Category Archives: Cyber Risk

Wedding Big Rigs to IoT: What Could Possibly Go Wrong?

“We went out again. We got maybe six steps before lights blared in our faces. It had crept up, big wheels barely turning on the gravel. It had been lying in wait and now it leaped at us, electric headlamps glowing in savage circles, the huge chrome grill seeming to snarl.”

Transportation and logistics companies are now among the top-targeted industries by computer hackers

When Stephen King wrote Trucks – a tale of big rigs, pickups, and earth movers coming suddenly to life and terrorizing people they had trapped in a diner – he didn’t speculate about how or why they’d been incited to malevolence. Aliens? The Soviets? Who cared? It was the 1970s, and all he needed to do was deliver a solid horror yarn.

I loved that story when I read it in high school – mainly because it scared the daylights out of me and yet I knew for sure it couldn’t happen. Could it? Nah!

Today I read an article about “platooning”, in which “a lead vehicle wirelessly assumes control over the throttle and braking of one, two, or more vehicles following along behind it. In many scenarios, the drivers in a platoon continue to steer their vehicles and can disengage from the convoy at any time, but the first vehicle determines the speed and braking maneuvers of the entire platoon. Because the follower trucks maintain constant communication with the lead vehicle and have synchronized acceleration and braking, platooning trucks can maintain much shorter distances between themselves as they travel.”

Bam! I was right back in that 1970s diner inside Stephen King’s warped, brilliant, and quite possibly prophetic brain.

From there I time traveled forward to Bastille Day 2017 in Nice, France, where 84 people were killed when a radicalized individual plowed a 20-ton truck into a crowd waiting to watch a fireworks display. The previous December, CNN reminded me, 12 people were left dead and 48 injured when a tractor trailer was driven into a Berlin Christmas market.

“Platooning, which is based on vehicle-to-vehicle (V2V) communications, has been shown to increase the fuel efficiency of both the lead and following vehicles, saving fleet operators money and reducing carbon dioxide emissions,” the article in Verisk’s Visualize insurance news and thought leadership site tells me comfortingly. It cites a German pilot program in which truck platooning generated fuel savings of 3 to 4 percent. Platooning could lead to huge cost savings for businesses and consumers.

Who doesn’t love fuel efficiency?

And then I read an article in Today’s Trucking that began:

“When Harold Sumerford’s phone rang at 2:30 a.m. on April 2, he knew the news couldn’t be good. But he figured it was probably the safety department – not the CFO telling him the company’s entire computer system was down from a ransomware attack.”

Sumerford is CEO of J&M Tank Lines. According to the article, it took four days for his company to begin functioning after the attack, “and during those four days, they weren’t able to bill any customers or enter anything into the system.”

Granted, this is a far cry from having the entire fleet go on a murderous rampage, but the Internet of Things is still young.  It hasn’t been long since researchers demonstrated that they could remotely do everything from altering a big rig’s  instrument panel to triggering unintended acceleration or disabling brakes.

“These trucks carry hazardous chemicals and large loads,”  Bill Hass, one of the researchers from the University of Michigan’s Transportation Research Institute, told Wired. “If you can cause them to have unintended acceleration…I don’t think it’s too hard to figure out how many bad things could happen with this.”

J&M’s experience, according to Today’s Trucking, was “just one example of a rapidly growing problem with cybersecurity in the trucking industry. Transportation and logistics companies are now among the top-targeted industries by computer hackers.”

According to an article in ZDNet published just a few weeks ago, “Hackers are deploying previously unknown tools in a cyberattack campaign targeting shipping and transport organisations with custom trojan malware. Identified and detailed by researchers at Palo Alto Networks’ Unit 42 threat intelligence division, the campaign has been active since at least May 2019 and focuses on transportation and shipping firms operating out of Kuwait in the Persian Gulf.”

This as everyone I know seems to be panting with enthusiastic anticipation for vehicles that drive themselves!

Look, I’m no Luddite. I appreciate the benefits offered by and realized through interconnectivity.

But I also have a front row seat observing the difficulties people who assess and quantify risk for a living experience in getting and keeping their heads around the ever-changing world of cyberrisk.  As data and “stuff” become increasingly intertwined and the risks surrounding them are less clearly defined, is it so unreasonable to suggest that pushing humans out of the driver’s seat at this moment isn’t the only or best path to traffic safety, low prices, and reducing our collective carbon footprint?

Older Generations More Cyber Savvy Than Their Younger Counterparts

By Loretta Worters, Vice President, Media Relations, Insurance Information Institute

Getty images

Despite a never-ending cycle of cyber breach headlines, individuals continue to be underprepared for even the most common cyber exposures.  According to Chubb’s third annual Cyber Risk Survey, which examined individuals’ comprehension of cyberrisk and the steps they are taking to protect themselves, complacency seems to have taken hold: eight-in-10 Americans continue to be concerned about a cyber breach, yet only 41 percent use cybersecurity software and only 31 percent regularly change their passwords. These numbers are virtually unchanged from 2018.

According to Chubb’s survey, individuals don’t recognize the value of individual pieces of personal data. For example, just 18 percent of respondents are concerned about their email addresses being compromised. Similarly, only 27 percent of respondents cite concern about their medical records being breached.

The UK’s National Cyber Security Centre (NCSC), which analyzed passwords belonging to accounts worldwide that had been breached bares the Chubb survey out.  The NCSC notes that several combinations of numbers made up the top 10, while “blink182” was the most popular musical artist and “superman” the most common fictional character. But “123456” was the most common password, with 23.2 million accounts using the easy-to-decipher code. “123456789” was used by 7.7 million, while “qwerty” and “password” were each used by more than 3 million accounts.

Chubb survey results indicate that a consistently large portion of older respondents employ better cyber practices than younger generations. Per the survey, 77 percent of those 55 years and older delete suspicious emails, compared to half (55 percent) of respondents between 35 to 54 and just a third (36 percent) of respondents from 18 to 34. Similar patterns arise when looking at those enrolled in cybersecurity monitoring services, where 53 percent of respondents over 55 are enrolled in a cybersecurity monitoring service.  But this same service is used by only 1 percent of respondents between 35 to 54 and just 29 percent between 18 and 34.

More concerning is that the behavior of younger generations appears to be getting worse, the Chubb report noted. For example, 76 percent and 74 percent of adults over 55 regularly deleted suspicious emails in 2017 and 2018, respectively, as compared to just 47 percent and 40 percent of adults between 18 and 34 during the same time period.

In most narratives, it’s the younger generation teaching older generations about the latest internet trends. When it comes to cyber safety, however, it’s clear that the tables have turned. The first lesson older generations should impart? The importance of talking with an independent agent and broker about coverage for a cyber-related incident.

Without it, and in the event of a hack or breach which leads to a financial loss, individuals could be left without a safety net in place. In some cases, policies will also cover incident response expenses, including legal services, reputation management, and mental and emotional pain diagnosed by a physician.

October is National Cybersecurity Awareness Month, (NCSAM), a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online. This year’s NCSAM will emphasize personal accountability and stress the importance of taking proactive steps to enhance cybersecurity at home and in the workplace. This year’s overarching message – Own IT. Secure IT. Protect IT. – will focus on key areas including citizen privacy, consumer devices, and ecommerce security.

 

Intent and ability distinguish cyberrisk from natural perils

Cyberrisk is often compared with natural catastrophe-related threats, but a recent study by global reinsurer Guy Carpenter and analytics firm CyberCube suggests a better analogy is with terrorism.

“Probability is assessed in terms of intent and capability.”

The report – Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study – quotes Andrew Kwon, lead cyber actuary for Zurich: “Extending the lessons learned from property cats to the cyber space is intuitive and logical, but cyber continues to be a unique force unto itself. A hurricane does not evolve to bypass defenses; an earthquake does not optimize itself for maximum damage.”

This passage resonated as I read it because a few hours earlier I’d been reading a FreightWaves article about risks posed to international shipping by digitalization and pondering the fact that the same technology that helps vessels anticipate and avoid adverse weather also subjects them – and the goods they transport – to a panoply of new risks.

The FreightWaves article quotes U.S. Navy Captain John M. Sanford – who now leads the U.S. Maritime Security Department within the National Maritime Intelligence Integration Office – describing how the NotPetya virus inflicted $10 billion of economic damage across the U.S. and Europe and hobbled company after company, including shipping giant Maersk, in 2017.

Sanford said Russian military intelligence was behind the hacker group that spread NotPetya to damage Ukraine’s economy. The virus raced beyond Ukraine to machines around the world, crippling companies and, according to an article in Wired, inflicting nine-figure costs where it struck.

“Maersk wasn’t a target,” Sanford said. “Just a bystander in a conflict between Ukraine and Russia.”

Collateral damage.

The FreightWaves article describes how supply chains, ports, and ships could be disrupted more intentionally through GPS and Electronic Chart Display and Information System (ECDIS) systems onboard ships, or even via a WiFi-connected printer: “Pirates working with hackers could potentially access a ship’s bridge controls remotely, take control of the rudder, and steer it toward a chosen location, avoiding the expense and danger of attacking a vessel on the high seas.”

The Carpenter/CyberCube report identifies parallels in the deployment of “kill chain” methodologies in both conventional and cyber terrorism: “Considering terrorism risk in terms of probability and consequence, probability is assessed in terms of intent and capability.”

As our work and personal lives become increasingly interconnected through e-commerce and smart thermostats and we look forward to self-driving cars and refrigerators that tell us when the milk is turning sour, these considerations might well give us pause.

Hurricanes, earthquakes, fires, and floods might be scary, but at least we never had to worry that they were out to get us.

 

Hope the (fire)wall is high enough

Getty Images

Fans of Game of Thrones are getting ready to learn the fate of their favorite characters when the final season of the show starts airing on HBO on April 14th. At the same time, security experts are warning that cyber-crooks are ready to take advantage of the show’s popularity to attack people’s computers.

The huge popularity of the show makes illegal download sites, where users can view episodes without the required subscriptions, popular distribution points for malware. In 2018 Game of Thrones accounted for 17 percent of all infected pirated content, according to Kaspersky Labs, even though no new episodes aired that year. This suggests that the coming premiere could be the most dangerous time to be downloading the torrents.

According to Kaspersky, the most popular kind of attack via pirated content was a trojan, a piece of software that is installed on a computer and allows the hacker to take control of that device.

The good news is that, overall, the prevalence of TV show-related malware has been declining. In 2018, the total number of users who encountered this kind of malware was 126,340, a third less than it was the year before. The number of total attempts dropped by 22 percent, to 451,636. Kaspersky said that drop was in line with a reduction in the number of security threats across the internet. But it might also be linked to a drop in the number of people using torrents, as interest in the technology declines.

Reminder: your smart home security system is hackable

Doors that can be locked remotely with a smartphone app. Facial recognition cameras that alert you when certain people arrive at your front door. Motion sensors that trigger video recordings when someone steals your Amazon packages.

If we’re being honest, smart home security systems sound extremely creepy to me.

But I understand the sell: smart home security devices can keep people safe and offer peace of mind – did I remember to lock the door? Doesn’t matter, my phone can lock it.

Nothing in this world is perfect, though. Unlike smart home security systems, you can’t use a computer to hack into and unlock a standard deadbolt.

The Insurance Journal recently ran a piece describing yet another experiment where researchers easily hacked into someone’s smart home security system. In one scenario, a researcher hacked into a person’s phone using a coffee shop’s free WiFi. Once inside, he accessed their smart light switch app, and then jumped from there into the smart home’s security devices. Voila, smart door unlocked. All that’s missing is a red carpet to welcome thieves as they waltz in the front door.

This shouldn’t be news. Here’s a video from 2016 of researchers hacking into a smart lock:

Everything is a trade-off. As informed consumers, we can’t assume that a solution to one security problem (forgetting to lock our doors) will solve every other security problem – or that it won’t create new ones (hacking into our front doors). It’s important to weigh the risks and benefits of smart home security, and to conduct due diligence in researching the cybersecurity protections of each system. It’s also important to consider additional protections, like purchasing cybersecurity insurance coverage, just in case.

If that sounds onerous, it’s nothing compared to dealing with a robbed house.