Australia

The Impact of Automation on Cyber Risk

Anything that’s smart and connected to the internet can be hacked. Anything connected to a power source can fail during a blackout. Anything claiming to be ‘artificially intelligent’ can wreak havoc if the underlying algorithms are flawed.

In the era of rising automation across just about every sector of the economy, enterprises must revisit their risk register and review it through an automation lens.

What if you are hacked? What if your equipment shuts down mid process? What happens if a flawed algorithm delivers dubious advice? How quickly can you recover, and are you able to transfer any of the risk?

The advent of internet connected sensors and autonomous machines in Internet of Things (IoT) and Industrial Internet of Things (IIoT) networks, deployment of industrial control systems, autonomous trucks, digital financial advisers (robo-advisors), remotely controlled and surgical instruments, intelligent building controls and automated shipping terminals can all become new vectors of attack or potential failure points, establishing fresh risk factors that enterprises need to comprehensively assess.

The risks that can arise from failure, or attacks on such systems, are generally costly. They can be profound and, in some cases, extend to loss of life or serious injury.

Automation can add huge value to an enterprise. It promises both convenience and enhanced safety when dangerous tasks are performed by machines. But, these machines bring with them fresh risks that need proper consideration. Any enterprise deploying automation must develop a deeper focus on security and resilience and use a fresh lens to assess cyber risk and liability.

Yes, the automated vehicle may eliminate human error – but what if the algorithm is flawed and leads to crashes or injury? Are internet connected sensors properly secured or vulnerable to attack? What happens if the remotely controlled surgical scalpel freezes mid incision because of a network outage? What if the financial robo advice is flawed and customers see their savings eroded?

A hacked industrial robot could easily become a lethal weapon. A recent study linked robotic surgery to 144 deaths in the US1. IOActive's recent research on hacking robots details the fears around robotics manufacturers failing to treat security as a priority in their products2. The paper outlines serious security vulnerabilities in control software used in robots from multiple vendors. They say that new technologies are typically prone to security problems. Vendors prioritise speed to market over comprehensive security testing.

These considerations can be overlooked or undercooked in the race to automate.  Executives and directors need to carefully reassess organisational risk to ensure that they, their organisations, their customers and their employees are not left exposed.

The automation opportunity

Alphabeta's recent paper on the impact of automation claimed that there was a $2.2 trillion productivity opportunity if Australian firms embraced more automation over the next decade3.

The report, which was commissioned by Google, reveals the economic impact that more automation could have – but also the very positive human impact that is possible.

It forecasts that based on past automation trends the number of sick days due to accidents involving physical work in Australia could be 11 per cent lower by 2030.

Already individual companies are registering benefits.

For example, last year Rio Tinto noted that it had 69 fully automated trucks on its remote iron-ore mine sites in the Australian Pilbara. It claimed that since it introduced self-driving trucks, injury rates fell from 1.21 accidents per 200,000 hours worked in 2007, to 0.44 accidents in 2016.

While in some cases health and safety related risk may reduce, other risks arise. What happens if an automated vehicle’s algorithms are flawed and it knocks down a pedestrian? Where does liability lie and is the business covered for such risks?

The rise of automation also brings cyber risk into much sharper focus.

Whether the automating enterprise is a mining company with autonomous trucks, a wind farm running turbine sensors to predict the need for preventive maintenance, or a hospital offering tele-surgery using remotely controlled robotics, the risk of cyber-attack or data breaches needs to be carefully managed and assessed.

At the same time, the increasing automation of entire supply chains using technologies such as IoT sensors, predictive analytics, AI and robotics is being driven by enterprises seeking to improve demand forecasting. This can reduce or better manage volatility, increase asset utilisation, and provide customer convenience at an optimised cost4.

The impact of a cyber-attack at any point in an automated supply chain has the potential to be catastrophic. Any flaw or malevolent instructions ricochet up and down the chain. In many large retail organisations “digital control towers” have been established which have oversight of the entire supply chain. These control towers may be valuable enterprise facilities – but they are also clear cyber targets; bring down the tower and an entire industry can be brought to its knees.

According to a Frost & Sullivan paper examining the security of industrial automation cyber threats, such focused industry attacks – whether for economic, political, or malicious gain - are today primarily aimed at industrial control systems such as distributed control systems, programmable logic controllers, supervisory control and data acquisition systems (SCADA) and human machine interfaces. Attacks, it notes, may arise from unsecured remote access, inadequate cyber protection or a lack of network segmentation. This allows attacks in one area of an organisation to percolate to another5.

The most recent US industrial control system security report notes that frequently identified control system vulnerabilities include boundary protection (this has been the greatest area of concern for four years), identification and authentication of legitimate system users, and allocation of resources6.

Organisations making use of machine learning and AI as part of their automation face additional challenges. Flawed algorithms and inadequate machine learning can expose enterprise and its customers to new risks. Careful analysis and proper risk transfer is the only solution.

We explore some of the key risks across a mining, healthcare, construction, financial institutions, transport and logistics and critical infrastructure.  

Looking ahead

There is little doubt that automation will accelerate the digital transformation of multiple industries. However, enterprises should not overlook the need for regular and comprehensive reviews of their risk register to determine any emerging cyber exposures. They must identify any gaps and develop strategies both to mitigate risk and, where appropriate, transfer risk.

1 https://www.bbc.com/news/technology-33609495
2 https://ioactive.com/pdfs/Hacking-Robots-Before-Skynet.pdf
3 http://www.alphabeta.com/wp-content/uploads/2017/08/The-Automation-Advantage.pdf
4 https://hbr.org/2018/06/the-death-of-supply-chain-management
5 http://www2.schneider-electric.com/documents/support/white-papers/white-paper-cybersecurity-for-industrial-automation-control.pdf
6 https://ics-cert.us-cert.gov/sites/default/files/Annual_Reports/NCCIC_Year_in_Review_2017_Final.pdf

Michael Parrant
Cyber Insurance Practice Leader
+61 3 9211 3485

michael.j.parrant@aon.com