5/18/21: Gasoline prices spiked 9 cents/gallon over the weekend. The move was not prompted by a sudden increase in driving demand nor a spurt in economic activity, but rather because of a cyberattack waged on Colonial Pipeline, one of the nation’s largest pipeline networks for refined petroleum products. The attacked prompted the company to shut down its 5,500 miles of pipelines, a conduit which supplies nearly half of the East Coast’s refined petroleum product needs, like gasoline and jet fuel. Colonial’s pipeline, which has operated since the 1960s, currently pumps 2.5 million bbls/day of gasoline and jet fuel. A prolonged shutdown would have a profound effect on a region of the country that accounts for more than one-quarter of America’s GDP. Some of the region’s gas pumps are running dry as motorists scramble to top off their tanks. The price of unleaded gasoline is approaching $3.00/gallon, its highest level since late 2014. With crude in abundance and gasoline in short supply, unleaded is trading nearly 25 cents/gallon higher than what crude prices suggest, according to a Cresset Capital study.
Attacks on critical infrastructure have been a hot-button issue for nearly a decade, although their importance have intensified in recent months. Last year’s Solar Winds intrusion by Russian intelligence was not discovered until months after the fact. The breach tapped into the nexus of internet security serving hundreds of prominent corporate and government users. The incident, and the nature and number of affected US government agencies – most notably the US Energy Department, which controls the National Nuclear Security Administration – is unprecedented. Earlier this year, a Chinese espionage group was responsible for exploiting flaws in Microsoft Exchange Server email software and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over the infected systems.
Established in 2018 as a division of the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA) is responsible for building the national capacity to defend against cyber-attacks and work with the federal government to provide cybersecurity tools, incident response services and assessment capabilities to safeguard the US government networks that support the essential operations of partner departments and agencies.
Cyber-attacks, for ransom or other motivations, have the potential to wreak chaos on our nation’s infrastructure, like the electrical grid we all take for granted. Widespread power outages, if sustained, could easily cripple our economy and cost lives. Cyber vulnerability has gotten President Biden’s attention and has become one of the most important national security issues. Cybersecurity, in fact, has prompted the Biden administration to issue a series of executive orders intended to bolster America’s public and private digital security in light of several major attacks from Russia and China in recent months. The Colonial Pipeline breach is just the latest ransomware attack on a critical piece of our energy infrastructure. CISA disclosed that last year a cyberattack affected an unnamed natural gas compression facility. In one of the most disturbing breaches of our nation’s infrastructure, in February hackers took control of a water treatment plant in the 15,000-person city of Oldsmar, Florida. The still-unknown perpetrator attempted to poison the water supply by changing the level of sodium hydroxide (also known as lye or caustic soda, which regulates the water’s pH level) released into the system by moving the setting from 100 ppm to 11,100 ppm. Thankfully, the attempt was thwarted when an operator quickly spotted the intrusion and returned the settings to normal levels.
Cybercrime and ransomware are costly in both financial and human terms. And, unfortunately, the measurable financial impact is expected to multiply. Cybercrime is forecast to cost $20 billion globally this year, according to Security Detectives, a computer virus consultant. Significant downtime, loss of trust and reputational risk are among the other, intangible side effects of a cyberattack. Consider Sony Pictures, whose email servers were breached by a hacker group called “Guardians of Peace” in 2014. The hackers published confidential emails, leaked scripts, distributed unreleased movies and divulged executives’ salaries, causing financial and reputational damage to Sony’s brand and its employees. Sony stock lost 10 per cent of its value in the immediate aftermath of the hack, but recovered within the next three months. The reputational costs to the company and its executives are immeasurable.
The market reaction to the Colonial Pipeline breach has been muted, with a 9-cent spike in the price of a gallon of unleaded gasoline over the weekend which quickly reversed. That’s because fuel inventories in the Northeast are comfortably high, thanks to reduced travel owing to COVID-19. According to company spokespeople, Colonial plans to restore the pipeline service sometime this week. A prolonged shutdown would undoubtedly push pump prices higher, particularly in the Northeast.
Our global reliance on internet connectivity and the cloud makes society vulnerable to cyberthreats. Already, the cost to the economy and its infrastructure is profound. A global cybersecurity industry, helping companies, governments and individuals protect their networks against attack, has emerged as public and private sectors face manifold cyberthreats. Due to our interconnectedness, our networks are only as secure as their weakest link: those companies and systems that aren’t adequately prepared to combat the constant barrage of phishing email and corrupted websites, or provide inadequate training. An index of cybersecurity companies, comprising names like Crowdstrike Holdings, FireEye and Proofpoint, have outpaced the broader market over the last several years, with most of its relative advantage coming over the last 12 months. Like it or not, cybersecurity is, and will remain, a dominant theme in the public and private sectors, as well as with investors, for many years to come. Cresset has built a cybersecurity portfolio as one of our nine thematic strategies., and we encourage you to talk to your advisor to learn more about this strategy.