Colonial Pipeline Cyber Attack: Lessons Learned

  • Dec 10, 2021, 12:58:19 PM
Ransomware attack on Colonial Pipeline caused a significant disruption and here are major lessons...

As you may know the DarkSide ransomware attack on the Colonial Pipeline caused a significant disruption to key infrastructure in the United States. 

Here are some major lessons we can learn from this breach: 

  • Legacy access points must be decommissioned, and MFA is a basic necessity

According to the company’s CEO, Joseph Blount, the attacker exploited a legacy virtual private network (VPN) profile that was not intended to be in use. Not only were the bad actors able to reach this obsolete but still operational part of the network, but access was granted by a single ID/password combination. Surprisingly, no multi-factor authentication (MFA) was required to access the IT infrastructure of the largest refined-oil pipeline system in the United States. A robust GRC framework that defines standard procedures for decommissioning access points, obsolete equipment and networks, and for shutting down their access, would have reduced the organization’s threat surface and its risk of a data breach in the first place. MFA must also be treated as a basic necessity for secure remote access. 

  • Constant monitoring is essential

Based on the evidence, the attack was launched in the early hours of May 7, 2021: the attackers exfiltrated some 100GB of data and encrypted back-office systems before issuing their ransom demand. However, the initial breach reportedly occurred on April 29, more than a week earlier. A strong detection solution would have been able to pick up the anomalous activity of that first week, which signals the early stages of an attack, and raise the alarm before real trouble started.
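As an added illustration of the monitoring lesson (example code, not from the original article or from Colonial Pipeline), the following Python sketch runs three simple detection rules over a constructed VPN log: a login on a profile listed in an assumed decommissioned-access inventory, a login without MFA, and cumulative outbound volume above an assumed per-account threshold. The log lines, user names, profile names and threshold are all made up for the example.

```python
from collections import defaultdict

# Constructed sample VPN/session log (not real Colonial Pipeline data).
# Fields: date, event, user, vpn_profile, mfa_used, bytes_out
SAMPLE_LOG = """\
2021-04-29,login,jdoe,legacy-vpn-2016,no,0
2021-04-29,transfer,jdoe,legacy-vpn-2016,no,12000000000
2021-04-30,login,asmith,corp-vpn,yes,0
2021-04-30,transfer,asmith,corp-vpn,yes,450000000
2021-05-02,transfer,jdoe,legacy-vpn-2016,no,38000000000
2021-05-05,transfer,jdoe,legacy-vpn-2016,no,50000000000
"""
# Assumed inputs: the inventory of retired access points and an outbound
# volume that is abnormal for a single account within the monitored window.
DECOMMISSIONED_PROFILES = {"legacy-vpn-2016"}
EXFIL_THRESHOLD_BYTES = 20 * 10**9

def parse_log(text):
    """Parse the CSV-style log into dicts, preserving log order."""
    records = []
    for line in text.strip().splitlines():
        date, event, user, profile, mfa, nbytes = line.split(",")
        records.append({"date": date, "event": event, "user": user,
                        "profile": profile, "mfa": mfa == "yes",
                        "bytes": int(nbytes)})
    return records

def detect(records):
    """Return (date, rule, user) alerts for the three rules described above."""
    alerts = []
    outbound = defaultdict(int)   # cumulative bytes sent per user
    volume_flagged = set()        # users already alerted on volume
    for r in records:
        if r["event"] == "login":
            if r["profile"] in DECOMMISSIONED_PROFILES:
                alerts.append((r["date"], "decommissioned_profile_login", r["user"]))
            if not r["mfa"]:
                alerts.append((r["date"], "login_without_mfa", r["user"]))
        elif r["event"] == "transfer":
            outbound[r["user"]] += r["bytes"]
            if (outbound[r["user"]] > EXFIL_THRESHOLD_BYTES
                    and r["user"] not in volume_flagged):
                volume_flagged.add(r["user"])
                alerts.append((r["date"], "outbound_volume_exceeded", r["user"]))
    return alerts

if __name__ == "__main__":
    for date, rule, user in detect(parse_log(SAMPLE_LOG)):
        print(f"{date}  {rule:<30} {user}")
```

On the constructed log, the first alert fires on the day of the initial login, eight days before the May 7 encryption event, which is the window the paragraph says a monitoring solution should exploit.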

  • The convergence of OT and IT networks creates additional risks

Nowadays, organisations depend heavily on both operational technology (OT) and information technology (IT) networks. As the interdependencies between these traditionally separate systems continue to grow, so do the cyber risk levels. Colonial’s decision to shut down its entire pipeline system – for the first time in its history – stemmed from not knowing who was attacking, what their motives were, or how the attack could affect its OT infrastructure. 
As integration progresses, it is essential to build cybersecurity and cyber audit practices into both environments from day one and to run resilience assessments continually to manage the cyber risk. It is also important to develop the policies and procedures needed to strengthen cybersecurity resilience across OT and IT. In addition, a zero-trust architecture is critical to increasing resilience against any cyber-attack. 

  • A successful breach can cause a variety of costs

Apparently, Colonial Pipeline paid a $4.4 million (USD) ransom to DarkSide for the decryption keys, more than half of which was later recovered by the FBI. Nevertheless, the threat actors still made off with hundreds of thousands of dollars in extorted funds. But that is just the tip of the iceberg. As the President of Colonial Pipeline acknowledged, it will take months and “tens of millions of dollars” to fully repair the damage and restore its business systems. The significant reputational damage is a further cost that cannot easily be quantified. 

In conclusion, the ransomware threat to organisations is real and growing. The threat actors range from sophisticated, government-sponsored attackers looking to cause social and financial chaos to smaller hacktivist groups seeking to show opposition to energy projects or developments. To prepare for such an event, contact us and we will be happy to provide you with the right advice and tools.