
The rise of the Internet of Things correspondingly brings with it an exponential increase in the number of potential targets for cyber criminals. It isn’t just video cameras, for example, that may be exploited by cyber criminals; the list includes medical devices and even smart houses themselves. More worrisome is that steps need to be taken to safeguard cars, industrial facilities and even power grids and utilities.


Much has already been made of an incident last summer when two ethical hackers demonstrated the ability to remotely gain access to a moving Jeep Cherokee using a laptop to exploit loopholes in the vehicle’s audio system. The men were able to change the moving vehicle’s speed and braking capability, and also manipulate the radio and windshield wipers, before disabling the SUV. The incident led to the recall of 1.4 million vehicles made by FCA, including Jeep Cherokees, to patch software holes, and prompted other automotive companies to more closely scrutinize cyber security vulnerabilities in their cars.


“The situation is made worse because many engineers tasked with designing and building systems are not experts in network protocols and are even less versed in network security,” Cesare Garlati, chief security strategist at prpl Foundation, says in an article this week on iot (Internet of Things Institute). “They may know how to put together hardware components, but implementing TCP/IP protocols is a rarefied discipline which requires expert knowledge and extensive debug and testing. While it’s unfair to expect mechanical and electrical engineers to shoulder this burden, the lack of subject matter expertise is leaving systems wide open to attack, something which vendors, regulators and manufacturers must carefully consider as the evolution of connected cars continues.”


Industrial facilities and manufacturing plants are at risk as well. As the iot article notes, there already is an account of a German steel mill being hacked, which led to massive damage to the facility. Criminals used a combination of spear phishing and social engineering to gain access to the steel mill’s office network. From there, the hackers gained access to the production system and took over industrial control components in the plant.


Finally, the Ukraine has accused Russian hackers of shutting down almost a quarter of its power infrastructure, knocking out at least 30 of its 135 power substations. Cyber security experts have been warning of the risk of hackers breaching the power grid and natural gas pipelines for years, so the attack does lend an urgency to the threat.


“The attack on Ukraine’s power grid was a very frightening example,” says Garlati in the iot article. “At its core, it involved connected devices used in industrial control and automation: attackers wrote malicious firmware to replace the legitimate firmware on serial-to-Ethernet converters at more than a dozen substations—the converters are used to process commands sent from the SCADA network to the substation control systems. Taking out the converters prevented operators from sending remote commands to re-open breakers once a blackout occurred.”


Thomas Pore, director of IT and services at security analytics company Plixer International, says in the iot article that there are a number of steps all organizations should take to increase cyber security—beginning with providing on-going training so employees know how to identify phishing attacks and how to avoid being a victim of social engineering. For starters, users need to be trained not to click on links in emails.


“When a phishing attempt is identified, an announcement should be made to employees as an example of how to identify such attempts. Authentication and privilege should be configured under the principle of least privilege as well as implementing software restriction policies to help prevent an actor from gaining access to critical resources, should a breach occur,” Pore says. “At this stage in the game, we need to operate our networks as though a breach will occur.”


What are your thoughts on cyber risk that comes with increased use of the Internet of Things? Does your company have an on-going training program to educate employees about phishing attacks and how to avoid social engineering?

The use of surgical robots in operating rooms around the world is potentially on the cusp of dramatic growth. Indeed, within five years, one in three U.S. surgeries—more than double current levels—is expected to be performed by surgeons sitting at computer consoles guiding robotic arms, according to data from Intuitive Surgical, a pioneer in robotic surgery, a Reuters story reports. Doctors say use of the robotics reduces their fatigue and offers greater precision.


Although surgical robots, such as Intuitive Surgical’s da Vinci machines, cost $1.5 million on average and require on-going maintenance, insurers pay no more for surgeries that use the systems than for other types of minimally-invasive procedures. Even so, most top U.S. hospitals for cancer treatment, urology, gynecology and gastroenterology have made the investment in robotics. The robots are used in hernia repair, bariatric surgery, hysterectomies and the vast majority of prostate removals in the U.S., according to Intuitive Surgical data. What’s more, the robots are featured prominently in hospital marketing campaigns aimed at attracting patients, and new doctors are routinely trained in their use, Reuters reports.


In other robotics news, Ford Motor Company announced it’s testing how human workers and robots may collaborate to manufacture vehicles. New collaborative robots, known as co-bots, are being used to help workers at Ford’s assembly plant in Cologne, Germany, fit shock absorbers to Fiesta cars. Developed over two years, the robot program was carried out in close partnership with German robot manufacturer, KUKA Roboter GmbH.


“Robots are helping make tasks easier, safer and quicker, complementing our employees with abilities that open up unlimited worlds of production and design for new Ford models,” says Karl Anton, director, vehicle operations, Ford of Europe.


Measuring just over three feet high, the new robots work side-by-side with line workers at two work stations. Rather than manipulate a heavy shock absorber and installation tool, workers can now use the robot to lift and automatically position the shock absorber into the wheel arch, before pushing a button to complete installation, Ford explains. To ensure human worker safety, the co-bots are equipped with high-tech sensors that stop action immediately if they detect a human arm or even a hand in their path.


“Working overhead with heavy air-powered tools is a tough job that requires strength, stamina and accuracy,” says Ngali Bongongo, a production worker at Ford’s Cologne plant. “The robot is a real help.”


The news from Intuitive Surgical and Ford reminds me of a report from consulting firm McKinsey & Company earlier this month, which explains the firm’s forecast for the impact of automation on most jobs. While automation will eliminate very few occupations entirely in the next decade, it will affect portions of almost all jobs to a greater or lesser degree, depending on the type of work they entail, according to the report.


McKinsey broke down U.S. labor tasks into three categories: those highly susceptible to automation, those less-susceptible and those least susceptible. Among the most vulnerable are tasks involving physical activities or operation of machinery in predictable environments, work which makes up almost 20 percent of U.S. labor activity. Risk of automation for those tasks is 78 percent, according to McKinsey.


“Since predictable physical activities figure prominently in sectors such as manufacturing, food service and accommodations, and retailing, these are the most susceptible to automation based on technical considerations alone,” the report notes.


What are your thoughts on the growing use of robotics? How will their use have an impact on your company and others in the supply chain?

With two wildfires burning north of Los Angeles and drought in the Midwest U.S., it’s difficult to think of heavy rains and resulting flooding disrupting supply chains, but this is precisely the time to plan for such events. Indeed, a changing climate will almost certainly lead to extreme rainfall, and U.S. businesses, depending on their location, should start preparing now to minimize supply chain risk, according to a new white paper.


“Businesses must recognize that climate change is happening and it will generally get warmer,” writes Dr. Kevin Trenberth, distinguished senior scientist at the National Center for Atmospheric Research, in the white paper, “Coping with Extremes: The Impact of Climate Change on Extreme Precipitation and Flooding in the United States and How Businesses Can Prepare Now,” from FM Global, one of the world’s largest commercial property insurers. Dr. Trenberth is one of four leading atmospheric scientists consulted for the paper.


In general, wet areas of the U.S. will likely become wetter and dry areas will become drier. Of particular concern, the paper notes, are changes that are severe in the extreme: “Extreme events have the greatest potential to produce natural catastrophes that affect businesses, jobs and economies on a regional or global scale,” according to the paper.


This isn’t the first time Dr. Trenberth has written about the changing climate and a likelihood of extreme weather. In the National Climate Assessment in 2014, he and other scientists explained that they have seen significant increases since the mid-20th century in the amount of precipitation falling in very heavy rainstorms: up 71 percent in the Northeast, 37 percent in the Midwest and 27 percent in the Southeast. It is the result of global warming, which has, on average, put more than a trillion gallons of extra water into the atmosphere over the contiguous 48 states, probably closer to two trillion gallons, Dr. Trenberth and David R. Easterling wrote.


Consequently, “It rains harder than it used to,” said Dr. Trenberth, who added, “When it rains, it pours.”


The new paper does note that geographic variability will be a key factor. For instance, certain regions of the U.S. are expected to be prone to more intense precipitation events and a potentially increased risk of flooding. On the other hand, the paper explains, other regions are prone to less precipitation, prolonged droughts and a potentially increased risk of wildfires. The paper recommends then, that businesses and property owners prepare for locally intense precipitation or drought considerations, depending on their location.


For those companies in states prone to heavy rain and flooding, the authors recommend that executives focus on both water management, such as diverting water from property and considering new weather extremes when managing supply chains, and psychological obstacles to preparation. So, for example, executives should beware of what the authors call “generational memory threshold,” which occurs when a community’s collective memory is too short to remember major disasters such as an earlier 1-in-500-year hurricane.


Another obstacle is heedlessness. In earlier FM Global research, 96 percent of financial executives surveyed said their companies had operations that were exposed to natural catastrophes such as hurricanes, flood and earthquakes, yet fewer than 20 percent said their organizations were “very concerned” about such disasters hurting the bottom line.


In recent years, Tennessee had heavy flooding that closed Interstate 24, two feet of rain fell on the Florida Panhandle and Alabama coast and caused the states to close highways, and seven inches of rain fell on Chicago overnight and flooded all highways and interstates around the city—and swamped homes as well as businesses, warehouses and distribution centers. Last year, after significant rain fell all week in Texas, Houston received 11 inches of rain in less than three hours, flooding much of the city and closing the freeway. These types of storms, and subsequent flooding, seem to be all too common now.


Is your supply chain prepared for disruptions caused by heavy rain and flooding?

Now that it’s peak mosquito season, fears of an outbreak of the mosquito-borne and sexually transmitted Zika virus in the U.S. are growing. Most people with a Zika infection may not even present symptoms. Nonetheless, pregnant women infected with the Zika virus have an increased risk of their babies being born with microcephaly. This condition results in an abnormally small head impairing brain development.


Meanwhile, Congress has been unable to prevent the situation from getting worse. Furthermore, lawmakers just went into a seven-week summer holiday without passing a $1.1 billion spending bill to fund the fight against the Zika virus. Another vote is scheduled on lawmakers’ first day back.


Last February, the Obama administration requested $1.9 billion in emergency funding for prevention and preparedness measures to protect against the spread of Zika. Top health officials from the Centers for Disease Control and Prevention and the National Institutes of Health have been asking Congress to pass the bill to help the country prepare for Zika all year. Now comes news that a $1.1 billion funding package to prevent the spread of the Zika virus failed to advance in the Senate after Democrats blocked the measure.


Senate Democrats explained that they blocked the bill because Republican lawmakers had added provisions they couldn’t agree to—including new restrictions on Planned Parenthood funding to clinics in Puerto Rico and cuts to the Affordable Care Act. They also objected to budget offsets in the plan. Meanwhile, Republicans in the House countered that the administration needs to shift existing funds that were being used to fight Ebola, and said any new money needs to be offset. Now Congress is on break.


Although there are no documented Zika virus cases originating in the continental U.S., more than 1,300 travelers have brought the Zika virus to the U.S. from abroad. Furthermore, officials predict it’s only a matter of time before there is a Zika outbreak in the U.S., particularly in the Gulf Coast states. By the CDC’s count, there have already been nine births involving Zika-related birth defects in the continental U.S., and there are more than 340 pregnant women with the virus. Consequently, the number of babies with microcephaly born in the U.S. is sure to grow.


The Zika virus vaccine isn’t the only pharmaceutical affected—or soon to be affected—by government actions or inaction. With both U.S. presidential candidates promising action on drug prices, November’s election could trigger a sea change in the industry, Novartis CEO Joe Jimenez says in a Financial Times article. Indeed, Jimenez predicts pricing pressures in the U.S. will only increase when a new administration takes over—whether that administration is led by Democrat Hillary Clinton or Republican Donald Trump.


“We believe that, no matter which candidate wins, we will see a more difficult pricing environment in the U.S.,” Jimenez told the Financial Times. “We all have to plan for new pricing models in the U.S. that could help us ensure the sustainability of the system as the population ages.”


Clinton has proposed a range of measures to crimp drug prices, including re-importation of meds—particularly those where U.S. prices are at least double those in other countries—under standards set by the FDA. Trump has also said he wants the U.S. to have access to imported drugs, Financial Times reports.


Jimenez has been a big proponent of pegging drug prices to their real-world results, Financial Times reports. He sees that approach as a way for drugmakers to capitalize on truly innovative, effective meds and discourage development of drugs that offer only incremental benefits. He also predicts that results-based drug payments would cut overall healthcare costs.


“If you move to that kind of pricing system over a period of years, you will be able to take out a lot of waste,” Jimenez says.


What are your thoughts on the spread of the Zika virus or potential changes to drug pricing?

Cars and lots of tequila generally don’t make for a good match. On the other hand, it is good to learn that Ford Motor Company is teaming up with Jose Cuervo to explore the use of the tequila producer’s agave plant byproduct to develop more sustainable bioplastics to use in Ford vehicles.


As the companies explain, Ford and Jose Cuervo are testing the bioplastic for use in vehicle interior and exterior components such as wiring harnesses, HVAC units and storage bins. Initial assessments suggest the material holds great promise due to its durability and aesthetic qualities. Success in developing a sustainable composite could reduce vehicle weight and thereby lower energy consumption, while paring the use of petrochemicals and alleviating the impact of vehicle production on the environment, according to Ford.


“At Ford, we aim to reduce our impact on the environment,” says Debbie Mielewski, Ford senior technical leader, sustainability research department. “We’re developing new technologies to efficiently employ discarded materials and fibers, while potentially reducing the use of petrochemicals and light-weighting our vehicles for desired fuel economy.”


The growth cycle of the agave plant is a minimum seven-year process. Once harvested, the heart of the plant is roasted, before grinding it and extracting its juices for distillation. Jose Cuervo uses a portion of the remaining agave fibers as compost for its farms, and local artisans make crafts and agave paper from some remnants. Now, as part of Jose Cuervo’s broader sustainability plan, the tequila maker also sends fibers to Ford, where they are chopped up and compounded into plastic.


The collaboration with Jose Cuervo is the latest example of what Ford calls the greening of its plastics through use of “environmental, plant-based materials.” The company began researching the use of sustainable materials in its vehicles in 2000. In 2008, Ford started using soy foam as a replacement for petroleum oil-based foams used in the seat cushions and headrests of its Mustang. Today, the company says it uses soy foam in seat cushions and headrests in every vehicle across its lineup in North America. In addition to soy foam, Ford says it uses seven other sustainable-based materials in its vehicles—castor oil, wheat straw, kenaf fiber, cellulose, wood, coconut fiber and rice hulls.


“There are about 400 pounds of plastic on a typical car,” says Mielewski. “Our job is to find the right place for a green composite like the one from the agave fibers to help our impact on the planet. It’s work that I’m really proud of, and it could have broad impact across numerous industries.”


Ford isn’t alone, of course, in its use of recycled materials. Indeed, most automakers use components that are made from recycled plastic, such as wheelwell liners, bumpers, and air and water baffles. Many also use seat fabrics produced from recycled water bottles.


In addition to Ford, there are a number of other automakers making use of bioplastics as well. For example, Edmunds reports that many Toyota cars have seat cushion material, radiator tanks and other components made from bioplastics produced from glycol from renewable sugar cane instead of petroleum-derived glycol. What’s more, the Honda Accord Hybrid and Accord Plug-In Hybrid use a proprietary biofabric in seat covers; the Hyundai Elantra has soy-based foam seat cushions; and the Kia Rio has a soy-based seat foam while the Soul EV uses cane- and cellulose-based bioplastics in door panels, headliners, seat fabrics, roof pillars and carpeting.


What are your thoughts on the growing use of bioplastics and recycled plastics in automobiles?

In a sign of just how quickly the automotive industry and connectivity technology are converging, Fiat Chrysler (FCA US LLC) launched a bug bounty program that rewards researchers—“good-guy hackers”—for discovering and reporting software vulnerability in its cars and trucks. Launched on the Bugcrowd platform, the program will give hackers bounties between $150 and $1,500 for vulnerabilities that they find in the car company’s software. The amount FCA will award will depend on the severity of the discovered vulnerability.


Last summer, two ethical hackers demonstrated the ability to remotely gain access to a moving Jeep Cherokee using a laptop to exploit loopholes in the vehicle’s audio system. The men were able to change the moving vehicle’s speed and braking capability, and also manipulate the radio and windshield wipers, before disabling the SUV. The incident led to the recall of 1.4 million vehicles made by FCA including Jeep Cherokees to patch software holes, prompted other automotive companies to more closely scrutinize cyber security vulnerabilities in their cars, and—most likely—also led to FCA’s current bug bounty.


“Our goal with the Bug Bounty project is to foster a collaborative relationship with researchers to participate in responsible disclosure of vulnerabilities in FCA’s vehicles and connected services,” Fiat Chrysler says in a statement on the Bugcrowd page for its program, adding that it will be investigating all reports that hackers send in and would apply the necessary fixes as fast as possible. There are an estimated 30,000 cyber security researchers on Bugcrowd.


“There are a lot of people who like to tinker with their vehicles or tinker with IT systems,” says Titus Melnyk, senior manager, security architecture, FCA US, in an article on Government Security News. “We want to encourage independent security researchers to reach out to us and share what they’ve found so we can fix potential vulnerabilities before they’re an issue for our consumers.”


The bug bounty program is focused on the connected vehicles of FCA US, along with the systems that operate within the vehicles and the external services and apps that interact with these systems. The company says the program gives it the ability to: identify potential product security vulnerabilities; implement fixes and/or mitigating controls after sufficient testing has occurred; improve the safety and security of FCA US vehicles and connected services; and foster a spirit of transparency and cooperation within the cyber security community. The company may make research findings public, based on the nature of the potential vulnerability identified and the scope of impacted users, if any, it says.


FCA says in a statement that it’s the first automaker with a full lineup of cars and trucks to offer such a bounty. However, electric car maker Tesla Motors did launch a bug bounty program last summer. The company initially offered bounties ranging from $25 to $1,000, depending on the vulnerability. However, Tesla later increased the maximum amount of money it’s prepared to pay out to researchers who find serious security vulnerabilities. Researchers are able to report SQL injection, command injection, and vertical privilege escalation vulnerabilities using the Bugcrowd platform.


While new for the auto industry, paying a bounty to researchers for discovering cyber vulnerabilities is nothing new for other industries. Google, Facebook and a number of other companies have already been following the practice, and Twitter announced last May that it paid out a total of $322,420 in bug bounties over two years. Even the U.S. Department of Defense announced a “Hack the Pentagon” initiative last March, inviting hackers to test the security of its Web pages and networks. Although participants can win money and recognition for their work, the DoD says the program is only for “vetted hackers,” which means anyone hoping to find vulnerabilities in DoD systems will first need to pass a background security check.


What are your thoughts on bug bounty programs? Is making use of friendly researchers a viable means of discovering cyber vulnerabilities in connected products?

The combination of what seems like a steady barrage of data breaches and greater understanding of their impact on an organization has led executives at many companies to increasingly view cyber security as a business challenge, rather than an IT concern. Interestingly, chief financial officers and certified public accountants are able to play a vital role in efforts to improve an organization’s cyber security due to their skills and experience.


One of the challenges for a company’s chief information security officer (CISO)—if a company has one—is to explain technical cyber security risk factors in business terms. However, CFOs are in a unique position to help CISOs work through some of these challenges because they have experience managing other forms of business risk and can help CISOs structure a cyber risk management program based on business-appropriate metrics and an integrated data set, a recent CFO article notes.


There are several areas in particular where CFOs can help, the article continues. For instance, as companies address cyber-risk management as a business function, CFOs have the background and experience to help CISOs better understand where cyber defense dollars should be spent. CFOs are able to confirm that the organization’s current security plan addresses business development needs in a cost-effective way.


CFOs are also able to help CISOs understand cyber financial resilience by putting cyber risk in monetary terms, the article notes. Furthermore, CFOs are able to measure the cost of cyber defenses against hedging techniques such as cyber insurance and impact analysis given current risks.


Finally, CFOs are able to help others better understand cyber defense resource optimization by helping evaluate what the company should do with existing investments in technology, policies and processes. That way, leaders can ensure the organization is following the best course of action by optimally leveraging existing resources, rather than simply following trends, explains the article.


I was also interested to recently read that, according to AICPA President and CEO Barry C. Melancon, CPA, CGMA, the U.S. Securities and Exchange Commission has acknowledged that the accounting profession’s experience with integrating data, reporting and assurance puts CPAs in a unique position to assist organizations as they address their cyber security concerns. Consequently, AICPA (American Institute of CPAs) is taking a multifaceted approach to cyber security through the work of the Assurance Services Executive Committee and the Center for Audit Quality to enable CPAs to take a leadership role, he explains.


“The AICPA already sees explosive growth in the need for cyber security-related services that build on the foundation for Service Organization Control, or SOC, reports,” Melancon says. “This demand is driven by market forces—and the market is asking us to do more, from both the advisory and assurance perspectives.”


In response, the AICPA is taking action on many fronts, Melancon says. For example, various segments of the AICPA are working to help CPAs as they address cyber security concerns by leveraging services such as advisory, assurance, tax and management accounting, Melancon says. The AICPA is also looking at how the profession can address cyber security as a natural extension of the platform of services CPAs already perform.


“We see numerous roles for CPAs in the battle against cyber crime,” Melancon says. “CPAs must present their own front line against cyber attacks, implementing controls that help protect data and prevent service disruptions. CPAs in business can use their knowledge of the organization to advise their employers on administering a cyber security risk management program and provide the best cyber solutions. CPAs in public practice can assist their clients in an advisory capacity, as they grapple with cyber concerns and provide assurance when needed.”


What are your thoughts on having CFOs and CPAs help manage cyber security risk? Secondly, if you are a CFO or CPA, are you involved in your organization’s cyber security risk management program?

The trucking industry in the U.S. has dealt with a shortage of truck drivers from time to time, but the issue has now become what some analysts call a “crisis”—and it doesn’t appear to be ending anytime soon.


“During the last recession, beginning in 2008, the driver shortage had been eliminated due to industry volume plummeting, but as it began to recover in 2011, so too did the re-emergence of the shortage come about as well, growing to 38,000 jobs by 2014, and 48,000 by the end of 2015,” Rod Suarez, economic analyst for American Trucking Associations (ATA), writes in an article on Industry Today. “If the current trend holds, the driver shortage may explode to nearly 175,000 by 2024.”


In response, the trucking industry will need to hire a total of 890,000 new drivers, or an average of 89,000 a year, according to the Truck Driver Shortage Analysis 2015 report, compiled by Suarez and Bob Costello, chief economist and senior vice president for ATA. Replacing retiring truck drivers will be by far the largest challenge, accounting for nearly half of the new driver hires (45 percent). The second largest challenge will be to accommodate industry growth, accounting for 33 percent of new driver hires, they explain.


In response, Suarez writes, companies are aggressively taking action, providing drivers with—in addition to increased pay—expanded incentives and application outlets, including more at-home time, lowering the driver age, improving the overall driver image and hiring more military veterans.


With the driver shortage in mind, I was interested to recently see that Jane Jazrawy, chief executive of CarriersEdge, a provider of online safety and compliance training tools, spoke about increasing ethnic diversity as a means to help alleviate the driver shortage during her presentation at the recent Truckload Carriers Association’s Workforce Builders Conference.


Jazrawy’s presentation included data from a new report by the UCLA Study for the Center for Inequality and the Asian Pacific American Institute for Congressional Studies, which indicates that, overall, the fastest growing populations are non-white. The research indicates that nationwide, the percentage of minorities climbed from 32.9 percent in 2004 to 37.9 percent in 2014. Jazrawy also cited research by global management consulting firm McKinsey & Company which shows companies in the top quartile for both gender and ethnic diversity are 35 percent more likely to have above average financial returns and those in the top quarter for gender diversity only are 15 percent more likely.


“From a driver shortage point of view there is under-representation of minorities in trucking, and there has been very little attention paid to this fact,” Jazrawy said. “The focus has been on women and veterans because there are larger numbers of people in both of those groups, but it is an oversight to not look harder at what trucking companies could be doing to attract and retain ethnic minorities.”


Jazrawy also reported on successful practices among fleets in the Best Fleets to Drive For program. The annual survey and contest produced by CarriersEdge and the Truckload Carriers Association identifies for-hire carriers providing the best workplace experiences for their drivers.


“Some of the best fleets have bilingual staff that includes driver supervisors, recruiters and trainers, as well as payroll and safety personnel,” Jazrawy said. “They also work with drivers to make accommodations for particular religious beliefs, for instance allowing drivers to be home on certain days or not hauling products like alcohol or pork.”


Considering that compared to other methods of transportation, trucking accounts for 70 percent of all freight transferred across the country, and that the driver shortage is growing, it makes sense to identify and recruit from many different labor pools. Working to improve ethnic diversity could help alleviate the driver shortage.


What are your thoughts on the driver shortage in general? What about improving ethnic diversity among drivers? What challenges would come with those efforts?