By Gregg Wartgow, Special to AEM —
As non-road equipment has become more technologically advanced and oftentimes automated, things like cybersecurity have taken on a new level of importance. In fact, safeguarding non-road equipment and the data it contains has become a priority for manufacturers, dealers, equipment owners, and other stakeholders.
The challenge is that data exists in different ways and can live in different places. Who is responsible for ensuring data protection when the data is on a piece of equipment? What about when data is being transmitted to an off-machine destination like a cloud-based storage system? And what about when data is stored off-machine in a cloud-based system or fleet management software platform, etc.?
“As equipment becomes more connected, the risks associated with machine data access and integrity have grown significantly,” said Erica Baird, executive director for global sales and service at AEM member company Cummins. “The AEM Technology Leadership Groups recognized the need for a common framework that helps manufacturers and stakeholders understand their roles in protecting machine data.”
To provide that common framework, the AEM Technology Leadership Groups in agriculture and construction collaboratively produced Cybersecurity for Machine Data for Non-Road Equipment, one of three guidance documents AEM first unveiled back in May. The documents were created to help non-road equipment manufacturers use agreed-upon common language when representing the industry and discussing the topics of cybersecurity, data, and autonomy.
“We wanted to create a document people could have a conversation around,” said Seth Zentner, an engineer with CLAAS of America and Vice Chair of AEM’s Ag Technology Leadership Group. “We also wanted to make sure the document was useful to people who had limited knowledge about cybersecurity, so people with varying levels of expertise could all have a conversation about it.”
Baird, who serves as Vice Chair of AEM’s CE Sector Board, did point out that the cybersecurity guidance document isn’t about prescribing a one-size-fits-all solution. Rather, it’s about establishing a foundation for consistent, collaborative cybersecurity practices across the non-road equipment industry. “Laying the groundwork for these topics now will facilitate even more in-depth discussion in the future,” Baird said.
What is the Data That Needs Protecting?
Machine data includes a wide array of information generated by equipment during operation. This spans GPS location, operating hours, diagnostics, fault codes, performance metrics, sensor readings, and even interactions with attachments or remote systems. Additionally, some equipment fitted with certain sensors could also be collecting data that is not specific to the machine itself.
“In many cases with agriculture equipment, there is also agronomic data being populated on a machine, whether it be a terminal or some ISO device,” Zentner said. “Some of that data is being transmitted and some isn’t. Regardless, it all must be protected.”
Non-road equipment data not only encompasses a variety of information, but also exists at a variety of levels. Each level presents its own unique considerations with respect to data security.
“AEM’s cybersecurity guidance document summarizes all the steps machine data must traverse as it moves from the equipment with a cellular connectivity device, to a telematics data processing cloud, and finally to a customer-facing system,” Baird explained. “Because there are very different technologies in play at each of these different levels of data transfer, it is important to understand and address the unique cybersecurity concerns for each level.”
There are three levels:
- On-Machine: This includes data from sensors, ECUs, displays, or third-party systems on the equipment itself.
- Data Transfer: This is where data moves from the equipment to a cloud or on-premise server system.
- Off-Machine: This involves cloud systems, on-premise servers, analytics platforms, or third-party management systems.
“Data access protocols ensure that only trusted users and systems can view or interact with sensitive machine data,” Baird emphasized. “This is foundational to cybersecurity. The AEM guidance document emphasizes permissions-based authentication and clearly defines who has access at various data touchpoints—whether that’s the operator, OEM, or a service provider. It sets expectations for responsible access control without prescribing specific technologies, allowing flexibility for different system architectures.”
AEM’s guidance document on cybersecurity also clarifies which parties are expected to detect, protect, and recover from cyber incidents across the data lifecycle. For example, OEMs are tasked with providing security patches for on-machine systems, while platform providers are responsible for off-board recovery and updates. “This clarity is vital in a multi-stakeholder environment and encourages proactive planning,” Baird said.
“Another important point relates to the agreements you have with a supplier of an ECU or provider for data transfer,” Zentner said. “It’s important to include cybersecurity measures in the contractual language so everyone knows their responsibilities in keeping those portions of the data chain safe.”
Why Data Needs Protection
Baird offered some examples that help illustrate why proactive cybersecurity planning is critical throughout the data lifecycle.
- On-Machine: If unauthorized firmware is loaded onto a machine without proper authentication protocols, it could impact operational safety or override protective functions. The threat level will often vary by equipment type. Using the agriculture industry as an example, Zentner said the risks associated with something like a field rake will be far different from the risks associated with a more complex product like a tractor or harvester. It’s important that at each data level the security and potential risks of that data are understood, whether by the supplier of an ECU, the OEM, or a third-party data provider, Zentner said.
- Data Transfer: If data is transmitted over unsecured channels, it could be intercepted or altered during transit—potentially leaking sensitive location or usage data. Organizations should do what they can to ensure data isn't lost, stolen, or manipulated. Oftentimes, different stakeholders have access to the data in order to transfer it, so it's important that the data arrives safely at the correct destination and in the correct format.
- Off-Machine: If access controls aren’t in place on a remote platform, an unauthorized user could manipulate fleet data or download operational logs for competitive or malicious use. For large fleets connected across different platforms, it’s imperative that data arrives safely in a format that the receiving system can interpret, whether that is an existing standard format or a format agreed upon by the two exchanging parties.
Working Within a Framework of Existing Standards
According to Zentner, it's critical that those from outside the industry, including lawmakers and regulators, are aware of the existing standards and best practices that are already guiding the non-road equipment industry’s efforts. All of those standards—including ISO 24882 with respect to on-machine data, and ISO 27001 for transfer-level and off-machine data—are referenced in AEM’s guidance document.
“By referencing them, AEM gives its members a toolkit of established, proven frameworks that can be tailored to specific needs,” Baird said. “The guidance document in general serves as a valuable starting point for any organization looking to elevate its cybersecurity posture.”
AEM members can begin by reviewing their current practices through the lens of this framework, asking themselves:
- Do we have clear roles defined?
- Are our access controls robust?
- Are we aligned with best practices?
From there, AEM members can identify areas for improvement and begin implementing stronger governance and technical controls. “This will allow us to educate all industry stakeholders and policymakers,” Baird said.
Most importantly, it will allow for ongoing education based on a common language that is clear and consistent.
About AEM's Guidance Documents
AEM issued a trio of member-driven guidance documents to help promote the agreed-upon use of common language when representing the non-road equipment industry and discussing the topics of autonomy, cybersecurity, and data.
The guidance documents, which are available to view and download on AEM.org, were released in conjunction with AEM’s Celebration of Construction on the National Mall in Washington, D.C. They serve as consensus resources for association staff, members, and industry peers to drive conversations and communications related to autonomy, cybersecurity, and data.