Colonial Pipeline Incident - When an IT Attack Shuts Down an Entire Pipeline
DarkSide attack on Colonial Pipeline (2021) - MES/billing system loss, 6-day fuel crisis, and TSA regulations that changed the industry.
Józef Sulwiński
On May 7, 2021, Colonial Pipeline - the operator of a pipeline transporting 2.5 million barrels of fuel per day along the US East Coast - made the decision to shut down its entire transmission infrastructure. Not because attackers had seized control of pumps or valves. Not because ransomware had reached the industrial control systems. The pipeline was shut down because the operator lost the ability to measure and account for the fuel being transported.
This distinction is critical to understanding this incident - and to drawing the right lessons from it.
WARNING
Colonial Pipeline is the most frequently misinterpreted OT incident. The control systems (pumps, valves, SCADA) were not attacked. It was the loss of the MES/billing system - an IT system supporting operations - that forced the decision to shut down the pipeline. This difference has fundamental implications for security planning.
Attack Timeline
| Date | Event |
|---|---|
| April 29, 2021 | Earliest traces of attacker presence - access via an inactive VPN account without MFA |
| April 29 - May 7 | Reconnaissance, privilege escalation, exfiltration of approximately 100 GB of data |
| May 7, morning | DarkSide ransomware encrypts IT systems; ransom demand displayed on screen |
| May 7, afternoon | Decision to preemptively shut down the pipeline |
| May 8-12 | Six-day fuel crisis, panic at gas stations, state of emergency declared in several states |
| May 8 | Ransom payment: 75 BTC (approximately $4.4 million) |
| May 13 | Gradual resumption of pipeline operations |
| June 7 | FBI recovers 63.7 BTC by tracing cryptocurrency wallets |
Why the Pipeline Was Shut Down - the MES and Billing System
This is the most important aspect of this incident, and one that is often misinterpreted.
The attack encrypted Colonial Pipeline’s IT systems, including a Manufacturing Execution System (MES) responsible for:
- Fuel flow measurement - how much fuel flows through the pipeline
- Customer billing - to whom and how much fuel was delivered
- Invoicing - generating billing documents
Without a functioning MES/billing system, the operator was unable to:
- Verify how much fuel was being transported
- Determine to whom it was being delivered
- Issue invoices and settle accounts with customers
- Confirm the integrity of measurement data
There is no evidence that the attackers penetrated the operational technology (OT) network. The control systems - pumps, valves, SCADA systems - could technically have continued operating. It was a business decision by the operator, made under conditions of lost visibility into processes, that led to the six-day crisis.
This underscores why collaboration between IT and OT teams, and a shared understanding of system dependencies, are so critical.
DarkSide - Business Model
The attack was carried out by the DarkSide group, active since August 2020. Key facts:
| Aspect | Details |
|---|---|
| Model | Ransomware-as-a-Service (RaaS) |
| Origin | Likely Russia (the malware skipped systems with language settings from former Soviet republics) |
| Revenue split | 75-90% for the affiliate (depending on ransom amount) |
| Tactic | Double extortion - data theft + encryption |
| Ransom | 75 BTC (approximately $4.4 million at the time of payment) |
| Recovery | FBI recovered 63.7 BTC by tracing cryptocurrency wallets |
DarkSide presented itself as “ethical criminals” - declaring it would not attack hospitals, schools, or non-profit organizations. The consequences of the Colonial Pipeline attack - panic at gas stations, threats to millions of people - evidently did not fall into that category.
After the incident, the group “retired,” only to reappear as BlackMatter, and later BlackCat/ALPHV. More on the rebranding strategy of ransomware groups in our ransomware trends analysis.
TSA Regulations - a Direct Consequence of the Incident
Before the Colonial Pipeline attack, there were no mandatory cybersecurity regulations for the pipeline sector in the United States. The Transportation Security Administration (TSA) had relied exclusively on voluntary guidelines for a decade. The incident changed that.
| Regulation | Date | Key Requirements |
|---|---|---|
| Security Directive Pipeline-2021-01 | May 2021 | Incident reporting to CISA within 12 hours, designation of a cybersecurity coordinator |
| Security Directive Pipeline-2021-02 | July 2021 | Incident response plan, cybersecurity architecture assessment |
| SD Pipeline-2021-01D (ratification) | June 2024 | Formalization of requirements, effective until May 2025 |
| SD Pipeline-2021-02E (ratification) | August 2024 | Update of technical requirements |
| NPRM (Notice of Proposed Rulemaking) | November 2024 | Proposal for permanent regulations based on NIST CSF and CISA CPG |
TIP
A GAO report from January 2024 found that TSA directives are not fully aligned with ransomware protection best practices. TSA has not developed metrics for measuring the effectiveness of its regulations, nor has it conducted a cybersecurity risk assessment for the entire pipeline sector in the context of internet-connected devices.
Lessons for Critical Infrastructure Operators
1. OT Dependence on IT Systems Is Real
Even when control systems are physically separated from the IT network, business processes (billing, logistics, reporting) can be so tightly coupled with IT systems that their loss forces operations to halt.
2. MFA on Every Remote Access Point
The attack vector - an inactive VPN account without MFA - is a scenario that can be eliminated with simple measures. Every remote access point must be protected with multi-factor authentication (MFA). More on securing remote access to ICS.
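The review the lesson calls for, as an added example that is not part of the original article: a check over an account export from a remote-access gateway that flags enabled accounts with no MFA enrolment or with no recent (or any) login. The export format and the account data are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export (assumption: not real data). Columns mirror what a
# typical VPN appliance or identity provider can export; "never" as last_login is
# included on purpose because never-used accounts are the easiest to overlook.
VPN_EXPORT = """username,enabled,mfa_enrolled,last_login
j.kowalski,true,true,2021-04-28
contractor.old,true,false,2020-11-03
svc-backup,true,false,never
a.nowak,true,true,2021-01-15
m.wisniewski,false,false,2019-06-30
"""


def audit_vpn_accounts(export_text, today_iso, max_idle_days=90):
    """Return [(username, [reasons])] for enabled accounts that break the
    'MFA on every remote access point' rule or have gone dormant.

    Disabled accounts are skipped: the risk comes from accounts that still
    authenticate. Dormant accounts should be disabled, not merely reported."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue
        reasons = []
        if row["mfa_enrolled"].strip().lower() != "true":
            reasons.append("no MFA enrolled")
        last = row["last_login"].strip().lower()
        if last == "never":
            reasons.append("never used")
        else:
            idle_days = (today - date.fromisoformat(last)).days
            if idle_days > max_idle_days:
                reasons.append(f"idle for {idle_days} days (> {max_idle_days})")
        if reasons:
            findings.append((row["username"], reasons))
    return findings


if __name__ == "__main__":
    # Run the audit as of the day the attackers first appeared in the timeline.
    for user, reasons in audit_vpn_accounts(VPN_EXPORT, "2021-04-29"):
        print(f"{user}: {', '.join(reasons)}")
```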
3. Visibility and Segmentation
An organization must understand the dependencies between IT and OT systems. Which IT systems, if taken offline, would make it impossible to continue operations? This analysis should be part of the risk assessment. Practical guidance in the article on Defense in Depth in DCS.
4. Business Continuity Plans
Colonial Pipeline had no prepared plan for the scenario “IT systems are down, but OT is still running.” Procedures for the loss of billing and measurement systems should exist and be regularly tested.
Checklist for Critical Infrastructure Operators
- Asset inventory of all remote access points (VPN, RDP, web access)
- MFA on every remote access point - no exceptions
- Identification of IT systems critical to OT operations (MES, billing, ERP)
- Operational procedures for the loss of IT systems
- Network segmentation between IT and OT with a dedicated DMZ
- Regular reviews of inactive accounts and permissions
- Monitoring of lateral movement within the network
- Backups of critical systems with rapid recovery capability
- Incident response exercises including ransomware scenarios
- Collaboration with regulators and CERT for incident reporting
- IT-OT dependency mapping (which IT systems must be operational for OT operations to continue?)
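The IT-OT dependency mapping asked for in Lesson 3 and in the last checklist item, as an added example that is not part of the original article. It models a small asset inventory as a dependency graph and answers "which single system failure halts fuel transmission?", treating a documented manual fallback as keeping a capability available. The asset model is constructed for illustration and is not Colonial Pipeline's real architecture.

```python
# Constructed asset model (assumption: illustrative, not Colonial's real architecture).
# name: (zone, capabilities provided, systems depended on, manual fallback or None)
SYSTEMS = {
    "scada":            ("OT", {"pump_valve_control"}, set(), None),
    "flow_meters":      ("OT", {"flow_measurement"}, set(), None),
    "active_directory": ("IT", set(), set(), None),
    "mes":              ("IT", {"fuel_accounting"}, {"flow_meters", "active_directory"}, None),
    "billing":          ("IT", {"customer_billing"}, {"mes", "active_directory"}, None),
    "erp":              ("IT", {"invoicing"}, {"billing"}, "invoice later from billing records"),
    "historian":        ("IT", {"reporting"}, {"scada"}, "export trends from SCADA locally"),
}

# Capabilities the business needs to keep fuel moving: safe control AND accountable flow.
REQUIRED_FOR_TRANSMISSION = {"pump_valve_control", "flow_measurement", "fuel_accounting", "customer_billing"}


def systems_down(lost, systems=SYSTEMS):
    """Transitive closure: a system is down if it, or anything it depends on, is down."""
    down = {lost}
    changed = True
    while changed:
        changed = False
        for name, (_zone, _provides, depends_on, _fallback) in systems.items():
            if name not in down and depends_on & down:
                down.add(name)
                changed = True
    return down


def lost_capabilities(lost, systems=SYSTEMS):
    """Capabilities nobody can deliver once `lost` fails."""
    # A down system with a manual fallback still delivers its capabilities (degraded).
    down = systems_down(lost, systems)
    available = set()
    for name, (_zone, provides, _deps, fallback) in systems.items():
        if name not in down or fallback:
            available |= provides
    every = {cap for (_z, provides, _d, _f) in systems.values() for cap in provides}
    return every - available


def halting_systems(required=REQUIRED_FOR_TRANSMISSION, systems=SYSTEMS):
    """Single points of failure: {system: (zone, sorted missing required capabilities)}."""
    result = {}
    for name, (zone, _p, _d, _f) in systems.items():
        missing = lost_capabilities(name, systems) & required
        if missing:
            result[name] = (zone, sorted(missing))
    return result
```

With this model three IT systems (MES, billing, the directory they authenticate against) halt transmission even though SCADA is untouched; adding a manual billing procedure to the model removes billing from the list, but MES still halts it because nothing else can account for the fuel.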
Summary
The Colonial Pipeline incident is a reminder that in modern critical infrastructure, the boundary between IT and OT is fluid. An attack that technically did not touch the control systems paralyzed the entire operation by taking out supporting systems - billing, measurement, and logistics. The TSA regulations that emerged as a direct response to this incident formalize cybersecurity requirements for the pipeline sector - but their effectiveness still requires verification.
Effective protection requires understanding these dependencies and preparing procedures for scenarios that go beyond traditional OT cybersecurity frameworks. SEQRED helps critical infrastructure operators identify IT-OT dependencies, implement network segmentation, and test incident response procedures.
Sources:
- CISA - The Attack on Colonial Pipeline: Lessons Learned
- GAO-25-107947 - TSA Is Taking Steps to Enhance Cybersecurity
- Industrial Cyber - TSA Pipeline Security Directives and 2024 NPRM
- Federal Register - Ratification of Security Directives (2025)
- DNV - US Pipeline Operators Face Compliance
- Georgetown Law - Cybersecurity Policy Responses to Colonial Pipeline