Cybersecurity lessons from the Colonial Pipeline hack

Governments worldwide are set to spend more on cybersecurity, and investors should look at exactly where this money is going, write Brian Gorman and Nick Reeve.

The Colonial Pipeline ransomware case refocused attention on cybersecurity in the infrastructure sector. The company paid a $4.4 million ransom to a criminal gang that had forced its operations offline by encrypting data on its internal system.

The Colonial Pipeline – owned by a consortium of investors including pension funds – supplies fuel from the US Gulf Coast to the East Coast market, and is a crucial piece of the energy supply chain in the region. The Federal Bureau of Investigation discourages making payments to ransomware attackers, as it may encourage other criminal networks to carry out similar attacks. However, Colonial Pipeline CEO Joseph Blount told the Wall Street Journal that he authorised the payment – made in cryptocurrency and subsequently partially recovered – because he did not know the extent of the damage and how long it would take to rectify.

Cybersecurity experts say more attacks like this will follow, and the situation is being made worse by target companies keeping such incidents under wraps. They may make ransom payments as the cost is small relative to the potential losses they could incur.

Growing threat

Lisa Chai, senior research analyst at Robo Global, a Dallas-based index, advisory and research company, says: “I think it’s happening a lot more than we hear about. People in a crisis are paying these ransoms because they have billions of dollars at stake.”

The US government is clear in its commitment to combat the problem. President Joe Biden issued an executive order in May aimed at improving national cybersecurity and protecting federal government networks.

A White House press briefing document on the executive order stated: “Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that US public and private sector entities increasingly face sophisticated malicious cyber-activity from both nation-state actors and cyber-criminals.”

The statement was short on detail and did not specifically commit to major spending. Nevertheless, analysts believe the administration will have to increase cybersecurity spending to remedy underspending in past years as well as to address the most recent threats.

The US has been aware of digital threats to its infrastructure for some time. Under President Donald Trump, it established the Cybersecurity and Infrastructure Security Agency in 2018, dedicated to improving cybersecurity across government and private sector industries, including energy, water, emergency services, healthcare, dams and communications.

Any companies looking to supply the federal government with technology products or services will have to demonstrate that they have high levels of cybersecurity in place, provided by in-house teams or subcontractors. The governments of other countries are also set to tighten eligibility criteria for contracts, thereby tilting the market in favour of bigger players.

There is a consensus that private companies, as well as governments, have underspent on cybersecurity for some time. Chai believes that bigger companies, particularly those with an artificial intelligence offering, are more likely to succeed as this shortfall is corrected. “We’re expecting the cybersecurity market to grow at a very healthy rate,” she says. “It’s probably not an option for anyone to decrease their spending.”

Remote working increases risks

The rapid increase in home-based and remote working practices as a result of the pandemic has been seen across the infrastructure sector too. Outside the office environment, computer systems are often less secure and more vulnerable to attacks.

Between February and May 2020, more than half a million people around the world were affected by hacks and security breaches relating to video conferencing, according to Deloitte. In addition, the consultancy found there had been an increase in hackers developing new malware programmes to “attack and infiltrate systems” since the onset of the pandemic.

“This upsurge in sophisticated cyberattacks calls for new ‘cutting edge’ detection mechanisms to meet the threat, such as ‘user and entity behaviour analysis’ or UEBA,” Switzerland-based Deloitte director Cedric Nabe said late last year. “This analyses the normal conduct of users and applies this knowledge to detect instances where anomalous deviations from normal patterns occur.

“Before the pandemic, some companies were opposed to allowing remote working and especially when it came to accessing confidential data… In only a short period of time, companies had to increase their capacity and capabilities for remote working. Unfortunately, cybersecurity was not always a key priority in the fast deployment of remote working capabilities.”

The Biden administration is attempting to pass a bill through Congress that would result in $2.3 billion being spent on infrastructure in the next few years. The Colonial Pipeline hack demonstrates the importance of directing some of these funds towards ensuring that infrastructure assets have sufficient protection from digital threats. For investors, this makes cybersecurity a potentially lucrative area of investment within the digital infrastructure sub-sector. Cybersecurity investors may be rewarded as bigger firms with deep pockets seek to acquire additional expertise.

Investing in cybersecurity

Those looking to invest in cybersecurity can look to the exchange traded fund market, where several specialist offerings have been added in the past few years. Among those listed on US exchanges are the $2.2 billion ETFMG Prime Cyber Security ETF and the $527 million iShares Cybersecurity and Tech ETF.

One stock to feature in the top 10 holdings of many cybersecurity ETFs is Proofpoint, which specialises in email security threats. The company has delivered a handsome gain – 49 percent in the 12 months to early June, according to Bloomberg – and has attracted a $12 billion takeover bid from private equity firm Thoma Bravo.

Although most cybersecurity companies are based in the US, this is not exclusively the case. The historical global dominance of Silicon Valley in California as a tech hub is being challenged by countries and companies across Europe and Asia in particular.

The UK has highlighted technology as a key sector for growth post-Brexit. Another of Thoma Bravo’s cybersecurity purchases, Sophos, acquired in 2019, is London-based. DarkTrace floated on the London Stock Exchange in April. Its shares soared 30 percent on the first day to take its value to more than £2 billion ($2.8 billion; €2.3 billion).

As cyber-criminals and their methods grow ever more sophisticated, companies across all areas of infrastructure will have to invest heavily to stay ahead and secure. For investors, there may be opportunities in the rush for online safety.