What can be hacked, will be hacked: Colonial pipeline And Modern Supply Chains

One of the most interesting events over the last week was the cyberattack on the Colonial Pipeline.  The immediate impact was immense:

“The Colonial pipeline runs from Texas to New Jersey and carries about 45% of the fuel consumed on the East Coast, according to the company’s website. The shutdown is particularly worrisome for Southeastern states, including North and South Carolina, Virginia and Georgia; they have fewer sources of fuel than do states farther up the Atlantic Coast.”

While the issue has been resolved and the pipeline is restarting, we are not out of the woods yet: 

“Following this restart it will take several days for the product delivery supply chain to return to normal,” Colonial said in a statement. “Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during the start-up period. Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal,” the company added.”

It may take some time for the situation to settle, and prices may be volatile for a while.  But the real question is, what’s the long-term impact?   

In particular, the main question is what this incident tells us about the broader risks associated with digitization and the prospects for further incidents, primarily as these pertain to supply chains?

Three Main Trends

To understand why this question is as vital as ever, we need to understand three key trends that are only going to amplify over the next few years. 

Digital supply chains

supply chains are becoming more digitized over time. This may sound like a buzzword, so what does it really mean?  McKinsey provides a simple definition of  the next generations of supply chains: 

"Supply Chain 4.0 - the application of the Internet of Things, the use of advanced robotics, and the application of advanced analytics of big data in supply chain management: place sensors in everything create networks everywhere, automate anything, and analyze everything to significantly improve performance and customer satisfaction"

There are two important implications for this trend. First, communication between supply chains and firms within a supply chain will be done via digital means. Rather than people communicating with people, we will have software communicating with software via APIs. While the communication will be faster and more accurate, it’s also going to be easier to intercept and interfere with it. It also means that it’s enough to hack one component, to hack other parts or firms. 

The second implication is that we will probably understand supply chains even less than we understood them now. As more devices are going to enter the supply chain, and the communication will be done behind the scenes, fewer people will actually understand what truly is going on.  The divide between the physical supply chain (products) and the digital supply chain (information and funds) is going to widen even further. 

Supply chains are Infrastructure

The second trend is that supply chains are becoming the infrastructure of our day-to-day life. As we manufacture less and build less, we rely much more on moving things from one point to another. As products are becoming more complex, we rely on bringing products and components from different parts of the world. This is the case for anything from vaccines, to phones to cars to Boba tea.  

Supply chains are (more) Complex (than ever)

The third trend is that supply chains are becoming more complex. This is true for anything from T-shirts to vaccines to semiconductors.  While we call these supply chains, they are actually a very complex set of networks. The disruption of one distant node can have a significant and disproportionate effect on other nodes in the network. Fires in Japan can have a substantial impact on automotive manufacturing in Slovakia. Weather in Texas impacts chip manufacturing in Korea. As products became more complex, firms outsourced more and specialized more. The emerging supply chains (or networks) became complex networks of entities.  

Cybersecurity and Supply Chains

Taking all of these together and you realize that cyber-attacks are going to be more frequent and more disruptive moving forward.  Many of us imagine these cyberattacks to be done by amateurs, but the reality is that most of them are done by state actors or organized crime.  They usually require a significant amount of time and effort to study the systems and their vulnerabilities. Low-hanging fruits still exist, but they are decreasing in numbers. 

Since cyberattacks require significant effort, they will be directed at firms and institutions that provide leverage. And supply chain nodes offer exactly that: leverage. A disruption in a small and unprotected node can have the entire east coast running to the gas stations.   

The issue is even more acute since in order to protect against cyber attacks it’s not sufficient for firms to safeguard their systems. Since firms communicate with their suppliers through digital means, one can hack the supplier (or the supplier of the supplier) as a way to penetrate your systems. Unless you have visibility to your suppliers, you cannot protect against such attacks. Unless you know how vulnerable your suppliers are, you don’t really know how vulnerable you are. 

You can see a theme here: the first step in any supply chain risk mitigation is to have visibility into your network. This is doubly important in the age of digitization.  

Firms are working to reduce the risk of such cyber attacks.   But my claim is that from a supply chain point of view, we are thinking about it the wrong way.   We are trying to prevent the unpreventable, and don’t hedge against what can he hedged. 

What is Risk

When I think about risk, the main framework I usually use is that risk is the product of Likelihood times Consequences. Likelihood: the probability of a risky event. Consequences: the impact (financial or loss of life) if the event happens. In the case of cyberattacks, we should try to evaluate the likelihood of such an attack, as well as the consequences of such an attack.

This framework is practical because it not only helps evaluate the risk but also allows us to discuss different mitigations. For example, sometimes, it’s more effective to reduce the likelihood of a risky event. For example, not allowing people to text while driving reduces the possibility of an accident. It’s also prudent to wear a seatbelt. Wearing one doesn’t reduce the likelihood, but it does reduce the consequences of an accident by reducing the impact and thus the injury. Insurance is another measure that does not impact the probability of an accident but instead reduces the financial impact.

Let’s go back to our cybersecurity discussion. Over the last few years, firms have started investing in detecting and preventing cyber-attacks. For full disclosure, I am an angel investor in two such firms: Solvo, which offers a developer-centric security platform that creates and maintains a least-privilege security policy for cloud-native applications, and Sternum, which provides active preventions to cyberattacks on devices, and prevents exploitations of known and unknown vulnerabilities in real-time. Attackers are more likely to exert effort where it’s easier to penetrate. So having these tools reduces the likelihood of a successful attack. 

But this is only half of the equation. It seems that over the last few years, the supply chain cybersecurity discussion was focusing primarily on the IT side of the equation and less on the supply chain of the equation. The consequences part of the equation.  

I will begin with a somewhat bold statement.  We should assume that the likelihood of an attack is 100%. The likelihood of a successful attack, over time, is also 100%.  Don’t get me wrong, I do think we need to try to prevent cyber attacks. But since reducing the likelihood of a successful attack to zero is impossible, we need to assume that it is going to happen, and start thinking about how to mitigate and hedge against such attacks. 

We need to start thinking about cyberattacks like hurricanes.  They will happen. But a prepared and resilient supply chain will have minimal negative consequences. 

Mitigation and Hedging 

Before we go back to the supply chain discussion, let's take an example from our personal life. Once in a while, we get an email from a hotel chain saying that a few months(!) ago, their system was hacked, and passwords were stolen, including additional identifying data. The emails are usually full of legalese to reduce liability (talking about consequences) and give us a year-long subscription to an identity monitoring service. Essentially, the firm is trying to minimize its consequences by being reactionary to the event. Any step taken after the event is usually going to be expensive and limited in its effectiveness.

If you try to examine the impact on yourself as a person, if the password you used is shared with other websites, usually the first step is to go and change the password on that website as well as any other website. Time-consuming and unpleasant, but maybe not all that bad. What could have been a mitigating step? I am not sure about the hotel chain, but for you, it can be having a different password for every website, so there are no spillover effects. 

Let’s now take the same idea to supply chains and cybersecurity.  How can firms mitigate and hedge against cyberattacks on suppliers? We should start treating cybersecurity attacks the same we think about any attack or disruption to our suppliers. Or a pandemic.  We should build supply chains that do not have a single point of failure, both in terms of suppliers as well as in terms of systems.  We need to start thinking both about a failure in the ability of the supplier to deliver the product, as well as the inability of the supplier to provide safe and accurate information. Both are risks that can be hedged against and mitigated against. Dual sourcing, network flexibility, digital twins are just some of the concepts one can use to build such resilience. 

But this requires us to move the discussion on supply chain risk from being a discussion on reactions to a discussion on resilience. And resilience means: thinking end-to-end. It means having leadership involved in these discussions and asking these questions. Not only what have we done to prevent these in our systems. But also, what have we done to prepare and hedge against these anywhere in our supply chain, and what can be done when they happen. 

The main takeaway: Everything that can be hacked will be hacked. The only question is when. We should stop treating supply chain attacks as surprising events. We need to look at them as something that is absolutely going to happen and mitigate and hedge against them. How? Build a resilient supply chain.