Cyber Threat: Transportation

Disabled Autos

Hyperconnectivity and driverless cars raise new cyber risks for automakers and their suppliers.
By: | April 7, 2014 • 7 min read

Hacking into cars is not a future concern. It is possible now, and the potential danger will increase as carmakers continue to enhance connectivity features in automobiles.

But even that threat pales against the potential damage cyber attacks could wreak when driverless cars take to the roads for real.

Advertisement




One common perceived threat here and now comes from the ease of access that manufacturers have built in for drivers. If a driver can unlock a car door and start the engine using a cell phone, an unauthorized person can turn off that engine and lock the doors from a cell phone.

Taking a drive into the near future, could someone arrange for all of the cars on a Los Angeles freeway to have their engines turned off at the exact same time?

Even now, the ability to hack into and remotely control a car is a clear and present danger.

 Video: Behind the wheel of a car, you may be able to text, watch a movie or even sleep — if it’s a computer-controlled, driverless car. The WSJ’s Michael Kofsky heads to the test track to show how it works and safety questions it raises.

A pair of security engineers — doing their research with an $80,000 grant from the Pentagon — were able to hack into the systems of Toyota and Ford cars, and override a driver’s braking attempts, according to an account of the scenario in Forbes.

The pair was able to “demonstrate a range of nasty surprises: everything from annoyances like uncontrollably blasting the horn to serious hazards like slamming on the Prius’ brakes at high speeds. They sent commands from their laptops that killed power steering, spoofed the GPS and made pathological liars out of speedometers and odometers,” according to Forbes.

Expanding such abilities simultaneously to a fleet of cars is a feat yet to be accomplished.

“It could be possible to hack into one or another vehicle, but there is nothing that can stop the whole fleet at the same time,” said Mark Brooks, senior research engineer at the Southwest Research Institute (SwRI) in San Antonio. “Current levels of connectivity are not seen as major threats because they are not continuous.”

No One at the Wheel

“Even when a driver is using a navigation system, that is just a single download. The industry is much more concerned about continuous streaming back and forth, as with driverless cars,” he said.

Driverless cars rely on a number of sensors to operate, and are definitely vulnerable to attack, according to one of the hackers at the Def Con Hacking Conference in August.

“I’m a huge fan of unmanned vehicles,” said a hacker who goes by the name of Zoz to Venture Beat, a blog that focuses on technology. “I love robots. I think they’re the future. But, like everything else humans ever made, it’s going to get hacked.”

Google’s driverless car’s primary system is a “laser range finder mounted on the roof of the car,” which generates a 3D map of the area, according to IEEE, a technology professional organization.

R4-14p34-36_03Cars_ER.indd“The vehicle also carries other sensors, which include: four radars, mounted on the front and rear bumpers, that allow the car to ‘see’ far enough to be able to deal with fast traffic on freeways; a camera, positioned near the rear-view mirror, that detects traffic lights; and a GPS, inertial measurement unit, and wheel encoder, that determine the vehicle’s location and keep track of its movements.”

Zoz told Venture Beat that it would not require sophistication to attack and derail those sensors, and he pointed out that engineers in Iran were able to hack and capture a U.S. drone by “spoofing” the GPS and feeding it incorrect location information.

Death and destruction are always a worry when hackers can subvert an operating system, but apportioning liability is also a major concern, SwRI’s Brooks said.

Advertisement




“If there were any problems, whose fault would it be? The carmaker? The navigation OEM? The software company? The driver? These are the discussions everyone is starting to have.”

Those initial conversations can be difficult, said Dave Wasson, professional and cyber liability practice leader at brokerage Hays Cos. in Chicago.

“The issues are known. People are aware of the risks. But at the moment there is kind of a paralysis because it is unclear how to quantify these risks, and also because even if we could quantify them, there are very limited options yet in how to deal with them.”

A Flawed System

Wasson added that a reordering of the current liability structure is both necessary and inevitable. “Right now, you have a pull market, with small OEMs seeking coverage because the first-tier OEMs and carmakers demand that they be indemnified. But that is not sustainable. A client might demand a $15 million cover from a small supplier, but that cover could cost the supplier $50,000 when he only grosses $100,000 on the contract.”

It is a situation where bigger companies are offloading their risk management onto smaller ones, and that, Wasson said, is flawed.

“Even when the suppliers comply, often the package does not work the way either the supplier or the OEM client thinks it will,” he said.

“Eventually the large firms will realize that they need to take this as primary,” Wasson said. “They have the assets, the skills, the risk managers, and the brokerage relationships to get it done properly.

“Besides, they are the ones who are going to get sued. They can turn to their indemnification contracts, but if the small supplier with few assets goes bankrupt, then what? It’s the company with the badge on the car that people are going to go after.”

As those issues percolate, commercial vehicle operators have other challenges as well.

“One really big cyber issue for a logistics company or express delivery service would be to have the GPS signals for their vehicles scrambled, or the electronic shipment documents tampered with,” said Steve Surber, area vice president for Arthur J. Gallagher in Irvine, Calif.

A cyber attack could be used to divert a shipment, cover theft, tamper with cargo, or even just to delay a shipment that is time sensitive. And the theft could be of the truck or trailer itself, some of which are worth up to $60,000, he said.

On another level, hacking can be used to disrupt the loss control systems of trucking lines, many of which use GPS and electronic reporting to track their fleet performance, Surber said.

Cyber alterations of such reporting could hide potential liability issues such as speeding, sleeping, unauthorized stops, fuel diversion, or many other misdeeds by shippers, loaders, drivers or consignees.

“Companies already rely heavily on computer systems and networks to help with loss control,” he said.

Among insurers, coverage is still evolving, he added. “There is some coverage from cyber policies, but mostly we are still seeing claims handled through general liability.”

Wasson, at Hays Cos., said that while the cyber risk and liability markets are pull markets at present, with owners seeking to transfer risk, the business is not without push.

“We are energetic about working with our carriers,” he said. “There is coverage and there is capacity.”

Cyber Security Efforts

In April, an automotive consortium started revving up its efforts to enhance cyber security.

The Automobile Consortium for Embedded Security — a part of SwRI — includes automakers, original equipment manufacturers, other suppliers, and cyber security experts.

The program aims to provide “pre-competitive and non-competitive research in automotive embedded systems security to protect the safety, reliability, brand image, trade secrets and privacy of client members’ future products,” according to the organization.

Mark Brooks, senior research engineer, Southwest Research Institute

Mark Brooks, senior research engineer, Southwest Research Institute

“As soon as they start claiming their vehicles are secure, they would paint a target on themselves. It’s not like safety or fuel economy. With security, there are bad guys and you don’t want to attract their attention.”

The consortium, Brooks said, “is looking at emerging research both in new technologies and new protections for embedded security for the automotive world.”

“There are lots of theoretical threats,” he said, “but we want to be sure we are focusing our efforts on the most relevant ones.”

The unique challenge is that automakers want to enhance the protections in their vehicles, but ironically, it is not something they want to advertise.

“As soon as they start claiming their vehicles are secure, they would paint a target on themselves.

“It’s not like safety or fuel economy. With security, there are bad guys and you don’t want to attract their attention.”

He said that automakers also are hesitant to unilaterally invest in cyber security efforts.

Advertisement




“As we started talking to automakers, we found them eager to be part of developing security, but it’s tough for them to take the lead or commit a lot of money to something that will not help them sell cars,” Brooks said.

“They also don’t want to reinvent the wheel,” he said. “They are very interested in solving common problems with peer-reviewed research and applications.”

                                                                                                               

Complete coverage on the inevitable cyber threat:

Risk managers are waking up to the reality that the cyber risk landscape has changed.

Cyber: The New CAT. It’s not a matter of if, but when. Cyber risk is a foundation-level exposure that must be viewed with the same gravity as a company’s property, liability or workers’ comp risks.

042014_02c_hospital_thumbnailCritical Condition. The proliferation of medical devices creates a host of scary risks for the beleaguered health care industry.

Alaska Plane CrashUnmanned Risk. The dark side of remote-controlled drones, which have already been hacked — by students.

dv738024An Electrifying Threat. There is a very real possibility hackers could devastate the nation’s power grids — for a potentially extended period of time.

Gregory DL Morris is an independent business journalist based in New York with 25 years’ experience in industry, energy, finance and transportation. He can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: | October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.

Advertisement




That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top.” — Steve Legg, director of risk management, Starbucks

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.

Advertisement




Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on. &

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]