Business lessons learned from the Colonial Pipeline attack

• According to IBM's X-Force Threat Intelligence Index 2021 research, the energy industry has risen from 9th position in 2019 to 3rd spot in 2020 among industries most frequently facing cyber-attacks.
• In May 2021, the Colonial Pipeline was the target of a ransomware assault. It infected the pipeline's digital systems, causing it to go offline for several days.
• Colonial Pipeline paid DarkSide a $4.4 million (USD) ransom for the decryption keys to open their systems.

The Colonial Pipeline is among the US's largest and most important oil pipelines. In May 2021, it was the target of a ransomware assault. It infected the pipeline's digital systems, causing it to go offline for several days. Consumers and airlines on the East Coast were affected by the shutdown.


Because the pipeline transports oil from refineries to industrial markets, the intrusion was declared a national security danger. Experts confirmed that the attackers gained access to the Colonial Pipeline network through an unsecured password for a VPN account.


Many businesses utilize a virtual private network (VPN) to enable secure, encrypted, remote access to their corporate network. So, the risk is huge and needs attention!

The lessons learned

1. OT and IT network convergence creates additional risk.

Colonial's decision to shut down its whole pipeline system – for the first time in its history – was based on a lack of knowledge about who was attacking, what their motivations were, or how the attack may harm its operational technology (OT) infrastructure. The lack of complete insight into OT network operations and integrations resulted in a considerably more serious problem than a "simple" compromise of back-office systems.

Maintaining a separation between OT and information technology (IT) networks, except where absolutely necessary, and rigorously controlling and monitoring them can help to reduce risk.

2. A successful breach breeds other hacking efforts

The attack on the Colonial Pipeline had repercussions, as phishing attacks on other energy companies rose shortly after the incident. One effort sent a notice to Microsoft 365 subscribers ostensibly from their IT help desk, urging them to install a ransomware system update to escape the same fate as Colonial Pipeline.

Of course, the download was designed to infect the target computers with malware. In other cases, spear-phishing assaults and robo-filled "Contact Us" forms containing phony threats purporting to be from DarkSide became more common, primarily targeting the energy and food sectors.

In many incidents, the alleged threat actor claims to have successfully penetrated the target's network, obtaining access to critical data that will be made public unless a ransom of 100 bitcoins is paid.

3. Successful breaches carry a variety of costs

Colonial Pipeline is famous for paying DarkSide a $4.4 million (USD) ransom for the decryption keys to open their systems.


Despite the fact that DarkSide expressed regret and the FBI recovered 63.7 bitcoins out of 75 given out, the threat actors got off with hundreds of thousands of dollars in extorted monies.


But that's just the beginning. Colonial Pipeline had to rebuild its billing systems for weeks before they could again start the billing for oil distribution.

4. The importance of system monitoring

Before releasing their ransom demands, the hackers initiated their attack in the wee morning of May 7, exfiltrating 100GB of data and encrypting back-office systems.


The first breach, however, was alleged to have occurred on April 29 and over a week earlier. This follows a common threat actor pattern of gaining access to the system, then conducting stealth reconnaissance while building the basis for a large-scale attack.


SIEM (security information and event management) solutions, when combined with threat intelligence, identification, and monitoring, can assist in detecting unusual activity that may indicate the beginning stages of an assault before the real trouble begins.

5. The importance of IT governance

Not only was the breach made possible by this out-of-date but still functional section of the network, but access was also allowed by a single user ID/password combination, according to reports.


Access to the IT infrastructure of the United States' largest refined oil pipeline system does not need multi-factor authentication (MFA). Colonial shut down the traditional VPN after the intrusion and added additional layers of security as a result. The organization's danger surface and risk of a data breach would have been lowered in the first place if formal, established procedures for dismantling and closing down access points, outmoded equipment, and networks had been in place. MFA should be regarded as a baseline need for remote access.


The danger to the oil and gas industry, as well as the entire energy sector, is serious and growing. The threat actors vary from sophisticated, government-sponsored attackers attempting to inflict societal and financial havoc to smaller hacktivist groups seeking to protest energy projects or advancements.


According to IBM's X-Force Threat Intelligence Index 2021 research, the energy industry has risen from 9th position in 2019 to 3rd spot in 2020 among industries most frequently attacked by cyber-attacks.


According to the analysis, the energy sector would experience the second-highest rate of data theft of any sector in 2020, accounting for more than one-fifth of all breaches. So, it's a must to seriously incorporate these lessons!