
When the Hacker Pulls the Plug (on Essential Services)

by Greta Nasi - director of the MSc in Cyber risk strategy and corporate governance
The impact of a cyberattack can go far beyond the economic and infrastructural damage suffered by victims, if they are agents that generate services (and value) to the benefit of individuals, organizations and the rest of society. This is why a holistic and multilevel approach is needed to build decision-making models that reflect the complexity of the ecosystem.

A cyber-attack that affects critical infrastructure and disrupts essential services, such as electricity and telecommunication services, may significantly impact state security and citizens' well-being beyond the specific value of direct losses suffered, since the disruption of an essential service may generate cascading effects on related activities (Zio, E. & Sansavini, G., 2011).

To mitigate the effects of cyber-attacks on the disruption of essential services, the research community, policymakers, and operators have been focusing on the protection of the critical infrastructures underlying the services (Apt, J. et al. 2006). Several approaches, standards, and methodologies have been adopted to secure critical infrastructures' functioning, interdependencies, and reliability. However, what matters is the services those infrastructures provide and their value for the users who use these services. The current decision-making frameworks take a narrow perspective and must be integrated into a broader paradigm emphasizing inter-organizational, network-based, and cross-sectoral relationship governance.

Moreover, many of the contemporary approaches to cybersecurity have been derived conceptually from prior "computer security" research conducted in related science and technology fields rather than framed across the multiple policy domains that the disruption of essential service provision may interfere with. This has generated a "fatal flaw" in cybersecurity theory, which has viewed critical infrastructure protection as a security business continuity challenge rather than an essential service disruption challenge. One of the main gaps in research and risk management frameworks is that the disruption of essential services is, by and large, something other than computer security and its interruption. On the contrary, the value of essential services is in the use that they enable. In turn, computer network continuity represents a necessary yet not a sufficient condition to generate value in the context of essential services.

The Colonial Pipeline attack of May 2021 is an example of how the focus on the protection of critical infrastructure, however necessary, is not enough to ensure the safe and secure provision of essential services and greater individual and societal impact (Smith, S. 2022).
Colonial Pipeline is one of the largest oil pipeline companies in the United States. The company's decision to shut down its operations systems in response to a cyberattack on its information technology systems created ripple effects across the regional economy. It caused public panic, effects on other services (e.g., flight cancellations), and social distress, as consumers worried about continued access to gasoline. The Colonial Pipeline case shows how, due to the interconnectedness of essential services, hacks can disrupt not only the attacked organization, but also cause broader effects across other organizations, individuals, and society at large.

The safety and security of essential services cannot be understood and assessed only by identifying the vulnerabilities of the assets and infrastructures providing them, and modeling the risks from the associated hazards and threats. Lusch and Vargo (2014) argue that services have no intrinsic value: they are only a value promise. It is only when a service is used that stakeholders (e.g. customers, users, and other actors of the service provision) receive value (value-in-use). This usage occurs within service ecosystems, defined as relatively self-contained and self-adjusting systems of resource-integrating actors, processes and technologies, connected by shared institutional logics and mutual value creation through service exchange (Vargo & Lusch, 2014; Aarikka-Stenroos, L., & Ritala, P., 2017). The ecosystem perspective more accurately captures the reality of essential service delivery as it represents a foundational context of modeling decision-making for cybersecurity. The disruption of essential services due to a cyber-attack may impact the value across the entire ecosystem and, consequently, for all the dependent assets and services.

Therefore, we need to invest more in interdisciplinary research that accounts for multi-level analysis, and considers individual, organizational, ecosystemic and societal perspectives and their dynamic interplay to build decision-making models that capture the intricate dynamics and complexities of the ecosystem, providing a holistic understanding of the value at risk to support informed decision-making.