This weekend’s ransomware attack that forced the closure of the largest U.S. fuel pipeline provides another powerful illustration of the need for a resilience mindset that applies to more than just natural catastrophes.
Colonial Pipeline Co. operates a 5,500-mile system that transports fuel from refineries in the Gulf of Mexico to the New York metropolitan area. It said it learned Friday that it was the victim of the attack and “took certain systems offline to contain the threat, which has temporarily halted all pipeline operations.”
Individually, the event demonstrates the threat cybercriminals pose to the aging energy infrastructure that keeps the nation moving. More frighteningly, though, it is yet another example of how vulnerable the complex, interconnected global supply chain is to disruptions of all kinds – a message that isn’t lost on risk managers and insurers.
Last year, a ransomware attack moved from a natural-gas company’s networks into the control systems at a compression facility, halting operations for two days, according to a Department of Homeland Security (DHS) alert.
The DHS did not name the pipeline operator. Although staff didn’t lose control of operations, the alert said the company didn’t have a plan in place for responding to a cyberattack.
“This incident is just the latest example of the risk ransomware and other cyber threats can pose to industrial control systems, and of the importance of implementing cybersecurity measures to guard against this risk,” a CISA spokesperson said at the time.
Not just energy companies
It isn’t only energy and industrial companies that need to be paying attention. According to cyber security firm VMware, attacks against the global financial sector increased 238 percent from the beginning of February 2020 to the end of April, with some 80 percent of institutions reporting an increase in attacks.
“Cyber is an existential issue for financial institutions, which is why they invest heavily in cyber security,” says Thomas Kang, Head of Cyber, Tech and Media, North America at Allianz Global Corporate & Specialty (AGCS). “However, with such potentially high rewards, cybercriminals will also invest time and money into attacking them.”
He pointed to two malware campaigns – known as Carbanak and Cobalt – that targeted over 100 financial institutions in more than 40 countries over five years, stealing over $1 billion.
An AGCS report shows technical failures and human error are the most frequent generators of cyber claims, but the financial impact of these is limited:
“Losses resulting from the external manipulation of computers, such as distributed denial of service attacks (DDoS) or phishing and malware/ransomware campaigns, account for the significant majority of the value of claims analyzed across all industry sectors (not just involving financial services companies).”
According to the report, regulators have turned their attention to cyber resilience and business continuity.
“Following a number of major outages at banks and payment processing companies, regulators have begun drafting business continuity requirements in a bid to bolster resilience.”
Not just cyber
The COVID-19 pandemic has taught the world a lot of lessons, not the least of which is how vulnerable the global supply chain – from toilet paper to semiconductors – is to unexpected disruptions. Demand for chlorine increased during 2020 as more people used their pools while stuck at home under social distancing orders, and homeowners began building pools at a faster rate, adding further to demand. Such disruptions can ripple through the economy in different directions.
Business interruption claims and litigation have been a significant feature of the pandemic for property and casualty insurers.
When the container ship Ever Given got wedged in the Suez Canal – one of the most important arteries in global trade – freight traffic was completely blocked for six days. Even as movement resumed, terminals experienced congestion, and the severe drop in vessel arrivals and container discharge at major terminals aggravated existing shortages of empty containers available for exports. The ship’s owners and the Egyptian government remain locked in negotiations over compensation for the disruption, and the ship is still impounded.
Spurred in part by this event, the Japanese shipping community is considering alternative freight routes to Europe, both reliant on Russia: the Trans-Siberian Railway and the Northern Sea Route. Neither option is devoid of risks.
In an increasingly interconnected world, there is no bright line distinguishing man-made from natural disasters. After all, the Ever Given grounding was caused, at least in part, by a sandstorm. April’s power and water disruptions that left dozens of Texans dead and could end up being the costliest disaster in state history were initiated by a severe winter storm.
A resilience mindset focused on pre-emptive mitigation and rapid recovery is called for in both cases. There is no “either/or.”