21 May 2021

What the cyber-attack on the US oil and gas pipeline means and how to increase security


The recent cyber-attack on the major US oil and gas pipeline could become one of the most expensive attacks on an economy.

80% of senior cybersecurity leaders see ransomware as a dangerous, growing threat to public safety.

Here are six principles to improve the cybersecurity of critical infrastructure.

The recent cyber-attack on the major US oil and gas pipeline could become one of the most expensive attacks on an economy. It's also the latest reminder that both the frequency and severity of catastrophic digital shocks on critical infrastructure are on the rise.

The increasing digitalization of critical infrastructure sectors such as oil and gas, and the associated industrial systems, is changing the nature of cyber risks. As digitalization drives growth and transition to net-zero emissions, the energy sector’s ecosystem has become increasingly decentralized and complex. According to the 2021 Global Risks Report, cybersecurity failures are among the top mid-term threats facing the world.

The World Economic Forum recently ran a survey among our Cybersecurity Leadership Community members (representing about 100 senior cybersecurity executives from around the globe) and found that 80% see ransomware as a dangerous, growing threat to public safety. Moreover, 97% of the community said that business continuity is the main risk when it comes to ransomware attacks.

This is exactly what we saw in last week’s cyber-attack on the pipeline.

After a ransomware attack on Friday, Colonial Pipeline, a US fuel pipeline operator, shut down its network. At the time of this writing, the pipeline is still mostly shut. It's estimated that a prolonged shutdown of the pipeline, which supplies almost half of the East Coast's fuel, would cause prices to rise at gasoline pumps across the country.

This cyber incident has underscored that, increasingly, providers of essential services are more vulnerable to widespread cyberthreats. As a result, cybersecurity is becoming a corporate strategic challenge requiring the highest level of oversight in the complex global industrial environment.

Other recent cyber-attacks, like those on a Florida water plant and the software provider SolarWinds, further emphasized that the success of such attacks depends on the shortcomings of the measures in place to mitigate these threats.

To harness the value offered by digitalization and mitigate potential risks, businesses and governments must reimagine how we use and manage our critical infrastructure. This involves understanding how our individual actions impact the collective and establishing frameworks for shared responsibility.

Unless cybersecurity practices are embedded into the corporate or organizational culture and digital products lifecycle, we are likely to see more frequent attacks on industrial systems like oil and gas pipelines or water treatment plants.

The following principles, based on the recommendations developed by the World Economic Forum and a multi-stakeholder oil and gas community, should guide industry stakeholders in shaping a responsible course of action:

Establish a comprehensive cybersecurity governance model
Promote a security- and resilience-by-design culture
Increase visibility of third parties' risk posture and consider broader ecosystem impact
Implement holistic risk management and defense mechanisms with effective preventive, monitoring, response and recovery capabilities
Prepare and test a resilience plan based on a list of pre-defined scenarios to mitigate the impact of an attack
Strengthen international public-private collaboration between all stakeholders in the industry

Read more about our project on Cyber Resilience in Oil & Gas here and about our Partnership against Cyber-Crime here.
