I Don't Want to Say It But ... I Told You So: They Got Hacked
By Fernando Thompson | Mon, 05/24/2021 - 12:57
Last year, I was invited to moderate a technology and innovation panel organized by Mexico Business Events, where other guests and I addressed important topics such as the digital and technological transformation of the energy sector and the impact on the industry in the new post-COVID reality. Alongside other panelists, we also addressed pivotal questions related to imminent risk scenarios, such as cyberattacks.
First, on a micro level, decision-makers, such as CEOs, COOs and CIOs, are not yet attaching enough importance — or providing the needed budget — to the issue of cybersecurity. And neither are the majority of those responsible in IT departments. In my opinion, the majority don’t have the level of knowledge or preparation required to put together everything that involves protecting the information and digital assets of a company. A technician thinks that they will be well protected with an antivirus or anti-spyware software and hardware like a firewall. But this is far from reality and it is making key companies, institutions, and government agencies highly vulnerable targets.
Second, on a macro level, we have governments and corporations. Wars between power groups and conflicts between powerful nations are happening right now and the vast majority of the population does not even notice. Russia, China, North Korea, and others are dedicated to hacking interests in the US and its allies. On the other hand, Americans also launch cyberattacks against their adversaries.
While I was preparing this article, a large oil corporation in the US, Colonial Pipeline, was transporting more than 100 million gallons of gasoline and diesel from the Gulf to the US East Coast. The company does this on a daily basis, but this time it was hacked with a type of malware called ransomware. This malware hijacks information and renders computers and servers inoperative; it literally paralyzes the entire operation. To suspend the hijacking and give control back to Colonial Pipeline, the digital hijackers demanded US$5 million. Days of worry and chaos unfolded due to the fuel shortage in the US South. The consequences: business losses, an increase in the cost of gas, speculation, and many other economic pressures throughout the week.
Incidents of this kind have happened in our country too: In 2012, Saudi Aramco was attacked and PEMEX was also hacked by another ransomware in 2019.
In short, almost everything that represents critical infrastructure will be attacked: airports, hospitals, water dams, transportation systems, traffic control, security, the energy industry and others. Due to the fact that these industries are so essential, have so much money, and can’t survive if their operations are paralyzed, they become an appetizing target for cybercriminals.
Going back to the Colonial Pipeline story, neither its technology experts nor the FBI, nor any other entity, could do anything to rescue the company other than point fingers at a Russian group as the cause. In the end, the company had to pay the ransom. They paid US$5 million, which is the equivalent of MX$100 million. Worst of all, Colonial Pipeline could again be the victim of a similar attack. Shell, Mobil and all the companies dedicated to the extraction, distribution and sale of fuels are the most obvious targets for a hack because for each day that they stop operating, they lose millions.
Think about this: If the average cost per gallon is $3.5, and on one day they transport 100 million gallons, but they stopped operating for seven days, that means they lost $2,450,000,000 as collateral damage, in addition to what they paid for ransom.
What is the key to reducing risk? To start, training employees. Making people aware of the dangers of the internet is vital; quotidian things like opening an email, clicking on a link, or downloading a photo or video are precisely what trigger hacking. Government, corporations and educational institutions must put together a national strategy to, first, protect citizens, and then companies of all sizes and the interests of the country. What I propose: the creation of a cyber-command to lead Mexico's defensive strategy.