The cybersecurity landscape
for our sector

The cybersecurity threats today and the “Call to action”

01

Cybersecurity

The call to action

“There is nowhere to hide”

The equipment rental sector across Europe faces an unprecedented challenge in the threats posed by information technology vulnerabilities and exposures in our business.
The equipment rental sector across Europe faces an unprecedented challenge in the threats posed by information technology vulnerabilities and exposures in our business.

Customers are demanding more and more from us on cybersecurity protection. Our industry is in a process of consolidation for many reasons, but leaders stress that some of these drivers bring added cybersecurity
risks; particular risks arise from smaller companies merging with others to achieve scale, larger companies acquiring smaller ones to enter new markets, to consolidate or win market share. The equipment rental business is embracing “Digitalisation”.

Hybrid working and more online interaction means more cybersecurity threats. Our equipment for rental is becoming more and more intelligent and more of it connected to networks, which can be the conduit for attack.

Today’s cybersecurity threats are a call to action for all equipment rental companies, regardless of size, product or service type or geography.

No organisation is less likely to be a target for attack attempts than another. Everyone needs to play their part.

Equipment rental companies face all the threats that all industry faces, but they also need to deal with factors special to our types of business.

Equipment rental companies, who have experienced a serious incident, feel they have put their business, their reputation and, most importantly, their customers and stakeholders at high risk.
  •  In 2021, ransomware attacks increased by 13%, a jump greater than the past 5 years combined. Verizon
  • Corporate cyber attacks increased by 50% in 2021, when compared with 2020. Cybersecurityintelligence.com
  • The damage related to cybercrime is projected to hit $10.5 trillion annually in 2025, according to Cybersecurity Ventures.
  • Where remote working was a factor in causing a breach, in 2021, the average cost was $4.96 million, that is $1.07 million higher than in breaches where remote work was not a factor. IBM
  • 2021 illustrated how one key supply chain breach can lead to wide ranging consequences, where supply chain was responsible for 62% of System Intrusion incidents. Verizon
  • Cybersecurity Ventures predicts that by 2031 there will be a new ransomware attack every 2 seconds. Cybersecurity Ventures

“You may think you can stay under the radar, but the on-line intruders are smart and geared up with systems to scan for vulnerabilities. There is nowhere to hide – you have to work on the basis that you will be found… sooner or later.”

* Refer to: cybersecurityventures.com – Spending 2021 – 2025

Cybersecurity

The threats facing us today

Cybersecurity threats

Equipment rental companies face all the same challenges as other sectors … but we also have special factors …

CYBERSECURITY THREATS REACH BEYOND OUR IT SYSTEMS. AREAS OF VULNERABILITY THAT ARE SPECIFIC TO OUR TYPE OF OPERATION INCLUDE THE UNEXPECTED VULNERABILITIES CAUSED BY CONNECTIVITY AND GPS COMMUNICATIONS. THESE INCLUDE VULNERABILITIES BETWEEN DIFFERENT INTERFACES (APIS), WHICH NEED FURTHER SECURING. THERE HAVE BEEN SERIOUS INCIDENTS IN OUR SECTOR, WHERE AN ATTACKER HAS, FOR EXAMPLE, USED A RENTAL COMPANY’S GEOLOCATION PLATFORM TO LOCATE STORED EQUIPMENT IN ORDER TO STEAL IT.

THE LAUNCH OF 5G OPENS DOORS FOR ADVANCED CYBER THREATS – THE HIGH SPEED OF DATA TRANSFERRING WILL ALLOW HACKERS TO INFECT MORE DATA PACKAGES AND SPY ON COMPANIES WITHOUT BEING NOTICED.

  • Email is the most common threat vector, commonly used for phishing, malware and ransomware, but increasing sophistication and the use of other channels, like SMS phishing (“Smishing”) are occurring.
  • Rental companies may be targeted on their own account or as a supply chain attack, looking to infiltrate large national infrastructure customer systems and networks. During the COVID-19 pandemic, there was an increase in this type of attack, with attackers exploiting emergency home or remote working, where operatives may be using unprotected devices.
  • Attacks on vulnerable systems in a rental company (including a reservation system, invoicing or even
    a preventive maintenance regime) that lead to compromise, or denial, of data can make it impossible to prove to customers that equipment is safe. This can lead to significant reputational damage and loss of business. Not only for the victim of the attack but across the sector.
  • Equipment is increasingly dependent on connectivity, many through telematics, which are not always currently fully protected by equipment manufacturers in their build. There is a need for more protection in equipment.

“In July 2022, BitSight reported six severe vulnerabilities in a popular vehicle GPS tracker (MiCODUS MV720). Including allowing hackers to impersonate the true user via SMS, gain control and bypass the use of passwords. There are believed to be 1.5 million MiCODUS devices across 169 countries in use across various organisations.
BitSight Discovers Critical Vulnerabilities in GPS Tracker.

“As a minimum, it should be more difficult for a hacker to crack our systems than the systems of others. Hackers will seek out the weakest first.

Many companies favour centralised and integrated systems architecture. But having decentralised IT systems can decrease vulnerability, as the attacker cannot gain control over the whole system.

Comprehensive and multilayer defence systems require significant investments from the company, which might not be appropriate to the level of risk involved. Systems, tailored to be fit enough for purpose, are best and should be matched to risk level individually by each organisation via a risk assessment across their estate.”

Cybersecurity

Special factors

An industry in consolidation

Customers are increasing their demands on us, their rental equipment providers, and we are increasing our demands on Original Equipment Manufacturers (OEMs) for constantly improving cybersecurity and evidence of preventive and protective practice. This is being driven by the drive to “Digitalisation”.
The risk that hackers could gain access to national or large scale infrastructure operated by our customers, via a “back door” weakness originating from equipment rental is ever present. Leaders report that there are significant variations across Europe with countries and markets at different “speeds” in terms of what, and how much, customers require of their providers. Successful tender responses may require evidence for the customer that an equipment rental company operates a nationally or internationally recognised cybersecurity framework (see “Roadmap” section) or standards, particularly ISO 27001 or its equivalent. Conversely leaders report that, in general, the equipment rental sector can sometimes claim to be ahead of customers and OEMs in the race to improve cybersecurity. This in turn creates additional risks for us, given that an infiltration attack can occur at any point in the chain and move up or down it, so equipment rental companies must protect vertically up and down the supply chain, especially in data protection and sharing, as well as in the public domain.

Special factors in equipment rental markets – Customer driven cybersecurity?

Leaders point to the fact that, amongst all the special considerations creating additional cybersecurity risks, perhaps the single biggest factor is that the equipment rental sector is undergoing a turbulent period of consolidation with larger companies, acquiring smaller players and, in some cases smaller players merging together, and then being acquired.

In many instances, this rapid consolidation in the market has led to a lack of integration of systems and processes across acquisitions and leading practice now demands full integration into centrally protected system of these to avoid importing vulnerabilities into the weakest points of a newly combined organisation. Infiltration through a weak point is flagged as a major risk for entry by an attacker into an organisation’s network “through the back door” and then onwards and upwards into their, and their customers,’ infrastructure.

Many leaders also point out that this risk is exacerbated when the acquisition strategy is focused on entry or growth in new markets, where (cybersecurity wise) processes and systems may be less mature than in the acquirer’s home market.

As a younger (five year old) equipment rental group, we had the opportunity to start from a zero base and approach IT security as a blank canvas. Given the special factors in the distributed nature of our industry, we found
standard IT available didn’t always meet our needs so we took the strategic decision to custom build systems – and we still do. Likewise we had to custom build our cybersecurity from scratch but it gave us the opportunity to “design in” cyber safe features and forced an ethos that we will always consider cybersecurity needs in any new or changing IT system at design stage.

Since day 1, bringing people along with us was a matter of pragmatic common sense. We said to ourselves “You would not design a depot layout without a fence round it and strong locks on the gate. And it would have an intruder alarm system and cameras monitoring it. Why would you ever think it
acceptable to design an IT system any differently”

Cybersecurity threats

Equipment rental companies face all the same challenges as other sectors … but we also have special factors …

Vulnerable telematics?

There have been a number of high visibility incidents involving the electronic hijack, mainly of road vehicles, over recent years as on board computing and network to vehicle communications grow in volume and sophistication. Much of the equipment in our sector carries telematics capability. Today, leaders do not typically consider such attacks as a clear and present danger, but it certainly could be a significant risk in the future and it should form part of a company’s “Horizon scanning” for threats.
There are already reports of cyber attackers attempting to gain unauthorised control over heavy machinery via the remote control and monitoring systems. They could cause machinery to deviate from the execution plans with the intent of causing damage, or even injury, to those onsite.
Concerns have been raised that OEMs and equipment service companies are not yet doing enough to make telematics attack proof. Procurement decisions for new equipment should include an assessment to check that the models chosen are at the forefront of safety in telematics access and attack security.

Increasing customer demands for data downloads via telematics of equipment location and utilisation on site are thought to be the highest risk area. Like all data sharing exercises, single packets of carefully screened data, transmitted “one way” are considered safest.

“We adopt the approach of minimising two way or live network communications of data between us and customers and other third parties. For GDPR (General Data Protection Regulation) and information security reasons, we make data downloads and transmission a “one way and one off” thing in each case, so as to avoid the risk of transmission and import of an infection.”

“We are very aware that potentially large and dangerous types of equipment are open to attack, just as our own IT systems are. We need the OEMs to make the telematics as secure as they do the locks and alarms on the operating equipment itself. We evaluate and procure the “best in class” equipment we can, security wise.”

“It’s important to choose a secure telematics provider. One telematics provider was recently hacked – because every single device they built had a hard coded password of 123456.”

Tech Tips: Telematics | For Construction Pros

“In 2019 Japanese security firm Trend Micro published a research paper demonstrating how it had been able to move full-size construction cranes by remotely taking control of radio frequency (RF) remote controllers. The researchers said that they were able to capture radio traffic and record RF packets which they could then replay to take control of the machine. This included replaying emergency stop commands indefinitely to produce persistent denial of service conditions. Hackers were also able to selectively modify the packets and craft new commands to completely control a machine.

In January 2022, 19-year-old researcher David Colombo tweeted that he had been able to exploit security bugs in the TeslaMate logging tool to remotely hack into 25 Tesla cars in 13 different countries without the owners’ knowledge, unlocking their doors and windows and starting keyless driving.”

How to keep smart construction safe from hackers – Construction Europe

Leader strategy

Retail and depot outlets as “Hub or Spoke”? 

Integration strategy is one of the most important areas of IT security focus for equipment rental Chief Information Officers (CIOs). They point to the fact that many operators have distributed operations with depots, compounds and retail outlets, often quite small, sometimes single person operations and they may well be geographically and internationally dispersed, compared to central operations.

These extended sites need to communicate with central networks in real time, but typically do so via mobile equipment, including smartphones, tablets and laptop computers. Where outlets have been acquired into the business, or are in less mature markets, they can be the weakest points in an equipment rental company’s network and therefore an easier point of entry for an attacker than central systems would be.

Whilst leaders look to the retail and banking industries for models on how to protect distributed outlets, they note that our industry is fundamentally different, in that its outlets are typically low volume transaction nodes (perhaps a fraction of the volume of a typical supermarket, for example). This means that investment at sites in high bandwidth and secure fibre networks, in firewalls, encryption and High Security Modules (HSMs) needs to be substantial and may not always be justifiable in business terms but essential for cybersecurity.

“You have to protect data transmission and network connections to outlets. That means VPN tunnels to the centre, data transmitted to a “Sandbox” first and only then on to a firewalled data warehouse.

Strict standardisation and enforcement of the disciplines at a satellite location is key for us. We don’t allow own devices to connect to networks, even use of the local hard disk on a laptop is against the rules. All storage is behind our firewalls on central servers.”

Leaders emphasise that IT security strategy has no single right answer for integration but it must be set clearly that either…

  • the organisation will centralise and standardise protection and place each outlet at “arm’s length” to its own firewall and security at point of sale or…
  • it will incorporate all outlets within an overarching central firewall envelope. Either strategy can be effective, with reported advantages and disadvantages of each summarised below.

BUT what is never right is “getting caught in the middle” with a mix of strategies.

“We believe in full integration of all acquired companies and outlets. We need to be advanced but not at any cost. There is no point spending money on cybersecurity central defence and millions more on an acquisition’s and then “leaving the back door open” with vulnerable satellites.”

Cybersecurity in our industry is also increasingly a legislative and regulatory matter

EU legislation is centred around: “The Directive on Security of Network and Information Systems” (“The NIS Directive”) and it is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.

In May 2022, the NIS2 Directive agreement was reached. It updates the original NIS Directive due to the challenges of increasing digitalisation and interconnectedness (intensified by the COVID-19 crisis) and the rising number of cyber malicious activities at a global level.

NIS Directive | Shaping Europe’s digital future (europa.eu)

THE ORIGINAL NIS DIRECTIVE PROVIDED LEGAL MEASURES TO BOOST THE OVERALL LEVEL OF CYBERSECURITY IN THE EU BY ENSURING:

  • Member States’ preparedness, by requiring them to be appropriately equipped. For example, with a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority.
  • Cooperation among all the Member States, by setting up a Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States.
  • A culture of security across sectors that are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.

THE UPDATED NIS2 DIRECTIVE ALSO INCLUDES:

  • Extended coverage, to include more critical entities across more sectors. Increasing the number of entities that are obliged to take cybersecurity risk management measures.
  • Companies’ cybersecurity requirements will be strengthened, by addressing supply chain and supplier relationships and accountability of top management.
  • Streamlining of reporting obligations, introducing more stringent supervisory measures for national authorities, as well as stricter enforcement requirements, and aims at harmonising sanctions regimes across Member States.

Other areas of EU legislation are being developed that could impact the equipment rental industry’s move to digitalisation, including equipment that uses telematics and software in many forms.

New machinery regulation proposals

  • The Regulations will include, amongst essential health and safety requirements, rules on security for connection and remote communication with the machinery and equipment types that are central to our industry.
  • In order to pass the conformity assessment procedure, all these machines will need to have a certificate, issued under a relevant cybersecurity scheme.
  • The new regulations are expected to come into force as early as 2023.

International Rental News: EU Machinery Regulation to impact rental

THE CYBER RESILIENCE ACT STATES TWO MAIN OBJECTIVES:

1. Create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle; and

2. Create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

Cyber Resilience Act | Shaping Europe’s digital future (europa.eu)