September 2022 - Interos

Nord Stream Pipeline Leaks Underscore Threats to Critical Energy Infrastructure

Posted on September 28, 2022 by interos-blogger

By: Trevor Howe, Senior Operational Resilience Consultant

On September 26th, sudden drops in pressure were observed in the natural gas pipeline Nord Stream 2 before undersea leaks were detected in the Baltic Sea. Shortly thereafter, leaks were also detected for Nord Stream 1. While the pipelines are not currently facilitating gas flows from Russia to Europe, they were filled with natural gas which has leaked into the Baltic, creating an operational hazard for vessels in the area. The Prime Minister of Sweden, Magdalena Andersson, disclosed to a news conference on September 27th that seismologists in Sweden, as well as Denmark, had registered two powerful blasts the day prior in the vicinity of the leaks. Moreover, the explosions occurred in the water, not under the seabed, and at relatively shallow depths which would be reachable by divers or unmanned underwater vehicles.

Nord Stream Sabotage Damages European Energy Infrastructure

While these explosions occurred inside the exclusive economic zones of Sweden and Denmark, they have not been considered an attack on either country, which could trigger NATO intervention through Article V of the Washington Treaty. European Officials, including NATO, have claimed that the explosions were the result of sabotage, though the European Union has not yet named a perpetrator or suggested a reason behind the incidents. The Kremlin’s spokesman, Dmitry Peskov, also told reports that the incidents could have been the result of sabotage and that they would promptly investigate the matter.

While investigations are underway to ascertain the cause of the explosions and responsible parties, neither pipeline was active and these incidents should have no immediate effect on the supply of natural gas to Europe, though they have put additional upward pressure on prices.

Operational Threats Against Energy Infrastructure & Supply Chain

What the Nord Stream events highlight is the fact that European critical infrastructure can be a potential target for those seeking to precipitate disruptions and undermine energy security on the continent. This threat is made particularly dangerous amid EU Member States’ efforts to prepare for the winter season without Russian natural gas.

The speaker of Lithuania’s parliament, Viktoria Čmilytė-Nielsen pointed out that “these incidents show that energy infrastructure is not safe” and that “[the explosions] can be interpreted as a warning.” If indeed these explosions were intended as a warning, it is possible the threat could be directed towards the Baltic Pipe, a new gas pipeline carrying supplies from Norway through Denmark to Poland which was just opened on September 27. Norway has been a crucial supplier to Europe amid the scramble to replace Russian energy, so disruptions to Norwegian exports could have significant downstream effects. However, it is crucial to note that this threat is not unique to Norwegian energy infrastructure.

Cyber Threats Against Energy Infrastructure

While physical threats to critical infrastructure (as defined by Council Directive 2008/114/EC of 8 December 2008) are a priority for EU Member States, governments must also prepare against cyber threats. According to the Commission, “traditional energy technologies are becoming progressively more connected to modern, digital technologies and networks,” and while this makes the energy system smarter, “digitalization creates significant risks as an increased exposure to cyberattacks and cybersecurity incidents potentially jeopardizes the security of energy supply and the privacy of consumer data.”

One need only look to the disruptions caused in the U.S. in the wake of the ransomware attack against the Colonial Pipeline Company in May 2021 which led to the shutdown of 5,500 miles of pipeline carrying around 45% of fuel supplies on the East Coast. That attack was made possible by a single password being compromised for a legacy virtual private network (VPN) which didn’t use two-factor authentication. A relatively simple theft enabled hackers to disrupt one of the country’s largest and most vital pipelines, forcing President Biden to declare a state of emergency.

Europe is not immune to threats similar to the Colonial Pipeline cyberattack. Early February 2022 saw a slew of cyberattacks against oil transport and storage companies across the continent. These attacks forced an affected company, Oiltanking Deutschalnd GmbH & Co. KG, to operate at a limited capacity and even caused slowdowns at ports in the Netherlands as barges awaited oil deliveries. With supply chains in a state of recovery due to the COVID-19 pandemic, disruption events like this have the potential to set recovery efforts back significantly, especially at a time when energy security in Europe is a top priority.

Russian Hybrid Warfare

Though Russia has wielded energy as a foreign policy weapon, by cutting flows entirely through the Yamal pipeline and Nord Stream 1 the Kremlin has lost leverage in terms of the future damage it can unilaterally instill via energy exports to Europe. As a result, it would be unsurprising if Russia were to employ additional hybrid warfare tactics in the form of cyberattacks, an area in which the Kremlin wields asymmetrically advanced capabilities, to further Russian national interests. These could include attacks which target critical energy infrastructure to further destabilize Europe’s energy security and put more upward pressure on energy prices which threaten business’ operations across the continent.

Multiple entities in Russia are known to possess and deploy advanced cyber capabilities against adversarial targets, this includes Russia’s Federal Security Service (FSB); Russia’s Military Intelligence Agency (GRU); Russia’s Foreign Intelligence Service (SVR); and a private organization, the Internet Research Agency (IRA). These actors can act alone, or in tandem with one another, to devastating effect if they so desired to further destabilize Europe’s energy security.

Supply Chain Risk Management

To guard against physical disruptions, Norway and Denmark have already stepped-up security posturing around their oil and gas industries’ infrastructure, rigs, and buildings after the Nord Stream incidents. However, physical security does not guard against cyberattacks which can be mounted from halfway across the world.

Companies can better-understand their risk exposure to physical and digital infrastructure attacks by gaining greater visibility into their third parties’ risk posture. Doing this at-speed, continuously, and without breaking the budget requires artificial intelligence-driven software like the Resilience platform offered by Interos.

Additionally, entities should implement risk management programs, conduct internal reviews to assess their own security posture, prepare and test resilience plans for likely scenarios, and strengthen collaboration with stakeholders in their respective industries to better manage risk in their supply chains.

Enabling Operational Resilience with DORA: Supply Chain Risk Management

Posted on September 23, 2022September 23, 2022 by interos-blogger

By Max Kanaskar and Geraint John

Upcoming regulatory compliance requirements under the European Union’s Digital Operational Resilience Act (DORA), will require financial institutions to transform the way they conduct supply chain risk management (SCRM) and thus the way they build digital operational resilience.

However, financial services companies typically do not have visibility of their digital supply chains beyond third parties. Many lack comprehensive operational risk intelligence on their core ICT (information and communication technologies) suppliers, and more still struggle to scale SCRM processes, especially continuous monitoring.

Successful firms will begin by focusing on SCRM resource efficiency and risk mitigation, and transition to engaging it for true operational resilience.

DORA: Beyond compliance to transformation

DORA, an EU-wide rule book governing cyber resilience management for financial institutions and their critical ICT suppliers, is expected to become law sometime later this year. It underscores the strategic significance of operational resilience: the “double dividend” of operational loss avoidance and higher levels of business effectiveness in terms of financial stability, risk-taking and stakeholder engagement.

Leading institutions are approaching DORA not as a compliance requirement, but as a transformational opportunity. Central to this transformation is the maturity of SCRM programs.

While we await detailed supervisory guidance around DORA, European financial services firms are examining their third-party relationships, uncovering hidden risks, and driving maturity of their SCRM processes. In parallel, they are setting up enterprise resilience programs, with a top-down, cross-functional organizational mandate to institute operational resilience.

SCRM can help to enable several resilience-related capabilities, including:

Enhanced scenario identification through nuanced illumination of third parties and their connection to critical economic assets and business services.
Improved response and recovery speed through timely and targeted event monitoring and third-party engagement.

Building up to this strategic resilience vision is the 360-degree situational awareness of digital supply chain risk – a challenge that many financial institutions still have today.

The importance of multi-tier supplier visibility

Data analysis by Interos using its global relationship mapping platform on 12 systemically important European banks reveals the extent of this challenge:

On average, a single such institution has 75 direct, tier-1 (third-party) relationships with ICT suppliers.
This quickly explodes to 3,500 relationships when tier-2 suppliers (fourth parties) are included, and a whopping 15,000+ at the tier 3, or fifth-party, level.

Very few institutions have good visibility into this extended ICT supply chain, and fewer still can ascertain where vulnerabilities may arise.

To underline the importance of this multi-tier visibility, Interos’ 2022 global supply chain survey found that while 18% of financial services executives said they experienced disruptions among third-party suppliers in the previous 12 months, the corresponding figures for fourth and fifth parties were 31% and 43% respectively.

If financial institutions do not have visibility of their extended digital supply chains, then they are not prepared to prevent, respond to and recover from incidents that occur there.

At the same time, there is a more insidious effect that companies need to be cognizant of when dealing with ICT suppliers and their extended supply chains: complacency.

Interos’ analysis of the cyber risk scores of the most common ICT suppliers to major European banks reveals that they are generally well positioned to handle cyber threats. However, as recent incidents affecting vendors such as F5 Networks and VMWare show, even the best firms are vulnerable.

Invest in resilience-building capabilities to meet DORA requirements

The impact of this is wide ranging, especially from a resilience standpoint:

If financial institutions do not have the required visibility into their extended supply chains, how can they develop sound threat-led penetration tests to test their resilience strategies?
How can they engage with suppliers on joint resilience planning if they do not understand their suppliers’ detailed risk profiles?
How can they continuously monitor their vast digital supplier relationships and notify concerned authorities under strict SLAs with limited resources?

This challenge is acute for financial services and projected to become even more so, given the exploding number of supplier relationships for a typical company.

Studies highlight the importance of investing in building these capabilities: by one measure, a dollar invested in resilience-building early on helps avoid downstream losses to the tune of five dollars. Other similar other studies have highlighted the impact of resilience on total return to shareholders (TRS).

These financial measures are useful, but only one-dimensional; the returns in terms of preserving trust and reputation with key stakeholders are immeasurably greater – perhaps by several orders of magnitude.

Get started with ‘no regret’ actions

Once DORA becomes law later this year, financial institutions will have two years to comply with the requirements. The EU supervisory bodies that are currently working on the detailed Regulatory Technical Standards for DORA have until six months before the compliance deadline to release those requirements.

Companies have already been complying with various regional, cybersecurity-specific and resilience-related requirements and guidelines that predate DORA. So, from a compliance standpoint, many will not be starting from a greenfield position.

The challenge will be to pursue organizational transformation in the quest for true enterprise-wide operational resilience, for which institutions can start with “no-regret” actions today. These include:

Understanding risk exposures of extended digital supply chain – companies can begin by enabling this visibility and creating the supporting process and organizational infrastructure.
Leveraging these insights to begin planning for collaborative resilience with their key ICT suppliers.
Enhancing their existing resilience operating models to better leverage such risk insights by bringing in SCRM experts earlier in the planning process.

Such actions will not only help financial institutions comply with DORA requirements when they are released, but also will pay off from an enterprise resilience standpoint.

The EU’s DORA framework may well serve as the template for global resilience efforts. Either way, resilience requirements are coming from a regulatory standpoint.

Financial institutions are advised to take action today to prepare for this eventuality and ensure that they don’t fall behind nimbler peers.

To learn more about supply chain issues affecting major financial services institutions and banks, read the FSI cut of our annual industry survey.

Climate Change and Data Center Shutdowns Are Causing a Supply Chain Crisis

Posted on September 15, 2022September 7, 2023 by interos-blogger

by Julia Hazel, Ph.D

Climate change-driven extreme weather events wreaked havoc across the world this past summer and amplified concerns of data center resiliency. The possibility that “The Internet wasn’t built to endure climate change,” as stated in InformationWeek, seems more likely than ever. In July, an unprecedented heat wave hit the UK and temperatures reached the highest ever recorded in the region. In addition to the toll on human life and devastating wildfires, the heat also impacted the data center industry. At least two data centers controlled by Google and Oracle were forced to shut down due to cooling system problems. Unfortunately, this likely was not a black swan event. As with many other global challenges, the black swan is dead, and the shutdown is indicative of the growing risk water scarcity poses to data centers and supply chains across the globe.

Data Centers, Supply Chains, and Climate Change

Data centers power the cloud infrastructure fundamental to modern daily life and the overall functioning of businesses and industries. Cloud infrastructure is imperative to the supply chain and allows for logistical efficiency, management of inventory, and enterprise planning. Outages in London underscore the fact that data centers are an often-overlooked component of supply chains that are increasingly under heightened risk from climate change. Data center closures due to extreme weather events — which are projected to become more severe in the coming years — will lead to rising costs and disruptions across the supply chain.

The risks to data centers from climate change extend beyond heat waves. Data centers need vast amounts of water for two purposes: electricity generation and cooling. Drought and water scarcity are therefore enormous threats to operations. According to Your Computer is on Fire, midsize data center consumes about 400,000 gallons of water each day while larger data centers can consume up to 1.7 million gallons (about twice the volume of an Olympic-size swimming pool) per day. In a paper published last year, it was reported that the U.S. data center industry uses water from 90% of U.S. watersheds, and 20% of data centers rely on watersheds under moderate to high stress. Water use limitation has not been prioritized due to the tradeoff between using more energy-intensive closed loop chillers or water-intensive evaporative cooling. In short, water scarcity will pose an extreme risk to data center operations, and more attention should be focused on water usage and operational resilience given the threat of climate change.

A Global Analysis of Data Centers and Water Scarcity

The threat that climate change poses to exacerbating drought motivates our analysis on data centers found in water-scarce regions that place extra stress on the already strained environment. We compare global data center facility locations to both the historical drought risk, based on the historical frequency of drought events weighted by magnitude, and the drought risk we attribute to climate change, based on the linear multi-decadal trend of drought severity. The drought risk is calculated from global Climate Research Unit Palmer Drought Severity Index data that spans 1901-2021 and scaled between 0-100 globally on a 10km-by-10km grid. We consider drought risk scores below 34 to be “high” risk and scores below 67 to be “medium” risk.

Our findings show that out of 4,772 global data centers, 34 are within areas that have a historical high drought risk, and 665 are located within areas of medium drought risk. Those data centers within high-risk locations are primarily located within Arizona, which has recently become a data center hotspot for large U.S. companies such as Microsoft, Google, and Facebook despite record low water levels at Lake Meade and the Colorado river.

These numbers are even more stark when looking at the drought risk attributed to climate change. Looking ahead at the future risks posed by climate change, 15% of global data centers are in high-risk areas such as the Southwestern U.S., Western Europe, and Japan, where the trend in drought conditions has worsened in recent decades, and approximately 33% or 1,566 of all data center facilities are within medium risk areas. Equinix, one of the largest data center corporations that serves companies such as Amazon, Facebook, and Apple, has multiple locations within these high-risk areas.

Climate change will lead to unpredictable events and various disruptions, and these risks need to be mitigated where possible. Our analysis of drought risk and data center facilities highlights the need for climate change to be considered when constructing data centers and assessing the potential supply chain disruptions that may occur at the intersection of data centers and water scarcity. The geographic locations of these data centers will determine their water footprint and their resultant impact on the surrounding environment, in many cases exacerbating already pressing water shortages.

The risk of climate change to data centers extends beyond water scarcity and droughts. Hurricanes and severe weather, forecasted to become more severe with climate change, will pose a large cybersecurity risk to data centers if critical infrastructure is damaged during these events. Given the importance of cloud infrastructure to the supply chain, organizations should itemize those data centers on which their supply chains (and their livelihoods) rely and assess the current and future risks posed by climate change to augment their resiliency and avoid disruption from climate-related events.

To learn more about how the Interos platform can help prepare companies to face climate change challenges, visit interos.ai.

Why Drought Risk Must Be Upgraded in Supply Chain Decision-Making

Posted on September 6, 2022September 7, 2023 by Geraint John

By Geraint John

As if a pandemic, war, labor strikes, and rampant inflation weren’t enough, supply chain leaders now have another disruptive force to contend with – mass-scale drought.

From the U.S. and South America to Western Europe and China, record-breaking heatwaves and exceptionally low rainfall are disrupting not only agriculture, but also power generation, manufacturing, and logistics, necessitating drought risk management on a massive scale.

For many companies, severe water scarcity will be the first tangible impact of the relationship between climate change and supply chains. It should act as a wake-up call to take this category of supply chain risk more seriously and model it more systematically in footprint investment and supplier selection decisions.

Manufacturers are suffering from the heat

Farmers and agricultural producers are used to drought risk and their crops being at the mercy of extreme weather, from major storms and floods to wildfires and drought. But for manufacturers, recent events are more unusual, and make operational resilience more important than ever before.

In Germany, chemicals firms and car makers are among those that have been affected by low river levels in the Rhine, making it impossible for the biggest barges to transport their products to ports and onwards to customers.

Almost half of Europe is currently experiencing drought, according to a new European Commission report – the worst situation in 500 years.

In China, which is battling its most severe heatwave on record, hydroelectric power plants have been taken offline this month by low water levels in the Yangtze River. This has forced many manufacturing firms in Sichuan, Zhejiang, Jiangsu, and Anhui provinces to suspend operations.

Those impacted by rationing measures include Toyota, Volkswagen, Apple supplier Foxconn, and CATL – China’s biggest lithium-ion battery maker – according to news reports.

Analysis of Interos’ global relationship mapping platform data shows that:

There are over 560,000 relationships between suppliers in the four affected Chinese provinces and buyers outside of China.
More than 185,000 distinct foreign entities buy from Chinese suppliers in these regions.
The main industries represented by these trading relationships include machinery, electronic equipment and components, chemicals, and textiles.
In Germany, BASF – the world’s largest chemicals company and a major user of the Rhine for transportation – supplies almost 1,400 customers directly (tier 1) and over 86,000 indirectly (tier 2) in sectors such as chemicals, pharmaceuticals, food products, and apparel.

Drought risk management is an increasingly dire concern

While the scale and intensity of this summer’s droughts are the worst for many years, they shouldn’t come as a big surprise to companies that have been following discussions about climate change and supply chain risks:

Research by the United Nations shows that the number of droughts across the world has risen by 29% since 2000.
The Intergovernmental Panel on Climate Change has been warning that drought and other extreme weather events are becoming more common since its formation in 1988.
Extreme weather was ranked as the number one most likely risk in the World Economic Forum’s annual global risks perception survey for five years in a row from 2017.

As climate change increasingly impacts supply chains, the implications are dire. Interos’ proprietary risk i-Score shows that in terms of “natural disasters” (an attribute of operational risk that includes meteorological and climatological events):

China is in the top 10 highest-risk countries and territories, with a ranking of 240 out of 249 and a score of 12.1/100.
The U.S. is in the top 20 highest-risk countries and territories, with a ranking of 234 out of 249 and a score of 14/100.
Germany is, by comparison, considered much lower risk for natural disasters, with a score of 82.4/100, although it still only ranks mid-table at number 134.

A Gartner survey of procurement leaders in the DACH region last year found that extreme weather and natural disasters were rated as the third highest risk for the next 2-3 years after cyber attacks and supply shortages.

A quarter of the sample also rated climate change as very or extremely concerning, putting it ahead of pandemics, geopolitical tensions, and trade disputes (see chart).

Past events are not always a guide to climate change and supply chain risks

Sentiment in the U.S. and other parts of the world will no doubt vary somewhat, but these findings demonstrate that drought risk management and other extreme weather concerns are recognized as more significant supply chain risks than they would have been a few years ago.

Another recently published Gartner survey found that just 11% of 320 supply chain leaders “do not consider climate change as a future risk”.

Just over a quarter (27%) said they had conducted a climate change risk assessment and identified their most critical supply chain risks.
Just under a fifth (18%) had conducted risk assessments and scenario planning around climate change.
Almost half (44%) said they had “a general sense of potential future climate risks based on events from the last three years”.

This last finding is a little concerning, given the extremely hot and dry conditions afflicting so many countries in recent months.

The lesson must surely be that the risk of drought risk management – along with other disruptive weather considerations – is no longer as predictable and as confined to certain areas of the world as it used to be. The future is going to look different than the past, so relying solely on historical patterns is dangerous.

Instead, companies are going to need to model climate change-related supply chain risks much more diligently than they have previously when deciding where to build new manufacturing and distribution facilities, and when making critical supplier selection decisions.

To learn about how the Interos platform can help to protect your supply chain from drought risks and other potential impacts of climate change, visit interos.ai.