October is National Cyber Security Awareness Month

National Cyber Security Awareness Month (NCSAM) kicks off this week. And in the wake of last month’s Equifax breach announcement—in which nearly 145.5 million Americans learned their personal information may have been compromised, coupled with the government’s recent efforts to combat cyber threats—NCSAM’s timing could not be better.

The Department of Homeland Security (DHS) hosts the annual NCSAM and will provide online and in-person tools to engage and educate the private and public sectors about cyberrisks. The DHS will also offer mitigation tips and techniques in tandem with this year’s campaign, which is divided into five different weekly themes:

Week 1: Oct. 2-6 – Simple Steps to Online Safety

Week 2: Oct. 9-13 – Cybersecurity in the Workplace is Everyone’s Business

Week 3: Oct. 16-20 – Today’s Predictions for Tomorrow’s Internet

Week 4: Oct. 23-27 – Consider a Career in Cybersecurity

Week 5: Oct. 30-31 – Protecting Critical Infrastructure from Cyberthreats

But NCSAM’s nationwide events are not limited to those themes and will cover topics that run the cybersecurity gamut through formats like workshops, webinars, Twitter chats and conferences – some of which can be livestreamed. One major highlight will be the day-long global launch of NCSAM’s international adoption on Oct. 3 in Washington D.C. Featured speakers at other events include FTC Acting Chairman Maureen Ohlhausen, White House Cybersecurity Coordinator Rob Joyce, Senate Homeland Security Chair Ron Johnson, and Palo Alto Networks CEO Mark McLaughlin. Visit here for an event calendar.

NCSAM is part of the ongoing DHS cybersecurity awareness program, Stop.Think.Connect., which began in 2009 as part of President Obama’s Cyberspace Policy Review. Non-profit organizations, government agencies, colleges and universities are encouraged to join Stop.Think.Connect. as “partners,” while individuals can become “friends” to engage their respective communities and memberships. The program also offers handy toolkits organized by topics such as mobile security and phishing, and by audiences, which range from corporate professionals to young children and law enforcement.

Increasingly, the government is taking cyberrisk seriously. In September, the SEC announced two initiatives to enhance its enforcement division’s efforts to combat cyber-based threats and protect businesses, investors and the public. A new Cyber Unit will focus on targeting misconduct that includes market manipulation schemes involving false information spread on social media, violations involving initial coin offerings and distributed ledger technology, and hacking, among others. Its Retail Strategy Task Force will combat fraud in the retail investment space, from everything involving the sale of unsuitable structured products to microcap pump-and-dump schemes.

In August, President Trump elevated the United States Cyber Command’s status to Unified Combatant Command, with a focus on cyberspace operations. The elevation, he said, will increase “resolve against cyberspace threats, reassure our allies and partners and deter our adversaries,” by streamlining operations under a single commander, which will also ensure adequate funding. In connection with the elevation, the president said Secretary of Defense James Mattis would examine “the possibility of separating United States Cyber Command from the National Security Agency” and will eventually announce recommendations.

RIMS Survey Reveals Continued Confidence in Cyber Insurance

Cyber insurance is still a priority for risk professionals and stand-alone policies continue to gain international prominence, according to the 2017 RIMS Cyber Survey.

The survey’s 288 respondents represented industries ranging from financial services, government and non-profit and manufacturing to retail, health care and more.

Based on survey insights it is clear that cyber exposure is a primary concern, with nearly half of respondents confirming they are spending more now than they did last year to protect against it. The most alarming elements of risk continue to include business interruption and its consequent expenses, reputational harm, and notification and response costs. In light of recent ransomware attacks, 72% indicated that cyber extortion is also an important and growing first-party exposure their organizations are facing—a 9% increase from 2016.

Key findings from this year’s RIMS Cyber Survey include:

  • Organizations with a stand-alone cyber insurance policy increased 3% (to 83%) from 2016.
  • Of the organizations without a stand-alone cyber policy, 84% indicated that other insurance policies include cyber liability coverage.
  • Nearly three-quarters (72%) of respondents transfer cyber exposures to a third party (up 3% from 2016).
  • Only 34% of respondents thought that the government should mandate cybersecurity standards.

With 61% of respondents considering purchasing cyber coverage in the next two years, it is likely the industry will continue to see slow-but-steady growth. But with 83% of respondents reporting that their companies have stand-alone cyber insurance policies, up 3% from 2016, the survey suggests that the market for these policies may be nearing maturity.

“At any given moment, cyber predators can unleash a new hack to infiltrate an organization’s system, steal or lock critical data and cause significant business interruption damages,” said RIMS President Nowell Seaman. “RIMS Cyber Survey shows that risk professionals continue to invest in cyber insurance products and must work in tandem with their insurers and IT professionals to help develop innovative and adaptable solutions for the next generation of cyber threats.”

Manufacturers Vulnerable to Cyberrisk

Manufacturing companies face a serious threat from cyber criminals. According to IBM’s latest intelligence index, theirs is now the second-most targeted sector, after attack numbers increased significantly year-on-year. This heightened risk is compounded by increased vulnerability: the connectivity that manufacturers have embraced to bring about greater operational efficiencies is accompanied by significant and largely uninsured exposures, such as physical damage arising from cyber incidents or loss of income due to stolen intellectual property.

Part of the vulnerability lies in process control and supervisory control and data acquisition (SCADA) systems. These industrial control systems were previously deemed impenetrable because of their proprietary and highly customised networks, but their convergence with enterprise infrastructure, particularly web services and Ethernet, has created a potentially catastrophic risk. Such connections and the growing Industrial Internet of Things (IIoT) can deliver great advantages, but they simultaneously produce weak links that manufacturers cannot afford to overlook.

For example, expensive capital assets such as production machines are retrofitted with technology that connects them to corporate networks. But these machines were typically built without sophisticated cyber-protection measures, or run operating systems that are incompatible with current cyber-security products. All these factors make manufacturers’ industrial control systems particularly vulnerable to cyber-attack.

Physical damage
Physical damage arising from cyberattacks has to date been relatively rare. Early high-profile events, such as claims that Russians hacked into U.S. water treatment facilities to damage pumps, or the Israeli-U.S. ‘Stuxnet’ attack on Iran’s nuclear centrifuges were believed to be state-sponsored.

One of the most underestimated threats to manufacturers is the rogue employee, disillusioned with their employer or falling victim to blackmail. One such attack involved a German steel mill. Hackers, thought to include a rogue employee, took over its industrial control systems via its enterprise system, preventing employees from shutting down a blast furnace. This caused irreparable damage to expensive equipment, yet physical damage and bodily injury caused by a cyber event are typically excluded from most policies. The rise of the hackers-for-hire phenomenon further multiplies potential sources of attack, with competing companies looking to use third parties for corporate espionage, for example.

Stolen Innovation
Other rising areas of threat revolve around the significant non-physical assets residing in manufacturers’ information systems. Cyber theft of intellectual property (IP) has been difficult to insure properly, despite the extraordinary value of items such as the technical specifications of a new product, or the composition of a new pharmaceutical. PwC reports that the number of such thefts, notably of product designs, has doubled.

While competition is a big driver of IP cyber theft, risks such as the loss of income due to stolen IP or the legal pursuit of it are not currently insurable. When you consider the degree to which a manufacturer’s value will be directly linked to their IP, this represents a considerable risk but also one where evidencing and quantifying a loss is very difficult.

Cyber attacks are now identified as the leading cause of supply chain stoppages but supply chain risk is also largely uninsured. Some losses, like business interruption arising from a cyber incident on an IT provider’s network, can sometimes be covered but an interruption caused by a product supplier’s cyber-event typically cannot. Upstream supply risk, associated with liabilities arising from failure to supply goods following an attack, is also difficult to insure.

Market developments
According to research by consultancy BDO USA, 92% of manufacturers cited cyber-security among their top 10 risk concerns in 2016, up 44% from 2013. Another study, however, found only 8% of manufacturers “very confident” in their ability to prevent an IT breach.

This rising risk issue demands action from all parties. Manufacturers must invest further in heightened security and control for their operating technologies, while cyber insurance specialists must continue to develop more sophisticated solutions to transfer manufacturers’ unique exposures more effectively. Insurance carriers are starting to work together more effectively across lines to underwrite the complex cyber risks facing the sector more adequately. Failure to respond to this new era of cyber threats and vulnerabilities will leave manufacturers exposed to reputation and physical damage, bodily injury, severe business interruption, loss of intellectual property, and significant financial loss.

Going Lo-Fi At Sea May Mitigate Cyberrisk

Cyberthreats have become seaborne in recent years, and preventative measures are on the radars of governments and the shipping industry.

GPS and other electronic systems have proven to help ensure safe and accurate navigation, but they have also put digital bullseyes on ship decks. These technology upgrades have unwittingly exposed ships to cyberrisk because their signals are weak enough for remote perpetrators to jam.

When ships and crew members rely solely on GPS systems, they can be at the mercy of a cyberhacker seeking to feed them false positions (“spoofing”), endanger the crew and their cargo, or hold the crew, cargo or sensitive information for ransom.

These risks are exacerbated by the fact that ships typically do not have automatic backup systems, and younger crew members are increasingly reliant upon the newer electronic navigation tools.

Allianz’s Safety and Shipping Review 2017 highlighted the growing threat of cybercrime in the sector, and noted the increasing level of activity in the last five years. For example, World Fuel Services fell victim to an online bunkering scam in 2014 when it agreed to participate in a tender for a large amount of fuel from what it believed to be the United States Defense Logistics Agency. Cybercriminals collected $18 million from that successful impersonation. In 2016, hundreds of South Korean vessels had to return to their ports after North Korea allegedly jammed their GPS signals.

The report noted that most maritime cyberattacks have been aimed at breaching corporate security, rather than taking control of vessels, but warned that such attacks could occur.

Captain Rahul Khanna, head of marine risk consulting at Allianz Global Corporate & Specialty, noted in the report that more, larger-scale attacks are imminent if the risks are not appropriately addressed. “We can’t put IT security on the backburner,” Khanna said. “Just imagine if hackers were able to take control of a large container ship on a strategically-important route. They could block transits for a long period of time, causing significant economic damage.”

The report also stressed that “crew education and identifying measures to back up and restore systems should be implemented” to reduce cyberrisk.

Looking Back For a Signal Forward
Some companies and governments have heeded the warnings and are identifying these indicators of attack. Preventative measures may lie in a maritime tool that had taken a backseat to the prevalence of GPS—a backup radio technology called Enhanced Long-Range Navigation (eLoran), which was developed in the United States in the mid-1990s. It has continental reach, emits strong low-frequency signals, and relies on land-based transmitters at a limited number of fixed positions. These once-limiting traits could be the automatic backup systems ships need in the event of jamming or spoofing.
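As an added illustration (not from the article or any vendor), this is the kind of cross-check a bridge system could run once an independent fix such as eLoran is available: a missing GPS fix is treated as a jamming indicator, a large GPS/eLoran disagreement or an impossible jump in the GPS track as a spoofing indicator, and the monitor says which source to steer by. The fixes and thresholds are constructed for the example.

```python
import math
from typing import Dict, Optional, Tuple

# Constructed example: a position-integrity monitor that cross-checks the
# GPS fix against an independent eLoran fix. Not operational software.
Fix = Tuple[float, float]          # (latitude, longitude), decimal degrees
EARTH_RADIUS_M = 6_371_000.0
M_PER_S_TO_KNOTS = 1.943844

def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance in metres between two fixes."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def implied_speed_knots(prev: Fix, cur: Fix, seconds: float) -> float:
    """Speed the vessel would need to move from prev to cur in the given time."""
    if seconds <= 0:
        raise ValueError("time between fixes must be positive")
    return haversine_m(prev, cur) / seconds * M_PER_S_TO_KNOTS

def assess_position(gps: Optional[Fix], eloran: Optional[Fix],
                    prev_gps: Optional[Fix] = None, seconds: float = 60.0,
                    max_divergence_m: float = 500.0, max_speed_knots: float = 40.0) -> Dict[str, object]:
    """Decide which source to steer by. No GPS fix -> jamming indicator;
    GPS jump implying an impossible speed, or GPS far from eLoran -> spoofing
    indicator. Thresholds are placeholder values chosen for the example."""
    if gps is None and eloran is None:
        return {"status": "NO_FIX", "use": None}
    if gps is None:
        return {"status": "GPS_LOST", "use": "eloran"}
    if prev_gps is not None and implied_speed_knots(prev_gps, gps, seconds) > max_speed_knots:
        return {"status": "GPS_JUMP", "use": "eloran" if eloran else None}
    if eloran is None:
        return {"status": "UNVERIFIED", "use": "gps"}
    d = haversine_m(gps, eloran)
    if d > max_divergence_m:
        return {"status": "DIVERGENCE", "use": "eloran", "divergence_m": round(d)}
    return {"status": "OK", "use": "gps", "divergence_m": round(d)}

if __name__ == "__main__":
    # Constructed fixes near 1.25 N, 103.80 E; not real vessel data.
    print("good   ", assess_position((1.2500, 103.8000), (1.2501, 103.8001)))
    print("jammed ", assess_position(None, (1.2500, 103.8000)))
    print("spoofed", assess_position((1.3000, 103.8000), (1.2501, 103.8001), prev_gps=(1.2500, 103.8000)))
```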

On July 20, 2017, when the Department of Homeland Security Authorization Act (H.R. 2825) passed the floor of the U.S. House of Representatives, eLoran’s importance was stressed. The act includes a section titled “Backup Global Positioning System,” which features provisions for the U.S. Secretary of Transportation to initiate an eLoran system. H.R. 2825 proposes that eLoran be made available as a “reliable…positioning, navigation and timing system,” with the purpose of providing “a complement to, and backup for the Global Positioning System to ensure availability of uncorrupted and nondegraded positioning, navigation and timing signals for military and civilian users.”

Reuters this week reported that South Korea’s Ministry of Oceans and Fisheries is looking to establish the technology in a test form by 2019.

Time will tell if eLoran is the most practical and cost-efficient method to mitigate cyberthreats at sea. If companies want to mitigate maritime cyberrisk now, it seems the first step would be to look to the technology of the past and turn on the radio.