Comment
May 12, 2022

One year on: Lessons from the Colonial Pipeline cyberattack

It is a year since the world of critical national infrastructure suffered one of its biggest jolts: a ransomware attack on the Colonial Pipeline, the largest pipeline system for refined oil products in the US.

The attack forced the company to take its 5,500-mile network offline to ensure that the malware could not spread from corporate IT systems into the operational technology (OT) systems that manage the flow and distribution of fuel through its pipelines. This led to the shutdown of a major refinery, forced airlines to rethink their fuelling arrangements, and caused hundreds of filling stations to run out of gasoline and diesel supplies.

At the same time, Colonial Pipeline was also having to deal with the implications of the ransomware attack, paying a $4.4 million ransom to the hackers, an affiliate of the Russia-linked DarkSide cybercrime group.

This week, the US Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) found management failings at Colonial Pipeline, resulting in a possible $986,000 civil penalty for failing to adequately plan and prepare for a manual restart and shutdown operation, which contributed to the national impacts following the cyberattack.

What lessons have been learned since the Colonial Pipeline attack?

The Colonial Pipeline attack was more than a wake-up call to critical national infrastructure in the US and around the world. It was a sharp dig to the ribs that highlights the threat of a cyberattack bridging the traditional corporate information technology systems and the operational technology systems that control industrial equipment.

The Colonial Pipeline cyberattack exposed the soft underbelly of US critical infrastructure, which soon got the White House’s attention and led to tighter rules on breach notification. What became crystal clear was how a single, well-targeted cyberattack can create chaos and cause devastating impacts on government, business, and the public.

The Colonial Pipeline attack was one of the highest-profile examples of how compromised credentials can be used to exploit what was previously believed to be secure infrastructure.

Although there have been signs of greater awareness—not least in the case of the White House and US government agencies after the attack—there are still many companies who will rely on the hopeful (but fatal) defense: ‘it won’t happen to me’.

Perhaps the biggest lesson learned is that critical infrastructure owners and operators must assume that experiencing an attack is inevitable and understand that the ability to recover quickly is critical to both the safety of operations and, ultimately, the financial stability of the business.

The impact of the Russo-Ukrainian conflict

The Russo-Ukrainian conflict may so far have seen fewer examples of cyber warfare than had been expected, but the ramping up of rhetoric—as the West provides military support for Ukraine—could herald future cyberattacks on Western nations.

The Colonial Pipeline attack undoubtedly exposed weaknesses in the US’s critical infrastructure that could be exploited. Russia, for example, now knows that a single successful cyberattack like the one on Colonial Pipeline could have a dramatic impact on US fuel supplies.

At the same time, for cyberattackers, it is a case of whose feathers you dare ruffle. The shutting down of DarkSide’s ransomware infrastructure and the recovery of some of the ransom paid to the group is a clear lesson to ransomware attackers that they cannot operate without repercussions. That is good news—but the reality, as always, is that another major cyberattack is probably just around the corner.