Cyber Threat: Transportation

Disabled Autos

Hyperconnectivity and driverless cars raise new cyber risks for automakers and their suppliers.
By: | April 7, 2014 • 7 min read
042014_03c_cars

Hacking into cars is not a future concern. It is possible now, and the potential danger will increase as carmakers continue to enhance connectivity features in automobiles.

But even that threat pales against the potential damage cyber attacks could wreak when driverless cars take to the roads for real.

Advertisement




One common perceived threat here and now comes from the ease of access that manufacturers have built in for drivers. If a driver can unlock a car door and start the engine using a cell phone, an unauthorized person can turn off that engine and lock the doors from a cell phone.

Taking a drive into the near future, could someone arrange for all of the cars on a Los Angeles freeway to have their engines turned off at the exact same time?

Even now, the ability to hack into and remotely control a car is a clear and present danger.

 Video: Behind the wheel of a car, you may be able to text, watch a movie or even sleep — if it’s a computer-controlled, driverless car. The WSJ’s Michael Kofsky heads to the test track to show how it works and safety questions it raises.

A pair of security engineers — doing their research with an $80,000 grant from the Pentagon — were able to hack into the systems of Toyota and Ford cars, and override a driver’s braking attempts, according to an account of the scenario in Forbes.

The pair was able to “demonstrate a range of nasty surprises: everything from annoyances like uncontrollably blasting the horn to serious hazards like slamming on the Prius’ brakes at high speeds. They sent commands from their laptops that killed power steering, spoofed the GPS and made pathological liars out of speedometers and odometers,” according to Forbes.

Expanding such abilities simultaneously to a fleet of cars is a feat yet to be accomplished.

“It could be possible to hack into one or another vehicle, but there is nothing that can stop the whole fleet at the same time,” said Mark Brooks, senior research engineer at the Southwest Research Institute (SwRI) in San Antonio. “Current levels of connectivity are not seen as major threats because they are not continuous.”

No One at the Wheel

“Even when a driver is using a navigation system, that is just a single download. The industry is much more concerned about continuous streaming back and forth, as with driverless cars,” he said.

Driverless cars rely on a number of sensors to operate, and are definitely vulnerable to attack, according to one of the hackers at the Def Con Hacking Conference in August.

“I’m a huge fan of unmanned vehicles,” said a hacker who goes by the name of Zoz to Venture Beat, a blog that focuses on technology. “I love robots. I think they’re the future. But, like everything else humans ever made, it’s going to get hacked.”

Google’s driverless car’s primary system is a “laser range finder mounted on the roof of the car,” which generates a 3D map of the area, according to IEEE, a technology professional organization.

R4-14p34-36_03Cars_ER.indd“The vehicle also carries other sensors, which include: four radars, mounted on the front and rear bumpers, that allow the car to ‘see’ far enough to be able to deal with fast traffic on freeways; a camera, positioned near the rear-view mirror, that detects traffic lights; and a GPS, inertial measurement unit, and wheel encoder, that determine the vehicle’s location and keep track of its movements.”

Zoz told Venture Beat that it would not require sophistication to attack and derail those sensors, and he pointed out that engineers in Iran were able to hack and capture a U.S. drone by “spoofing” the GPS and feeding it incorrect location information.

Death and destruction are always a worry when hackers can subvert an operating system, but apportioning liability is also a major concern, SwRI’s Brooks said.

Advertisement




“If there were any problems, whose fault would it be? The carmaker? The navigation OEM? The software company? The driver? These are the discussions everyone is starting to have.”

Those initial conversations can be difficult, said Dave Wasson, professional and cyber liability practice leader at brokerage Hays Cos. in Chicago.

“The issues are known. People are aware of the risks. But at the moment there is kind of a paralysis because it is unclear how to quantify these risks, and also because even if we could quantify them, there are very limited options yet in how to deal with them.”

A Flawed System

Wasson added that a reordering of the current liability structure is both necessary and inevitable. “Right now, you have a pull market, with small OEMs seeking coverage because the first-tier OEMs and carmakers demand that they be indemnified. But that is not sustainable. A client might demand a $15 million cover from a small supplier, but that cover could cost the supplier $50,000 when he only grosses $100,000 on the contract.”

It is a situation where bigger companies are offloading their risk management onto smaller ones, and that, Wasson said, is flawed.

“Even when the suppliers comply, often the package does not work the way either the supplier or the OEM client thinks it will,” he said.

“Eventually the large firms will realize that they need to take this as primary,” Wasson said. “They have the assets, the skills, the risk managers, and the brokerage relationships to get it done properly.

“Besides, they are the ones who are going to get sued. They can turn to their indemnification contracts, but if the small supplier with few assets goes bankrupt, then what? It’s the company with the badge on the car that people are going to go after.”

As those issues percolate, commercial vehicle operators have other challenges as well.

“One really big cyber issue for a logistics company or express delivery service would be to have the GPS signals for their vehicles scrambled, or the electronic shipment documents tampered with,” said Steve Surber, area vice president for Arthur J. Gallagher in Irvine, Calif.

A cyber attack could be used to divert a shipment, cover theft, tamper with cargo, or even just to delay a shipment that is time sensitive. And the theft could be of the truck or trailer itself, some of which are worth up to $60,000, he said.

On another level, hacking can be used to disrupt the loss control systems of trucking lines, many of which use GPS and electronic reporting to track their fleet performance, Surber said.

Cyber alterations of such reporting could hide potential liability issues such as speeding, sleeping, unauthorized stops, fuel diversion, or many other misdeeds by shippers, loaders, drivers or consignees.

“Companies already rely heavily on computer systems and networks to help with loss control,” he said.

Among insurers, coverage is still evolving, he added. “There is some coverage from cyber policies, but mostly we are still seeing claims handled through general liability.”

Wasson, at Hays Cos., said that while the cyber risk and liability markets are pull markets at present, with owners seeking to transfer risk, the business is not without push.

“We are energetic about working with our carriers,” he said. “There is coverage and there is capacity.”

Cyber Security Efforts

In April, an automotive consortium started revving up its efforts to enhance cyber security.

The Automobile Consortium for Embedded Security — a part of SwRI — includes automakers, original equipment manufacturers, other suppliers, and cyber security experts.

The program aims to provide “pre-competitive and non-competitive research in automotive embedded systems security to protect the safety, reliability, brand image, trade secrets and privacy of client members’ future products,” according to the organization.

Mark Brooks, senior research engineer, Southwest Research Institute

Mark Brooks, senior research engineer, Southwest Research Institute

“As soon as they start claiming their vehicles are secure, they would paint a target on themselves. It’s not like safety or fuel economy. With security, there are bad guys and you don’t want to attract their attention.”

The consortium, Brooks said, “is looking at emerging research both in new technologies and new protections for embedded security for the automotive world.”

“There are lots of theoretical threats,” he said, “but we want to be sure we are focusing our efforts on the most relevant ones.”

The unique challenge is that automakers want to enhance the protections in their vehicles, but ironically, it is not something they want to advertise.

“As soon as they start claiming their vehicles are secure, they would paint a target on themselves.

“It’s not like safety or fuel economy. With security, there are bad guys and you don’t want to attract their attention.”

He said that automakers also are hesitant to unilaterally invest in cyber security efforts.

Advertisement




“As we started talking to automakers, we found them eager to be part of developing security, but it’s tough for them to take the lead or commit a lot of money to something that will not help them sell cars,” Brooks said.

“They also don’t want to reinvent the wheel,” he said. “They are very interested in solving common problems with peer-reviewed research and applications.”

                                                                                                               

Complete coverage on the inevitable cyber threat:

Risk managers are waking up to the reality that the cyber risk landscape has changed.

Cyber: The New CAT. It’s not a matter of if, but when. Cyber risk is a foundation-level exposure that must be viewed with the same gravity as a company’s property, liability or workers’ comp risks.

042014_02c_hospital_thumbnailCritical Condition. The proliferation of medical devices creates a host of scary risks for the beleaguered health care industry.

Alaska Plane CrashUnmanned Risk. The dark side of remote-controlled drones, which have already been hacked — by students.

dv738024An Electrifying Threat. There is a very real possibility hackers could devastate the nation’s power grids — for a potentially extended period of time.

Gregory DL Morris is an independent business journalist based in New York with 25 years’ experience in industry, energy, finance and transportation. He can be reached at riskletters@lrp.com.
Share this article:

Risk Insider: Bob Morrell

Risk Technology: Risk Managers Lead from Within

By: | April 22, 2014 • 2 min read
Bob Morrell is CEO and Co-Founder of Riskonnect. He oversees the strategic vision and strategy of Riskonnect, a provider of risk management technology. Bob hones his competitive skills practicing mixed martial arts, along with his family. Bob can be reached at bob.morrell@riskonnect.com.

This year marks my twentieth in the risk management field.  Now I would never call myself a risk manager.  Far from it: I’m a computer geek, and proud of it.  Today we refer to the Internet, Cloud, Mobile and Big Data, but I’ve been working with technology my entire life.  So much has changed in those twenty years.  Networking computers together was rudimentary and extremely limited when I started.  Now everything, and everyone, is interconnected, and that has changed everything.

That interconnectivity has allowed organizations to move away from the isolated, siloed processes of the past, and produced dramatic changes in the way we conduct our business and our lives. I’ve watched risk management evolve from a department called upon primarily when things go wrong, to a pervasive philosophy for running a successful business.  Fewer and fewer risk managers I speak to work in isolation, reacting to claims as they come in.  Rather they are a collaborative lynchpin to manage risk.  They don’t wait for bad things to happen.  They proactively put safety programs in place, analyze loss data and make their organizations more risk-aware.  They know an enormous amount about the inner workings of their organization, its suppliers, distributors, vendors and team members.  This is a fundamental transition from a middle management, administrative function, to an executive level function that is key to the organization’s success.

But risk managers are increasingly finding that email and spreadsheets are clumsy, inefficient, and ultimately create obstacles to managing risk throughout their company.  With the speed and global reach of business, when even ‘local’ businesses rely on a far-flung supply chain, yesterday’s technology introduces risk, inefficiencies and increased levels of error. Today’s business demands technology that facilitates decisions for tomorrow’s business challenges. Organizations need a platform – a platform that provides secure, efficient and consistent methods of communicating risk-related events and data.  Fortunately this need comes at a time when we have a convergence of technologies that can make this vision a reality.

 This is a fundamental transition from a middle management, administrative function, to an executive level function that is key to the organization’s success.

Just imagine running your business on technology of twenty years ago.  Sending paper memos (when CC referred to a literal ‘carbon copy’), using a phone tethered to your desk, taking delivery of policy documents in hard copy – oh wait, they still do that.  Would that put your business at a competitive disadvantage?  Of course it would – and risk management would suffer too.

Risk management no longer has to take a back seat to other parts of the organization. Quite the opposite. By leveraging commercial cloud platforms, the pervasiveness of the Internet and the interconnectivity of everyone and everything, the risk management team can be the most modern, forward-looking part of the company. Risk management has become the bellwether of change – actually bearing the standard for technology-enabled collaboration and productivity across the organization. Imagine that.

Share this article:

Sponsored: Healthcare Solutions

Diversifying Top Management in Workers’ Comp

Inaugural Women in Workers’ Compensation (WiWC) Forum focuses on advancing more women into top leadership roles.
By: | January 7, 2015 • 5 min read

SponsoredContent_HCS
The panel at the inaugural Women in Workers’ Compensation (WiWC) Forum. From left to right: Eileen Ramallo, Elaine Vega, Nina Smith-Garmon, Nancy Hamlet, Michelle Weatherson, Nanette de la Torre, Danielle Lisenbey.

Across the country, the business community is engaged in a robust conversation about women being under-represented among c-level positions.

Why aren’t more women breaking into upper management roles? Does gender bias still exist? And, perhaps more importantly, what can women and men do to add more diversity to top leadership ranks?

Elaine Vega and Nancy Hamlet, of Healthcare Solutions, the Duluth, Ga.-based health services provider to the workers’ compensation and auto liability/PIP markets, have discussed the issue between themselves many times over the years.

The duo agreed that starting an industry-wide conversation would be an effective start to addressing the challenge. After three years of internal discussions, the inaugural Women in Workers’ Compensation (WiWC) Forum became reality. Judging by the attendance, content and feedback, it was an auspicious, very successful, debut.

Nancy Hamlet, Senior Vice President of Marketing, Healthcare Solutions

Nancy Hamlet, Senior Vice President of Marketing, Healthcare Solutions

Specifically, Healthcare Solutions and LRP Publications teamed up at the National Workers’ compensation and Disability Conference (NWCDC), held Nov. 18-21, 2014 in Las Vegas, to present the first WiWC event focused on the development of women as leaders within the industry. The WiWC debut featured a keynote speaker, a panel discussion and a networking cocktail hour.

“We believe this is just the beginning for the WiWC organization,” said Hamlet, senior vice president of marketing, adding that the event’s main theme was the conversation regarding challenges that still exist for women in the workplace is “current, real … and relevant.”

Originally the forum was allocated a room to hold 150 people. Vega and Hamlet worried about the room being too large, so they asked LRP what the contingency would be to make the room smaller if they couldn’t fill it. They needn’t have worried, as more than 400 women, and some men as well, registered and attended, requiring an even larger room.

“Clearly, the topic is relevant and there was plenty to discuss,” said Vega, senior vice president of account management.

Hamlet explained that WiWC was formed to create an open forum to promote a strong sense of community and support for current and future female leaders in the workers’ compensation industry. Going forward, the WiWC forum will provide insight and ideas with opportunities for members to:

  • Engage … with accomplished industry professionals and build lasting relationships.
  • Enrich … their knowledge base with tactical insights from speakers and panelists.
  • Explore … opportunities and challenges facing women leaders today.
  • Encounter … senior executives’ perspectives on leadership.
  • Examine … leadership strategies and how to effectively apply the strategies.
  • Empower … themselves and others to achieve success and groundbreaking results.

At the inaugural event, keynote speaker Peggy Holtman, co-author of “Leading at the Edge: Leadership Lessons from the Extraordinary Saga of Shackleton’s Antarctic Expedition,” discussed how a seemingly unconnected historical event can offer critical lessons on leadership in the workplace, especially for women looking to move into top executive spots.

Elaine Vega, Senior Vice President of Account Management, Healthcare Solutions

Elaine Vega, Senior Vice President of Account Management, Healthcare Solutions

After Holtman’s talk, a panel discussion, moderated by Vega, offered the perspectives of five workers’ compensation industry executives on ways in which women can navigate past the glass ceiling. Panelists included Eileen Ramallo , EVP Healthcare Solutions; Danielle Lisenbey, CEO Broadspire; Nanette de la Torre, VP Zenith; Nina Smith-Garmon, EVP Mitchell International; and Michelle Weatherson, Director, Claims Medical and Regulatory Division, State Fund of Calif.

The panelists discussed a wide range of topics related to women in workers’ compensation. For example, one topic focused on the need to take the big risks when it comes to moving past workplace barriers. Other topics included the importance of women in higher positions serving as sponsors and advocates for younger, less experienced women; and the impact of industry consolidation on women’s careers and how to best manage that change. Another topic was how women could best master conflict and emotions in the workplace.

“What’s clear is conflict has to be managed; it will not go away. It will only get worse,” said Healthcare Solutions’ Ramallo. “It then can create other rifts that won’t necessarily be visible immediately, but can have a very large impact. You have to be able to understand what it is early on from another’s perspective, why the situation exists, and then encourage and try to resolve a conflict situation, whatever may be driving it.”

In the wake of the first WiWC Forum, Hamlet noted that while there are countless general reports showing that women have not yet achieved equal representation in top leadership positions in the workplace, studies deal with averages rather than individual stories. And while women must continue to look at the data and work toward closing the gap, hearing from accomplished women in the workers’ compensation industry at NWCDC drove home critical messages on a person level.

SponsoredContent_HCS

Today, Vega and Hamlet are looking to expand WiWC to make it “truly owned” by the industry. For example, they expect to recruit companies interested in becoming sponsors, forming an advisory council, creating a charter and discussing future possibilities for the organization on both the national and regional levels.

“Much remains to be done, but I have confidence that we will come together and make the organization stronger so that it prospers for years to come,” Hamlet said. “After all, it’s clear that our industry is filled with talented women who can make things happen!”

Vega added that WiWC has already received requests to live stream the event in the future, so it will examine the feasibility of that option in an effort to be even more inclusive.

“We have a shared vision for improving opportunities for current and future women leaders in workers’ compensation,” Vega said. “It doesn’t matter our gender or our title, it’s all about supporting the greater vision. As was said several times at the event, this is just the beginning. We hope more women and men will join us in this continued dialogue.”

For more information about the WiWC, send email to wiwcleadership@healthcaresolutions.com or join our WiWC group on LinkedIn.

SponsoredContent
BrandStudioLogo

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Healthcare Solutions. The editorial staff of Risk & Insurance had no role in its preparation.




Healthcare Solutions serves as a health services company delivering integrated solutions to the property and casualty markets, specializing in workers’ compensation and auto liability/PIP.
Share this article: