Infrastructure protectionCyber Attacks Can Shut Down Critical Infrastructure. It’s Time to Make Cyber Security Compulsory

By Richard Oloruntoba and Nik Thompson

Published 28 May 2021

The 7 May attack on the Colonial Pipeline highlights how vulnerable critical infrastructure such as fuel pipelines are in an era of growing cyber security threats. In Australia, we believe the time has come to make it compulsory for critical infrastructure companies to implement serious cyber security measures.

On May 7, a pipeline system carrying almost half the fuel used on the east coast of the United States was crippled by a major cyber attack. The five-day shutdown of the Colonial Pipeline resulted in widespread fuel shortages and panic-buying as Virginia, North Carolina and Florida declared a state of emergency.

The attack highlights how vulnerable critical infrastructure such as fuel pipelines are in an era of growing cyber security threats. In Australia, we believe the time has come to make it compulsory for critical infrastructure companies to implement serious cyber security measures.

Collateral Damage
The risk of cyber attacks on critical infrastructure is not new. In the wake of the events of September 11, 2001, research demonstrated the need to address global security risks as we analyzed issues of vulnerability and critical infrastructure protection. We also proposed systems to ensure security in critical supply chain infrastructure such as seaports and practices including container shipping management.

The rise of “ransomware” attacks, in which attackers seize important data from an organization’s systems and demand a ransom for its return, has heightened the risk. These attacks may have unintended consequences.

Evidence suggests the Colonial shutdown was the result of such an attack, targeting its data. It appears the company shut down the pipeline network and some other operations to prevent the malicious software from spreading. This resulted in a cascade of unintended society-wide effects and collateral damage.

Indeed, the attackers may have been surprised by the extent of the damage they caused, and now appear to have shut down their own operations.

We have seen how critical supply chain infrastructure can be severely disrupted as collateral damage. We must consider how severe the fallout might be from a direct attack.

The events in the US also raise another important question: how vulnerable is our critical supply chain infrastructure in Australia?

Critical Infrastructure Is an Attractive Target
Australian society is dependent on many international and domestic supply chains. These are underpinned by critical supply chain infrastructure that is often managed by advanced and interlinked information and communication systems. This makes them attractive targets for cyber attackers.

Cyber risk frameworks are often derived from traditional risk management approaches, addressing issues of a potential cyber attack as routine conventional risk. These risk management approaches weigh up the costs of preventing a cyber attack against the costs and probability of a breach.