[By Richard Oloruntoba and Nik Thompson]
On May 7, a pipeline system carrying nearly half of the fuel used on the east coast of the United States was paralyzed by a major cyber attack. The five-day shutdown of the Colonial Pipeline caused widespread fuel shortages and panic buying, as Virginia, North Carolina and Florida declared a state of emergency.
The attack highlights the vulnerability of critical infrastructure, such as fuel pipelines, in an era of growing cyber security threats. In Australia, we believe the time has come to make it critical for critical infrastructure companies to implement serious cybersecurity measures.
The risk of cyber attacks on critical infrastructure is not new. Following the events of September 11, 2001, research demonstrated the need to address global security risks while analyzing issues of vulnerability and protection of critical infrastructure. We also proposed systems to ensure security in critical supply chain infrastructures, such as ports and maritime practices, including container shipment management.
The rise in “ransomware” attacks, in which attackers take important data from an organization’s systems and demand a ransom for its return, has increased the risk. These attacks can have unintended consequences.
Evidence suggests that the colonial shutdown was the result of this attack, aimed at their data. It appears that the company shut down the pipeline network and some other operations to prevent the spread of malware. This resulted in a cascade of involuntary effects throughout society and collateral damage.
In fact, the attackers may have been surprised by the extent of the damage they caused and now appear to have closed their own operations.
We have seen how critical supply chain infrastructure can be severely disrupted as collateral damage. We must consider the seriousness of the consequences of a direct attack.
Critical infrastructure is an attractive goal
Cyber risk frameworks are often derived from traditional risk management approaches, which address the problems of a potential cyberattack as a conventional conventional risk. These risk management approaches weigh the costs of preventing a cyberattack against the costs and likelihood of infringement.
In some industries, this assessment will take into account the cost of a loss of customers that may never return. However, providers of critical services such as transportation, health care, electricity, water and food have little risk of losing customers.
After the colonial incident, customers returned to gas stations as soon as they could and continued to buy fuel. Therefore, critical industries may charge a lower cost for default than companies in other industries because their customers will return.
Time for compliance
Australia’s national cybersecurity efforts are coordinated by the Australian Cyber Security Center (ACSC) under the auspices of the Australian Signal Directorate. The ACSC works with public and private sector organizations to share information on threats and guidance on best security practices.
CCAA documents, such as Essential Eight, provide guidance to organizations on basic security measures. They are complemented by more comprehensive resources, including the Australian Government’s Information Security Handbook.
However, our research has shown that best practices are not universally followed, even by the Australian government’s own websites.
Lack of knowledge is not the problem. ACSC usually understands and documents recommended safety practices. The ACSC also provides specific guidance for critical sectors and industries, such as a security framework developed for the energy sector.
The challenge here is that these are just guidelines. Companies can choose whether to follow them or not.
What Australia needs is a cybersecurity compliance program. This would make it mandatory for companies that manage critical infrastructure, such as ports or pipelines, to comply with some sort of rules.
A first step may be to require these companies to comply with existing guidelines and to require certification of a cyber security base.
Lessons from the United States
The U.S. government responded to the colonial cyberattack with an executive order to improve cybersecurity and federal government networks. The order proposes a series of measures to modernize standards and improve information and information exchange requirements. These are valuable measures, many of which are already within the scope of Australia’s existing CCAA obligations.
Another measure of the U.S. order is the establishment of an independent Cybersecurity Review Board. Australia could also establish a partnership between government and industry to oversee cybersecurity. A similar body already regulates aviation: the Civil Aviation Safety Authority.
This organization would provide a solid analysis and notification of cyber incidents. It would also share information with information technology managers, software and hardware developers, public administrators, crisis managers, and others.
Cyber security threats create high levels of uncertainty for the public and private sectors. Attacks that disrupt critical supply chain infrastructure have a widespread impact on society and trade.
A cyber security compliance program can be economically costly, but it would be a worthwhile investment given the social impact of a successful cyberattack.
Richard Oloruntoba is an Associate Professor of Supply Chain Management and Supply Chain Manager, Curtin University.
Nik Thompson is an associate professor of information systems at Curtin University.
This article appears courtesy of The Conversation and can be found in its original form here.
The views expressed herein are those of the author and not necessarily of The Maritime Executive.