods. In the case of radioactive devices, they could then be used as weapons.
The next stage in the evolution of this threat is likely to be the illicit control of autonomous vehicles, be they road haulage or aerial delivery vehicles (drones). While there are encryption systems that could negate this risk, the cost of retrofitting or replacing current GPS receivers would be significant.
Managing these risks
Organizations running fleets need to stay abreast of the laws regarding the movement of hazardous loads. But alongside compliance with safety, duty-of-care and security regulations, enterprises should also consider how these evolving security threats could expose them to liability issues. If a malicious attack causes significant casualties, the lack of threat awareness is unlikely to be a strong defense in law.
While fleet management might not sound like it is an area where security is a concern, other than the prevention of theft or low-level criminal activity, technology is extending the capabilities of anyone with malicious intent. From terrorists who want to steal material for explosive devices to criminals who will seek to use GPS technology to re-route vehicles and disrupt logistics operations, effective fleet management is now about considering a much wider spectrum of actors and motivations than ever before.