Within just three days of the Colonial fuel pipeline ransomware attack, States on the eastern seaboard of America began to see the first-hand effect that a cyber attack on a critical infrastructure could have. Block long queues for petrol pumps pushed tempers to the limit, and states of emergency were declared to curtail the growing crisis.
The Colonial pipeline attack represents a watershed moment in how people think about cybercrime. No longer is it just personal data at risk, but actual life and liberty itself are now inextricably under threat from our digitalised world.
What effects can such an attack have on every organisation in our highly connected world, and what can this tell us about our own organisation's resilience to a critical infrastructure failure?
The Colonial pipeline passes through 12 US states, stretching 5,500 miles from Houston, Texas to the Port of New York and New Jersey, New York. It has the capacity to carry three million barrels of fuel (approximately 500 million litres) per day. The pipeline is fed from several different refineries along the route and directly supplies several major cities and airports with up to 86 different products, including gasoline, diesel and jet fuel.
On Friday 7th May, the Colonial Pipeline Company became the victim of a ransomware attack which prompted them to take the pipeline down for five days. The ransomware consisted of a "double extorsion" attack, which involves both theft of the victims' data and then encryption of the data. Should the victim not pay the ransom, the stolen data is made public whilst the encrypted data remains locked.
Whilst it is not believed any physical systems themselves were compromised in the attack, Colonial could not take the risk. By voluntarily shutting down the pipeline, they could control the reestablishment of supply in five days; all be it utilising a delivery schedule created prior to the hack.
Whilst there are many cyberattack methods, there are essentially three attack vectors currently available for wannabe physical cybersaboteurs. The first is a denial of access, including ransomware, which prevents legitimate operators from safely accessing systems, as seen in the Colonial hack, or previously in the infamous NotPetya or Wannacry attacks. The second is the infiltration of control systems via remote control to make changes to the operation of a process. The third is the insertion of malicious code to change an operating parameter.
Denial of access: In many respects, ransomware has become a very lucrative black market business model. Organisations such as DarkSide, whom the FBI believe are behind the Colonial pipeline hack, provide "ransomware as a service" to other criminal groups, taking a cut of the proceeds. Audaciously they even have a code of ethics on their webpage and claim to donate a portion of their ill-gotten gains to charity.
Remote control: Since 2020 the Covid-19 pandemic has exacerbated the number of remote control hacks as so many more technicians started working remotely during the lockdown, exposing their critical systems to many more attack opportunities.
In February 2021, the Oldsmar water plant, which supplies water to the city of Oldsmar, Florida, was reportedly compromised. Unknown hackers infiltrated the control system via a remote viewing system called TeamViewer, and adjusted the settings to add excess sodium hydroxide to the water supply of 15,000 people, with the potential to cause significant harm to anyone who came into contact with the water. According to reports, the operator could see their curser being moved on the screen by someone else but could not stop them.
Malicious code: Compared to the other two, the malicious code attack is a much more sophisticated physical attack. By infiltrating the supervisory control and data acquisition (SCADA) system, malicious code can affect devices such as pumps, valves, motors, and sensors, causing them to malfunction. The most famous example of this was the Stuxnet worm that affected the Iranian nuclear enrichment process by changing the speed of critical centrifuge systems.
There are essentially eight critical infrastructures that hold the modern world together. These are:
While each is considered critical in its own right, two essentially underpin the others: electrical power and telecommunications. A failure in either one of these has the potential to render all others inoperable. And the consequences of failure, whether through cyber-attack or another source such as space weather, are truly staggering.
In 2015, Lloyd’s and the Centre for Risk Studies at Cambridge University published a report called "Business Blackout: The insurance implications of a cyber attack on the US power grid". The report speculated that a SCADA attack causes a blackout across 15 States, leaving 93 million people without power. Estimates of the direct damage to assets and infrastructure, the decline in sales revenue to electricity supply companies, loss of revenue to business and disruption to the supply chain ranged from $243bn to more than $1trn in the worst-case scenario. The report also looked at direct and indirect insurance losses. These ranged from $21.4bn up to $71.1bn.
Unfortunately, such a scenario did not remain hypothetical for long. On December 3rd 2015 hackers attacked three electrical distribution companies in Ukraine and disrupted the power to a quarter of a million people for several hours. Believed to be the work of Russia, the Ukrainian power grid attack demonstrated the enormous impact a critical infrastructure cyberattack could have on a nation-state.
If critical infrastructure is vulnerable, then where does this leave companies?
The answer to this lies in thinking about the resilience of organisations in relation to their business ecosystem, their staff members, and ultimately the expectations of their key stakeholders. How well do you know your exposure across your connected ecosystem, and what steps are required to ensure resilience?
If the Covid-19 pandemic has taught us anything, then it is that some organisations are more resilient to external threats than others, and the ones who are prepared to adapt to a new environment rapidly are the ones who can flourish and find opportunities where previously there was none. This philosophy needs to be learned and adapted to the prospect of a critical infrastructure failure. As the Colonial pipeline and Oldsmar water plant demonstrate, 2021 could be the year to learn it, either the easy way or the hard way.
With supply chains stretching around the world, a critical infrastructure failure in a far off country can impact an organisation within minutes. Telecommunications and electrical services are particularly time-sensitive and can have a widespread impact far beyond the blackout region. Examples include customers not being able to place orders, servers not being able to process data, or instructions not being delivered to suppliers. How many delivery companies in New York lost business because they could not get petrol due to a ransomware attack 5000 miles away on a company many people had never even heard of?
Pre-planning for disaster is never easy and is often perceived as a distraction from the primary business objective. Yet, some simple measures could make the difference between success and collapse, particularly in time-sensitive environments.
First and foremost is the distribution of leadership. If a company concentrates all leadership from a central location, the loss of communication can render the company headless. Through pre-planning fallback leadership structures, organisations can shift to alternative leadership and communication without interruption. The same principle can apply to creating redundancy in communication networks. If your process only enables communication by email, then you have no redundancy. However, if telephone, fax, or even good old snail mail is allowed, you can at least continue to function in a reduced capacity.
There are many scenarios, both local and remote, which have the potential to impact your business today. Understanding what they could be and the impact that they could have is essential business intelligence that every organisation should be seeking out.
As eloquently demonstrated by the Colonial pipeline attack, so much of the world is now inextricably connected. Never before has business been so vulnerable to threats, both malicious and benign. Due to the sheer complexity of the business ecosystems, organisations need to understand that resilience goes beyond data and science and starts entering the realm of imagination.
To create scenarios that start at a distant and remote place from your current world view, and envisage how that can manifest itself on your business model and your bottom line is an art form.
Russell has developed this art form and learned how to combine it with hard data in a unique service that enables decision-makers and business leaders to contemplate the plausible and optimise their response to minimise loss and capitalise on opportunities. We help your business anticipate, absorb and adapt to the effects of rapidly changing circumstances in a dynamic environment to enable it to deliver its objectives, to survive and prosper. We call this the Imagination to Create.