On May 7, 2021, a fateful Friday morning, Colonial Pipeline, the company that operates a critical fuel supply pipeline for the Eastern United States, fell victim to a ransomware attack. Unbeknownst to the government, the company decided to suspend operation of the pipeline while it tried to determine what had happened and the extent of the damage. This decision had serious consequences, transforming a cyber incident into a broader crisis in just a few days. Several thousand gas stations ran out of fuel, and gas prices reached their highest levels in almost a decade.
The shutdown disrupted fuel supply chains, leading to panic buying and subsequent shortages at gas stations in several states. Reports of long lines and skyrocketing prices at the pump illustrated the real-world implications of cyber threats, highlighting the interdependence of our physical and digital infrastructure. These reports also increased the public rush to gas stations.
Faced with the escalation of the situation, the American government took a series of decisive measures.
To calm public backlash, Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Energy Jennifer Granholm addressed the American public from the White House podium on May 11, 2021. A small room in the West Wing was packed with about 50 journalists, television cameras rolling in the back. This is where the media comes together to hold the U.S. government accountable to the American public by asking probing questions about the most important issues of the day, forming a formidable stage where virtually the entire world is listening. The two secretaries explained what the government was doing to mitigate the impact of the ransomware attack. They also appealed to the American public, saying that “there should be no reason to stockpile gasoline, especially in light of the fact that the pipeline is expected to be virtually operational by the end of this week and into the weekend.”
Lasting implications
The geopolitical implications of the Colonial Pipeline ransomware attack were profound. In the process, President Biden engaged directly with Russian President Vladimir Putin, emphasizing the seriousness of the incident. This crisis also highlighted the urgent need for more robust cybersecurity measures, particularly for critical infrastructure like Colonial Pipeline. It was a stark reminder that cyber threats are not limited to the digital world; they can quickly spill over, causing widespread disruption and societal impact. Ultimately, the Colonial Pipeline incident was a watershed moment.
This single incident still has ripple effects today, redefining the roles that CEOs and industry leaders play, and will shape our view of cybersecurity for years to come. It also highlights some important questions business leaders need to ask themselves and highlights how a cyber incident can quickly escalate into a national security crisis requiring the attention of the U.S. president. Just imagine what could have happened if another, equally impactful, ransomware attack had occurred in the United States in late February or early March 2022, just days after Russian troops invaded Ukraine.
One of the ripple effects is how CEOs view their roles and responsibilities. Colonial Pipeline CEO Joseph Blount told members of Congress that paying an estimated $4.3 million in Bitcoin ransom was “the most difficult decision made in my 39 years in the energy industry.” Whether to pay hackers and further fuel the criminal cycle of ransom demands or risk significant disruption, or even bankruptcy, is an impossible choice.
CEOs have clearly taken note. Few would relish a walk to Canossa in Washington and being in the congressional and media spotlight. What have we learned from this and other key incidents over the past two years? Here are six recommendations for CEOs:
1. Pay attention to how you communicate with the public.
A run on the banks is the classic example of how public reaction and group psychology can make a crisis worse. The rush for toilet paper during the Covid-19 pandemic and the rush to gas stations after the ransomware attack highlight that this problem is not limited to financial institutions.
Being careful about how and what you communicate to the public does not mean avoiding communicating with the public; on the contrary, it is a necessity. However, businesses need to take a thoughtful approach. As the Colonial Pipeline incident illustrates, this includes businesses that rarely need to interact with the public as part of their daily operations, but may need to do so unexpectedly from one day to the next.
2. Coordinate with the government.
Colonial Pipeline’s decision to close its pipeline system had to be made quickly, but there was likely time to consult with U.S. government experts. Taking the pipeline system offline meant that, whether infected or not, it would take days to restart, disrupting the fuel supply with all the consequences that required government action. Coordination with government is essential to prevent a crisis from unintentionally escalating.
3. Know who to contact.
To make informed decisions quickly and coordinate with the right people, CEOs need to know who in government is the right person to speak to. Contacting NATO or the military, as some anecdotes over the years suggest, is not the right answer.
That said, sometimes the government does not make it easy for external parties to identify the appropriate person or agency, so the government has a responsibility to provide clarification.
4. Have a plan in place and execute it.
This is perhaps the most crucial point because it constitutes a means to achieve the others. In addition to developing and having a plan – ideally overseen by the CEO – the plan should be put into practice at least once a year. Regular theoretical exercises will help company management and staff develop the “muscle memory” needed to respond effectively to a real crisis.
5. Know your networks.
A CEO should ideally have a high-level understanding of how enterprise IT networks and a company’s operational technology (OT) networks interact. If systems are isolated, there is no need to shut down the OT network if the compromise is limited to the IT network.
That said, the Colonial Pipeline ransomware attack demonstrated that even crippling corporate IT networks can have significant impacts. If a company can no longer issue invoices, or doesn’t know who its customers are or how to contact them, the real impact can be as disruptive as stopping production. Any reader who has been stuck in an airport because an airline’s IT system suffered a failure has experienced the disruptive impact with their own eyes.
6. Be humble and seek help from an expert.
Cybersecurity is a broad term covering a very complex set of issues. Although there are commonalities and some software is used across all industries, pipeline cybersecurity is very different from cybersecurity in the context of the financial sector, hospitals, schools or railways. After years of multi-industry cyber incidents, it is essential to recognize the limits of everyone’s knowledge, including that of cybersecurity experts. CEOs should therefore not hesitate to seek assistance from outside the company to help them develop, test or refine a plan or review existing processes and policies.
Beyond these high-level recommendations, there are many other resources, including guides and checklists for CEOs, board members and CISOs that are more detailed. The US government, namely its Cybersecurity and Infrastructure Security Agency (CISA), also provides StopRansomware.gov and Shields as resources designed for businesses to use based on their cybersecurity maturity level.
Business leaders, guardians of trust
Beyond strengthening a company’s cybersecurity out of self-interest and to avoid a national security crisis, business leaders also play a larger role and can be seen as guardians of trust in technology in general. At its core, cybersecurity is about trust. Ransomware and many other cyberattacks exploit this trust. They exploit cases where someone clicks on an untrustworthy link, downloads an attachment from an unknown email address, or receives an update carrying malware.
This principle extends to a company’s trust in the technology underpinning its systems, bringing geopolitics into the debate. The role of Chinese companies in the 5G network has been a central subject for several years. This marked the start of a broader debate about how to consider risk when investing in, purchasing and using technology. The US government’s concerns about certain technologies emanating from the People’s Republic of China are well known. Simultaneously, in Brussels and other European capitals, a debate about a process of “risk reduction” is underway, influenced by lessons learned from Russia’s invasion of Ukraine and dependence on Europe.
Business leaders are at the center of this debate because they are the primary guardians of trust in technology. Where technology companies decide to invest and how they weigh costs against other benefits such as increased security and trust will determine the overall resilience of a society as a whole.
A self-check for CEOs
Many have warned over the years of growing cyber threats and some have offered free, sound advice on how to strengthen an organization’s protection and resilience. Three questions can help determine whether sufficient action has been taken to act on the above recommendations:
- Have you recently participated in a cyber simulation exercise?
- Are your information security officer’s contact details stored anywhere other than your work phone or computer? (Remember, if your company’s networks fall victim to a ransomware attack, your work devices may be inaccessible.)
- Do you know your point of contact within government in the event of a cybersecurity incident?
If the answer is “no” to any of these questions, then reading this article will hopefully inspire follow-up action: it will help better protect your organization and could prevent a future national security crisis.