
The Next Big Cybersecurity Target Is Rolling Down the Highway at 65 MPH

In October 2022, a cybersecurity researcher demonstrated that he could remotely access the braking and steering systems of a heavy-duty commercial truck through an unpatched vulnerability in its telematics gateway. He didn’t need physical access to the vehicle. He didn’t need specialized hardware. He needed a laptop and a cellular connection.

The vulnerability was reported and patched. But the demonstration exposed a truth that the cybersecurity community is only beginning to fully appreciate: the 3.5 million heavy-duty commercial trucks operating on American highways are becoming some of the most connected—and least protected—computing platforms in the world.

A Rolling Network Nobody Is Defending

A modern Class 8 truck is not a mechanical machine with a few electronics bolted on. It’s a mobile computing network. A single vehicle contains dozens of electronic control modules (ECMs) communicating across internal CAN bus networks using the SAE J1939 protocol. These modules manage engine performance, transmission shifting, braking systems, exhaust aftertreatment, tire pressure monitoring, and instrument clusters. Each one is a potential entry point.

Layered on top of this internal network is an expanding ecosystem of connected devices: telematics gateways transmitting data over cellular networks, electronic logging devices (ELDs) mandated by federal law, GPS tracking units, Wi-Fi hotspots for drivers, Bluetooth-connected diagnostic tools, and increasingly, over-the-air (OTA) update systems that can push firmware changes to ECMs remotely.

In enterprise IT, a network with this many endpoints, protocols, and external connections would be monitored by a security operations center, protected by firewalls and intrusion detection systems, and subject to regular penetration testing. In commercial trucking, the cybersecurity posture at most fleet operations is effectively nonexistent.

The ELD Mandate Created Millions of Attack Surfaces

In 2017, the Federal Motor Carrier Safety Administration mandated that virtually all commercial motor vehicles use electronic logging devices to track driver hours of service. The regulation was designed to improve safety by preventing fatigued driving. It also had an unintended consequence: it forced millions of trucks to install internet-connected devices that interface directly with the vehicle’s engine control module.

Researchers at the University of Michigan’s Transportation Research Institute have demonstrated that compromised ELDs can be used to inject malicious CAN bus messages into a truck’s internal network. In controlled experiments, they showed it was possible to manipulate engine parameters, trigger false fault codes, and in some cases, force the vehicle into a derated mode—effectively crippling its performance on a live highway.

The ELD market is fragmented, with hundreds of manufacturers competing largely on price. Many of these devices run outdated firmware, lack encrypted communications, use default credentials, and receive no regular security patches. Unlike the consumer smartphone market, where Apple and Google enforce baseline security standards across their ecosystems, the ELD market has no equivalent gatekeeper. FMCSA’s certification requirements focus on hours-of-service recording accuracy, not cybersecurity resilience.

Why Trucking Is Uniquely Vulnerable

Several characteristics of the commercial trucking industry make it a particularly attractive target for threat actors—and a particularly difficult environment to secure.

First, the attack surface is enormous and distributed. Unlike a data center or a factory floor, a fleet’s connected assets are spread across thousands of miles of highway, operating in unpredictable environments with intermittent connectivity. Traditional perimeter-based security models don’t translate to assets that are physically dispersed and constantly in motion.

Second, the industry’s technology adoption has dramatically outpaced its security maturity. Fleet operators now rely on sophisticated engine diagnostics software platforms that connect to vehicle ECMs via standardized interfaces, cloud-based fleet management systems processing sensitive operational data, and telematics platforms streaming real-time vehicle telemetry. Each layer introduces connectivity—and each connection is a potential vulnerability. Many of these platforms were designed for functionality and speed-to-market, not security hardening.

Third, the workforce gap compounds the problem. The trucking industry is facing a severe technician shortage—ATRI research shows 65.5 percent of diesel shops are understaffed. When shops can’t find enough technicians to perform basic maintenance, cybersecurity hygiene falls to the bottom of the priority list. Most fleet IT staff, where they exist at all, focus on back-office systems rather than vehicle network security.

The Threat Scenarios That Keep Security Researchers Awake

The most frequently discussed threat vector is ransomware targeting fleet management systems. In 2021, a ransomware attack on Colonial Pipeline disrupted fuel supplies across the southeastern United States for nearly a week. A similar attack on a major fleet’s dispatch, routing, or telematics platform could immobilize thousands of trucks simultaneously—with cascading effects across supply chains that depend on just-in-time delivery.

But the scenarios that concern vehicle security researchers most involve direct manipulation of onboard systems. Injecting false fault codes to trigger unnecessary engine derating could strand trucks at scale. Manipulating GPS data could misdirect loads of high-value freight. And in the most alarming scenarios, compromised braking or steering systems could create immediate safety hazards on public roads.

There’s also the data theft dimension. Fleet telematics systems continuously collect and transmit sensitive information: vehicle locations, delivery schedules, customer addresses, driver personally identifiable information, and financial data related to fuel purchases and toll payments. For a sophisticated threat actor, this data has both intelligence value and monetization potential.

What the Industry Is Doing (and What It’s Not)

Awareness is growing, but slowly. The National Motor Freight Traffic Association (NMFTA) has been one of the most vocal advocates for trucking cybersecurity, publishing vulnerability disclosures and hosting annual cybersecurity conferences focused on transportation. SAE International has developed J3061, a cybersecurity guidebook for vehicle systems, though adoption in the heavy-duty sector remains limited compared to passenger vehicles.

On the fleet operations side, the most security-conscious operators are beginning to segment their vehicle networks, require encrypted communications from telematics vendors, and evaluate the security posture of third-party fleet management apps and software platforms before deployment. But these operators represent a small minority. For the vast majority of fleets—particularly the small operators that make up over 90 percent of the industry—cybersecurity remains an afterthought at best.
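A sketch of what segmenting the vehicle network can mean in practice, added here as an example and not taken from the article or any vendor: a default-deny gateway between the ELD/telematics segment and the J1939 vehicle bus that forwards only Request frames for read-only parameter groups. The PGN allowlist and the sample frames are constructed assumptions.

```python
# Added illustration: decode a 29-bit J1939 identifier and apply a
# default-deny policy to frames arriving from the ELD/telematics segment.
# The allowlist below is an assumed policy, not a vendor configuration.

REQUEST_PGN = 0xEA00  # 59904: J1939 Request (asks an ECM to report a PGN)
READ_ONLY_PGNS = {
    0xF004,  # 61444 EEC1 (engine speed)
    0xFEF1,  # 65265 CCVS (vehicle speed)
    0xFEE5,  # 65253 engine hours
    0xFECA,  # 65226 DM1 (active fault codes)
}

def decode_id(can_id):
    """Split a 29-bit J1939 identifier into priority, PGN, destination, source."""
    if not 0 <= can_id < (1 << 29):
        raise ValueError("not a 29-bit identifier")
    priority = (can_id >> 26) & 0x7
    dp_bits = (can_id >> 24) & 0x3   # extended data page + data page
    pf = (can_id >> 16) & 0xFF       # PDU format
    ps = (can_id >> 8) & 0xFF        # PDU specific
    src = can_id & 0xFF
    if pf < 240:                     # PDU1: PS is a destination address
        pgn, dest = (dp_bits << 16) | (pf << 8), ps
    else:                            # PDU2: broadcast, PS is part of the PGN
        pgn, dest = (dp_bits << 16) | (pf << 8) | ps, 0xFF
    return {"priority": priority, "pgn": pgn, "dest": dest, "src": src}

def gateway_allows(can_id, data):
    """Return True only for a well-formed Request naming an allowlisted PGN."""
    try:
        frame = decode_id(can_id)
    except ValueError:
        return False
    if frame["pgn"] != REQUEST_PGN or len(data) != 3:
        return False                 # control and proprietary PGNs never pass
    requested = int.from_bytes(data, "little")  # PGN is sent LSB first
    return requested in READ_ONLY_PGNS

# Constructed sample frames as seen on the ELD side of the gateway.
SAMPLES = [
    (0x18EA00F9, bytes([0xE5, 0xFE, 0x00])),  # request engine hours
    (0x0C0000F9, bytes(8)),                   # TSC1 torque/speed control
    (0x18EA00F9, bytes([0xDA, 0xFE, 0x00])),  # request for a PGN not listed
]

if __name__ == "__main__":
    for can_id, data in SAMPLES:
        verdict = "forward" if gateway_allows(can_id, data) else "drop"
        print(f"{can_id:08X} {data.hex()} -> {verdict}")
```

Dropped frames are worth logging as well as blocking, since a control PGN arriving from a logging device is a strong signal that the device has been tampered with.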

The regulatory landscape is similarly underdeveloped. While NHTSA has issued voluntary guidance on vehicle cybersecurity, there is no federal regulation requiring cybersecurity standards for commercial vehicle electronics or connected fleet systems. The ELD mandate requires functional compliance but imposes no security requirements on the devices themselves.

The Clock Is Ticking

The commercial trucking industry is repeating a pattern that cybersecurity professionals have watched unfold in sector after sector: rapid digital transformation followed by a painful reckoning when threat actors inevitably exploit the gaps that were overlooked in the rush to connect everything. Healthcare learned this lesson. Critical infrastructure learned it. Manufacturing is learning it now.

Trucking is next—and the stakes are uniquely high. These aren’t servers sitting in a climate-controlled room. They’re 80,000-pound vehicles sharing the road with families. The convergence of mandatory connectivity, fragmented device ecosystems, a severe workforce shortage, and virtually no regulatory cybersecurity framework creates a risk profile that should concern everyone—not just the industry itself.

The question isn’t whether a major cybersecurity incident will hit commercial trucking. The question is whether the industry will have done enough to mitigate the damage when it does.

About the Author

Michael Nielsen is the Editor and Publisher of Heavy Duty Journal, a trade publication providing diesel technicians, fleet managers, and owner-operators with free technical resources, diagnostic tools, and data-driven industry insights. With over 15 years of hands-on experience in commercial vehicle repair and fleet operations, Michael covers the intersection of technology, maintenance, and workforce development in the heavy-duty trucking industry.