Can your server on wheels outpace cyber attacks?

Technology and innovation are revolutionizing the influence of autonomous trucks and equipment in the mining and metals industry. Significant advancements in technology – such as machine learning, sensor processing, smart robotics, high processing maps and enhanced AI – are fostering innovation in the connected and autonomous truck industry.

The use of embedded technology especially among enterprises in the mining space has increased their manufacturing capacity, propelling the autonomous truck market forward. From safety to productivity, the advantages of autonomous technology offer substantial possibilities for both truck manufacturers and customers.

A report states that the number of autonomous haul trucks in operation rose from 769 to 1,068 (a growth of 39%) globally between May 2021 and May 2022.

The first generation of autonomous trucks were adopted in around 2016 across various mining sites in Australia and Canada. These first-generation trucks required continuous testing and reviewing of cybersecurity vulnerabilities. And at times, required manual workarounds to maintain security and safety.

From then, autonomous trucks have come a long way. However, there are still concerns about the technology that drives the production of these trucks. When will we see more self-driving trucks in mining? Are they safe from cyber attacks? What can be done to secure autonomous machines against threats?

Cyberattacks on autonomous trucks are on the rise … but are we prepared?

At a time when the complexities of the cyber threat landscape are growing and many cybersecurity technologies are becoming obsolete, human talent and technology should be constantly renewed. However, this is proving to be a significant challenge for businesses.

In the latest edition of the Global Risks Perception Survey (GRPS) by the World Economic Forum (WEF), “cybersecurity failure” features among the top 10 risks that have worsened most since the start of the COVID-19 crisis. In 2020, malware and ransomware attacks increased by 358% and 435% respectively – outpacing societies’ ability to effectively prevent or respond to them. Cyber threats are slated to turn critical by the end of the next two years.

How can truck manufacturers outrun cyber attacks in this complex digital landscape? In this interview, EY leaders Ulrika Eklöf, Tim Best, Tony Schlyter and Henrik Lind answer a few key questions on this subject.

What are the key benefits of using autonomous trucks in mining?

As autonomous trucks never stop to eat or sleep, they are – when properly managed – safer, faster and more cost-effective than its manual counterpart.

The use of self-driving trucks provides significant benefits in terms of safety. Mines often operate in regional and remote environments. Be it a location in treacherous terrains or underground where air quality is poor, reducing the need for humans to physically be present there is a welcome approach. This also means more consistent operating processes that reduce the cost of asset management – labor shortage issues are alleviated and labor costs are reduced.

Autonomous trucks can also boost productivity and efficiency. Whenever a shift ends, it can take workers some time to rest and changeover – time that could be saved with autonomous trucks. This could result in greater uptimes and less room for human error.

We’ve also observed a growing concern for the planet among EY clients in the mining space. The speed monitoring capacity of autonomous trucks and the reduction in idling play a major role in cutting down greenhouse gas emissions. This, coupled with many other fuel-saving technologies make autonomous trucks more environmentally sound compared with normal trucks.

Further, when a mine plan is created to be autonomous from the stage of development itself, future scaling of remote and integrated operations for additional labor synergies become easier.

What are the digitalization challenges faced by autonomous truck manufacturers?

While technology is a great enabler for companies, digitalization also brings along with it a lot of risks, especially to legacy systems that naturally seem to resist change. Gravitating towards a technology-powered business model is great, but this needs to be done with great deliberation so that vulnerabilities are identified and addressed before they can be exploited.

One must note that many legacy truck manufacturing companies – due to acquisitions performed over time – have multiple technologies at play. To build a secure, comprehensive digital backbone, digitalization roadmaps must properly align the business with a tech agenda. Building a solid foundation is essential to providing long-term value to shareholders, customers and the market.

While the challenges with the uptake of digital solutions can be strategically solved, an area that warrants increased attention is cybersecurity. Autonomous vehicles are heavily based on technology, hence exposing a large surface area to cyber threats. Patchwork governance methods, more malicious attack methods and low barriers for cyber threat entry are few of the main causes that aggravate this risk.

Why should cybersecurity be an important consideration for truck manufacturers?

The increasing use of technology in autonomous trucks also increases the risk of cyber attacks. The hyperconnected communication systems make remote attacks easier for malicious hackers, giving them an open window to exploit system vulnerabilities.

A hacker could gain access to an autonomous drive and change its safety rules – controlling how fast it should go and when it should stop. The attack could leave data exposed – leaking it to a hacker group or a cyber espionage group – for malicious intent such as defeating competition, threatening personnel security, extortion, exfiltrating information and damaging reputation.

In addition to losses suffered by the company being attacked, there can also be a profound impact on the customers. Many manufacturing companies are part of critical national infrastructure. They provide services to governments and other critical infrastructure providers. As a result, they need to fulfill certain obligations to meet their customers’ security requirements. They will require risk assessments and mitigation activity around the risks that they identify around cybersecurity.

The customer also has a significant role to play in securing the truck. Often, the customer owns, operates and secures the internet gateways, IT/OT interconnectivity and other core infrastructure in the OT zones. As a result, the truck manufacturer must also consider the cybersecurity weaknesses of the customer or risk suffering reputational damage when something goes wrong due to an existing but unidentified vulnerability.

All of these reasons mandate a security monitoring process that ensures hidden vulnerabilities are detected and prevented from impacting operations.

What are the consequences of a cyber attack on autonomous vehicles?

Mining underpins every aspect of our economy – providing the metals, minerals and coal that are essential to nearly every sector identified as critical infrastructure. And when an autonomous truck that is supposed to support mining goes under, the impact will be felt.

In the wake of a cyberattack, autonomous trucks could just stop functioning. They could shut down in the middle of a tunnel and just block access, which could impact employee safety, or they could completely disrupt mining operations by crashing into other mining equipment. Unexpected scenarios must also be considered. For example, an object moving laterally at an unexpected velocity in a trajectory that is unexpected might force the truck into an emergency stop, causing serious damage. In such cases, cyber threats cause business interruption and productivity downtime – causing irreparable damage to the company – ranging from reputation to revenue.

Importantly, cybersecurity can no longer be considered simply a technical issue as it has spilled over to the geopolitical realm. The technology behind hyperconnected trucks and other vehicles offers conduits to impact a country’s economic progress, national security and societal upliftment.

How do you apply the principle of security by design to autonomous trucks?

Autonomous trucks in the mining industry are essentially computers with wheels. A laptop device or a mobile phone might have the same software complexity inside – except, in this case, it is a motor driving wheel, which can carry a threat to life.

Security needs to be built into the whole infrastructure of the truck – by approaching the development from a zero-trust perspective. Infrastructure also encompasses the connectivity layer that maintain the GPS, Wi-Fi and WLAN within the truck. Some GPS servers have little cybersecurity hardening – if compromised, the trucks could just stop or potentially operate as unintended.

From the security by design perspective, it is essential that automobile manufacturers make use of secure coding practices and enable static and dynamic testing, to ensure that they're on top of how the code is being developed. Having the ability to regularly update the software is a must-have.

Combining and streamlining all these perspectives itself is a major requirement. You need good governance in place to be able to ensure that cybersecurity risks and threats are identified and mitigated across the organization.

What role do the people, culture and leadership of an organization have in ensuring cybersecurity?

The people, workplace culture and leadership attitudes are centric to the success of any organization’s cybersecurity policies – be it a manufacturing company that produces autonomous trucks or a software development company. Security cannot be achieved through technology implementation alone. Instead, the concept of cybersecurity needs to be baked into the organizational culture, end-to-end.

Security considerations must not be an afterthought. Instead, security should be subconsciously included in all levels of decision-making. This calls for more than just training – it requires a shift in the organizational mindset. For example, products can be made more secure to prevent security incidents, but incidents could still happen. So, a product security transformation must also address resilience capabilities.

It is also important to note that no cybersecurity policy is complete if it is not understood or internalized by the employees of the organization. Often, unaware employees are major contributors to the success of cyber threats. Creating cybersecurity policies and frameworks at a micro-level will help ensure that cybersecurity practices are baked into the everyday work at your organization.

How can EY teams help?

EY teams have had the rewarding experience of working in both the cybersecurity consulting space as well as with mining companies. This helps the team understand problems and challenges from both ends of the spectrum, uniquely combining them to see where needs and offerings overlap to maximize benefits. The EY experience in helping clients with ambitious digital transformation and business transformation goals will also be a great enabler in helping manufacturers navigate the cybersecurity aspect with certainty.

EY teams can help autonomous truck manufacturing companies identify secure environments for truck development, help them run automated testing and ensure security monitoring of the operating environment, the development process and the vehicles themselves.

EY teams can support manufacturers in using threat intelligence to identify new zero-day threats and vulnerabilities that may exist in these autonomous vehicles and help ensure that those are removed before they impact critical operations.

 To build better defences against evolving cyber threats, autonomous truck manufacturers need to break silos and echo chambers. Independent outside parties can help companies expand knowledge bases, build stronger capabilities and identify blind spots in security and risk management programs.