RP 1225A - General Guidelines For Security Risk Analysis Of Electronic Driver Log Systems: Introduction: Background
Electronic driver log systems are subject to the performance requirements in CFR 395. 15 - Automatic On-Board Recording Devices (AOBRDs), and CFR 395 - Subpart B - Electronic Logging Devices (ELDS). While the rules for AOBRDs did not provide a detailed standard for system security controls, the ELD rules include specific anti-tampering measures and system security controls in Appendix A to Subpart B of CFR 395-Functional Specifications for All Electronic Logging Devices (ELDs).
Most electronic driver log systems that have been implemented to date have been a key component of a larger compliance and safety management program by the carrier. The driver log features are often included as an application with a mobile system also providing fleet management system capabilities. As a result, most systems have tended to work very well with limited incidents.
There are some carriers and drivers in the industry that are opposed to the use of electronic logs. They often make claims about the security vulnerabilities of these systems, with issues such as:
- The system cannot ensure accurate driver entries for non-driving duty statuses.
- Carriers will make edits to falsify logs to cover up and/or encourage drivers to exceed driving limits.
- Drivers can manipulate the device and interface to vehicle electronic control module (ECM) to prevent recording of driving, or simply hide or not use the device.
These are, in fact, among the security risks identified in this RP. Historically, commercial vehicles have not been designed with connected ELDs in mind, and onboard electronic control units (ECUs) werev not designed to defend against security intrusions.
However, with appropriate security considerations such as those outlined in this RP, security concerns (including those listed above) can be addressed. Security controls can be put in place, and carriers can continue employing the business improvements provided by ELDs without being exposed to unacceptable levels of security risk. The ELD functional specifications, support systems' detailed data archives, and exceptions reporting provides carriers and enforcement with robust measures to address such threat behaviors.
There are several security risks to be considered, some of which are very technical and existing from other sources. The variations in systems in terms of services ecosystem and technology architecture may add somewhat to the threats to be considered. These variations, however, will most likely affect how security controls are implemented.