Last week it was reported that an error in an iPad navigation application used by airline pilots caused 74 flight delays at American Airlines. The issue was resolved within 48 hours, according to CNNMoney.
This is the latest in a series of incidents that Russell Group has reported upon in the last 18 months where the connected modern world has caused major disruption that has resulted in loss of income or loss of reputation. Specialty insurance underwriters and risk managers are increasingly aware of the potential for such risks to have an impact on their combined ratios.
American Airlines switched to a paperless program in 2013 and says that 8,000 iPads have replaced over 24 million pages of documents. The devices are reportedly used to communicate flight plans and for navigational purposes. American estimates the modification has saved approximately half a million gallons of fuel and $1.2 million of fuel annually.
The airlines said that a third-party app, not Apple, caused the complications and that the anomaly only affected a tiny percentage of the company's 6,700 daily flights
The Guardian reported that the malfunction in the electronic flight bags happened in the same month that a US supervisory body warned of the possibility of in-flight Wi-Fi being used to hack into the avionics system of a plane. The Government Accountability Office (GAO) warned that: “Modern aircraft are increasingly connected to the internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems.”
As the Guardian explains, cockpit electronics are indirectly connected to the passenger cabin through shared IP networks. The connection between passenger-accessible systems and the plane’s avionics is heavily moderated by firewalls, but information security experts have pointed out that firewalls, like all software, can never be assumed to be totally infallible.
“Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented,” explains the GAO.
“According to cybersecurity experts we interviewed, internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors,” the report adds.
The Federal Aviation Administration does not currently verify the cybersecurity of a new airliner before certifying it for scope, although it “currently issues rules with limited scope, called Special Conditions, to aircraft manufacturers when aircraft employ new technologies where IP interconnectivity could present cybersecurity risks”.
A worst case scenario is that a terrorist with a laptop would sit among the passengers and take control of the airplane using its passenger Wi-Fi.
Airplanes are not the only mode of transport that are vulnerable to hacking. A system used by maritime vessels worldwide to broadcast their location for safety purposes lacks security controls and is vulnerable to spectacular spoofing attacks, researchers have shown.
A system used to track ships worldwide has also been shown to be easy to hijack. Researchers found that it is possible to cause fake vessels to appear, real ones to disappear, and to issue false emergency alerts using cheap radio equipment.
According to MIT Technology Review: “Researchers with the computer security company Trend Micro discovered the problem, which stems from a lack of security controls in a technology known as Automatic Identification System, or AIS, used by an estimated 400,000 ships worldwide.
“Ships using the system transmit a radio signal with their location and some other details, so that other vessels and port authorities can view a map with all nearby craft shown in real time. International Maritime Organization rules make AIS mandatory on passenger vessels and on cargo ships over a certain size. Lighthouses, buoys, and other marine fixtures also transmit their location using the system.”
Russell Group has been involved in numerous conversations with the (re)insurance community over the last 12 months to discuss the threat posed by internet connectivity on the specialty insurance classes. As a result, our ALPS Enterprise captures a corporate’s exposure to technology vendors and compares with its own in-built vendor listing to assess a corporate’s risk profile to probable security threats and cyber events.
The question is not if a major cyber event has the potential to erode (re)insurers’ aggregates but when.
For a comprehensive capture of your portfolio and underlying risk data, contact firstname.lastname@example.org.
View Alps Enterprise for further information.