On Friday 7 May 2021, Colonial Pipeline, the largest fuel pipeline in the United States, was hit by a cyberattack. The pipeline carries 2.5 million barrels a day, 45% of the supply of diesel, gasoline and jet fuel of the US East Coast.
This attack against an organization providing essential services comes amid a wave of attacks against healthcare organizations and water treatment facilities, notably in Israel and the US. In the case of Colonial Pipeline, the company stated on Sunday 9 May that the cyberattack appeared to be a ransomware attack. As we, at the CyberPeace Institute, have documented in healthcare, ransomware has recently grown to become a weapon of choice for cybercriminals pursuing financial gain. And the impact of ransomware attacks are dire: attackers are not threatening to shut down systems, they shut them down and then request payment to, possibly, restore them.
The security of critical infrastructure facilities like water plants, power stations and pipelines have been a source of concern for governments around the world because they provide essential services to a country’s population. This has been officially recognized in recent United Nations findings (para. 19; Open Ended Working Group on developments in the field of information and telecommunications in the context of international security), where states concluded that :
“[…] ICT activity contrary to obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public, could pose a threat not only to security but also to State sovereignty, as well as economic development and livelihoods, and ultimately the safety and wellbeing of individuals”
The cascading harmful effects of a fuel shortage, from the obvious increase in fuel prices to dependencies in other critical sectors such as healthcare, have led the US Government to declare a regional state of emergency. The four main lines that Colonial Pipeline uses to transport fuel are still out of order as of the release of this article.
Colonial Pipeline, a privately held company, has already sought third-party assistance, and indeed it can count on the cybersecurity expertise available from local companies, the local and federal governments and international partners.
In other parts of the world, cybersecurity expertise is not necessarily as readily accessible and yet, accessing safe water or energy is as much a necessity in the rest of the world as it is in the US.
In several countries, states lack the resources to secure critical infrastructure to the level that the US does already. Consequently, NGOs are often crucial purveyors of support for essential services, ensuring that local populations have access to healthcare, water treatment and sanitation services, energy or even finance. NGOs do not all have the same capacity to protect themselves against cyberattacks, and when they are targeted, the communities they support could become even more vulnerable.
Like Colonial Pipeline, NGOs offering essential services may be perceived as prime targets: while gains may be lower, attack costs would likely be lower, too. Risks for the attackers would also be lower.
Most importantly, what about the impact on people’s lives? It could be dire, when you consider the dependency between NGOs and their beneficiaries on critical infrastructure. One in three people in the world does not have access to safe drinking water, causing serious health issues ranging from cholera, dysentery, hepatitis A and typhoid. When water sanitation or healthcare NGOs supporting these people become a target or collateral victim of a cyberattack, the threat to human life is utterly real.
Last but not least, some ransomware groups will claim that they do not target non-profits – some even choose to give back some of the stolen funds to charities offering essential services. But first, many such groups had claimed they would not target hospitals. This wasn’t always true and ultimately, the amount of financially motivated cyberattacks against healthcare facilities is on the rise.
Second, politically-motivated attackers may well disguise themselves as cybercriminals pursuing financial gain: this was for instance the case in the NotPetya attacks with ransomware being used to wreak havoc, without any consideration for financial gain.
The attack against Colonial Pipeline is a stark reminder of an ominous scenario for the future in which human life becomes the direct target of cyberattacks. We propose to write another scenario, one in which critical infrastructure is not subject to any such attacks.
Reach out to us at the CyberPeace Institute if you are interested in discussing what we are doing to protect vulnerable communities from cyberattacks and further cyberpeace.
© Copyright: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.