In May, the Colonial Pipeline, which supplies 45% of the East Coast’s supply of diesel, gasoline, and jet fuel, was taken offline after it was impacted by a ransomware attack. For nearly two weeks some American motorists were forced to wait for hours for fuel in parts of the country, but the problem was quickly addressed.
Now on the other side of the world, another cyber attack has left drivers in Iran with virtually no fuel. The online attack successfully crippled essentially every gas station across Iran, and there was some irony in the fact that the nation is a leading exporter of oil, yet its motorists were essentially without the ability to obtain any fuel for their cars and vehicles. State TV showed the desperate situation, as Iran’s National Security Council acknowledged the cyber attack.
In Tuesday’s brazen attack, government-issued electronic cards that many in the Islamic Republic use to buy subsidized fuel at the pump were rendered useless. The Associated Press reported that the cyber-based assault was similar to another such targeted attack earlier this year that hit the Middle Eastern nation, and directly challenged Iran’s Supreme Leader Ayatollah Ali Khamenei.
Gasoline Supply Chain a Concern
These attacks, which can be conducted remotely, have proven to be nearly as devastating as if a bomb were used to take out the Colonial Pipeline or if fuel trucks were hijacked. As the attack on the American fuel supplies, which was followed by another ransomware attack against a major meat supplier, have shown critical infrastructure remains extremely vulnerable today.
As our country faces the worst supply crisis in decades, we could also be at a tipping point, where one incident could cripple the economy and leave Americans in very dire straits.
“This is a grave concern for many, namely the U.S. and members of the gasoline supply chain,” warned Josh Brewton, chief information security officer (CISO) at cybersecurity firm Cyvatar.
“We have seen the crippling effect of shutting down one part of the gasoline supply chain in recent history,” Brewton told ClearanceJobs in an email.
As in Iran, these attacks against the United States didn’t actually impact the amount of fuel, just the ability for it to reach consumers. That actually created panic buying on the East Coast, which exacerbated the situation, and led to further chaos – which then encouraged executives to pay the ransom.
“Although the amount of available fuel did not dramatically drop, the threat of a critical resource shortage drove panic, buying depleting supplies even further,” explained Brewton.
“Targeting any part of the gasoline supply chain can have a similar outcome,” he added. “A significant factor that contributes to the public response to an incident is media coverage. In most cases, it doesn’t matter what the attack was; the public hears a malicious actor shut down their access to a vital resource. The public will draw their conclusions about the personal importance of their way of living and respond accordingly.”
Targeting Critical Infrastructure
Taking down such critical infrastructure can also have significant impact on a large segment of the population, even if the actual attack is contained quickly.
“We’ve seen what happens to shutting down supply chains, but such critical data can be altered that can certainly part of the disruption including measurements, logistics, tracking, quality of gasoline, quantity of fuel, or any other vital components that can tie into critical infrastructure,” Tom Garrubba, vice president of the third-party risk association Shared Assessments, told ClearanceJobs.
Moreover, while a gasoline shortage for a few days may cause an inconvenience for most, a water shortage or electricity shortage can have life-threatening consequences, added Brewton, who also noted that our infrastructure is in dire need of major repairs.
In addition to being repaired and updated, our critical infrastructure needs to be upgraded and hardened with far better security to keep such attacks from being so devastating.
“Many critical infrastructure security systems are aging at a rapid rate, and the government knows this,” added Brewton. “Within recent infrastructure bills proposed by the U.S. government, there has been a tremendous increase in funding to address this issue. Doing this would allow the implementation of new and improved security technology. While the possibility of funding is there, the amount of time it will take to implement the robust security needed to protect our critical infrastructure may be years away.”
Broken Links in the Supply Chain
The targeting of Iran’s gas stations also shows how the supply chain can be disrupted even when supplies are readily available. Any link that can be broken can leave an entire supply chain entirely compromised. The United States faces a looming holiday crisis because retailers may not be able to get goods for consumers.
That remains very much a first world problem, and even if the supply chain crisis is the Grinch that steals this Christmas, life in the United States will go on. However, a cyber attack against some other sectors could disrupt our lives in far more ominous ways.
“We’ve recently seen the affects within the agriculture industry along with the cargo ships awaiting off port,” said Garrubba. “The distribution of goods and services that are mass consumed should all be under the microscope.”
And that is just one part of the greater supply chain, added Ron Bradley, also a vice president at Shared Assessments.
“We often talk about manufacturing as being the hub in critical infrastructure. What’s becoming more apparent every single day is the inter-dependency of international supply chain failures which is causing a domino effect,” he told ClearanceJobs.
“I would not think of this as a single target rather than a potential collapse of the global supply chain system. There are many factors which contribute to this concern, including cyber attacks,” Bradley added. “Obviously, the global pandemic and its expanded affects have also continued to create havoc across multiple industries and throughout the fabric of our everyday lives. Therefore, being resilient to a typical cyberattack in normal circumstances could be catastrophic towards a system which is already suffering.”