Colonial Pipeline is a Harbinger of Things to Come in Business
DarkSide has come out and said they somewhat regret attacking such a major infrastructure company and they don’t plan to attack such high-value targets in the future, but that remains to be seen. Oftentimes, hackers tend to look for vulnerable systems regardless of the industry or the organization behind the system. And if they find a vulnerability and it seems credible that the organization can pay, they will go ahead and proceed with the impact.
AN: How significant is this particular pipeline to the supply chain?
Dale Rogers: We’ve spent the past 30 years reducing the inventory in any system in the U.S. and globally. So we don’t have a lot of extra petroleum products that aren’t planned to go through a pipeline. You could replace a pipeline with trucks, but it’d be very inefficient and a whole lot slower. And those pipelines are incredibly vulnerable. The government knows it runs all along the port of Houston. They’ve got guys with rifles on the property because they expect some sort of physical attack. This cyberattack attack was unexpected. About 70% of the gas stations in Atlanta didn’t have product yesterday. So it’s a huge issue because we don’t have extra inventory floating around. We saw that with many products, particularly toilet paper, as a result of the pandemic. Any disruption is going to cause waves.
Now, supply chain managers in the U.S. and globally are usually pretty good at responding to whatever disruption there is. There’ve been a lot more disruptions over the past 10 years than there were 20 years before, but it’s still a huge problem just because we try to run as lean as possible on any product on any system. I expect this will take a while to get it going again.
AN: How often are there ransom attacks on our companies involving infrastructure? Are they on the rise and can we expect more?
Benjamin: Unfortunately, ransomware attacks are becoming more common and are on the rise. It’s a byproduct of computers becoming so ubiquitous. There’re so many more ways to attack a company potentially. You can attack it directly if vulnerabilities and some software are running on a server hosted by that company. Or you could get a virus on someone’s phone, and then they take it into the company because everyone has devices these days. So there’re more and more ways these attacks can occur. We will for sure see an increase in them.
Just a few years ago, it was estimated that cybercrime is costing the global economy in the hundreds of billions of dollars and that’s only expected to keep increasing as time goes on. As information technologies become more proliferated throughout the industry, these are things that we’re going to witness happening and we need to take more safeguards to ward them off.
AN: Given what just occurred, what are the U.S. fuel transit alternatives?
Rogers: There are not great ones. There are transit alternatives where fuel could be placed on trucks and rail and move it around. One of the real problems is that everything pretty much starts in the same place. We are quite vulnerable. If you look at a map of where the pipelines are in the U.S., all of the pipelines come from the Houston area, not every single one, but almost all of them. The government hasn’t published a map of the pipelines since the aftermath of 9/11. The Colonial Pipeline is the biggest one that supplies up to New York. So can you replace that with trains and trucks? Not very easily. The price of oil would probably double if that’s what you had to do, maybe even more than double.
AN: Should we expect more attacks in the future and how can companies protect themselves in the future?
Benjamin: We’ll definitely see more of these attacks in the future. Groups like DarkSide will scan the internet using tools called port scanners or network analysis tools to identify vulnerable targets. And they can almost automate these attacks to a certain extent. So, will we see more attacks? Definitely. What can companies do to defend themselves against it? They are improving security standards available for companies to follow such as the NIST Cybersecurity Framework and the International Organization for Standardization. A lot of companies can potentially focus on enforcing cybersecurity through their supply chain, perhaps supply chain contracts or contracts with suppliers or companies upstream. Many of the attacks these days are occurring because there’s a vulnerability in the vendor software. From there, hackers take that vendor software and deploy it on their systems and without oversight from the vendors. Perhaps there could be more enforcement of cybersecurity protocols through supply chain contracts and setting up standards.
Rogers: If I can just add something … We’re at an interesting tipping point right now where we’re thinking about getting rid of gas-powered vehicles and moving toward electric vehicles. That would be a relief for this particular attack, but if you think about putting all the vehicles in the U.S. on the electric grid, then relying on that to be resistant to hacks seems unlikely. Our electric grid is extremely vulnerable. If in 20 to 30 years, every single vehicle was attached to that electric grid to function, you could see how with just a few successful hacks, they could pretty much stop all transportation in the U.S. As a country, we’re going to have to figure out something because electric cars will be vulnerable to these kinds of hacks.
AN: What will be the lasting effects of this cyberattack on fuel supply and prices?
Rogers: Prices are very responsive, both going up and going down. I don’t think there’ll be a long-term hit, but it’ll take a few weeks to bring them back to normal. Gas prices tend to be sticky, going upside more than they’re going downside. So there will be some impacts that will stick around for a while. I think it’s more likely that because there’s going to be a surge in demand this summer because we’ve all been sitting in our houses for more than a year and there’s going to be a real demand. The oil companies are excited about seeing people getting on planes and driving cars.
AN: I remember reading about a cyberattack on a foreign water facility and the facility was able to launch a counterattack. Why can’t companies do more of that as a warning shot to these hackers?
Benjamin: Can companies respond to these hacking groups by perhaps launching attacks against them? Yes, potentially. But I would say that’s probably not the correct route. Attack attribution can become incredibly difficult sometimes because if you’re a company that’s being attacked, you are the scene of the crime. You have the bullets at the crime scene, but not the shooter. And who’s the shooter? Often you can’t tell who they are unless they declare themselves, and even when they do declare themselves, how credible is it? That can become, in many circumstances, a very difficult strategy for companies to employ.