Cyber Risk and Insurance for Transportation Infrastructure

Gina Tonn
Risk Management and Decision Processes Center, Wharton School, University of Pennsylvania

Jay Kesan
University of Illinois

Jeff Czajkowski
Risk Management and Decision Processes Center, Wharton School, University of Pennsylvania

Linfeng Zhang
University of Illinois

March 2018
Working Paper #

Risk Management and Decision Processes Center
The Wharton School, University of Pennsylvania
3730 Walnut Street, Jon Huntsman Hall, Suite 500
Philadelphia, PA, USA
Phone: Fax:
https://riskcenter.wharton.upenn.edu/

THE WHARTON RISK MANAGEMENT AND DECISION PROCESSES CENTER

Established in 1985, the Wharton Risk Management and Decision Processes Center develops and promotes effective corporate and public policies for low-probability events with potentially catastrophic consequences through the integration of risk assessment and risk perception with risk management strategies. Natural disasters, technological hazards, and national and international security issues (e.g., terrorism risk insurance markets, protection of critical infrastructure, global security) are among the extreme events that are the focus of the Center's research.

The Risk Center's neutrality allows it to undertake large-scale projects in conjunction with other researchers and organizations in the public and private sectors. Building on the disciplines of economics, decision sciences, finance, insurance, marketing and psychology, the Center supports and undertakes field and experimental studies of risk and uncertainty to better understand how individuals and organizations make choices under conditions of risk and uncertainty. Risk Center research also investigates the effectiveness of strategies such as risk communication, information sharing, incentive systems, insurance, regulation and public-private collaborations at a national and international scale.
From these findings, the Wharton Risk Center's research team (over 50 faculty, fellows and doctoral students) is able to design new approaches to enable individuals and organizations to make better decisions regarding risk under various regulatory and market conditions.

The Center is also concerned with training leading decision makers. It actively engages multiple viewpoints, including top-level representatives from industry, government, international organizations, interest groups and academics through its research and policy publications, and through sponsored seminars, roundtables and forums. More information is available at https://riskcenter.wharton.upenn.edu/.

Abstract

Cyber Risk and Insurance for Transportation Infrastructure

Gina Tonn a, Jay P. Kesan b, Jeff Czajkowski c, and Linfeng Zhang d

a. Corresponding author. Wharton Risk Management and Decision Processes Center, University of Pennsylvania, 3819 Chestnut Street, Suite 130, Philadelphia, PA 19104, USA; phone: ; fax: ;
b. University of Illinois, 504 East Pennsylvania Avenue, Champaign, IL 61820, USA;
c. Wharton Risk Management and Decision Processes Center, University of Pennsylvania, 3819 Chestnut Street, Suite 130, Philadelphia, PA 19104, USA;
d. University of Illinois, 504 East Pennsylvania Avenue, Champaign, IL 61820, USA;

While advances in information technology and interconnectivity have improved efficiency for transportation infrastructure, they have also created increased risk associated with cyber systems. This study includes both an analysis of cyber incident data for transportation systems and a series of interviews with transportation infrastructure managers and insurers. The objective is to identify barriers to a robust cyber insurance market and improved cyber resilience for transportation infrastructure. Results indicate that the annual number of cyber incidents and associated costs are on the rise.
The most common incidents involve data breach, while incidents involving unintentional data disclosure have the highest average loss per incident. Cyber risk assessment, mitigation measures, and insurance are being implemented to varying degrees in transportation infrastructure systems, but are generally lacking. Infrastructure managers do not currently have the tools to rigorously assess and manage cyber risk. Limited data and models also inhibit the accurate modeling of cyber risk for insurance purposes. Even after improved tools and modeling are developed, residual cyber risk will be significant, and insurance purchase is an important risk management strategy to allow transportation infrastructure systems to recover from cyber events.

Keywords: transportation; cyber risk; cyber insurance

1 Introduction

Transportation systems support the movement of people and goods within a defined region and include the combination of vehicles, infrastructure, and operations that enable these movements [1]. The U.S. transportation network includes aviation, roads and bridges, inland waterways, ports, rail, and transit. These transportation systems are vital to the U.S. economy and way of life, and disruptions can have short-term and long-term socio-economic impacts.

Information technology and interconnectivity have improved efficiency and functionality for transportation infrastructure. However, they have also brought increased risk associated with cyber systems that are now essential for safe and continuous operation of transportation systems [2]. According to the US Department of Homeland Security, there are more than 60 US critical infrastructure entities for which damage associated with a single cyber entity could potentially result in $50 billion in economic damages, 2,500 immediate deaths, or a severe impact to US national defense [3]. Cyber risks are increasing, and cyber related losses are growing as new technologies are implemented and reliance on them increases.
Thus, it is likely that full cybersecurity for transportation infrastructure is not achievable solely by technological improvements. Therefore, in addition to attempting to prevent attacks and lower cyber risk, transportation managers should also prepare financially for inevitable losses through self-insurance and insurance [4]. Cyber insurance is currently available, but limited, and expansion of cyber insurance coverage is needed to manage the growing risk.

In this study, we aim to identify barriers and opportunities for a robust cyber insurance market and improved cyber resilience for transportation infrastructure. Section 2 provides background on general cyber risk and insurance as well as cyber risk specific for transportation infrastructure. Section 3 describes methods and data. Section 4 provides insights from analysis of cyber incident data for transportation systems. Section 5 describes the current state of cyber insurance for transportation infrastructure based on the findings from interviews with insurers and infrastructure managers. Section 6 concludes and presents recommendations for future research.

2 Background

2.1 Overview of general cyber risk and insurance

Cyber losses can be associated with liability from a customer data breach, property damage and theft (e.g., accidents caused by compromise of signaling systems), data damage (e.g., hacking maritime cargo management systems), loss of income due to outages and failure, website defacement, and cyber extortion [5]. Cyber attackers can be hackers, criminal organizations and thieves, state-sponsored attackers and spies, other companies or organizations, terrorists, malicious insiders, and contractors [6,7].

There are four main layers of cyber systems, each of which is at risk for cyber attack. The first is the perceptual layer, which links cyber and physical through components like wireless sensors and GPS. The second is network systems which transmit information (e.g. satellite networks and the internet mobile communication network). The third is support systems such as cloud computing and intelligent computing, and the fourth is the application layer which links users and the physical world with cyber systems (e.g. intelligent transportation and environmental monitoring) [8].

Given the variety of possible cyber losses, there is also a variety of approaches to mitigating these losses, which can include design methods that improve system architecture and activities, or operational methods that involve changes to business operations [8,9]. Other approaches to managing cyber risk include countermeasures like security software, system design and operations improvements, and investments in the cyber workforce. Protective measures like firewalls, software encryption, virus detection, and system compartmentalization are also used to reduce cyber risk. Security benefits of these protective measures must be balanced against associated costs and productivity losses. Institutional measures for managing cyber risk can be structural (software and hardware), procedural (management and operation of systems), and responsive (response and damage management after an incident is detected) [6].

2017 was possibly the worst year for cyber attacks to date, with three significant events changing the cyber risk landscape. In May 2017, the WannaCry ransomware attack created global impacts including significant effects on the UK Health System. In June 2017, the NotPetya virus was launched in Ukraine and spread to many parts of the world, resulting in over $1 billion in economic damage. In August 2017, a breach at the Equifax consumer credit agency created a market cap loss exceeding $5 billion [10]. Marsh & McLennan predicts that the situation will worsen and has identified two emerging trends. The first is attacks on industrial control systems, with the potential for cyber attacks to result in physical damage.
The second is a tightening of cyber security laws as attacks grow more severe.

The extensive nature of cyber attacks in 2017 highlights that sufficient cyber risk management cannot be achieved solely through information technology management that attempts to mitigate the risk. A further way to deal with the residual cyber risk is to transfer the risk through insurance. And as cyber risks increase, heightened concern among executives over liability associated with customer data breach as well as financial and operational effects of cyber risks will likely drive changes in cyber insurance purchases and in the cyber insurance market with policies that reflect the expanding nature of cyber attacks. For example, on the demand side, businesses will likely turn to more tailored enterprise cyber insurance policies, whereas on the supply side insurers will likely limit the cyber loss coverage of traditional property, casualty, and other business policies [11].

Existing cyber risk insurance coverage generally includes liability, remediation, and legal and regulatory fines and penalties and is primarily designed to cover losses associated with a data breach. New or future products could address more holistic coverage for operations, system failures, business interruption, and supply chain disruption [5,12]. And even today, cyber policies are generally very client-specific and negotiated on a case-by-case basis.

In addition to the transfer of risk to willing partners, benefits of cyber insurance include incentivization of investment in IT security, and a boost in overall IT security, because as cyber insurance increases, best practices and standards spread through the economy [4,13]. Accordingly, the cyber insurance market is growing in the U.S. in conjunction with the rising number and cost of data breaches. As of 2015, the U.S. cyber insurance market had $2-$2.5 billion of gross written premium.
However, 40% of companies surveyed by insurance broker Aon did not assess cyber risk or assessed only by gut feel [12].

Unlike terrorism risk, cyber risk has the potential for a thorough data set to support a robust insurance market. However, the cyber insurance market is relatively new and not yet mature. How to set premiums is a key question for the development of a more mature cyber insurance market. Setting premiums is particularly challenging due to lack of actuarial data from past events and lack of normative standards [4]. Some cyber risks may not be quantifiable, and therefore are not insurable. The ability to model cyber risk is currently limited, but will improve substantially as more data is accumulated and shared. Additionally, cyber insurance products lack clear loss triggers and objective determination of loss severity [12].

Beyond the issues surrounding the quantification of risk, conceptual issues exist around correlated risk and lack of re-insurance. Also, traditional insurance market issues apply to cyber insurance, including moral hazard and adverse selection caused by information asymmetry. For example, there is a moral hazard associated with companies that may not feel the need to improve cyber security if they are insured [4]. Other cyber insurance challenges include a lack of legal framework, with uncertainty in liability and lack of cyber standards. All told, cyber insurance hasn't fully taken off yet due to these issues, and market inexperience leads to conservative pricing [5]. However, Aon estimates that by 2025, cyber will be a major line of business for insurers [12].

2.2 Cyber risks for transportation infrastructure

The various modes of the U.S. transportation system act as a system of systems locally, regionally, and nationally. Transportation infrastructure consists of three main components: hard infrastructure, vehicles, and operations components. Network infrastructure and components are a key part of the hard infrastructure [8].
In this study, we are focused on three primary types of transportation infrastructure: aviation, rail and transit, and marine. U.S. aviation infrastructure includes aircraft, air traffic control systems, about 450 commercial airports, and 19,000 additional air transportation facilities for movement of people and cargo [14]. Rail and transit systems operate locally and nationally, and include a variety of modes of transportation including trains, buses, subways, trolleys, and the systems that support passenger and cargo transport. U.S. freight rail includes over 140,000 miles of active railroad and 1.3 million freight cars, with over 12,000 trains operating daily [14]. Marine transportation includes cargo transport and cruise ship passenger transport. Components include ports, ships, and control systems. IT systems are used to manage the movement of vehicles and to control vehicular traffic. They are also vital to the management, identification, and tracking of passengers and cargo throughout the system.

Transportation infrastructure is subject to cyber dependency, where its state is dependent on information transmitted through information infrastructure. This information infrastructure is used to manage the flow of vehicles and goods, and the reliance on information technology and communications infrastructure makes transportation infrastructure particularly susceptible to cyber-attacks [15,16]. Cyber-attacks can affect the power grid, sea port operations, air traffic control, and other components and services of transportation infrastructure. A cyber-attack on global positioning systems could significantly impact many infrastructure sectors, including transportation infrastructure [6].

Cyber risk is significant and growing in the aviation industry, with 85% of airline CEOs expressing concern about cyber risk. Airlines are at risk for theft of customer or company data, but also for their communications and connectivity systems to be compromised.
Managing aviation cyber risk requires efforts from airlines, manufacturers, maintenance providers, air traffic controllers, airports, and third-party suppliers. Cybersecurity measures can include threat intelligence, identity and access management, data protection and encryption, application security, and security awareness [17].

Cyber systems are used in rail transport for communications-based automatic train control. Cyber components include wireless communication and control systems, both of which can be subject to cyber-attacks [18]. Cybersecurity measures are needed to reduce the risk of data loss and to ensure steady and stable rail operations. Previous rail related cyber incidents include a 2008 derailment of tram trains in Poland via an adapted TV remote, a two-day shutdown of train service in the northwest U.S. in 2011 due to remote computer attacks, and a 2016 ransomware attack on the San Francisco Bay Area Rapid Transit (BART) ticketing machines which disrupted public transit [19].

Cyber incidents impacting marine transportation can involve navigation, cargo control, and other industrial processes, threatening lives, the environment, and property, and disrupting trade activity. Marine cyber disruptions can impact control of temperature for refrigerated containers and emergency systems. Port operations such as raising a drawbridge, controlling traffic lights, scheduling trucks, and controlling pumps, valves, and pipelines for delivery of fuel and liquid cargo to ships can be impacted. There are two factors increasing marine cyber risk: increasing control of computer systems and increasing networking of computers with each other and the internet. One example of a cyber-marine incident involved malware impacting a dynamic positioning system used in the offshore oil industry for precise navigation control. Malware on a crew member's smart-phone which was plugged into an electronic chart system deleted or corrupted all charts, causing a two-day delay.
In another incident, organized crime exploited a European container terminal's tracking system for cargo, allowing for use of the system in drug smuggling [7].

3 Methods and Data

3.1 Cyber incident data and analysis methods

One approach we use to understand and gain more insight into cyber risk in the transportation infrastructure industry is to study the historical cyber incidents collectively. The incident data is provided by Advisen, a leading data provider in the property-and-casualty insurance market. Unlike many other data sources, which are mostly voluntary reporting databases, such as VERIS Community Database (VCDB: and Web Hacking Incident Database (WHID: Incident-Database), Advisen is actively collecting cyber incidents from various information channels, and maintaining and updating the database periodically, so it has advantages over other databases in terms of the quality and quantity of information, which help us deliver more accurate results. In the database, currently over 40,000 cyber incidents are recorded, and each record comprehensively covers the most important aspects of an incident, including:

- Information about the victim company
- Case characteristics including affected asset, case type, etc.
- A timeline marking different stages during the development of this incident
- Outcomes including loss types and loss amounts

With the victim company information, we can tell the industry that each company operates in by its NAICS (North American Industry Classification System) code. To match the scope of this study, which primarily consists of aviation, rail and transit, and marine transportation infrastructures, we distinguish companies in the transportation infrastructure industry from companies in other industries, and we define the transportation infrastructure industry as a collection of sub-industries based on their 6-digit NAICS codes.
Then, to study cyber risk in the transportation infrastructure industry, we define cyber risk as the potential occurrence of incidents with information systems involved, and the incidents can originate from various types of causes. In this study, we consider not only risks associated with potential malicious actions, such as hacking or phishing, but also risks arising from data handling procedures, such as privacy violations during the data collection or disclosure process. Table 1 describes the cy