Six days after the Colonial Pipeline was attacked by cyberhackers and left millions hanging at the gas pump, they have gained control of their operations once again. But not before the refinery paid their attackers $5 million in untraceable cryptocurrency, according to several news outlets.
A Russia-based hacking group called DarkSide has claimed responsibility for the destabilizing attack on the company’s network, who said they were in it strictly for the money. Their actions caused panic and long lines at gasoline pumps in the southeastern portion of the country, reminiscent of the 1973 oil crisis.
The 5,500-mile pipeline is a major fuel supplier of the East Coast, transporting more than 100 million gallons of fuel per day to more than a dozen states from Georgia to New York.
While the worst is over for now, two Arizona State University professors from the W. P. Carey School of Business say that it’s a harbinger of things to come and more preparation and alternative modes of supply chain are needed to ward off future attacks.
Victor Benjamin, assistant professor of information systems, and Dale Rogers, professor of supply chain management, discuss what happened, who was responsible, the prevalence of cyberattacks on U.S. companies and how these attacks impact supply chain issues in this country.
Question: Many people know about last week’s cyberattack on the Colonial Pipeline, but who are the folks responsible and what was their motive?
Victor Benjamin: The threat against the Colonial Pipeline is called a ransomware attack. Hackers went into their network system and locked it down and demanded the ransom to release those systems back to Colonial Pipeline.
The group behind this attack calls themselves DarkSide. They are a hacking group located within the darknet that seems primarily financially motivated, according to statements they’ve made. So this isn't an attack motivated by ideology or for geopolitical reasons. They’re strictly financially driven hackers who targeted the Colonial Pipeline as well as other major firms that they think can pay multimillion-dollar ransoms. It just so happened that the Colonial Pipeline got swept up in this attack. It also wasn’t a targeted attack to shut down infrastructure. DarkSide has come out and said they somewhat regret attacking such a major infrastructure company and they don't plan to attack such high-value targets in the future, but that remains to be seen. Oftentimes, hackers tend to look for vulnerable systems regardless of the industry or the organization behind the system. And if they find a vulnerability and it seems credible that the organization can pay, they will go ahead and proceed with the impact.
Q: How significant is this particular pipeline to the supply chain?
Dale Rogers: We’ve spent the past 30 years reducing the inventory in any system in the U.S. and globally. So we don’t have a lot of extra petroleum products that aren't planned to go through a pipeline. You could replace a pipeline with trucks, but it'd be very inefficient and a whole lot slower. And those pipelines are incredibly vulnerable. The government knows it runs all along the port of Houston. They've got guys with rifles on the property because they expect some sort of physical attack. This cyberattack attack was unexpected. About 70% of the gas stations in Atlanta didn’t have product yesterday. So it's a huge issue because we don't have extra inventory floating around. We saw that with many products, particularly toilet paper, as a result of the pandemic. Any disruption is going to cause waves.
Now, supply chain managers in the U.S. and globally are usually pretty good at responding to whatever disruption there is. There've been a lot more disruptions over the past 10 years than there were 20 years before, but it's still a huge problem just because we try to run as lean as possible on any product on any system. I expect this will take a while to get it going again.
Q: How often are there ransom attacks on our companies involving infrastructure? Are they on the rise and can we expect more?
Benjamin: Unfortunately, ransomware attacks are becoming more common and are on the rise. It’s a byproduct of computers becoming so ubiquitous. There're so many more ways to attack a company potentially. You can attack it directly if vulnerabilities and some software are running on a server hosted by that company. Or you could get a virus on someone’s phone, and then they take it into the company because everyone has devices these days. So there're more and more ways these attacks can occur. We will for sure see an increase in them.
Just a few years ago, it was estimated that cybercrime is costing the global economy in the hundreds of billions of dollars and that's only expected to keep increasing as time goes on. As information technologies become more proliferated throughout the industry, these are things that we're going to witness happening and we need to take more safeguards to ward them off.
Q: Given what just occurred, what are the U.S. fuel transit alternatives?
Rogers: There are not great ones. There are transit alternatives where fuel could be placed on trucks and rail and move it around. One of the real problems is that everything pretty much starts in the same place. We are quite vulnerable. If you look at a map of where the pipelines are in the U.S., all of the pipelines come from the Houston area, not every single one, but almost all of them. The government hasn’t published a map of the pipelines since the aftermath of 9/11. The Colonial Pipeline is the biggest one that supplies up to New York. So can you replace that with trains and trucks? Not very easily. The price of oil would probably double if that's what you had to do, maybe even more than double.
Q: Should we expect more attacks in the future and how can companies protect themselves in the future?
Benjamin: We’ll definitely see more of these attacks in the future. Groups like DarkSide will scan the internet using tools called port scanners or network analysis tools to identify vulnerable targets. And they can almost automate these attacks to a certain extent. So, will we see more attacks? Definitely. What can companies do to defend themselves against it? They are improving security standards available for companies to follow such as the NIST Cybersecurity Framework and the International Organization for Standardization. A lot of companies can potentially focus on enforcing cybersecurity through their supply chain, perhaps supply chain contracts or contracts with suppliers or companies upstream. Many of the attacks these days are occurring because there's a vulnerability in the vendor software. From there, hackers take that vendor software and deploy it on their systems and without oversight from the vendors. Perhaps there could be more enforcement of cybersecurity protocols through supply chain contracts and setting up standards.
Rogers: If I can just add something ... We're at an interesting tipping point right now where we're thinking about getting rid of gas-powered vehicles and moving toward electric vehicles. That would be a relief for this particular attack, but if you think about putting all the vehicles in the U.S. on the electric grid, then relying on that to be resistant to hacks seems unlikely. Our electric grid is extremely vulnerable. If in 20 to 30 years, every single vehicle was attached to that electric grid to function, you could see how with just a few successful hacks, they could pretty much stop all transportation in the U.S. As a country, we're going to have to figure out something because electric cars will be vulnerable to these kinds of hacks.
Q: What will be the lasting effects of this cyberattack on fuel supply and prices?
Rogers: Prices are very responsive, both going up and going down. I don't think there'll be a long-term hit, but it'll take a few weeks to bring them back to normal. Gas prices tend to be sticky, going upside more than they're going downside. So there will be some impacts that will stick around for a while. I think it's more likely that because there’s going to be a surge in demand this summer because we've all been sitting in our houses for more than a year and there’s going to be a real demand. The oil companies are excited about seeing people getting on planes and driving cars.
Q: I remember reading about a cyberattack on a foreign water facility and the facility was able to launch a counterattack. Why can’t companies do more of that as a warning shot to these hackers?
Benjamin: Can companies respond to these hacking groups by perhaps launching attacks against them? Yes, potentially. But I would say that's probably not the correct route. Attack attribution can become incredibly difficult sometimes because if you're a company that's being attacked, you are the scene of the crime. You have the bullets at the crime scene, but not the shooter. And who's the shooter? Often you can’t tell who they are unless they declare themselves, and even when they do declare themselves, how credible is it? That can become, in many circumstances, a very difficult strategy for companies to employ.