San Francisco, California, 18 May 2021 –

The cyber attack on a major US fuel pipeline is a wake-up call to insurers about the potential for cyber risk to accumulate around vital infrastructure or technology systems that affect large numbers of connected organisations. This is the verdict of leading cyber risk analytics firm CyberCube in a new analysis published this week.

The Colonial Pipeline, which was attacked last week causing petrol shortages across the eastern USA, is connected to 30 oil refineries and nearly 300 fuel distribution terminals throughout the United States. In addition, thousands of gas stations, consumers and hundreds of companies including mass-transit hubs such as airports, rely on Colonial to deliver fuel. 

According to CyberCube, the Colonial attack demonstrates the vulnerability of so-called Single Points of Failure (SPoF) to cyber criminals. SPoFs are components or entire companies – physical or electronic – whose failure will shut down an entire system and affect many end-users.

William Altman, Cyber Security Consultant at CyberCube, said: “Colonial is a taste of what is to come. Both criminal ransomware operators and nation-state sponsored threat actors are increasingly turning their attention toward attacking SPoF. By going after SPoF criminal attackers will create maximum leverage to convince their victims to pay a ransom, and nation-state actors will use SPoF as a jump-off point into adjacent systems for conducting espionage and other information operations. While we have yet to see a true accumulation catastrophe event in cybersecurity, the writing is on the wall. Recent attacks on SPoF like SolarWinds, Microsoft Exchange, and Colonial Pipeline indicate clearly the direction the industry is headed.

“It should now be abundantly clear to the insurance industry that cyber attacks with catastrophic scope – and the potential for catastrophic losses – are no longer just science-fiction. In 2021, it will be widely acknowledged that a rigorous and structured approach to cyber risk accumulation management is now a prerequisite and a necessity for all (re)insurers.” 

Colonial discovered its IT systems had been hacked on 7 May. Prior to that date, CyberCube’s underwriting tool Account Manager had already identified and flagged several high-risk signals for the Colonial Pipeline including malware infections and the potential for a remote user to gain access to Colonial’s network through an Open RDP Port, which is one of the most common ransomware attack vectors.

Yvette Essen, Head of Content for CyberCube, said: “The attack underscores the rising need for underwriters to assess basic cyber hygiene alongside threat-specific risks such as ransomware for organisations of all sizes across industries.”

According to CyberCube, the attack was perpetrated by a group of organised criminals that likely have tacit approval but not operational support from the Russian government. The group, DarkSide, reportedly took nearly 100 gigabytes of data out of Colonial's network in just two hours before encrypting the company’s data and leaving a ransom note threatening to release the company’s data if no payment was made. This is known as a double-extortion ransomware attack and provides an example of the rapidly evolving nature of the cyber criminal playbook.

DarkSide inadvertently took down 5,500 miles of critical US oil pipeline infrastructure, causing one week of downtime before a $5 million ransom payment was made.

CyberCube recently published a report on SPoF and supply chain risk. It can be found here.