
Multiplying risk in an expanding cyberspace

When two hacking experts demonstrated to a WIRED journalist how they could access the computer system of the Jeep Cherokee he was driving, it highlighted a worrying threat in an increasingly connected world. Through malicious code, the hackers were able to control everything from the air conditioning and music to the vehicle’s steering, brakes and transmission.

As the internet of things (IoT) takes off it will inevitably introduce new cyber vulnerabilities, says Michael Carr, technology practice leader at Argo Group. “The biggest concern with IoT is you have masses of multiplication of the attack surface. Every connected device is a point of entry into a network,” he warns.

Technology research firm Gartner forecasts that 20.8 billion connected things will be in use worldwide by 2020, up from 6.4 billion today. It also anticipates that up to 20 per cent of annual security budgets will go towards addressing compromises in IoT security.

The difficulty for security experts, corporates, IT departments and insurers is that many IoT devices are not designed with security in mind. “Up until recent times connected devices tended to be things that we took some effort to defend – desktop and laptop computers, even mobile phones and certainly servers,” says Mr Carr. “When you start connecting thermostats and refrigerators there’s a real question if those things are going to be engineered securely or if they could become the weak link.”

Data breach

The data breach at Target in 2014 offers an example of how such weak links can be exploited. The personal data of more than 100 million individuals was compromised after hackers used stolen credentials from a contractor to access the retailer’s corporate system. “They had the vulnerability not in their own system, but in the system of their heating and ventilation supply company,” explains Graeme King, senior cyber underwriter at Allianz Global Corporate & Specialty (AGCS). “By exploiting that vulnerability they got in.”

As the Jeep hacking stunt demonstrated, another emerging threat emanating from a connected world is actual physical harm arising from an intrusion. Potential scenarios range from individual attacks, such as tampering with the thermostat at a food or pharmaceutical warehouse and causing spoilage of perishable goods, through to major incidents, such as taking down a power grid.

In 2014, a blast furnace at a German steel mill suffered massive damage after cyber attackers breached the mill’s control system. This, along with politically motivated attacks such as the Ukraine power grid attack of December 2015 and the 2010 Stuxnet attack on Bushehr Nuclear Power Plant in Iran, demonstrates these scenarios are not just the stuff of Hollywood blockbusters.

They also indicate the potential for systemic risk in a world where everything is connected. “Most cyber attacks carried out by criminals are about extracting extortion payments or stealing data to sell on,” says Mr Carr. “Criminals are typically not going to be perpetrating something that could turn into a systemic attack. However, politically motivated attackers might be much more interested in causing systemic damage because their motivation isn’t monetary, except maybe to wreck the economy of the country or region they were attacking.”

Last December’s cyber attack on Ukraine’s power grid and subsequent blackout demonstrate the emerging threat emanating from a connected world

Supervisory control and data acquisition systems used by industrial and utility companies are typically not connected to the internet, a practice known as “air gapping”. But this defence could be obsolete in the future. “One of the hot uses of IoT is sensors that allow you to manage power usage more optimally,” says Mr Carr. “That means you have sensors on the power meters of homes and businesses talking to the power generation stations.”

However, the ongoing concern for the vast majority of businesses will continue to be data protection and business continuity, says Joshua Goldfarb, vice president and chief technology officer of emerging technologies at cyber security and malware protection firm FireEye. “One of the biggest risks organisations face these days is the theft of sensitive confidential and proprietary information,” he says. “Theft of data can cause brand damage, loss of revenue, lawsuits and fines for violating privacy laws.

“It is a risk that can be mitigated in various ways. But what people sometimes forget is that attackers are continuously evolving. Lately they’ve been doing quite a lot of attacks to compromise user credentials, allowing them to masquerade as a legitimate user.”

Making millions

Cyber crime is set to be worth $2.1 trillion by 2019, according to Juniper Research. In addition to data theft, 2016 has seen the proliferation of cyber extortion. The CryptoLocker gang is understood to have made more than $30 million in 2015 using relatively simple ransomware.

“The insurance industry in the UK is ready for this, but the clients are not yet buying the product in their droves. Had there been widespread uptake of insurance to date we would have had a much bigger handle on the scale of this problem. An insurance policy would probably help an awful lot of these companies, enabling them to identify where that threat is coming from, plug the gap, restore the data and secure their systems from more of the same,” says Mr King at AGCS.

The impending European Commission’s General Data Protection Regulation and headline-hitting data breach exposés will continue to drive greater demand for cyber cover. Mr King says: “That’s when you’ll see the real upswing, as media headlines start causing people embarrassment.”

Cyber insurance providers will continuously need to adapt their products and services to the changing threat environment. If one of the objectives of future cyber attackers is to cause property damage, bodily harm, pollution or widespread power outages, it could mean insurance claims are made under more traditional classes of business, including commercial and residential property, motor, environmental, business interruption, general and professional liability, and accident and health.

While some cyber products offer cover for physical damage, this is not yet widespread and currently cyber exposures are not being priced into other insurance policies. “You either need to start adding cyber to all classes or introducing cyber exclusions and expanding cyber policies to encompass physical damage and bodily injury,” says Argo Group’s Mr Carr.

Insurance buyers may well prefer the former. The latter is preferable from an insurer’s perspective, as with the first scenario there is a possibility that a single piece of malware could end up triggering coverage for six different contracts for the same insured. “Whereas if all the cyber stuff was in the cyber policy, I’d at least be prepared to manage my total exposure – I don’t think the industry has figured this out yet,” Mr Carr concludes.