By Joseph F. Bermudez, Esq. of Wilson Elser, et al
A recall notice to fix critical control software on 1.4 million vehicles should raise concerns for companies, brokers and insurers across several business lines. The vulnerability of vital control systems to a remote hacking threat is a significant exposure that raises concerns for many industries and supply chains. As we learned late last year with a German steel mill cyber event, the threat of physical harm caused by a control system hack is no longer theoretical. Governments, companies, brokers and insurers must recognize and understand the risks, implement safety measures and consider loss contingencies. Emerging coverages for cyber exposures, automotive or components product recalls and supply chain risks can assist companies with surviving crisis cyber events.
Jeep Hack Exposure
Security experts teamed with Wired magazine to demonstrate the ability of anyone to wirelessly hack into and control a vehicle’s entertainment and control systems. An entertainment system, or head unit, is usually connected to numerous electronic control units (ECUs) found throughout a vehicle. Today’s vehicles can contain up to as many as two hundred ECUs. The experts showed how to wirelessly break into a car’s control systems and electronically operate vital vehicle functions. They advised that they could have easily demonstrated the same ability to hack ECUs found in hundreds of thousands of vulnerable vehicles traveling the world’s highways.
Government Response to Vehicle ECU Cyber Threats
Two United States senators, Edward Markey and Richard Blumenthal, reacted quickly to the demonstrated threat and have introduced a bill in the Senate that would require automobile manufacturers to develop standards that secure drivers against vehicle cyber-attacks. The Security and Privacy in Your Car Act of 2015 (the Act) would require automakers to comply with cybersecurity standards and equip vehicles with software that would detect, report and stop attempts by hackers to intercept driving data or control the vehicle. The Act would also seek to incorporate isolation measures to separate critical software systems from non-critical software systems. However, under the proposed Act’s current language, the measures would not be implanted for several years.
Control System Exposure to Cyber Threats Is Widespread
Before late 2014, cyber events were thought to concentrate on the loss or theft of information or data. At the end of last year, we learned cyber events have evolved into a more dangerous and malicious threat as industrial control systems/supervisory control and data acquisition (ICS/SCADA) systems are being targeted. The use of malware to compromise and manipulate ICS/SCADA systems has raised the stakes for many business lines.
The emergence of this cyber threat is not surprising as more and more control systems become accessible directly from the Internet. By allowing employees to gain remote access to control systems networks, companies face an increased risk of cyber attacks gaining unauthorized access to control environments. Recent, though little noticed events have increased concerns about ICS/SCADA attacks.
For example, in late 2014, the control systems of a German steel mill were remotely manipulated causing significant plant damage. Using sophisticated spear-phishing (use of emails that appear to come from within an organization or from a trusted source) and social media engineering techniques, the attackers gained access to the plant’s business network. From there, the attackers were able to infiltrate the facility’s production network. As they explored the company’s networks, they were able to compromise a number of systems, including various industrial components on the facility’s production network. The manipulations of the company’s systems caused a number of internal failures and the company was unable to properly shut down a blast furnace, which resulted in massive damage to the facility.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is part of the U.S. Department of Homeland Security, reported that U.S. ICS were hit by cyber attacks at least 245 times in 2014. Significantly, the ICS-CERT reported that the Energy and Critical Manufacturing sectors were the most sought-after targets. Other targeted sectors include Health Care, Communications, Water Supply and Transportation. The identified incidents included a range of threats and methods that successfully gained access to business and control systems infrastructure, including ICS/SCADA. The evolution and emergence of cyber events involving ICS/SCADA systems raises significant concerns in regard to damaged property and potentially to resulting bodily injuries.
Supply Chains May Deliver Hidden Cyber Threats
The Internet of Things, or the ability of conventional or everyday objects to connect to the web to send and receive data, continues to grow and spread into every aspect of our daily lives. See The Internet of Things: Liability Risks for Tech Cos. All of these devices, appliances, gadgets, mechanisms and components reach companies and consumers in the same manner: the supply chain. Today, global supply chains are common and are fraught with vulnerabilities enhanced by cyber threats. The very nature of supply chains makes them inherently vulnerable and hard to protect against cyber threats. Supply chains are extended, complex and interconnected with various links that do not follow regular routes. The supply chains that will connect component parts and deliver finished goods can begin far, far away from the ultimate destination. Thus, various links in any supply chain may be vulnerable to the installation of malware. In other words, the product a company purchases for incorporation into its ICS may already be loaded with malware or a malicious code, which is impossible to remove. Understanding and protecting against such vulnerabilities is critical to auto, components and other supply chains.