Emerging Cyber Risk

Out of Control in the Driver’s Seat

Security researchers provide haunting proof of how vulnerable our high-tech vehicles really are.
By: | April 20, 2016 • 5 min read

You’re tooling down the highway when suddenly your car’s A/C turns on to full blast. Then the radio fires up and switches to a Hip-Hop station.

You’re startled when the wipers turn on, wiper fluid obscuring your view of the road for a moment.

Advertisement




You’re frantically trying to turn it all off when your car loses power completely, leaving you stranded on a busy stretch of road with no shoulder, a semi closing in fast from behind you.

That sounds a little a scene from a spy thriller or maybe even the “X-Files,” but it happened to the driver of a 2014 Jeep Cherokee as researchers Charlie Miller and Chris Valasek hacked into and took control of it.

The duo found a way to hack in wirelessly, exploiting a widely used onboard entertainment system to take over a vehicle’s dashboard functions, brakes, steering and transmission.

Miller and Valasek first made headlines in 2013, when they publicized their success hacking into Ford and Toyota models. At that time, they only managed to accomplish the attacks while their PC was plugged into the vehicles’ diagnostic ports.

Only two years later, the duo found a way to hack in wirelessly, exploiting a widely used onboard entertainment system to take over a vehicle’s dashboard functions, brakes, steering and transmission.

They found they could do it from absolutely anywhere, so long as they had an internet connection. Most disturbing of all, they identified a loophole that could be used to attack multiple cars at once — creating a wirelessly controlled automotive botnet encompassing hundreds of thousands of vehicles.

The team published part of the project online and later demonstrated their “progress” at the 2015 Black Hat conference.

Without question, the more technologically sophisticated and connected vehicles become, the more vulnerable they get.

After Miller and Valasek published their results, Fiat Chrysler issued a recall for 1.4 million vehicles affected by the vulnerability exploited by the team. The automotive industry has been on high alert ever since, even while they simultaneously boast about models equipped with more and better technology.

Without question, the more technologically sophisticated and connected vehicles become, the more vulnerable they get. The push toward autonomous vehicles will only increase those vulnerabilities.

“We are a long way from securing the non-autonomous vehicles, let alone the autonomous ones,” said Stefan Savage, a computer science professor at the University of California, San Diego, during an Enigma security conference early this year.

Autonomous isn’t necessarily synonymous with “connected,” however, even for early entrants to the commercial autonomous vehicle space.

Advertisement




Daimler’s Freightliner Inspiration, the world’s first road-ready self-driving truck, “doesn’t rely on ‘connectivity’ or wireless communication to/from the outside world to drive itself,” said Dan Holden, manager of corporate risk and insurance for Daimler Trucks North America.

“Rather, the system is self-contained, meaning it uses production cameras and radars as inputs to determine the vehicle position and keep it centered in its lane.  Therefore the Inspiration truck is as secure from a cyber perspective as production vehicles today.”

More Frightening Than Fiction

Until cyber vulnerabilities can be addressed, it doesn’t take a broad stretch of the imagination to see what the future implications could be for this type of attack. Consider a few scenarios:

  • The vehicle of a courier transporting sensitive documents is disabled in a remote location, where armed thieves are waiting to steal the documents.
  • A high-level executive receives a message alerting him that ransomers have control of his teen daughter’s car — with her in it — and will drive it off of a bridge if he doesn’t pay $10 million in Bitcoin.
  • A ring of thieves finds a way into the systems of a trucking fleet’s rigs through its onboard camera system, enabling it to stop the trucks remotely so teams can hijack the cargo.
  • An extreme hactivist group decides to “brick” every car in Los Angeles, disrupting businesses and lives until its demands are met.
  • An attacker hacking into a commercial truck’s system disables the brakes, sending the truck careening into a school bus in the middle of an intersection.

Keep in mind that even less extreme types of hacking could create vulnerabilities for both individuals and businesses.

Miller and Valasek proved their ability to wirelessly hack a vehicle for surveillance, tracking GPS coordinates, measuring speed, and tracing routes. When a vehicle’s onboard systems are connected to the driver’s smartphone, the smartphone is also at risk for attack, and any data stored in it is fair game, including passwords and credit card information.

Government and Industry Respond

Miller and Valasek’s work is part of what inspired the drafting of an automotive security bill introduced last year. The Security and Privacy In Your Car Act (the SPY Car Act) would require cars sold in the U.S. to meet certain standards of protection against digital attacks and privacy.

The bill’s creators surveyed 20 carmakers and discovered that only seven used independent security testing to check their vehicles’ security, and only two had tools in place to stop a hacker intrusion.

Several Japanese companies are working on automotive cyber security technology.

In March, the FBI, along with the Department of Transportation and the National Highway Traffic and Safety Administration, published an advisory on the realities of hackable vehicles and making recommendations to increase security.

Several Japanese companies are working on automotive cyber security technology. Panasonic is developing a device that can detect unauthorized network signals and cancel them out. Fujitsu Laboratories and a researcher from Yokohama National University are developing technology that detect an attack, notify the driver, and encrypt signals to allow the vehicle to be stopped safely.

However these technologies are still five years away from commercial availability, as are fully encrypted next-generation automotive networks.

Advertisement




Transportation companies, their clients and every organization with a fleet of its own should be asking questions about the security of the vehicles that are used in the course of their daily operations — and whether they have cover that will respond if their vehicles fall prey to cyber tampering.

“Having insurance coverage in place that would address bodily injury and property damage is something companies should seriously consider as this risk matures,” said William A. Boeck, senior vice president. and insurance and claims counsel for Lockton’s cyber risk practice.

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

Claims Trends

Treating Pain Without Drugs

Other pain relief therapies hold substantial promise in defeating drug dependency.
By: | February 20, 2018 • 9 min read

From high praise to a spiraling crash, opioid-based pain medications are out of favor. Once thought to be the solution to chronic pain, opioids opened the door to an even bigger and scarier addiction epidemic — one that menaces the workers’ comp industry and the population in general.

Advertisement




According to the Centers for Disease Control and Prevention, since 1999, more than 183,000 people have died from narcotic painkiller addiction. An estimated 91 people die each day from opioid abuse.

“Opioids are dangerous drugs. The side effects are dangerous and severe. Their efficacy is not always what people expect,” said Marcos Iglesias, senior vice president, chief medical officer, Broadspire.

“If opioids aren’t the answer, what do we turn to?”

The time to answer that question is now. Workers’ comp professionals, physicians, insurers and employers alike are looking for that next solution to pain, one that will help curb addiction and more quickly get workers on their feet.

Medical cannabis is one candidate.

Marcos Iglesias, senior vice president, chief medical officer, Broadspire

“Marijuana is unique in that everyone comes into the conversation with a bias,” said Mark Pew, senior vice president, PRIUM, a division of Genex Services.

With opioids, he said, no one knew of the dangers at first. Marijuana, on the other hand, always provoked two very polarized views: It does a great deal of good or it’s a strong drug with bad consequences.

A 2014 study published by the Journal of the American Medical Association (JAMA) found a link between legalized medical marijuana and a decrease in opioid-related deaths. States that legalized medical marijuana saw a 25 percent decrease in deaths from opioid overdoses.

Yet, “when people make the claim that medical marijuana is the solution to the opioid epidemic, it resonates with some people because of that bias,” said Pew.

Because of ongoing controversy, not to mention its classification as a Schedule 1 narcotic by the federal government, medical marijuana isn’t lined up to be the pain-relief answer anytime soon.

Non-Drug Therapies

So how about this: Let’s treat pain with no drugs. Radical as it may sound, non-drug pain therapies hold merit.

Meta-analyses collected for a U.S. National Library of Medicine study found that cognitive behavior therapy (CBT) had a positive effect on chronic pain and fatigue. Specifically, CBT was found to be a superior method to other treatments for decreasing pain intensity in fibromyalgia patients.

Iglesias, who has worked as a physician for more than 25 years, said CBT, a psycho-social therapy used to teach patients about the emotional and psychological factors influencing their pain, leaves a lasting impression on the injured.

“The methods I’ve seen work well are behavioral approaches — giving people tools and methods so they can manage their own life.”

“Marijuana is unique in that everyone comes into the conversation with a bias.” — Mark Pew, senior vice president, PRIUM

In workers’ comp, physicians using a CBT approach look at an injured worker’s life outside the office walls. Their home life, their health, their financial responsibilities and their mental ability to cope with an injury all factor into the healing process and could potentially lead to a lengthened claim if untreated.

Assessing these additional forces enables a physician to recommend therapies beyond the typical pill prescription.

Sometimes that means sending a patient to physical or occupational therapy. Sometimes yoga or acupuncture will do the trick, with both philosophies tapping into the mind-body connection  and encouraging relief. Exercise, diet and overall wellness are factored into an injured worker’s chronic pain management.

“Drug-related therapies tend to mask the pain symptoms,” said Michelle Despres, vice president, national product leader physical therapy, One Call Care Management. “Opioids are like the ‘quick fix.’ In physical therapy, we investigate pain patterns, seek to correct musculoskeletal problems and teach people about their anatomy.”

Advertisement




A non-drug pain therapy, PT looks at the physical components of an injury, educating injured workers about the muscles that hurt and how to effectively use them in daily activities. The big question physical therapists ask: What triggers the pain?

“We look at outside activities that could be affecting the injured worker,” she said. “We look at strength, range and flexibility. We want to change the behavior instead of masking the pain.”

Iglesias pointed to another example of non-drug pain therapy called acceptance and commitment therapy (ACT), in which health care professionals work with an injured worker to accept their chronic pain but then commit to living their values in spite of that pain.

ACT, in essence, focuses on mindfulness and function in a person’s life.

Iglesias added he’s seen disability duration lessen because more professionals are starting to address function instead of pain.

Cost and Well-being

But pain is still a big factor in an injury, and CBT primarily focuses on pain management. It’s being used increasingly as an alternative to opioids, too. So much so, in fact, that some states are starting to draft legislation aimed at adopting  its methods.

In Ohio, for example, residents with work-related back injuries are now required by law to try remedies such as rest, physical therapy or chiropractic care before surgery or opioids are even brought into the discussion.

And Ohio isn’t alone; at least 17 states have added restrictions on opioid prescriptions, including limiting the length of time such pills can be prescribed. But not all states are turning to CBT and like methods to combat the growing epidemic.

Michelle Despres, vice president, national product leader physical therapy, One Call Care Management

“In workers’ comp, anytime we talk about change, it’s about cost containment,” said Pew. “But this has nothing to do with cost containment, premiums, closing claims, scale of benefits. It’s about personal well-being.”

Iglesias added he has seen much more acceptance of CBT and other non-drug therapies on the payers’ side, though not everyone is on board.

“Payers see opioids have not helped patients. They’re cognizant of needing to move beyond just drug medications. However, psych and behavioral factors can be a significant issue in workers’ comp. Some individual payers are afraid that a behavior approach might induce a psych claim,” he said.

“Nobody wants to pay for everything that happened to you in your life but, in essence, we do when psychosocial concerns aren’t addressed early and it delays recovery,” added Pew.

“There are payers who have started to see the value in the biopsychosocial model [looking at every aspect of a person’s life], but there’s still an obstacle with psych.”

Still, cost-wise, moving beyond opioids yields reduced pharmacy expenses — not just for opioid prescriptions but also for other prescriptions written for opioid-related side effects like nausea, vomiting, headaches, lack of sleep and so on.

“Opioids have addictive qualities,” said Despres. “It’s easy for us as a society to want to see something diagnostic tied to a drug-based solution. But with alternatives, we lose nothing and chances are we can mitigate chronic pain. We know there are no long-term bad effects to physical therapy.

“The cost to get people off of opioids is huge. Just getting them back to their daily routine, the back-end cost of detox from opioids is enough to at least consider other non-drug pain relief methods as the first treatment option.”

Changing Mindsets

Effective change comes once the employers and their workers understand the benefits of non-drug pain therapies.

Untill now, “in between the payer and the treatment is the patient who has often created this passive mindset that someone else will take care of them,” said Pew.

This mindset isn’t going to help in the long run. Education is key for both employees and employers to work toward pain management.

Advertisement




“One appointment isn’t going to solve the problem,” said Despres. “We have to break the cycle. Time is the biggest downfall; we have to get people moving versus letting someone sit at home. For chronic pain, we provide the education [to the injured worker] on what’s happening inside when they do activities and how to not only manage their symptoms but also correct musculoskeletal imbalances.

“Workers’ comp, as a practice, needs to embrace the idea of being seen quickly and early and getting the injured worker in the mindset of having a role to play,” she added.

For employers, Pew said those who are engaged in their workers’ well-being see more positive outcomes when injuries occur. Investing in wellness programs enables workers to address those outside factors — like psych and diet and exercise routines — before any injury.

“[Wellness programs are] a way of trying to show there is more than a drug or a procedure; employers and physicians can work to teach that concept before an injury even occurs,” said Iglesias.

“There’s a fear that we’re taking something away. There’s a belief that opioids are the best pain modality. Could we develop more programs to teach about opioids to an employer’s population before an injury?”

His answer is a resounding yes.

Public perception plays a big role in the move away from opioids. Workers’ comp professionals, health care workers and legislators see and understand the negative effects of opioids; however, the public isn’t as convinced.

Mark Pew, senior vice president, PRIUM

The New England Journal of Medicine released a study in January entitled, “The Public and the Opioid-Abuse Epidemic.” In it, researchers examined several national polls conducted in 2016 and 2017 regarding how the public believes opioid addiction should be addressed. They found that a significant number (28 percent) don’t actually see it as a national emergency.

Fifty-three percent did say it was a major problem, though only 38 percent of respondents said it affected their home communities.

“An important finding from our review is that at a time when [we] are seeking a substantial increase in government funding for opioid-addiction treatment programs … polls show a large share of the public uncertain about the long-term effectiveness of treatment,” the authors wrote.

They speculate this uncertainty might lead to less funding for alternative treatments to opioids and less funding for people recovering from addiction.

“Sometimes we don’t know everything,” said Despres, “but we should still open up and embrace what could be. If [non-drug therapies] don’t work, you haven’t lost anything. If it does help, you’re better off.”

That’s why engaging employers and their employees is imperative.

“If we see an employer with a pattern of the same injuries, we can offer many possible solutions from ergonomic improvements to classes for body mechanics training.”

A Balancing Act

But one size doesn’t fit all when it comes to pain relief, and while non-drug pain therapies do help, Pew said that doing away with drugs altogether would be unwise.

“Every person is an individual and needs customized — individualized — treatment plans. Every individual is different. How they deal with pain is different, what their support system is like is different — that’s why treating pain is so difficult.

Advertisement




“Exercise, a better diet, yoga and other non-pharmaceutical treatments are effective, but often underutilized components to a successful pain management protocol. But trying to come up with a one-size-fits-all is counter to common sense,” he added.

In a 2017 study released by JAMA, researchers examined patients admitted to the emergency room for pain-related causes. They monitored the cause of their pain and what medicine brought them relief.

Acetaminophen and ibuprofen were found to be more effective than opioids. Combined, they had as much of an effect on pain as opioids.

Iglesias added, “We do need to move beyond opioids. Other pharmaceuticals do have a role to play, but we need to embrace other modalities of treating pain.” &

Autumn Heisler is a staff writer at Risk & Insurance. She can be reached at [email protected]