Many people think that events such as a cyberattack or a natural catastrophe that could damage the business have a very low probability of occurring, especially once some measures have already been taken to prevent such situations.
In a world where the future is uncertain and change comes fast, companies need to look beyond short-term performance and basic organizational health. They must be able not only to withstand unpredictable threat or change but to emerge stronger. In short, they need to be resilient.
Firms cannot afford to be either inflexible or imprudent. Those unwilling to take sufficient risk will not respond or innovate to meet changing circumstances. But at the same time, those too focused on financials, growth, or expansion may take on risk that kills their long-term success. Industries have developed specific resilience capabilities, but when disruptions occur, “surprise gaps” become visible.
The rising danger posed by cyberattacks on critical infrastructure was evident again in May 2021, when a small group of hackers launched a ransomware attack on Colonial Pipeline, the United States’ largest pipeline network for delivery of refined petroleum products. Colonial shut down its main lines for five days, disrupting nearly half the fuel supply for the eastern part of the country. Worried drivers drained supplies in gas stations in the Southeast, airlines rerouted flights to airports with available fuel, traders were rocked by unexpected price volatility, and logistics companies scrambled to locate new sources of fuel.
The attackers appear to have initiated the havoc through “spear phishing”, the sending of emails that appear to come from familiar and trusted sources. The expected user response opened the way for the attackers to launch executable ransomware, which in turn enabled lateral movement deeper into the system and the compromise of credentials as the attack progressed. Colonial shut down affected systems, which protected them from broader damage. The company also paid a ransom to the attackers to enable a reopening of operations.
One unusual aspect of the attack is that the attackers attempted to apologize for it. On its site on the dark web, the group issued a statement that its sole motive was financial, and it would choose its targets more carefully in the future. Future investigations may tell us more, but whatever the details, the attack is unsettling. A small group of hackers may have temporarily, and inadvertently, cut off energy flows to an important economic center, triggering real-world impact.
The Colonial Pipeline hack reveals that societies and economies are vulnerable to serious disruption, and physical harm, from accidental overreach by criminals. Ransomware exists to make money, usually through extortion from the private sector (or, sometimes, government agencies). When, as now, criminals launch unusually ambitious attacks on targets whose managers do not know exactly how their own systems work, then things can go wrong in dangerous ways.
Not long ago, cyber threats to critical infrastructure were known only as acts carried out by specialized groups. Specialists assumed that only such groups possessed the skills and resources necessary to develop these threats. The target assets were generally based on analog operating technology and relatively isolated from the Internet. Gaining and maintaining access to such assets required specialized tools, similar operational technology, reconnaissance capabilities, and even physical access to the site itself. Now we live in a totally different reality in a totally interconnected world.
How should organizations prepare?
Recent high-profile attacks and breaches have elevated awareness levels; however, this is not enough.
Companies will have to improve their knowledge of their own systems. Knowledge of operations, vulnerabilities, and remedies will be the starting point for building resilience. It will also enable companies to communicate effectively—to governments, regulators, customers, and the media—to build trust in the event of an incident.
The new threat to critical infrastructure is now out in the open, and it shows that a step change in both cyber defenses and our capabilities to absorb and navigate operational attacks is urgently needed.
To best prepare for ransomware and similar disruptive cyberattacks, critical-infrastructure companies can take preemptive action by developing a comprehensive plan with steps to be taken within one, three, and 30 days.
These preparations require advanced levels of cybersecurity capabilities. Depending on the status of their security environment, organizations will have to accelerate their journeys from maturity-based cybersecurity to an advanced, proactive cybersecurity posture. Foundational capabilities are only the starting point. The journey then moves to a risk-based approach, focusing on the risks that matter to reduce enterprise risk, and then to holistic resilience, embedding security by design into next-generation processes, services, and technologies, and incorporating customers, partners, third parties, and regulators into enterprise resilience management.
Evidence suggests that the ransomware attack on Colonial Pipeline was not a particularly sophisticated cyberattack—and yet it managed to paralyze a significant part of the fuel supply of the world’s largest economy. Good could come of this disturbing event if it acts as a call to action for nations and organizations. Critical infrastructure is vital to a company’s security and sustainability. The investments needed to truly protect it can no longer be delayed.
We are here to help!
- Written by: Innovation Team
- Posted on: October 13, 2022