The reams of personally identifiable information in the possession of healthcare and pharmaceutical companies makes them a clear target for cyberattacks, but the transportation industry, which now ranks third in security vulnerability according to a recent whitepaper released by Gallagher, has different exposures than just the threat of losing drivers’ licenses or social security numbers.
“The transportation sector has a lot more risk in the operational technology side, so we look at how the transportation sector is deploying technology and how technology’s infused in the operation, and of course, unique is that they’re dependent more so than ever on technology,” said Adam Cottini, managing director of the cyber liability practice with Gallagher. “The critical processes themselves could be vulnerable to attacks which could lead to business interruption, cyber ransomware, and potentially data protection.”
GPS tracking, used within the transportation network to identify the location of goods and trucks, the computer networks themselves, and automation are all specific vulnerabilities within this industry.
“An overlooked component of this discussion is when you think about the premises, the grounds themselves, where you have automation put into the actual movement of goods and products on the ground into the vehicles themselves,” explained Cottini, adding that robotics are now often in place to help move goods from warehouses to trucks – a simple step that’s at threat from hacking since IoT devices are often deployed to help in that process.
The fallout from a breach for a trucking, shipping or airline company can impact others inside and outside of the industry – consumers and resellers, for instance. Cottini highlighted an incident from 2017 when a large marine entity experienced an attack and put a pause on their operations as well as products being transported, an example of what can happen when any transportation organization is struck with a hack.
“They’re now stuck in ports waiting to get out because there’s no organized systems in order get those goods out the door,” said Cottini. “Interestingly enough, you have X-ray machines in the port system, for instance, where the X-ray machines scan for whether there’s malicious material, nuclear material, whatever it might be. Those X-ray machines are critical to move trucks in and out of ports, and so if your system is tied up because you had a cyber ransom and you can’t run that particular process, you now have a whole bunch of trucks on the road waiting to get through a port and that is causing a tremendous amount of ripple effect.”
At the end of the line, people hoping to buy goods might be left empty-handed if those items never make it to stores, making business interruption a key component of the cyber insurance coverage for this sector.
“The biggest and most sought after component of insurance for the transportation business is the cyber extortion coverage and the business interruption coverage,” said Cottini. “That piece of the pie has contingency concerns that exist uniquely in the space of transportation that a lot of other entities may not feel as strongly about.”
While the transportation industry has implemented technology in some ways, namely to increase efficiency in operations, the adoption of technology that minimizes vulnerability to cyber threats hasn’t necessarily occurred at the same rate. Cottini cites an endpoint technology that monitors for cyberattacks through AI and machine learning, and can detect zero-day attacks, which are new and never-before-seen, and thus don’t have a known signature yet.
“The transportation business as a norm is less willing or less inclined to adopt this technology than we have seen from other industries,” he said.
While the discussion around cyberattacks is growing, especially as Gallagher’s whitepaper states that 2017 was a record year for cyberattacks and the average total cost per breach for the average company has reached $3.79 million, there are certain elements missing that make the conversation relevant to the transportation industry.
“What we have realized is that when speaking about cyber exposures, a lot of folks are speaking about personally identifiable information concerns, and aren’t focused enough on operational technology and the business interruption concerns,” said Cottini.