Nestled within the Transportation Systems Sector, one of the 16 critical infrastructure sectors of the United States that CISA considers integral to national security, economic security, public health, or safety, are the “Highway and Motor Carrier” and “Maritime Transportation System” sub-sectors.
The Highway and Motor Carrier sub-sector consists of more than 4 million miles of roadway, more than 600,000 bridges, and more than 350 tunnels.[1] Further, it includes all of the traffic management systems, vehicle and driver licensing, trucks, school buses, and other commercial vehicles. The trucking industry in the US transports nearly 72% of freight, often acting as the final mile in supply chains for almost every major industry.
Also, according to CISA, the Maritime Transportation System sub-sector is made up of around 95,000 miles of coastline, 361 ports, 25,000 miles of canals and waterways, and intermodal connections to move freight and people back and forth from land to water. When taken from a macro point of view, it is not hard to understand why the maritime sector accounts for 90% of global trade by volume.
Taken together, the Highway Motor Carrier and Maritime transportation systems sub-sectors encompass most of what it takes to deliver goods where they are needed. Aside from rail, air, and pipelines, this is the supply chain, and without trucks most goods aren’t making that final mile. The continued smooth and efficient operation of these sub-sectors working together is the platform that enables effective supply chains and just-in-time inventory for manufacturing, retail, and even the consumer. Congestion at the ports, trucking delays, or cyberattacks on logistics systems can create a domino effect across supply chains, compounding damage and increasing response time and cost while degrading response capabilities. Ultimately global trade is affected: ships wait at sea and trucks wait at intermodal yards.
Modernization and digital transformation are a matter of course for these sub-sectors if they are to keep serving a growing population. Automated port operations, smart fleet management, self-driving trucks and freight solutions, GPS-integrated navigation, digital logistics platforms, traffic management systems, and barge controls all advance our ability to deliver efficiently, and they bring cyber threats along for the ride. Unlike the scenario that follows, these threats are not fiction; they are being exploited now, with real consequences.
Operation Phantom Detour – A Fictional Scenario
This is a fictional account of a cyberattack and coordinated logistics heist based on a real event. A cyber kill chain walkthrough of the scenario follows.
It is late October 2026. The 23rd, to be more precise. In the Midwest, it’s wet, rainy with a chill in the air, and the late-season freight is ramping up for the coming holidays. Amongst the trucks moving along I-94 into Chicago are several that have been identified as high value, with one carrying semiconductor wafers, another defense-grade processors, and a third drums of the pharma precursor Ephedrine.
This stretch of highway is normally one of the most congested in the country, so delays are common. At precisely 3:23 p.m., a temporary traffic sensor on a roadside barrier quietly reboots. It is now running new firmware, and not the manufacturer’s. The attackers had exploited a known vulnerability in the sensor a few weeks earlier and used it as their way into the traffic management system (TMS). Now they were ready to start.
The plan of attack wasn’t just to steal; it was to control everything that moves in order to trap their prey in gridlock while giving the intercept teams an entrance and an exit.
Digital signage displayed messages rerouting freight carriers onto alternate local and arterial roads. The traffic lights for four blocks were operating strategically to bring traffic to a stop in all directions at key intersections.
Figure: Overall TMS architecture presenting the major entities that compose it. Source: Traffic management systems: A classification, review, challenges, and future perspectives.
In the chaos, three trucks are stopped at three intersections within a mile of each other, each within a block of the highway. Blocked in by temporary lane closures, contradictory signage, and snarled cross-traffic from a red light two blocks away, they were right where they were supposed to be.
Within moments, from the cross-traffic at the intersections, physical intercept crews arrive at the trucks driving marked vehicles from known subcontractors. They are wearing the right vests, carrying the right clipboards, their badges scan, and their forged manifests sync with the driver’s dispatch app.
One weary and nervous driver radios in: “Unexpected route change with delay. Some transfer agents are onsite for local handoff.”
The dispatcher hesitates and pulls up the portal. “Why is the driver calling in when they appear to be at the warehouse?” he thinks to himself. What the dispatcher thought they heard was, “Unexpected route change with the day. On-site for local handoff.”
The delivery code matches and has approval. Everything looks legit. He blinks and responds, “acknowledged.”
The cross-traffic snarl releases, and the subcontractors are gone. There was no forced entry, no alarms, no pursuit, and no violence required. Just three clean handoffs enabled by digital sleight of hand.
Operation Phantom Detour Cyber Kill Chain Walkthrough
- Reconnaissance
The attackers used exposed APIs on a regional carrier’s logistics platform to map freight schedules. They also identified a model of roadside sensor that was vulnerable and, once compromised, could be used as a stepping stone into the Traffic Management System.
Friday the 23rd is selected as the optimal day as there are overlapping inbound deliveries of high-value and highly desired products.
- Weaponization and Delivery
A malicious firmware image is built to exploit the traffic sensor’s remote code execution (RCE) flaw. It is delivered through an exposed manufacturer VPN maintenance tunnel using leaked credentials that are reused across devices. The payload includes C2 beacons masked as telemetry and custom PowerShell scripts to enable lateral movement.
- Exploit and Installation
After deployment, the malware moves from the sensor into the central servers of the infrastructure-based TMS. Once there, it installs access tools to maintain persistence and schedules the traffic disruptions that played out in the scenario. Traffic message boards, lights, and congestion avoidance systems are now under the control of the attackers.
- Command and Control
Remote access is maintained by the attackers using a TLS-wrapped beacon that is disguised as normal traffic monitoring logs being sent to cloud storage. Commands are issued using custom JSON packets that blend with legitimate traffic.
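A beacon that hides as periodic “log uploads” still leaves a signature in egress logs: connections on a fixed timer with near-identical sizes. The following is an added example (not code from the original article) of a detection that scores each source/destination pair on how regular its inter-arrival times and payload sizes are. The log format (`<epoch_seconds> <src_ip> <dst_host> <bytes_out>`), the hosts, IPs and timestamps are all constructed for the demonstration, and the thresholds are assumptions to tune against your own baseline.

```python
"""Periodic-beacon detection over egress (proxy) logs.

Added example, not code from the original article. It assumes a simple
constructed log format, one record per line:
    <epoch_seconds> <src_ip> <dst_host> <bytes_out>
All hosts, IPs and timestamps below are made up for the demonstration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.20.5.17 talks to a "log archive" bucket every ~300 s
# with near-identical payload sizes (a beacon hiding as telemetry upload),
# while 10.20.7.44 shows irregular, human-driven traffic to a news CDN.
SAMPLE_LOG = """\
1761253200 10.20.5.17 telemetry-archive.example-cloud.net 412
1761253499 10.20.5.17 telemetry-archive.example-cloud.net 415
1761253801 10.20.5.17 telemetry-archive.example-cloud.net 410
1761254101 10.20.5.17 telemetry-archive.example-cloud.net 412
1761254399 10.20.5.17 telemetry-archive.example-cloud.net 414
1761254700 10.20.5.17 telemetry-archive.example-cloud.net 411
1761255000 10.20.5.17 telemetry-archive.example-cloud.net 413
1761255303 10.20.5.17 telemetry-archive.example-cloud.net 412
1761253210 10.20.7.44 cdn.example-news.com 1530
1761253215 10.20.7.44 cdn.example-news.com 22010
1761253410 10.20.7.44 cdn.example-news.com 980
1761254900 10.20.7.44 cdn.example-news.com 44120
1761254903 10.20.7.44 cdn.example-news.com 310
1761255600 10.20.7.44 cdn.example-news.com 7600
1761256100 10.20.7.44 cdn.example-news.com 12880
"""


def parse_log(text):
    """Group records by (src_ip, dst_host) -> list of (timestamp, bytes_out)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((int(ts), int(nbytes)))
    return flows


def coefficient_of_variation(values):
    """pstdev / mean; a low value means the series is nearly constant."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(flows, min_events=6, max_interval_cv=0.05, max_size_cv=0.20):
    """Flag flows whose inter-arrival times and sizes are both nearly constant.

    A C2 beacon on a fixed timer produces low jitter between connections and
    small, similar-sized check-ins; bursty human traffic does not.
    """
    findings = []
    for (src, dst), records in flows.items():
        if len(records) < min_events:
            continue
        records.sort()
        timestamps = [t for t, _ in records]
        sizes = [b for _, b in records]
        intervals = [b - a for a, b in zip(timestamps, timestamps[1:])]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "events": len(records),
                "period_s": round(mean(intervals), 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"every ~{hit['period_s']}s over {hit['events']} events")
```

Two caveats a practitioner should keep in mind. First, genuine log-shipping and monitoring agents are also periodic, so every hit needs to be checked against an allowlist of approved agents and destinations; a periodic flow from a roadside controller to a cloud bucket nobody approved is the finding. Second, a beacon that randomizes its sleep widely will push the interval CV above the threshold, so pair this with destination reputation and per-host volume baselines rather than relying on periodicity alone.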
- Actions on Objectives
On Friday, October 23rd, at 3:23 p.m., while a storm advisory keeps local attention on weather-related risks:
- Dynamic traffic message and logistics systems, taking direction from traffic management signals, redirect commercial carrier routes onto alternate side roads.
- Traffic lights at key points off the highway and along local arteries are programmed to cause congestion and bottlenecks at specific intersections, giving the attackers the window they need for the handoff.
While traffic is stalled:
- Three trucks are physically compromised by organized teams impersonating subcontracted warehouse workers.
- Digital bill-of-lading modifications and GPS spoofing confuse dispatchers, enabling the handoff and delaying any alarm or escalation. As far as the carrier’s dispatch portal was concerned, the shipment was delivered at the warehouse.
In about 32 minutes, the attackers obtain:
- More than $5 million in processors
- About $3 million in Ephedrine
- Approximately $4 million in semiconductors
Impact and Fallout
- Loss of Freight Cargo: $12 million of controlled substances and computer hardware on the black market.
- Traffic Delays: More than 8,000 vehicles were affected, with a total of 4 hours of residual traffic disruption.
- Insurance: Four insurance carriers reassess cargo coverage across zones, increasing cost in the area.
Recovery and Lessons Learned
- Network segmentation between IT and OT systems did not exist, allowing for easy compromise of the central servers for the Traffic Management System.
- Backups are key to system recovery, enabling roll-back to a time before compromise.
- Automatic firmware updates pushed from vendors were disabled, and third-party risk, asset management, and asset tracking programs were instituted so that every device is accounted for and its state is known and maintained.
What are the Top Cyber Threats to the Highway Motor Carrier and Maritime Transportation Systems Sub-sectors?
Ransomware
- Expeditors International (2022) – The company shut down operational systems and continued operating with limited ability to do so. According to CEO Jeffrey Musser, “All of our products suffered as a result of the cyber-attack, particularly during the first three weeks after the attack, as we quickly adjusted to a new and unfamiliar operating environment in which our core systems were taken offline to protect our network.”[2]
- Port of Seattle (2024) – A ransomware attack in August caused an IT outage that disrupted multiple services and systems, including reservation check-in systems, passenger display boards, and the Port of Seattle website, and delayed flights at Seattle-Tacoma International Airport. The information of about 90,000 people was compromised and released on the dark web.[3]
Impact: Customer data loss, $60 million in remediation, system shutdown, major operation disruption
Methods: Unpatched software vulnerabilities, phishing, and compromised credentials.
Supply Chain and Third-party Vendor Compromise
- Maersk, NotPetya (2017) – a software update from an accounting software services provider caused a cascade of failures across Ukraine and Europe, shut down Maersk operations, and crippled ports.[4] The cost to Maersk alone was reportedly over $300 million.
- DNV ShipManager (2023) – a ransomware attack on DNV, the provider of the ShipManager software, impacted 1,000 ships at sea. DNV was forced to shut down the servers supporting the system and stated that users could still use the on-board, offline functionality.[5]
Impact: Massive economic losses, cascading disruptions, unreliable logistics data, long recovery times, and heightened awareness of software supply chain risk.
Methods: Exploited software supply chain, trusted updates from vendor, weak supplier cybersecurity controls.
GPS Spoofing and Navigation Systems Attacks
- Iran GPS Spoofing Incident (2019) – The Royal Navy’s maritime security reporting apparatus received several reports of GPS jamming in the Strait of Hormuz. The incident was connected to Iranian electronic warfare outposts on Abu Musa Island.[6] Ships were directed off course by false signals.
- Tequila Truck Hijacking (2024) – Two truckloads of premium tequila were hijacked, wiping out the brand’s special blend, which had taken 39 months to bottle. Estimated losses were over a million dollars. “It wasn’t until the distributors called and reported that the trucks never arrived that we knew something was up.”[7]
Impact: Economic loss, loss of asset visibility, increased vulnerability to theft or compromise, safety hazards, and navigational risks increase.
Methods: GPS emulation to spoof tracking software, GNSS signal jamming, and compromise of unencrypted satellite communications.
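The common thread between the spoofing cases above and the fictional scenario, where the dispatcher’s portal showed a truck “at the warehouse” while it sat at a red light a mile from the highway, is that a single position feed was trusted without a plausibility check. The following is an added example (not code from the original article) of two such checks on a vehicle track: the implied speed between consecutive fixes, and whether an “arrival” inside the destination geofence was preceded by a genuine approach. The coordinates, reporting intervals, warehouse geofence, and the speed and approach thresholds are all constructed or assumed for the demonstration.

```python
"""Plausibility checks for vehicle GPS tracking data.

Added example, not code from the original article. Coordinates, timings and
the warehouse geofence are constructed for the demonstration; the speed and
approach thresholds are illustrative assumptions, not industry constants.
"""
import math

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS-84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def validate_track(track, geofence, max_speed_kmh=150.0, approach_km=3.0):
    """Return anomalies found in a sequence of (epoch_s, lat, lon) fixes.

    Two checks a spoofed "delivered at the warehouse" position fails:
      impossible_speed  - the implied speed between consecutive fixes exceeds
                          what a truck can do
      teleport_arrival  - the first fix inside the destination geofence is
                          preceded by a fix that was nowhere near it, i.e. the
                          truck did not approach, it simply appeared there
    geofence is (lat, lon, radius_km). Each anomaly is (type, epoch_s, value).
    """
    g_lat, g_lon, g_radius = geofence
    anomalies = []
    for prev, cur in zip(track, track[1:]):
        dist_km = haversine_km(prev[1], prev[2], cur[1], cur[2])
        dt_h = (cur[0] - prev[0]) / 3600.0
        if dt_h <= 0:
            anomalies.append(("bad_timestamp", cur[0], 0.0))
            continue
        speed = dist_km / dt_h
        if speed > max_speed_kmh:
            anomalies.append(("impossible_speed", cur[0], round(speed, 1)))
        cur_inside = haversine_km(cur[1], cur[2], g_lat, g_lon) <= g_radius
        prev_to_fence = haversine_km(prev[1], prev[2], g_lat, g_lon)
        if cur_inside and prev_to_fence > approach_km:
            anomalies.append(("teleport_arrival", cur[0], round(prev_to_fence, 1)))
    return anomalies


# Constructed warehouse geofence: centre lat/lon and a 300 m radius.
WAREHOUSE = (41.8200, -87.6300, 0.3)

# Constructed: a truck creeping along in traffic, then its feed "arrives" at
# the warehouse roughly 10 km away within one 60-second reporting interval.
SPOOFED_TRACK = [
    (0, 41.9000, -87.7200),
    (60, 41.8960, -87.7150),
    (120, 41.8920, -87.7100),
    (180, 41.8880, -87.7050),
    (240, 41.8200, -87.6300),
]

# Constructed: a genuine arrival, closing on the warehouse at city speed.
GENUINE_TRACK = [
    (0, 41.8500, -87.6600),
    (120, 41.8400, -87.6500),
    (240, 41.8300, -87.6400),
    (360, 41.8210, -87.6310),
]

if __name__ == "__main__":
    for name, track in (("spoofed", SPOOFED_TRACK), ("genuine", GENUINE_TRACK)):
        print(name, validate_track(track, WAREHOUSE) or "no anomalies")
```

These checks catch crude emulation, which is what most off-the-shelf GPS spoofing tools produce; a careful adversary will drive a plausible synthetic track instead. That is why the dispatcher in the scenario should not have relied on the portal alone: a second, independent signal (the ELD odometer, the driver on a known phone number, a cell-tower fix from the telematics unit) is what turns a plausibility alert into a decision to hold the delivery code.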
Web Application and Logistics Platform Attacks
- Port of Los Angeles Stops Cyber Threats (2023) – The Port of Los Angeles reported stopping over 750 million cyber-intrusion attempts in 2023, demonstrating the threat volume the sub-sector is managing.[8]
- CDK Global (2024) – CDK Global was forced to shut down digital operations across North America due to a cyberattack. The dealer management software outage caused more than 15,000 dealerships across North America to fall back on manual workarounds to service appointments and process vehicle sales.[9]
Impact: Successful attack on logistics platforms leads to widespread supply chain disruptions, potentially compromised shipment data, disclosure of customer information, and delayed cargo movements.
Methods: Leveraging web application attacks, including SQL injections, and exploiting open vulnerabilities, unpatched servers, and stolen credentials.
Insider Threats and Credential Abuse
- Cyber Cargo Theft – insiders sell their credentials to access systems that provide shipping information so criminals can conduct fictitious pickups and alter the bill of lading.
- Motor Carrier Fraud – criminals buy motor carrier numbers and credentials to bid on shipments and steal them.
Impact: Verisk CargoNet reports record-breaking cargo theft across the U.S. and Canada, with traditional cargo theft and cyber-enabled theft combined totaling an estimated $455,000,000 in 2024 (source: Verisk CargoNet).[10]
Methods: Credential theft or purchase, insider cooperation, purchasing legacy Motor Carrier numbers and credentials from retiring companies.
Regulatory and Industry Response
As awareness of the threat has grown, the Transportation Sector has responded by adopting cybersecurity frameworks and regulations that enable and enforce programmatic security measures. These include ISO 27001, the NIST Cybersecurity Framework (CSF) and the NIST RMF, IMO Maritime Cyber Risk Management guidance, and published FMCSA cybersecurity recommendations.
- ISO 27001: An internationally recognized standard providing companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining, and continually improving an information security management system.[11]
- NIST Cybersecurity Framework (CSF): The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks.[12]
- International Maritime Organization (IMO) Maritime Cyber Risk Management: The IMO issued guidelines MSC-FAL.1/Circ.3/Rev.2 on maritime cyber risk management, containing high-level recommendations that can be incorporated into existing risk management processes. The Maritime Safety Committee also adopted Resolution MSC.428(98), which encourages Administrations to ensure that cyber risks are appropriately addressed in existing safety management systems.[13]
- The Federal Motor Carrier Safety Administration (FMCSA) Cybersecurity Recommendations: The FMCSA researches and provides targeted recommendations for specific challenges to motor carriers. Examples include “Cybersecurity Assessment and Best Practices for Truck Stop Technologies” and “Cybersecurity Best Practices for Integration/Retrofit of Telematics and Aftermarket Electronic Systems into Heavy Vehicles.”
How do Zero Trust and OT Segmentation help Safeguard against Cyber Threats?
OT segmentation and Zero Trust adoption are critical to meet the requirements set by the regulatory bodies and standards frameworks. Appropriate network segmentation would likely have thwarted our earlier fictional heist scenario.
- Zero Trust is an architecture and a philosophy built on the premise that perimeter-based security models are no longer sufficient. Per NIST Special Publication 800-207, the tenets of zero trust include:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy, including the observable state of client identity, application service, and the requesting asset, and may include other behavioral attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications, and uses it to improve its security posture.[14]
- OT Segmentation: aligned with Zero Trust, OT segmentation can limit the spread of malware throughout the network if compromised. This can be the difference between continued safe operations without impact to customer data and a very bad couple of days or weeks.
Collaboration and Threat Intelligence
The Highway Motor Carrier and Maritime sub-sectors are improving coordination, collaboration, and the sharing of intelligence through:
- Industry-wide Threat Intelligence: Information Sharing and Analysis Centers (ISACs) have been established, and transportation operators are leveraging sector-specific intelligence to defend against threats.
- The Maritime Transportation System ISAC (MTS-ISAC) serves as a centralized point of coordination to share timely and actionable cyber threat information between trusted stakeholders. Information sharing and analysis efforts focus on sharing information related to information technology (IT), operational technology (OT), and Internet of Things (IoT) systems that stakeholders can use to prevent and/or minimize potential cyber incidents.[15]
- The Surface Transportation ISAC (ST-ISAC) provides real-time cyber threat intelligence, expert analysis, and industry-specific alerts. It shares information for carriers, brokers, and logistics providers about threats to fleet operations, load boards, and transportation management systems (the logistics TMS used by carriers and brokers, not to be confused with the roadway traffic management system of the scenario, which shares the acronym).
Through the use of global standards, strategies following programmatic frameworks, and the sharing of threat information, teams can mitigate the risks to operations from cyber attackers and provide for the resilience the industry needs.
Recommended Guidance for Sector Participants
- IT Governance and Risk Management: Implement IT governance to enable the incorporation of cybersecurity and IT-related risk into the organization’s broader enterprise risk management strategy. Leverage integrated cyber risk governance aligned with DoCRA principles and practices to validate and verify the operation of controls cited in frameworks and regulations.
- Assess Existing Cybersecurity Posture: Begin conducting regular security assessments that identify the existence and health of controls in place, and gaps where additional controls are required. Use this opportunity to implement continuous control monitoring and centralized reporting, and a road map to address identified control weaknesses.
- Enhance Ransomware Defenses: Ensure EDR (Endpoint Detection and Response) is deployed, and the SOC has been tested. Simulate attack situations, testing the teams’ responses. Step up defenses with browser security solutions. Ensure patching and vulnerability management processes are functioning. Continuously verify and report the operation of these processes through standard operating metrics. See the CISA ransomware guide for more information.[16]
- Adopt Zero Trust and OT Segmentation: Start by segmenting OT from IT, then implement microsegmentation within each zone. This gives granular control over network flows and prevents lateral movement if attackers gain a foothold on the network or on a device. Deploy Identity Governance and Administration, follow the principle of least privilege, implement MFA, and account for Non-Human Identities.
- Employee Awareness and Training: This cannot be stressed enough. Social engineering is the easiest method of attack, with the lowest cost and the greatest success rate. Continue phishing exercises, but also empower the help desk and anyone with administrative responsibilities to say “no, I need to verify your request” when something isn’t right.
- Implement Regulatory and Industry Standards: Verify your controls align with ISO 27001, NIST CSF 2.0, and IMO guidelines. Leverage the NIST RMF, continuously monitor and report on the relevant operational metrics to evidence the controls in place, and develop roadmaps to address gaps over time.
- Leverage Shared Threat Intelligence: Engage with Information Sharing and Analysis Centers (ISACs) and sector-wide cybersecurity groups to keep in front of evolving threats.
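The Zero Trust tenets listed earlier (per-session access, dynamic policy that weighs identity, device and posture) and the segmentation recommendation above come together in a policy decision point. The following is an added example, not code from the original article and not NIST SP 800-207 reference material, of a default-deny zone policy evaluated per request, run against the flows the fictional Phantom Detour intrusion depended on. Zone names, port numbers, roles, the session lifetime and the change-ticket identifier are illustrative assumptions.

```python
"""Default-deny zone policy with per-session, posture-aware decisions.

Added example, not code from the original article and not NIST SP 800-207
reference material. Zone names, port numbers, roles and the session lifetime
are illustrative assumptions; the requests evaluated at the bottom are the
flows the fictional Phantom Detour intrusion depended on.
"""
from dataclasses import dataclass

# Assumed zones: corporate IT, an admin jump host, the TMS central servers
# (OT supervisory), roadside sensors/controllers (OT field), and the vendor's
# maintenance gateway. Any pair not listed here is denied, so a roadside
# sensor can reach the TMS servers only on the telemetry collector port.
ZONE_POLICY = {
    # (src_zone, dst_zone): allowed destination ports (all port numbers assumed)
    ("ot_supervisory", "ot_field"): {5001},          # controller commands
    ("ot_field", "ot_supervisory"): {5002},          # telemetry to collector only
    ("it_jump_host", "ot_supervisory"): {22, 3389},  # admin access via jump host
    ("vendor_gateway", "ot_field"): {5003},          # firmware maintenance
}
PRIVILEGED_PORTS = {22, 3389, 5003}   # anything that can change device/server state
APPROVED_PRIVILEGED_ROLES = {"tms_operator", "field_tech"}
MAX_SESSION_S = 8 * 3600              # assumed: re-authenticate after 8 hours


@dataclass
class Request:
    src_zone: str
    dst_zone: str
    port: int
    role: str = ""
    mfa: bool = False
    device_managed: bool = False
    posture_ok: bool = False
    session_age_s: int = 0
    change_ticket: str = ""


def authorize(req):
    """Evaluate one access request; returns (allowed, reason).

    Order matters: network policy first (segmentation), then session
    freshness, then identity and device posture for privileged paths.
    """
    allowed_ports = ZONE_POLICY.get((req.src_zone, req.dst_zone))
    if not allowed_ports:
        return False, f"default deny: no policy for {req.src_zone} -> {req.dst_zone}"
    if req.port not in allowed_ports:
        return False, f"port {req.port} not permitted {req.src_zone} -> {req.dst_zone}"
    if req.session_age_s > MAX_SESSION_S:
        return False, "session too old; re-authentication required"
    if req.port in PRIVILEGED_PORTS:
        if not req.mfa:
            return False, "privileged access requires MFA"
        if not (req.device_managed and req.posture_ok):
            return False, "privileged access requires a managed, compliant device"
        if req.role not in APPROVED_PRIVILEGED_ROLES:
            return False, f"role '{req.role}' not approved for privileged OT access"
        if req.src_zone == "vendor_gateway" and not req.change_ticket:
            return False, "vendor maintenance requires an approved change ticket"
    return True, "allowed"


# Constructed requests mirroring the scenario (ticket number is made up).
SCENARIO = {
    # malware on a sensor trying to reach a TMS server's SMB port
    "sensor_to_tms_smb": Request("ot_field", "ot_supervisory", 445),
    # the same sensor sending telemetry: permitted, so it must be monitored
    "sensor_telemetry": Request("ot_field", "ot_supervisory", 5002),
    # firmware push over an exposed VPN that bypasses the maintenance gateway
    "vendor_direct_vpn": Request("vendor_remote", "ot_field", 5003, mfa=True),
    # vendor through the gateway but with a reused password and no MFA
    "vendor_no_mfa": Request("vendor_gateway", "ot_field", 5003, role="field_tech",
                             device_managed=True, posture_ok=True),
    # vendor done properly: MFA, compliant device, change ticket
    "vendor_ok": Request("vendor_gateway", "ot_field", 5003, role="field_tech", mfa=True,
                         device_managed=True, posture_ok=True, change_ticket="CHG-1042"),
    # TMS operator straight from the corporate network (no jump host)
    "operator_direct": Request("it_corporate", "ot_supervisory", 22, role="tms_operator",
                               mfa=True, device_managed=True, posture_ok=True),
    # TMS operator via the jump host
    "operator_jump": Request("it_jump_host", "ot_supervisory", 22, role="tms_operator",
                             mfa=True, device_managed=True, posture_ok=True),
}


def evaluate_scenario():
    """Return {name: allowed} for every constructed request."""
    return {name: authorize(req)[0] for name, req in SCENARIO.items()}


if __name__ == "__main__":
    for name, req in SCENARIO.items():
        ok, why = authorize(req)
        print(f"{name:18s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

Note what the policy does and does not stop. The sensor-to-server lateral movement, the firmware push over the exposed VPN, and the password-only vendor login are all denied, which is the segmentation the Lessons Learned section says was missing. The telemetry channel from the field zone stays open because the TMS needs it, so a beacon disguised as telemetry still flows; segmentation limits blast radius, and monitoring of the permitted channels has to do the rest. In a real deployment this decision logic lives in a gateway, proxy, or SDN controller enforcing the zones, not in application code.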
Next Steps
This guidance is meant to help each organization understand its current security posture and the gaps present in its environment when measured against an accepted standard, and to provide a programmatic means to resolve them, prioritized by risk. The events discussed, the risks realized, and the people affected show that we are all vulnerable, but with a risk-based approach and investment in a cybersecurity strategy that includes integrated cyber risk governance, organizations can protect their infrastructure and their employee and customer information, and provide safe operations for our transportation systems.
For a comprehensive risk-based cybersecurity assessment, contact HALOCK Security Labs to evaluate your organization’s current security posture against the top threats facing the Highway Motor Carrier and Maritime sub-sectors.
About HALOCK Security Labs
HALOCK is a risk management and information security consulting firm providing cybersecurity, regulatory, strategic, and litigation services. HALOCK has pioneered an approach to risk analysis that aligns with regulatory standards for “reasonable” and “appropriate” safeguards and risk, using due care and reasonable person principles. As the principal authors of CIS Risk Assessment Method (RAM) and board members of The Duty of Care Risk Analysis (DoCRA) Council, HALOCK offers unique insight to help organizations define their acceptable level of risk and establish reasonable security.
References
[1] Transportation Systems Sector
[2] Ransomware attack cost Expeditors $60m in remediation, lost business
[3] Port of Seattle says ransomware breach impacts 90,000 people
[4] The Untold Story of NotPetya, the Most Devastating Cyberattack in History
[5] Ransomware attack on maritime software impacts 1,000 ships
[6] Multiple Vessels Report GPS Disruption in Strait of Hormuz
[7] Thieves Hijack Two Truckloads Of Guy Fieri And Sammy Hagar’s Santo Tequila
[8] Port of Los Angeles Stopped Millions of Cyber-Intrusions in 2023
[9] Car dealerships forced to process orders by hand after cyberattacks shut down computer system
[10] Cargo Theft Surges to Record Levels in 2024, Verisk CargoNet Analysis Reveals
[12] The NIST Cybersecurity Framework (CSF) 2.0
[14] NIST Special Publication 800-207
[15] Maritime Transportation System Information Sharing and Analysis Center