This article originally appeared on November 3, 2016 in the Horton Group’s newsletter.
The term “Internet of Things” (IoT) refers to networks of “smart” devices (including appliances, vehicles, watches and toys) that collect and exchange data over the internet. In the last few years we have started to see these devices become part of our homes and personal lives. And, unfortunately, we have seen hackers gain more access to our homes and personal lives through these interconnected devices.
While the IoT is not a new concept for many insurance or technology professionals, manufacturers and smaller businesses have recently seen how interconnected devices, such as video cameras or computers, can give their businesses an edge over the competition. These devices are improving productivity by allowing remote access, by automatically checking in with the manufacturer for software updates and by allowing data storage. And, as seen in our homes and personal lives, these devices are unfortunately allowing hackers more access to our workplaces and giving hackers more unguarded devices that can be used in their attacks on society. While the full extent as to how much access hackers will have is still unknown, a glimpse at these issues makes clear that the best strategy includes integrating cyber insurance with its other safeguards.
The Good: The Industrial Internet of Things Can Improve Productivity
It is not difficult to see how the interconnectivity offered by these IoT devices can improve the workplace. For example, the October 25, 2016 issue of the Chicago Business Journal describes what is commonly referred to as “the industrial internet of things” (IIoT). Similar to that seen in the technology showing up in our homes, the technology giving rise to the IIoT connects industrial machinery “to enhance functionality and improve operational efficiency in industrial settings, ultimately making manufacturing more flexible, efficient and profitable and better able to serve their customers.” The IIoT is being credited with increasing efficiency in factory processes, energy usage and transportation. In particular, the Chicago Business Journal discusses how IIoT provides “real-time data,” methods for “better asset use,” and the ability to fix problems quicker by using “predictive diagnostics.” At this early stage, the IIoT is a method worth exploring to increase productivity.
The Bad: IIoT Gives Hackers Access to the Workplace
While the overall impact of the IIoT on industry is considered positive, there should be no question that, as seen with any technological advance, there are some drawbacks. Specifically, the one trait that allows the IIoT to be useful, interconnectivity, has allowed hackers and criminals to gain access to interconnected industrial networks. For example, in 2008, hackers shut down a Turkish oil pipeline which resulted in a massive explosion. The hackers, believed to be Russian, compromised the pipeline’s surveillance camera software and infiltrated the pipeline’s internal network. After gaining access, the hackers shut down alarms, cut off communications and caused the crude oil in the line to over-pressurize to cause the explosion. Without setting off a single alarm, the explosion shut the pipeline down and caused large financial losses for the private companies and governments with interests in the pipeline.
A second example was seen in 2004 when a German steel factory was attacked by hackers who gained control of a blast furnace. According to reports, the factory suffered massive damage when hackers managed to access the factory’s production networks and tampered with the controls of a blast furnace. After the system was compromised, individual system components began to fail. As a result of the failures, one of the plant’s blast furnaces could not be shut down, resulting in extensive damage to the plant.
These attacks on the Turkish oil pipeline and the German blast furnace demonstrate the damage when hackers are given the opportunity. More troubling is the fact that these two incidents occurred before the interconnected devices were even remotely common in the workplace. That is, hackers will have more opportunity in the coming years. As businesses continue to adopt interconnected technology, we can expect hackers to have increased access to industrial systems. And, in turn, we can expect more security issues to impact industrial systems, networks and systems.
The Ugly: The Influx Of Devices Used in the IIoT Also Increases the Number of Devices Available for Hackers’ Attacks
Unfortunately, the increase in interconnected devices translates into more devices available for hackers to hijack and use in cyber attacks. For example, internet-connected surveillance cameras and other unprotected IoT-connected devices were used by hackers to cause massive internet disruptions on October 21, 2016. This recent attack is generally blamed on the “Mirai botnet” which used unprotected IoT devices to launch a Distributed Denial of Service (DDoS) attack on at least 80 major websites. While it is still early in the investigation, it appears many interconnected devices were hijacked to take part in this attack.
Thus, the devices giving rise to the IIoT do not just merely increase the number of devices available for hackers to infiltrate individual networks. In simple terms, the chances of large-scale cyber attacks increase as the number of unprotected devices increase which can be used in such attacks. And, while many businesses understand the importance of cyber security for computers in the workplace and at home, cyber security for other interconnected devices can be easily overlooked. Consequently, we can expect to see internet connected devices used in the workplace to be used in many DDoS attacks in the near future. And, those attacks, which shut down websites and other computer systems, could easily cut into the productivity in a number of industries.
Cyber Insurance Available to Address IIoT
While it may be unclear what technological safeguards are worth the investment, businesses can be certain that cyber insurance provides a cost-effective and simple method to decrease the risks associated with the IIoT. In particular, first party insurance policies with the following coverages are essential for any business attempting to limit the possible harm created by interconnected devices:
- Loss or damage to digital assets: This coverage may include loss or damage to data or software programs, resulting in costs incurred through restoring, updating, recreating or replacing devices to the same condition they were in prior to the loss or damage. For example, this coverage may cover the costs to repair software used in the workplace which has been lost to a virus or otherwise compromised by hackers.
- Business interruption from network downtime: This coverage may include costs related to interruption, degradation in service, or failure of the network, resulting in loss of income, increased cost of operation and/or costs incurred by mitigating and investigating the loss. For example, one factor that did not become clear until recently is the fact that while the property damage in the Turkish oil pipeline and German blast furnace incidents was expensive, a company that suffers such a loss would also have to stop their assembly lines or other industrial processes while clean-up and repairs/replacement are completed.
- Cyber extortion: This coverage may include costs related to attempts to extort money by threatening to damage or restrict the network, release data obtained from the network, and/or communicate with the customer base under false pretenses to obtain personal information. This coverage becomes more important everyday as businesses are increasingly targeted for “ransomware.” As seen in our homes, businesses will get the most out of IIoT-connected technology by understanding and preparing for unforeseen risks. The threat from the increasing number of interconnected devices is two-pronged: first, hackers have more access to the individual networks and systems; and, potential losses related to shutdowns caused by DDoS or similar attacks can disrupt productivity and vendor productivity. Therefore, it will be become increasingly clear that obtaining cyber insurance is part of any reasonable strategy to handle the unforeseen risks related to the IIoT.