Assessing & Optimizing Cyber Risk with Bayesian Networks: The Colonial Pipeline Case

Presented at the 2024 BayesiaLab Conference in Cincinnati on April 12, 2024.

Abstract

On May 7, 2021, DarkSide hackers exploited a leaked Colonial Pipeline Corporation (CPC) password, breaching a dormant VPN to infiltrate CPC’s IT system. Lacking a contingency plan, CPC entirely shuttered its pipelines, which at the time carried 45 percent of all jet fuel and gasoline consumed on the East Coast of the United States. This ransomware hack showcased stereotypical weaknesses in cybersecurity modeling, controls, and compliance monitoring and revealed the company's failure to create a response playbook or contingency plan, as required by U.S. Department of Transportation regulations. This presentation illustrates the use of Bayesian networks and influence diagrams for cybersecurity risk modeling, assessment, ranking, and management and suggests how their use might have prevented the Colonial Pipeline hack and/or mitigated its consequences to the company and other stakeholders.

About the Presenter

Kurt Schulzke, JD, CPA, CFE, is a Professor of Accounting & Law at the University of North Georgia. His teaching, research, and consulting thrive at the intersection of data science, accounting, law, and risk management. He has published in the Columbia Journal of Transnational Law, Vanderbilt Journal of Transnational Law, Tennessee Journal of Business Law, Journal of Forensic Accounting Research, and The Value Examiner. MAcc (Brigham Young University), J.D. (Georgia State University), M.S. Applied Statistics (Kennesaw State University).

Copyright © 2024 Bayesia S.A.S., Bayesia USA, LLC, and Bayesia Singapore Pte. Ltd. All Rights Reserved.