On Friday, 7th May 2021, a ransomware attack that locked (and effectively encrypted) its data network caused the Colonial Pipeline to shut down operations (a process that took roughly an hour), and brought the issue of fuel security into sharp focus for the people of the USA, its industry and the wider global community. The pipeline pumps an average of 100 million gallons (454,609,000 litres) of fuel daily across the United States from Texas to New York. The impact was felt particularly acutely on the East Coast.
As it supplies roughly 45% of the East Coast's fuel, including gasoline, diesel, home heating oil, jet fuel and military supplies, the destabilising effect of the attack was felt all over the country; panic buying and hoarding exacerbated the problem and drew supplies from further west, causing a ‘domino effect’.
The success of the attack, for which the pipeline operator reportedly paid the hackers $4.4m[1] in untraceable bitcoin cryptocurrency, exposed the vulnerability of the system and brought into sharp focus the fact that a secure fuel supply is so fundamental to modern-day living that, when it is jeopardised, general panic ensues. The overall cost could of course be far higher than the ransom paid, possibly by as much as five times.
The incident also pointed to the need for universal improvements in security systems, processes and behaviours, especially around critical infrastructure.
In this case the motivation appears to have been financial: the perpetrators, DarkSide[1], targeted the business side of the company rather than the pipeline operations themselves, and the attack was not designed to bring the pipeline crashing down. It does, however, highlight the threat of a politically motivated attack designed to do just that.
One very unfortunate consequence of this attack is that other cyber criminals are likely to be emboldened to launch similar attacks on vulnerable infrastructure. They may well be thinking that $4.4m isn’t such a massive figure, considering the actual cost of the disruption.
So, what is the current state of cyber-security in the global fuel sector?
CyQu* (Cyber Quotient Evaluation) is Aon’s rating system by which companies or industries can measure their cyber-security vulnerabilities.
With an average CyQu rating of just 2.4 (out of 4), cyber security in the energy sector is still at a basic level. Rapid digital evolution has left some fuel supply organisations with inadequate protection: organisational cyber security risk management practices are weak, and risk is managed in an ad hoc and sometimes reactive manner[2]. As in most industries, both globally and in the UK, legacy vulnerabilities remain, due to a mixture of out-of-date and misconfigured systems, open ports and management systems that neither prevent nor protect against human error.
One consequence of the Colonial Pipeline incident is that everybody involved in essential infrastructure or supplies will need to learn from such events, consider their cyber-security measures and re-evaluate their cyber security practices with due diligence; otherwise there is nothing to stop a similar attack happening in the UK or any other territory.
Of all the cyber-security threats, ransomware is perhaps the biggest, because of its potential to disrupt virtually every aspect of commercial and domestic living. Until now, very few companies in the sector have purchased specific cyber insurance, but this focus seems likely to shift, and insurers will need to start offering it as fundamental cover to critical infrastructure providers and supply chain systems.
The whole supply chain can involve multiple elements and entities, from massive terminals to the smaller haulage contractors and retailers ‘going the last mile’, so to speak. From a security and resilience point of view, however, the supply chain's cyber-resilience is only as strong as its weakest link. That weakest link is often people accessing IT systems who may be tricked into visiting infected websites or opening malicious emails, thereby giving the hackers access to the wider system.
The risk to large fuel companies can therefore also come from third-party contracts, with only 2% of organisations obligating equivalent levels of cyber-security in their contracts[2]. Inevitably, potential hackers will look for that weakest link in the whole supply chain, and the larger companies will be looking upstream and downstream to ensure the same level of resilience is present even in peripheral players such as software companies, tanker manufacturers, parts manufacturers and suppliers.
So, what are the questions fuel distributors should be asking themselves?
If they were to suffer a cyber attack, would they still be able to operate and deliver fuel to their customers?
Continuity and contingency planning should now be a top priority for fuel suppliers everywhere. Right now, major distributors will be investigating alternative fuel supply sources and contemplating the provision of complete back-up information technology systems and networks, the objective being business continuity that is as seamless as possible. But what would the reality be? Back-up systems are one thing, but can alternative supplies be counted on when presumably every major supplier will be competing for the same sources?
How would they handle the potential reputational damage?
If and when a reputational crisis occurs, research[3] reinforces the importance of promptly acknowledging the seriousness of the event itself and, most importantly, translating this understanding into decisive action. Such decisive action will instil confidence in colleagues, clients and communities.
If their main sources (e.g. fuel terminals) were attacked or otherwise shut down, where would their fuel come from? Do they have plans for a back-up source?
The back-up source would be a major consideration in contingency planning, but depending upon the nature of the attack, there may be other claims on those alternative sources.
Insurance cover for cyber attacks
Inevitably, the Colonial Pipeline attack will have precipitated a lot of re-reading of the terms and conditions of insurance policies, because unless there is material damage to infrastructure (rather than just a forced shutdown) many PDBI (Property Damage and Business Interruption) policies may not pay out. Because of these exclusions, there is likely to be a big take-up of specific affirmative cyber-security policies, which will in turn require a clear understanding of cyber risk best practice and cyber-security hygiene. Individual access to systems is likely to be limited much more tightly to ‘essential roles’ rather than granted on a ‘good-to-have’ or convenience basis.
Continuity planning, and proof of it, is increasingly a factor in determining the terms or levels of insurance premium available to fuel suppliers and distributors.
Addressing the basics
Alongside all of the higher-level planning, a fundamental culture change is needed. If cyber-security is a priority rather than a corporate value, and best practice isn’t embedded and enshrined in the behavioural ‘DNA’ of fuel supply companies, then it is going to need to become a corporate value, as it is in virtually every other sector of the economy.
Embedding cyber risk management into wider risk management frameworks is, however, a challenge for many organisations, with 61% of those polled indicating they have not adopted the appropriate governance, risk management or data protection measures[2]. Collaboration with other risk management oversight functions such as audit, Enterprise Risk Management (ERM) and legal, to assess and manage cyber risk, remains low. This limits an organisation’s ability to anticipate and respond to future privacy regulations. It has to be done, though, because this is a wake-up call.
Inevitably, the peer pressure to ‘step up’ from the rest of the supply chain will be great, but the risks of not doing so could now be so much greater.
For more information or any questions you may have surrounding the topics discussed in this article, please contact John Jenkins, Senior Account Executive at Aon.
Aon will be exhibiting at the UKIFDA Expo on the 7th and 8th of July. Come and visit our virtual booth (booth 7) - we look forward to e-meeting you.
Aon UK Limited is authorised and regulated by the Financial Conduct Authority in respect of insurance distribution services. FPNAT557. Registered in England and Wales. Registered number: 00210725. Registered Office: The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London EC3V 4AN. Tel: 020 7623 5500.
*The following products or services are not regulated by the Financial Conduct Authority:
- Cyber risk services provided by Aon UK Limited and its affiliates
- Cyber security services provided by Stroz Friedberg Limited and its affiliates
Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. No one should act on any information contained in this article without appropriate professional advice after a thorough examination of the particular situation. In any case any recipient shall be entirely responsible for the use to which it puts this article.
This article has been compiled using information available to us up to 27/05/21.
© Copyright Aon UK Limited 2021. All rights reserved.
No part of this article may be reproduced, stored in a retrieval system, or transmitted in any way or by any means, including photocopying or recording, without the written permission of the copyright holder, application for which should be addressed to the copyright holder.
[1] BBC report, 19.05.2021: https://www.bbc.co.uk/news/business-57178503
[2] Aon Global 2021 Cyber Security Risk Report
[3] Respecting the Grey Swan: examining risk to build reputational resilience