All posts by Jeff Dunsavage

Cyber Risk, Terrorism Risk

Wedding Big Rigs to IoT: What Could Possibly Go Wrong?

Leave a comment

“We went out again. We got maybe six steps before lights blared in our faces. It had crept up, big wheels barely turning on the gravel. It had been lying in wait and now it leaped at us, electric headlamps glowing in savage circles, the huge chrome grill seeming to snarl.”

Transportation and logistics companies are now among the top-targeted industries by computer hackers

When Stephen King wrote Trucks – a tale of big rigs, pickups, and earth movers coming suddenly to life and terrorizing people they had trapped in a diner – he didn’t speculate about how or why they’d been incited to malevolence. Aliens? The Soviets? Who cared? It was the 1970s, and all he needed to do was deliver a solid horror yarn.

I loved that story when I read it in high school – mainly because it scared the daylights out of me and yet I knew for sure it couldn’t happen. Could it? Nah!

Today I read an article about “platooning”, in which “a lead vehicle wirelessly assumes control over the throttle and braking of one, two, or more vehicles following along behind it. In many scenarios, the drivers in a platoon continue to steer their vehicles and can disengage from the convoy at any time, but the first vehicle determines the speed and braking maneuvers of the entire platoon. Because the follower trucks maintain constant communication with the lead vehicle and have synchronized acceleration and braking, platooning trucks can maintain much shorter distances between themselves as they travel.”

Bam! I was right back in that 1970s diner inside Stephen King’s warped, brilliant, and quite possibly prophetic brain.

From there I time traveled forward to Bastille Day 2017 in Nice, France, where 84 people were killed when a radicalized individual plowed a 20-ton truck into a crowd waiting to watch a fireworks display. The previous December, CNN reminded me, 12 people were left dead and 48 injured when a tractor trailer was driven into a Berlin Christmas market.

“Platooning, which is based on vehicle-to-vehicle (V2V) communications, has been shown to increase the fuel efficiency of both the lead and following vehicles, saving fleet operators money and reducing carbon dioxide emissions,” the article in Verisk’s Visualize insurance news and thought leadership site tells me comfortingly. It cites a German pilot program in which truck platooning generated fuel savings of 3 to 4 percent. Platooning could lead to huge cost savings for businesses and consumers.

Who doesn’t love fuel efficiency?

And then I read an article in Today’s Trucking that began:

“When Harold Sumerford’s phone rang at 2:30 a.m. on April 2, he knew the news couldn’t be good. But he figured it was probably the safety department – not the CFO telling him the company’s entire computer system was down from a ransomware attack.”

Sumerford is CEO of J&M Tank Lines. According to the article, it took four days for his company to begin functioning after the attack, “and during those four days, they weren’t able to bill any customers or enter anything into the system.”

Granted, this is a far cry from having the entire fleet go on a murderous rampage, but the Internet of Things is still young.  It hasn’t been long since researchers demonstrated that they could remotely do everything from altering a big rig’s  instrument panel to triggering unintended acceleration or disabling brakes.

“These trucks carry hazardous chemicals and large loads,”  Bill Hass, one of the researchers from the University of Michigan’s Transportation Research Institute, told Wired. “If you can cause them to have unintended acceleration…I don’t think it’s too hard to figure out how many bad things could happen with this.”

J&M’s experience, according to Today’s Trucking, was “just one example of a rapidly growing problem with cybersecurity in the trucking industry. Transportation and logistics companies are now among the top-targeted industries by computer hackers.”

According to an article in ZDNet published just a few weeks ago, “Hackers are deploying previously unknown tools in a cyberattack campaign targeting shipping and transport organisations with custom trojan malware. Identified and detailed by researchers at Palo Alto Networks’ Unit 42 threat intelligence division, the campaign has been active since at least May 2019 and focuses on transportation and shipping firms operating out of Kuwait in the Persian Gulf.”

This as everyone I know seems to be panting with enthusiastic anticipation for vehicles that drive themselves!

Look, I’m no Luddite. I appreciate the benefits offered by and realized through interconnectivity.

But I also have a front row seat observing the difficulties people who assess and quantify risk for a living experience in getting and keeping their heads around the ever-changing world of cyberrisk.  As data and “stuff” become increasingly intertwined and the risks surrounding them are less clearly defined, is it so unreasonable to suggest that pushing humans out of the driver’s seat at this moment isn’t the only or best path to traffic safety, low prices, and reducing our collective carbon footprint?

Business Risk, Catastrophes, Cyber Risk, Emerging Risks, Terrorism Risk

Intent and ability distinguish cyberrisk from natural perils

Leave a comment

Cyberrisk is often compared with natural catastrophe-related threats, but a recent study by global reinsurer Guy Carpenter and analytics firm CyberCube suggests a better analogy is with terrorism.

“Probability is assessed in terms of intent and capability.”

The report – Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study – quotes Andrew Kwon, lead cyber actuary for Zurich: “Extending the lessons learned from property cats to the cyber space is intuitive and logical, but cyber continues to be a unique force unto itself. A hurricane does not evolve to bypass defenses; an earthquake does not optimize itself for maximum damage.”

This passage resonated as I read it because a few hours earlier I’d been reading a FreightWaves article about risks posed to international shipping by digitalization and pondering the fact that the same technology that helps vessels anticipate and avoid adverse weather also subjects them – and the goods they transport – to a panoply of new risks.

The FreightWaves article quotes U.S. Navy Captain John M. Sanford – who now leads the U.S. Maritime Security Department within the National Maritime Intelligence Integration Office – describing how the NotPetya virus inflicted $10 billion of economic damage across the U.S. and Europe and hobbled company after company, including shipping giant Maersk, in 2017.

Sanford said Russian military intelligence was behind the hacker group that spread NotPetya to damage Ukraine’s economy. The virus raced beyond Ukraine to machines around the world, crippling companies and, according to an article in Wired, inflicting nine-figure costs where it struck.

“Maersk wasn’t a target,” Sanford said. “Just a bystander in a conflict between Ukraine and Russia.”

Collateral damage.

The FreightWaves article describes how supply chains, ports, and ships could be disrupted more intentionally through GPS and Electronic Chart Display and Information System (ECDIS) systems onboard ships, or even via a WiFi-connected printer: “Pirates working with hackers could potentially access a ship’s bridge controls remotely, take control of the rudder, and steer it toward a chosen location, avoiding the expense and danger of attacking a vessel on the high seas.”

The Carpenter/CyberCube report identifies parallels in the deployment of “kill chain” methodologies in both conventional and cyber terrorism: “Considering terrorism risk in terms of probability and consequence, probability is assessed in terms of intent and capability.”

As our work and personal lives become increasingly interconnected through e-commerce and smart thermostats and we look forward to self-driving cars and refrigerators that tell us when the milk is turning sour, these considerations might well give us pause.

Hurricanes, earthquakes, fires, and floods might be scary, but at least we never had to worry that they were out to get us.

 

Specialty Coverage

Travel company collapse offers lessons in risk

Leave a comment

Most people don’t like to think about risk — especially when planning a holiday abroad. If they think about travel risk at all, it tends to be in terms of nuisances like flight cancellations or misrouted luggage.

The collapse of British travel company Thomas Cook, which left many thousands of travelers stranded, highlights the types of risks travelers rarely think about.

This week’s seemingly overnight collapse of British travel company Thomas Cook – leaving approximately 600,000 travelers stranded worldwide and leading U.K. authorities to launch what has been called be the “largest peacetime repatriation ever” – underscores several of the myriad risks that most travelers rarely think about.

For better or worse, when I hear “repatriation” the word is typically followed in my mind by “of remains.” While mass repatriations like the one occurring this week are rare, people often die while traveling for pleasure or business. Whether it’s headline-grabbing strings of mysterious deaths like those in the Dominican Republic earlier this year or more common, less publicized deaths by auto, drowning, or natural causes, the cost and complexity of returning the bodies of loved ones can compound the stresses typically experienced by grieving families. A travel policy with adequate coverage for repatriation of remains is a relatively inexpensive way to help address this burden.

Now, you’re even more likely to become ill or injured while traveling than you are to die. Have you checked your current health insurance to see what it does and doesn’t cover when you’re traveling outside your country? Depending on what you learn, you may want to consider buying medical travel insurance. If your health policy does provide international coverage, the U.S. State Department advises that you remember to carry your insurance policy identity card and a claim form.

In the case of a serious illness or injury, the State Department says, medical evacuation can cost more than $50,000, depending on your location and condition. A policy that covers medical evacuation and emergency extraction (say, in the event of natural disaster or political unrest) also is worth considering for international trips.

Perhaps the most important lesson to draw from the “surprise” collapse of 178-year-old Thomas Cook is that it wasn’t exactly a surprise for those who were paying attention. As the U.K.-based Guardian news site reports, “The tour operator’s woes go back much further” than its inability to secure a £200 million lifeline from its bankers. The Guardian calls Thomas Cook “a victim of a disastrous merger in 2007, ballooning debts and the internet revolution in holiday booking. Add in Brexit uncertainty, and it was perhaps only a matter of time before the giant of the industry collapsed.”

Travelers often are so focused on capturing bargains that they don’t take the time to research the organizations bringing them great deals or the safety considerations in the lovely destinations being marketed to them. In travel, as in other adventures, it’s often the case that “you get what you pay for.”

Maybe a bit of research might have kept some of the hundreds of thousands of inconvenienced Thomas Cook clients from putting all their holiday eggs in a single overstuffed basket.