On Friday last week, America’s largest gasoline pipeline that runs from the Gulf Coast to the New York Harbor was hijacked by hackers who used ransomware in a cyberattack against the pipeline company. The pipeline, which supplies 2.5 million barrels of refined gasoline, diesel and jet fuel per day and provides almost half of the gasoline used on the US East Coast, is a key conduit for transporting fuels across major cities in the US.
DarkSide, which is responsible for the ransomware has access to the pipeline company data and is holding it hostage until its monetary demands are met. In the last few days since the hack, the US has faced significant ripple effects. The price of gas on the East Coast has risen by a couple of cents with the likelihood of further increase in the coming days. There are speculations of possible scarcity in some parts of the North-East, while places like North Carolina and Atlanta which are served by the pipeline are already experiencing pockets of scarcity.
The incident has led the President to relax fuel road transport laws to ensure that trucking of fuel from the Gulf Coast serves as a viable alternative. There are currently talks too of importing fuel from Europe to stem possible scarcity in the North-East that could result if the shutdown of the pipelines continues. The use of alternative pipelines like the Plantation Pipeline which has much less capacity than the hijacked pipeline has also been mooted.
The result of this singular cyberattack and the ripple effect it has on the US economy and global energy markets is telling and should raise questions for Nigeria on its cybersecurity preparedness. Is Nigeria prepared for attacks of such nature on its critical energy infrastructure? In the past few weeks, Nigeria has witnessed an upsurge in security challenges, ranging from multiple kidnappings to ethnic clashes to violent attacks and killings by terrorist groups which have made it generally unsafe to conduct business.
The manner in which the country has wilted under the pressure of these attacks goes to show its unpreparedness, and the ripple effect on the energy sector cannot be overestimated. The recent vandalism of the grid in Borno leading to blackout in the State as well as the years of unrest in the Niger Delta that significantly reduced oil production in Southern Nigeria go to show how insecurity can affect energy supply.
Similarly, a critical angle that little attention has been paid to is cybersecurity, the failure of which has the potential to cripple energy sector activities in seconds.
In a recent research carried out by Sophos Group, a British security software and hardware company, it was revealed that Nigeria has the highest percentage of data leakages worldwide and ranked the top five for issues like ransomware, malware and cryptojacking. Little wonder that late last year during the ENDSARS protests, a number of Nigerian government agency websites, including the website of the Central Bank of Nigeria, were hacked. Another report from 2019 showed that Africa lost $3.5 billion to cyberattacks in that year, with Nigeria making up the largest share of the loss – $649 million.
Despite this glaring porousness of our cybersecurity systems, no special measure has been taken to secure critical infrastructure like our pipelines that are the basis of our energy security, and inevitably our national security. There seems to be the mistaken belief that “Nigeria is not there yet” and is not susceptible to these “elite” attacks.
On the contrary, regardless of how much technological gap may exist in the country, a significant part of the operations of the oil and gas and power infrastructure runs on technology and data, and is by that alone subject to the possibility of cyber tampering.
The Nigerian Cybercrimes Act of 2015 while attempting to combat cyberattacks falls short by restricting its reference to the protection of “critical information infrastructure,” focusing predominantly on telecommunication infrastructure. In Part III where it eventually refers broadly to “critical infrastructure,” it again limits the scope of penalties to where such is being tampered with by employees of the organisation. The Act is hardly fit for purpose to tackle cyberattacks targeted at pipelines by third parties, as in the case of DarkSide.
Pipelines like the Trans-Niger Pipeline, the Escravos-Lagos Pipeline and the West African Gas Pipeline are critical infrastructure that can be hijacked by mischief makers, especially with the increasing use of technology in pipelines security. For instance, only early this year, the DPR approved the use of intrusion pipeline technology to identify and manage leaks, external corrosion and other interferences. This employment of technology equally opens the system up to technological tampering.
Nigeria needs to take cybersecurity issues more seriously. If anything, the US DarkSide incident gives us a clue to how a group of unidentified individuals could remotely hold an entire country and its economy to ransom.
