Guidewire Analytics Aids Customers Navigating Colonial Pipeline Cyberattack

  • Guidewire Staff

May 27, 2021

Untitled

The Colonial Pipeline cyberattack has been a major news story in recent weeks. Colonial is one of the largest pipeline operators in the United States. Its infrastructure supplies 45% of fuel on the East Coast - including gasoline, home heating oil, and jet fuel.

In the days following the cyberattack, gasoline futures reached the highest levels in three years and analysts were concerned about disruptions to the busy summer driving season. The FBI, U.S. Department of Energy, and the White House were monitoring and investigating the incident closely.

Behind-the-scenes, and at the request of our customers, Guidewire provided cyber insights and analysis to help them manage issues they may have faced due to this cyberattack themselves and provide them with information to make calculated business decisions. For example, Guidewire’s comprehensive analysis regarding the financial loss and duration of this cyberattack helped its customers with insights on the financial impact of this cyberattack against the entire U.S. economy.

Background

On Friday May 7, reports surfaced that hackers had crippled operations at Colonial with a successful ransomware attack. As a result, the pipeline had been shut down and there were real concerns over the weekend about supply disruptions and price spikes in the United States given storage limitations and expected demand surge. Most fuel terminals have a 10-15 day supply, so a long term shutdown would be disruptive.

Impact of Cyberattack

The weekend immediately after the Colonial hack, many experts in oil & gas economics, cyber security, consumer demand trends, commodity pricing, financial markets, and even national security were scrambling to make sense of the evolving situation.

As the crises continued, many were making statements in the press with some version of the following messages: “We can handle this type of fuel disruption because the industry has supplies in storage, but if it goes on too long, bad things could start to happen.” Or “No need to panic about this, unless it goes on too long.” Many were not certain how “bad” things could be, and how “long” this might go on.

On May 9, the U.S. government relaxed rules on fuel transportation via roads in an effort to minimize the disruption of the closed pipeline. On May 11, the U.S. House Energy and Commerce Committee introduce bipartisan legislation to strengthen the Department of Energy’s ability to manage cybersecurity threats. How Guidewire is Involved

One Guidewire customer asked us on the weekend of the attack to jump into the fray with our perspective on how this incident might play out. However, Guidewire’s Cyence Risk Insights tool was designed to provide insights into this type of ‘non-natural catastrophe.’ See the whitepapers that address the rapidly evolving ransomware threat and a selection of other stories here.

Our analytics provided estimates based on our years of experience modeling cyber incidents (not only the attack itself but also the economic implications of events). With all the usual statistical caveats, we provided estimates on an economic loss between $5M-$6M and an event duration of five days, which seemed to be the variable that many fixated upon at the beginning of the potential crisis.

The Guidewire team provided our customer with a range of model estimates. Over the next several days, news eventually came out that Colonial had paid a $5 million ransom payment in cryptocurrency and that pipeline operations began starting up on May 12 (five days since the hack). It turned out these outcomes ended up right in the middle of the range in our statistical model results! This type of accuracy will not always be the case, but having fact-based analytics when dealing with complex potential catastrophic events is critical for our customers that provide risk solutions to their stakeholders.

When a cybersecurity crisis hits the news, it is likely that the Guidewire team has already been working on bringing insights to our customers. Our insurance and financial institution clients know that we have robust data and the most advanced models to provide the relevant economic analysis of cyber events for their needs. But their relationship with us is based on more than our powerful software solution; they also rely on our unique combination of individual experts to make sense of the analysis and help them navigate through complex business issues. Ongoing Debate About Ransomware

The payment of ransom to cybercriminals has been in the news recently. Recently, a tier one insurer announced that it will stop covering ransomware payments in France. The logical argument being made by many is that the payment of extortion only encourages more cybercrime. And, if you deal with cybercriminals, there is no guarantee that they will deliver on the decryption keys – the proverbial lack of honor among thieves.

Our models suggest that the vast majority of cybercriminals are keeping their word and making good on releasing the data. It seems that criminals may be thieves, but they are also rational economic actors and these professional organizations that can pull off a major cyber strike have no interest in hurting their business model by introducing uncertainty to their operations. The organization that is reportedly responsible for the Colonial incident, DarkSide, has created a franchise model to maximize the economic return on their strategy. So why disrupt their business, that some have noted “prints money,” by not following through as a reliable transaction partner?

In the U.S., the FBI discourages organizations from paying ransom to hackers. But when the White House’s top cyber expert, Anne Neuberger, was recently asked about this policy, she didn’t take a definitive position: “We recognize, though, that companies are often in a difficult position if their data is encrypted, and they do not have backups and cannot recover the data.” (Bloomberg, May 13, 2021).

In an effort to prevent future cyberattacks like the Colonial Pipeline incident, The Department of Homeland Security (DHS) is moving to regulate cybersecurity in the pipeline industry for the first time. According to The Washington Post, the Transportation Security Administration, a DHS unit, will be issuing “a security directive requiring pipeline companies to report cyber incidents to federal authorities,” with plans for more mandatory rules for how pipeline companies need to protect their systems against cyberattacks and steps that should be taken in the event of a hack.

The debate among politicians, insurance industry executives, law enforcement, policy and legal experts, and cybersecurity professionals will continue. We don’t know now how we will mitigate this risk as a society in the future – we do know that Guidewire will be engaged with our customers to bring the best of our analytics capabilities to our customers to meet this challenge.