The Coming Transformation of Insurance: A Cyber Security Driven Revolution

Historically, insurance providers have sought to offer services to keep families safe in the event of a disaster, offering protection for peoples’ cars, homes, and health. The landscape of this industry is undergoing a rapid change, however, as the dangers of cyber terrorism are being brought to light faster than anyone could expect. The recent WannaCry attack highlighted how unprepared the world is for large-scale, malicious cyber-attacks, a weakness that if left unchecked could lead to horrendous loss of life and property.

The unfortunate reality is that hacking cannot be stopped. The nature of cyber-attacks allows hackers to remain anonymous, making it exceedingly difficult to prevent attacks from occurring. As a result, defense is the only strategy that can be feasibly taken, and insurance companies have no small part in the execution of that tactic.

In addition, the automotive insurance industry is facing a steep dilemma, namely the advent of autonomous vehicles. As automotive insurance rates are often defined by the risk factor of the customer, self-driving cars throw this business strategy for a loop. With one of the most widely advertised advantages of autonomous cars being their safety and ability to minimize accidents, the automotive insurance industry will find it harder to keep demand for their services high. Insurance firms must take step towards the future, entering the market of defending those new attack surfaces brought about through the emergence of connected cars – car hacking.

By integrating themselves into the connected nature of new cars, insurance companies will also be able to offer a plethora of services never before possible. These include innovative new products like UBI (User-based Insurance), tailor made, user behavior based insurance plans allowing customers to benefit from truly accurate insurance plans. We are already seeing the application of PAYD (Pay as you Drive) plans that offer better plans based on mileage. True IoT development will further refine these strategies, and may make them a possible de facto standard.

Other uses include FAAS (Forensics as a service), which will give insurers access to the data collected by a vehicle as it drives. This ability to investigate crashes using the on-board computers’ data can significantly reduce the time and effort needed to find the facts in the event of an accident.

Ed Leefeldt of CBS alludes that presently, companies pay at least $3.25 billion each year for cyber insurance. More shocking though, is that the number is anticipated to rise to $20 billion by 2025. This huge increase in necessity for cyber insurance is one of the key targets for cyber security firms like Trillium. With even corporate giants such as Disney not being safe from the dangers of hacks, small businesses and even individuals need to consider the value of investing in cyber insurance. As a lead innovator in the field of IoT security, Trillium is dedicated to securing the lives and livelihoods of the people and companies of tomorrow.

Cyber Security: Closer to the Heart than you Thought

While Trillium’s main area of focus is securing the automotive industry from cyber-attacks, as threats evolve so must we.

As the internet of things becomes more integrated into peoples’ daily lives, more aspects of everyday life will be vulnerable to hacking. Despite the convenience of being able to connect your refrigerator or washing machine to a smartphone, the reality of the risk involved is rather dire. Even these seemingly insignificant edge nodes can be the gateway for a malicious hacker to penetrate a sensitive system, potentially stealing or destroying personal information. Even worse, however, would be an exploitation of a life-saving medical device.

Precedent has shown that pacemakers with wireless capabilities can be hacked, with potentially fatal consequences. According to an article by Jikku Varghese Jacob on Onmanorama, once granted access, a hacker has the life of the patient in their hands. “The hackers would be able to increase or lower heart rates of the patient, or even hijack it to deliver a fatal shock to the person’s heart.” (Jacob, 2017)

As advances in medical technology are being made, it is not unthinkable for computers to become integrated into other medical devices, such as prosthetic limbs. The thought of a hacker exploiting such devices initially devised to improve the lives of the patients is repulsive. There is little merit to developing such technology if we don’t take the necessary steps to ensure that those who need those products are safe from potentially worse threats. To that end, Trillium is dedicated to raising awareness for the need for strong, reliable cyber defense for the products of today and tomorrow.

From Fixed to Fluid: The Dawn of Custom Vehicle Systems

With vehicles becoming increasingly software-oriented over the years, the potential for customized automotive software has skyrocketed. More and more each day, drivers are learning about the inner workings of their cars, how the CAN bus and OBD II port of their vehicles can be used to enhance their vehicle. CAN (Controlled Area Network) is the network of connections between the electrical control units in a vehicle. The OBD (On-board diagnostics) port is the gateway to the CAN network in vehicles, a unique port found in most cars. From enabling hidden features in a vehicle, to improving a car’s mileage, communities across the internet are further and further exploring the possibilities car hacking can bring.

This customize-ability adds a new, needed dimension to how people will use cars. The car of yesterday was something you bought as-is, with all the features decided by the OEM. The car of tomorrow allows for user driven customization based on wants and needs.

Just as we expect the ability to download apps to our computers and smartphones, the same will inevitably come to be true for automobiles. Johnathan M. Giltin of arsTechnica emphasizes on this, saying that “…an entire ecosystem of companies exists ready to give you the tools to take your WRX, GT-R, or whatever to the next level.”

As this field grows, a future where people can re-wire their cars for each trip throughout the day is entirely feasible. One might chose to optimize their mileage for their morning commute and instead select to change that setting on their way home, when they know that they’ll encounter less traffic. But while the possibilities are endless, so are the risks.

It is common knowledge that the internet is full of programs that advertise themselves as safe, useful applications while secretly infecting the user’s computer with malware. As the communities of car-hack enthusiasts grow, so will the number of unregulated, unverified user-created car programs. It is best practice not to download risky software without an antivirus on one’s computer, and the same practice will be a necessity in the future of car customization. For a field in which new programs and applications will be produced at such an alarming rate, static, non-dynamic security will not suffice. Fast, seamless updates to powerful security protocols are needed, and meeting that demand is the core of Trillium’s ambition.

The Truth About Approaching Cybersecurity

With cyber security achieving an increasingly important position in the world, many companies have found that their initial measures have not held up well enough in the face of novel cyber-attacks. This issue stems from factors such as failure to seriously consider cyber security, as well as an inability to implement security effectively.

Possibly the most difficult-to-grasp aspect of defense in cyberspace is the need to escape notions that are true for the physical world, but are not necessarily true for cyberspace. One example of this is common understanding of borders and proximity. In the physical world, borders are observable, placed and maintained by the people around them with clear dimensions. Location and distance are very different in cyber space, as Michael Daniel, president of the Cyber Threat Alliance, states in an article in the Harvard Business Review. “Proximity is a matter of who’s connected along what paths, not their physical location.”

Daniel also points out the flaws of relying on physical jurisdictions – a cyber-attack can be purported from any location to any network, using an array of hacker tools. It is thus not reasonable to mandate jurisdiction based on physical location. Laws and policies regarding cybersecurity need to be approached with a new mindset, one that acknowledges the need for flexibility in securing the networks of the world.

The responsibility for the protection of companies and consumers lies not only with governments, but with those individual entities and end users as well. For a field in which designating areas of jurisdiction is so asymmetric, the division of accountability cannot afford to be rigid. Daniel suggests employing the same strategy taken by disaster response planners.

“In disaster response, preparedness and initial response reside at the local level; if a given incident overwhelms or threatens to overwhelm local responders, then steadily higher levels of government can step in. We could apply these principles to allocating responsibility in cyberspace -businesses and organizations remain responsible for securing their own networks, up to a point. But if it becomes clear that a nation-state is involved, or even if the federal government merely suspects that a nation-stat is involved, then the federal government would start bringing its capabilities to bear.” (Michael Daniel, 2017)

Daniel’s statements echo Trillium’s beliefs, that no business or organization should lack preparation for a cyber-attack. Waiting defenseless until an incident occurs and then depending on the government to take care of the situation is not only risky, but irresponsible. If the damage caused by the initial infiltration is severe enough, loss of wealth, privacy, and even life can occur. To this end, it is imperative that the world prepare itself for the future, for in an invisible environment in which countless threats lurk, no shelter is not an option.

Trillium takes Shanghai!

Last week Trillium’s CEO, David Uze, was the keynote speaker at the second Asia Intelligent Connected Vehicle Conference and Expo 2017 in Shanghai! We wish to send out our warmest thanks to all those involved in organizing such a great event.

View post on imgur.com

 

View post on imgur.com

View post on imgur.com

View post on imgur.com

East Asia’s Hidden Threat: Unit 180

With cybersecurity experts across the globe scrambling to recuperate after the WannaCry attack earlier in May, suspicions have begun to fall onto the Democratic People’s Republic of Korea. Dozens of publications, including The Japan Times have published articles focusing on North Korea’s cyber spy programs.

Given special attention recently is a sector called Unit 180, a special cell in North Korea’s spy agency suspected of carrying out some of the largest cyber-attacks in the past decade. These include a cyber-heist on the central bank in Bangladesh and an infiltration of Sony’s Hollywood studio in 2014. Despite the publicity these attacks received, Pyongyang has always been able to deny their involvement in them, leading to an inability to investigate them further.

A prominent reason for the difficulty in indicting the hackers rises from the fact that the hackers often perform their attacks from outside of North Korea, travelling to China or other Southeast Asian countries under the premise of other business. These countries often have superior internet infrastructures than North Korea, a side-effect of their closed-off nature. From that position, they can attack computers all around the world, and with remote IP addresses no less. This problem highlights the need for not only a strong defense when it comes to cyber security, but also a swift and potent rebuttal. In order to truly be safe from future attacks, Trillium has poured time and effort into the development of our SecureIXS platform, giving us the much-needed ability to aggressively counterattack in the case of an intrusion. Not only is such functionality critical to securing users’ life and liberty, it is also instrumental in ensuring that perpetrators can be held accountable for their crimes.

In an age where dangerous military secrets could be plundered in a cyber-attack, this level of anonymity is a threat that cannot be left unaddressed. For as long as malicious entities such as Unit 180 exist, further investment and development of cyber defense is an avenue all nations must prioritize, lest that malice turn to open, unrestrained aggression.

Threats Lurking Beneath the Surface: The Rise of Cryptocurrency Snakes

With the world’s focus on the recent aggressive cyber-attack endemic, a subtler, yet equally terrifying threat has begun to emerge. WannaCry represented the brutal, blow-like impact a cyber-attack can have, directly assaulting the lives and livelihoods of people across the globe. This attack is drawing mass media attention, as it affects thousands of people worldwide, and prioritizes making itself known, forcing the afflicted user to either pay a ransom or settle for having their devices locked. What has failed to receive its due attention, however, is the snake known as Adylkuzz.

In contrast to WannaCry’s brash, up-front demand of a ransom in exchange for unlocking a system, Adylkuzz is a background cryptocurrency miner. It infects a device and uses it to mine Monero, a cryptocurrency similar to Bitcoin. This process is very computationally intensive, and as such results in loss of performance for both the devices and the servers they are connected to. These symptoms can often be attributed to simple problems, such as high internet traffic. The problem therein lies in that this kind of attack can continue indefinitely, without the user being explicitly aware that an issue exists. The average user could be a host for Adylkuzz for weeks and not even notice the drop in performance.

WannaCry is to a tornado as Adylkuzz is to a poisoned water supply. While the former openly draws the attention of those that it devastates, the latter allows the victims to proceed with their everyday routines with little to no idea that a problem exists in the first place. In fact, an article by proofpoint claims that Adylkuzz has been in play even longer than WannaCry, having begun shortly after the EternalBlue exploit was leaked.

“…it should be noted that the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24.” (proofpoint, May 15th 2017)

This threat, while on the same scale as WannaCry has received little media attention despite being present since early May. While the fear of open attacks keeps the public occupied, this kind of subtle attack has the chance to make its way into our systems.

The cybersecurity community needs to work hard to ensure that our networks and devices are secured, as when it relates to cyber-attacks, the absence of evidence is not the evidence of absence. Strong, flexible, and easily updateable security solutions like those developed at Trillium are a necessity not only to protect users from the threats they can see, but also the ones they can’t. The importance of swift preemptive action cannot be denied, as indeed an ounce of prevention is worth a pound of cure.

Cybersecurity and the Law

With the pressing issue of cybersecurity being brought into the public eye again as a result of last week’s WannaCry attack, lawmakers have been taking steps to see that laws are put into place to thwart similar incidents in the future. In a recent article by The Hill, Governor Terry McAuliffe is quoted in his dissatisfaction with congress’ approach to cybersecurity.

“I have been very public in my displeasure with the Congress,” McAuliffe said. “We don’t even have a committee [in] Congress today on cybersecurity. It is spread through many different committees — nobody will give up jurisdiction to come together.” (The Hill, May 17th 2017)

The governor’s words highlight the lack of concern for cyber defense in both chambers of congress up until now. As the fear of future large-scale cyber-attacks spreads, so does the pressure on lawmakers to begin enforcing regulations concerning state-level cybersecurity. As the chairman of the National Governors’ Association, Gov. McAuliffe is striving to establish basic minimum cybersecurity protocols that all states must abide by, with penal retaliation in the event of negligence on a state’s part.

With the increasing demand for safety from cyber-attacks, lawmakers and other governmental entities will be picking up speed in their establishment of standards for cybersecurity. Organizations such as the Society for Automotive Engineers (SAE) are already working in tandem with cybersecurity companies like Trillium to establish standards to protect automobiles and their drivers from cyber threats. The National Highway Traffic Safety Association (NHTSA) already dictates automotive safety measures through legislation, with safety policies for seat belts, airbags, brakes, and more.  It’s no stretch to say that the next major safety concern needing to be tackled in cars is cybersecurity, and to that end no small effort will suffice. The solutions must be potent, reliable, and dynamic enough to match speed with the ever changing environment of cyber-attacks, and Trillium is determined to provide those solutions.

Automotive Ransomware On The Rise

Not even a week has passed since the WannaCry incident began, and already cybersecurity experts around the world are voicing their concerns for the state of cyber defense today. In particular, attention has been brought to the possibility of a similar “ransomware” attack on automobiles, a potential threat dubbed “clampware.” News publications on both sides of the Atlantic have brought attention to this prospect, including coverage by Fox News’ Auto Tech column.

The idea of clampware comes from the notion that a car could be disabled through a cyber-attack, with the driver being ransomed into paying a sum in order to have control of the vehicle returned to them. It has already been shown that nearly all of an automobile’s functions can be controlled remotely by exploiting cracks in a car’s network connections. Software defects in a vehicle’s ECUs, radio, and wireless communication systems such as WiFi, Bluetooth, GSM, and 4G could be exploited to grant the attacker access to the car’s vital operation components.

In the event of such an attack, a driver could be left stranded on the road with no way to operate their vehicle unless they pay the ransom fee. If a driver is unable to pay the fee, it then begs the question of who’s responsibility it is to assist these drivers? Horrifyingly, even emergency vehicles such as ambulances, fire trucks, and police cars could be subject to such attacks. This has the potential to be a huge area of concern for car insurance companies and lawmakers alike, as standards for handling such scenarios will inevitably need to be put into place.

Not only is the integrity of the individual networks important, but so is the interconnectedness of the networks themselves. Services like Trillium’s SecureCAR that provide powerful encryption and authentication solutions for in-vehicle networks will rapidly become a necessity as cars become more integrated into the Internet of Things. As different forms of connectivity are added to the smart cars of the future, the number of attack surfaces that need to be protected increases at the same rate. To this end, static, unintegrated cybersecurity solutions will not hold up.

In a quote from professor Martyn Thomas, an IT expert at Gresham College, Financial Times brings to attention the necessity of speed in administering fixes to such problems. To reliably and efficiently keep an entire fleet of vehicles protected in such a constantly changing environment, smooth Over the Cloud updates such as those provided by Trillium’s SecureOTA are a necessity. The fixes need to be available as soon as an attack is discovered, and must be as un-intrusive as possible to minimize the disruption of customers’ everyday lives.