Risk Analysis Approach: Experience
The contributors to this RP collectively have a broad knowledge of electronic driver log systems that are currently implemented among U.S. motor carriers. TMC expects that users of this RP will have in-depth understanding of the characteristics of their system as well as the security controls that are currently applied.
ASSETS SUMMARY
| Asset | Definition | Asset Type |
|---|---|---|
| Vehicle System | The system includes components for the mobile computing device, vehicle data interfaces, and peripheral devices. Residing application software and integrated data storage are included as part of the asset. | |
| Driver Log | Driver records of duty status and supporting documents as required to verify HOS compliance. | |
| Support System | Host computing environment and/or services to manage carrier log records and support carrier and support functions for electronic driver log systems. System enables management of driver log records in synchronization with vehicle systems. System provides driver log compliance review, log record corrections, violation intervention processing, and system audit reviews. | |
| Carrier Log Records | Carrier records for driver logs including active logs (current and prior 7 days) as available, and log archives (6 months), plus supporting documents and information from log reviews. | |
| System Security Controls | Driver and user ID records, hardware authentication records, network access authentication records, access controls per system functions and data stores, encryption keys, and others. | |
| Vehicle System Installation and Field Support Services | Installation and provisioning services for vehicle system hardware and verification of its readiness. Field support of vehicle system hardware and software, including over-the-air updates for software and security controls. | |
| Wireless Network Services | Wireless network for data transfer between vehicle and support systems. Services may also include "Cloud-based" services for vehicle and support system applications, including network management services for data transfers over wireless networks between vehicle and support systems, and Internet or wired network for data transfers among other entities. | |
| Data Transfer Media/Device | Data device used for data transfer between vehicle and support systems. | |
| Enforcement Inspection Access to Vehicle System | Information access for accurate and efficient review of driver log records as part of driver inspection. | |
| Compliance Investigation Access to Support System | Information access for accurate and efficient review of carrier log records as part of a compliance investigation. | |
SUMMARY OF KEY STAKEHOLDERS
| Stakeholder | Role |
|---|---|
| Driver | Primary user of vehicle system for electronic driver logs and responsible for HOS compliance with an accurate and current driver log. |
| Carrier management staff | Primary user of support system for electronic driver logs. Also accountable for compliance performance of drivers. |
| Field support and technical services staff | Carrier or service provider responsible for system management functions, including provisioning, system updates and repairs, system exceptions management and performance monitoring. |
| Security management staff | Carrier or service provider responsible for managing driver and support system user IDs, access controls, and security and authentication credentials distribution. System exceptions monitoring also may be part of the role. |
| HOS management staff | Carrier or service provider responsible for monitoring driver compliance and system exceptions that may limit the accuracy or integrity of the driver log data. |
| ELD provider | Manufactures, sells and supports ELD devices that are self-certified and registered with the FMCSA as meeting the functional specifications outlined in Appendix A of Subpart B of CFR 395. |
| Customer service staff for system and network operations | Service provider and/or carrier technical staff responsible for monitoring system operating performance, resolving system & network issues, and ensuring backup and recovery capabilities are effective. |
| Inspectors | Roadside enforcement agents with authority for driver and vehicle safety inspections. |
| Investigators | Motor carrier enforcement agents with authority for comprehensive compliance and safety reviews with carrier operations. |
| Vehicle maintenance staff | Carrier or service provider responsible for vehicle mechanical and electrical repairs including vehicle sensors and ECM interfaces. |
| Certification management entity (CME) | Government or commercial entity responsible for security certificate management as part of public key infrastructure (PKI). If encryption keys are to be managed for data exchanges among multiple entities, the CME must be a trusted third party. Also responsible for monitoring and maintenance of the FMCSA's Electronic Records of Duty Status (eRODS) system. |
| Vehicle and Vehicle Component OEMs | Responsible for vehicle operational support. Potentially provides solutions following a security incident with vehicle impact through software updates, recommendations on third-party device installation, and incident response. |