What insurers need to know about the downside of 'IoT'
Property & casualty insurers must take time to understand this new frontier of threat and risk.
The Internet of Things (IoT) has profound benefits, both at the tactical level of building management systems and at the strategic level of smart cities and infrastructure.
But even as organizations across industries are pursuing the unparalleled opportunities presented by IoT, cyber criminals are similarly exploiting IoT as a new avenue for advancing their own illicit activities.
These corrupt activities have a range of potential implications, from mere inconvenience — incapacitating a municipality's ability to provide certain residential services, for example — to catastrophe. A hack that opens a drawbridge at the wrong time, for instance, could easily result in mass casualties.
Designers, owners and operators of IoT-connected structures must be aware of the threats and risks they face and sensibly prepare for risk identification, management and mitigation. Likewise, property & casualty insurers that underwrite them should take time to understand this new frontier of threat and risk. Who are the actors? What methods do they employ to wreak their own brand of havoc? And how might insurers’ own IoT deployments put them at risk?
The Internet of Things
The IoT enables the integration and connection of millions, or even billions, of devices via the internet. The uses are many: remote operation, collection of telemetry data, on-premises, real-time monitoring, and all manner of other activities across enormous estates of devices. From traffic sensors in urban traffic management systems to individual smart sensors and devices in consumers’ homes, the potential for IoT-enabled infrastructure to improve quality of life and societal efficiency is huge and exciting.
But as is so often true with new technologies, with the good comes potential bad. Consider privacy concerns, for one. To what extent should either service providers or government entities be permitted to access and use consumers’ personal information? Likewise, there are broader security concerns. Given the vulnerability of both individual IoT installations and wider strategic IoT architectures, how are organizations safeguarding their networks and growing stores of sensitive data?
Threat and hazard
An unpleasant fact about our contemporary lives is that, quite apart from hazard — that is, bad things happening by accident or non-malicious negligence — we are also subject to threat. Threat is a host of deliberate actions aimed at causing bad things, typically driven by threat actors whose motivations and actual capabilities are quite diverse. They include:
- State actors: Those directly representing a nation-state and its specialist services.
- Quasi-state actors (also sometimes known as tolerated actors): See themselves as supportive of a nation-state, perhaps without official endorsement or support.
- Non-state actors: International or other groups with an agenda supporting political or other ends through attacking nation-states and their critical infrastructure; typically, groupings using terrorist techniques of asymmetric warfare.
- Criminals: Both executors of attacks directly and enablers and suppliers of such technology and capabilities to others for profit.
- Activists: Representing single issues; keen to apply pressure to nation-states without necessarily causing significant damage.
- Hackers: Interested in researching and discovering vulnerabilities, for altruistic or nefarious purposes.
These actors may be characterized by their capabilities, including the range, sophistication and destructive potential of their attacks. They may also be defined by their intent, such as the strength of their desire, and the specific target and aim of that desire, to attack a target.
Cyberattacks
Attacks may be broadly categorized into three basic impacts: destruction, compromise and denial.
Destruction is either eliminating data or the infrastructure containing or connecting it. This is done remotely through subversion of Internet-connected devices and generation of spurious or damaging commands, either externally or by way of malware. These are also known as advanced persistent threats, often burrowing into a network by way of social engineering or impersonation.
Compromise involves the removal or theft of network data, or attacking the confidence in the integrity and accuracy of that data. Part of industrial espionage, it is often done to steal intellectual property, but it may also be used to shake confidence in telemetry, billing or other critical data. It renders business and operational decisions unreliable.
Denial is the permanent or temporary denial of access to data or to the storage and network infrastructure. The classic example of this attack is ransomware, where critical information is encrypted by the attacker and only decrypted when a ransom is paid. This method is highly attractive to criminals, as the barriers to entry are quite low, with free availability of necessary tools on well-known criminal sites, and also because the risks and penalties are quite low.
The insurer’s perspective
Insurers have been making major investments in digital innovation, including IoT, which has beneficial applications across the organization. Marketing executives can use IoT analytics to gain new insights into customer behavior. IoT offers actuaries and underwriters rich new data to more accurately assess and price risk. From a claims perspective, IoT can power automated loss notifications based on sensor data.
Together, these benefits have the potential to reduce losses and transform relationships with policyholders with value-added services. Still, the widespread adoption of IoT in the industry is hampered by myriad issues. Beyond regulation and data management and ownership issues, perhaps chief among them is data security.
The vast data flowing between connected vehicles, connected homes and insurance companies is vulnerable to interception. And as IoT becomes more prevalent, it will attract more potential for cyberattack and new types of application and claims fraud. It is incumbent on insurers to perform highly detailed threat and risk assessments to shore up their cyber defenses as they embrace telematics and all it has to offer. They would also be wise to invest in additional IoT data security and fraud protection.
IoT is shaping up to be a big disruptor in insurance. Security should not be an afterthought. The reward for those who plan and prepare well will be a new type of customer relationship where insurance becomes less reactive and more preventive.
Norman Black (Norman.Black@sas.com) is a principal insurance industry consultant at SAS. Henrik Kiertzner (Henrik.Kiertzner@sas.com) is principal cybersecurity consultant at SAS. These opinions are the authors’ own.