In the Public Eye: "Killware" - What is It? and How to Prevent this Next Generation of Cyber Attacks

Introduction (00:00):
Welcome to the Alliant, In The Public Eye Podcast, a show dedicated to exploring risk management topics and challenges faced by today's public sector leaders. Here are your host, Carleen Patterson and Justin Swarbrick.

Carleen Patterson (00:18):
Welcome back everyone to another episode of In the Public Eye. It seems like every time I turn around, there is a new topic coming up with cyber. The market is crazy and there are new and different ways that our clients are being attacked. And so, today we've invited back Susan Leung, who is our public energy cyber specialist to talk about a new and alarming development in cybersecurity called Killware. But before we dive in Susan, welcome back.

Susan Leung (00:47):
Thanks, Carleen.

Carleen Patterson (00:49):
So just a quick reminder to our audience, please introduce yourself and tell us a little bit about your background and specialization.

Susan Leung (00:56):
Absolutely. Thanks. My role at Alliant is: I am the head of the cyber line in a business for our public entity group. And my background in cyber, I actually started in 2014 over in Asia, on commercial business. And I came back in 2016 to combine my knowledge of public entities and public entity pooling and my knowledge of cyber and have been working on it ever since.

Carleen Patterson (01:21):
So, in our last cyber-focused podcast, we spent a lot of time talking about the difficulties in the insurance market and really focused on ransomware. But as I mentioned, a new moniker has come out recently called Killware, and wanted you to talk a little bit about what exactly Killware is and how it can impact our clients.

Susan Leung (01:43):
It's actually quite interesting that it's called Killware right? It's, very buzzy and it's actually not necessarily new. It's still a type of malware as ransomware is, but right now we're seeing it being deployed a little bit more scarcely, but I believe we'll probably see it with a higher frequency going forward. And its sole intention is to cause some sort of physical harm or even death, which is why it's got the moniker of Killware. Right now, what we've seen in the news specifically. I think we're going to talk a little bit more about how it affects municipalities in a little bit about what happened in Oldsmar, Florida in March. But what we're seeing right now is that they haven't yet coupled it with ransomware to demand money. I think they're actually seeing how effective it is. So, they're testing it and it could be some combination of whether they're going to demand money, utilize it as control, or it could be a nation, state type hackers utilizing it for political reasons as well. I think right now it's still very new. And then they're seeing how and where they can attack US public and private infrastructure to be able to show what their capabilities are, to be able to further their agenda.

Carleen Patterson (03:04):
So, our client base stretches across the US and includes everything from municipalities to water districts and power generation. Are there certain particular public entities, or segments that should be more aware of this threat than others?

Susan Leung (03:18):
Absolutely. So, the municipalities, you know, the cities and states because they're running a lot of different infrastructures, they might be running airports, water districts, power generation, themselves, their traffic lights might be on computer systems and also they have right police, fire, 9 11. So, they definitely would be a larger target for this. And then just in general, water districts, power generation airports, transportation districts and counties. There are counties where a lot of the door-locking systems for jails and such are based on computer systems as well. So, there could be quite a bit of risk out there for our public clients.

Carleen Patterson (04:04):
Do you have any details about that Oldsmar, Florida water system attempted to hack a few months ago? Could you talk about that?

Susan Leung (04:11):
Just a little bit of what was on the news and that this wasn't one that came across in our portfolio, but it's an incident that happened in Florida around early spring, where an attack was used at a water plant in Oldsmar, Florida. But it just so happened that there was an attack on the computer that was watching their mouse change, where the levels of chemicals were being adjusted to very high toxic levels into the drinking water supply. And so, the tech was able to stop that and reverse the level. So, it's incredibly fortunate that somebody was there to be able to see it and stop it, but should that have actually happened and not been stopped and out into the population. It could have made people severely ill and there might have been deaths that would result from that. There was no information in the news about whether or not the hacker was going for some sort of monetary gain or notoriety of some sort that they can actually do this. But what that has brought to the forefront is this is definitely another way that hackers are attacking our infrastructure and that we have to keep an eye out for. And also, that we have to think about how to overlay these types of incidents in our cyber policies.

Carleen Patterson (05:30):
So how would a cyber policy react to this type of threat?

Susan Leung (05:34):
That's a great question. It's very interesting. Because there are exclusions in the policy surrounding bodily injury, but you look closely at many of these standalone wording, the exclusion wording, doesn't exclude mental anguish as a result of the incident. It excludes mental anguish as a result of bodily injury. So, it's bodily injury and mental English as a result of the bodily injury. So, what we're thinking here is that I would say a brave new world for insurance companies, clients and their claims department in understanding how is that actually going to work its way through the system with regards to bodily injury on a standard cyber insurance policy? I think we're probably going to see in the future, really case law drive this piece. And we're just at a very new point where we can't say one way or another, that the policy will exclude it in an absolute way or that it won't.

I think that this will be really duked out at extreme levels in the courts and that insurance policies will change as a result of that. But in general, for the hacking piece having a data privacy council there, to be able to let you know if there was some sort of personally identifiable information or some non-public third party information that was also accessed during the hack, that that is pretty much typical of any other incident where if there was there's likely some coverage and then for the forensics to teams to go in and see what actually happened and to try to contain the incident. It's pretty typical, regardless of it, ransomware Killware is some sort of malware and then there might be a business interruption type component as well. And that would be no different again on any other malware of how a policy would typically respond.

Carleen Patterson (07:30):
So, one of the worst-case scenarios, I'm thinking about Susan, as you're talking about Killware would be something along the lines for a city or a municipality where if they are attacked and perhaps like change all the stoplights to green. And so, a school bus is in an accident and there's a lot of kids involved. Would your cyber policy respond to something like that?

Susan Leung (07:54):
Absolutely. And you bring up a great point because that could potentially touch upon other lines of business such as general liability. And this is a conversation that clients will need to have with their brokers and their insurance companies of how does my general liability cover me in a cyber incident? Is it silent? Is there some sort of absolute exclusion for cyber or is it somewhere in between? And then we have seen that there is in some standalone policy’s, some contingent bodily injury coverage. That's very sublimated but when you look closely at the cyber policy, it'll say only provided if this coverage is not provided in a general liability policy. So, there's some type of dovetailing there to be reviewed. And then the kind of silent cyber that we've seen in all their lines of business, like property we'll have to start having those conversations pretty quickly here. If we start seeing more and more Killware attacks in the casualty lines of business.

Carleen Patterson (08:56):
My last question regarding Killware is how our public entities can protect themselves?

Susan Leung (09:02):
What we've been banging the drum on, is focusing on improving their cybersecurity controls. We've had a bulletin come out recently in October that we've been sending around to our clients and we can of course send it around again, in case some of our clients have not yet seen it, but it's all the typical type controls that they've been hearing us talk about to try to get the insurance coverage placed. But I think an important note is that yes, it's incredibly important to try to have multifactor authentication for privilege access, remote access, and point detection and response well-managed remote desktop protocols as well as patching schedules, but that's getting insurance is a byproduct of having better security controls, but the security controls should be thought of as this is what organizations are facing these constant persistent and newer threats that this just really something that needs to be done as part of business operations, not just to get insurance.

Carleen Patterson (10:01):
Any other thoughts before we wrap up today?

Susan Leung (10:04):
I guess, just the finishing thoughts as we are in what is being now called high season for hackers because of the holidays they know in the us that many people will be taking time off and focusing specifically on the systems during their time off that they are looking to get into the system. So, I think just kind of the basic stuff, if the link looks suspicious, don't click on it. If the attachment is suspicious, don't click on it, work with your IT department. If there's an email that is suspicious, manage those ports patch in a timely basis, I think was recently Palo Alto networks had recent vulnerabilities that they have released patches for. So, keep up on those because that is where the hackers are. They're getting in more easily. And so those kind of low-hanging fruit areas to try to mitigate those as much as possible.

Carleen Patterson (10:54):
Absolutely. Well, thank you very much, Susan, for joining us today, we recognize this is a challenging time to be in public entity risk management. And we continue to focus on providing our clients and prospects with information and resources as we navigate 2022 and beyond.