FBI questions for ELD product assessment

On July 21, 2020, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification (PIN) on the security of electronic logging devices (ELDs). The document, titled “Electronic Logging Device Cybersecurity and Best Practices,” outlines key information on ELDs and cyber risk, as well as advice on managing risk.

The FBI is concerned that cyber criminals could exploit vulnerabilities in ELDs. Companies choosing an ELD can mitigate their cyber risk by following best practices and asking specific questions of the supplier.

As a leader in the field of cyber security, Verizon is committed to the safety and security of our customers and their assets.

Is the communication between the engine and the ELD enforced?

Verizon strictly controls the communication between the engine and the telematics device. Only commands authorized by our secure server can be sent to the engine controller.

Were technical standards or best practices followed in the device’s development?

Yes. Verizon device development follows both technical standards and industry best practices, including CMMI3 and ISO 9001. Application development requires all code to be peer reviewed and subjected to static code analysis. Change approval processes are followed before code is deployed for customer use.

Does the component protect confidentiality and integrity of communications?

Yes. Confidentiality and integrity of communications are maintained using authentication and encryption. Communication between the mobile and server-side components is secured via HTTPS and TLS.

Has the component had penetration tests performed on it?

Penetration tests are regularly performed for select devices internally and validated by a third-party vendor.

Does the device have secure boot?

Verizon Connect uses a variety of methods to confirm the devices are securely executing authorized software from trusted sources. These methods include secure boot, firmware encryption and digital signature validation.

Does the device ship with debug mode enabled?

Debug mode is a user interface that allows the user to view and/or manipulate the program's internal state for the purpose of debugging. Verizon telematics devices do not ship with debug mode enabled, which limits the ability of cyber criminals to access the operation of the device. Debug mode can only be enabled by Verizon Connect on selected devices for remote service and maintenance.

Cyber security professionals are invited to download the Verizon Data Breach Investigations Report, now in its 13th year. https://enterprise.verizon.com/en-us/resources/reports/dbir/
