The ripple effect of cyber disruption on commercial infrastructure
In May this year, a ransomware attack on U.S. Colonial Pipelines’ IT system led to a six-day shutdown of the 8,900 km pipeline that delivers 100 million gallons of petrol, jet fuel, and diesel from Texas refineries to East Coast markets every day.
The shutdown sparked a price spike and widespread panic buying, with images circulating of fistfights at petrol stations and people even filling plastic bags with petrol as over 16,000 filling stations ran dry. Florida, North Carolina and Virginia had to declare a state of emergency as ripple effects caused widescale collateral damage. Fuel shortages impacted everything from retail supply chains to emergency vehicles, disrupting businesses and services across multiple jurisdictions. The American Automobile Association noted that the average national gasoline price rose to above $3.00 a gallon in wake of the incident, the highest since October 2014.
How a single disruption creates a systemwide ripple effect
Analyses suggest that the attackers behind the Colonial Pipeline incident, an Eastern European group known as DarkSide, may have been surprised by the extent of the damage they caused.
The attack targeted Colonial’s IT systems and it was Colonial, not DarkSide, that shut down the pipeline itself as a precaution. Bloomberg reported that Colonial paid the hackers a ransom of nearly $5 million within hours of the hack.
A post on DarkSide’s website stated: “About the latest news: our goal is to make money, and not creating problems for society". The point to understand here is that ransomware hackers are usually not terrorists – they’re out to make a quick buck rather than blow things up. But the impact of an attack on critical infrastructure can be just as damaging as a terrorist attack.
Besides fuel pipelines, other critical infrastructures vulnerable to attacks include dams, power plants, factories, water treatment plants, transportation, telecommunications, oil refineries, critical manufacturing and the power grid itself. Researchers estimate a plausible cyberattack on the U.S. power grid could have an economic and insurance impact between $240 billion to $1 trillion.
Other concerning examples in the U.S. include an attempt by Iranian hackers to infiltrate the controls for a dam in upstate New York, and an attempt to poison a Florida water supply by remotely increasing the levels of sodium hydroxide. In isolation, these events seem small-scale. But if we consider the implications, we can see the ripple effects multiply quickly across a host of interconnected infrastructure elements.
Learning from Ukraine’s and Iran’s experiences
Perhaps no country has suffered as much as Ukraine from cyberattacks on critical infrastructure. As part of the 2017 Petya/NotPetya cyberattacks, Russian military hackers targeted Ukrainian energy firms, airports, shipping ports, banks, railways, and more.
Like the Colonial Pipeline attack, the Ukrainian incident had unintended consequences as the malware quickly spread across integrated supply chains and interconnected networks. Infections were reported as far off as Australia, the U.S., U.K., France, Germany, Italy, and Poland. Multinational company Merck suffered $870 million in damages, FedEx $400 million, and Saint-Gobain $384 million.
The Stuxnet worm similarly demonstrated the potential power of a cyberattack on critical infrastructure when it delayed the Iranian nuclear program for months. The malware targeted programmable logic controllers (PLCs) to disrupt the centrifuges used to separate nuclear material.
Cybersecurity for infrastructure control systems lags far behind IT system security
The potential impacts of a cyberattack on critical infrastructure are frightening, yet its cybersecurity lags far behind standard IT security in the private sector.
In the U.S., President Biden issued an executive order immediately after the Colonial Pipeline attack to improve cybersecurity for critical infrastructure, modernise standards, improve information-sharing and introduce new reporting requirements.
Arnnet has called for a compulsory U.S.-style cybersecurity compliance program for critical infrastructure here in Australia. As the articles’ authors point out, a framework already exists under the coordination of the Australian Cyber Security Sector (ASCS) but the problem is that these measures are currently treated as guidelines only.
Allianz Global has stressed the need for the security of industrial control systems to be raised to the level of IT system security to provide the public with confidence in the safety of critical infrastructure. Until baseline security standards are mandated for our critical infrastructure assets, we are all one cyberattack away from a national infrastructure crisis.