Cyberwire Daily
Five Years On: Lessons Learned From the Colonial Pipeline Cyber-Attack

By Team-CWD, May 6, 2026

In May 2021, the largest refined petroleum pipeline in the US was brought down using a method that is still leveraged today: a single compromised credential on an old, unused VPN that lacked multifactor authentication.

No sophisticated exploit. No nation-state tradecraft. One password, one unlocked door, and then 5,500 miles of pipeline went dark. The incident, coming on the heels of the global pandemic, marked a turning point in public awareness of cyber-attacks on the private sector.
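The attack path described above, as an added example that is not part of the original article: a small Python audit over a constructed account inventory that flags the three conditions the opening paragraph names (an account still valid on a retired VPN gateway, no MFA enrolled, long unused). The gateway names, usernames, the 90-day dormancy window and the audit date are assumptions chosen for illustration.

```python
"""Audit a remote-access account inventory for the conditions that enabled the
Colonial Pipeline intrusion: an enabled account on a legacy VPN, no MFA, long unused.

Added example, not from the article. Inventory format, gateway names,
usernames, thresholds and the audit date are all constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class RemoteAccount:
    username: str
    gateway: str                 # remote-access gateway the account is valid on
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]   # None means the account has never logged in


# Constructed gateway register: True = sanctioned, False = decommissioned.
# "vpn-legacy" models the old, unused VPN whose accounts were never removed.
GATEWAYS_IN_SERVICE: Dict[str, bool] = {
    "vpn-legacy": False,
    "vpn-prod": True,
}

DORMANT_AFTER_DAYS = 90          # assumed policy: unused for 90 days = dormant
AUDIT_DATE = date(2021, 5, 7)    # constructed reference date for the sample

# Constructed sample inventory.
SAMPLE_ACCOUNTS: List[RemoteAccount] = [
    RemoteAccount("contractor7", "vpn-legacy", True, False, date(2021, 1, 5)),
    RemoteAccount("ops-jsmith", "vpn-prod", True, True, date(2021, 5, 6)),
    RemoteAccount("svc-backup", "vpn-prod", True, False, date(2021, 5, 1)),
    RemoteAccount("former-emp", "vpn-legacy", False, False, date(2020, 3, 1)),
    RemoteAccount("new-hire", "vpn-prod", True, True, None),
]

# Finding codes, one per control.
RETIRED_GATEWAY = "RETIRED_GATEWAY"
NO_MFA = "NO_MFA"
DORMANT = "DORMANT"
ALL_CODES = {RETIRED_GATEWAY, NO_MFA, DORMANT}


def audit_remote_access(accounts: List[RemoteAccount],
                        gateways: Dict[str, bool],
                        today: date,
                        dormant_after_days: int = DORMANT_AFTER_DAYS
                        ) -> List[Tuple[str, str]]:
    """Return (username, finding_code) pairs, one per violated control.

    Controls checked for every enabled account:
      RETIRED_GATEWAY  account is valid on a gateway no longer in service
                       (or on a gateway missing from the register entirely)
      NO_MFA           account is not enrolled in multifactor authentication
      DORMANT          no login within the dormancy window; an account that has
                       never logged in is treated as dormant as well
    Disabled accounts are skipped: they cannot be used to authenticate.
    """
    findings: List[Tuple[str, str]] = []
    cutoff = today - timedelta(days=dormant_after_days)
    for acct in accounts:
        if not acct.enabled:
            continue
        if not gateways.get(acct.gateway, False):
            findings.append((acct.username, RETIRED_GATEWAY))
        if not acct.mfa_enrolled:
            findings.append((acct.username, NO_MFA))
        if acct.last_login is None or acct.last_login < cutoff:
            findings.append((acct.username, DORMANT))
    return findings


def highest_risk(findings: List[Tuple[str, str]]) -> List[str]:
    """Usernames that fail every control: the exact profile of the credential
    used against Colonial. Sorted for stable output."""
    codes_by_user: Dict[str, set] = {}
    for user, code in findings:
        codes_by_user.setdefault(user, set()).add(code)
    return sorted(u for u, codes in codes_by_user.items() if codes == ALL_CODES)


if __name__ == "__main__":
    results = audit_remote_access(SAMPLE_ACCOUNTS, GATEWAYS_IN_SERVICE, AUDIT_DATE)
    for user, code in results:
        print(f"{user:<12} {code}")
    print("remove or disable first:", highest_risk(results))
```

In a real environment the inventory would be exported from the identity provider and the VPN appliance rather than typed in; the value of the audit is the join between the two, since the account that opened the door at Colonial was, in isolation, just another valid login.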

Five years later, the Colonial Pipeline ransomware attack remains the clearest blueprint for what a ransomware strike on critical infrastructure looks like. Colonial faced a business continuity crisis, a reputational crisis, a supply chain crisis, and a public safety event all at once.

As the first-ever senior executive regional director for CISA Region 4, I coordinated the government’s effort across eight southeastern states. What I saw then, and in the years since, is that most organizations still lack the resilience maturity required to withstand cyber-attacks. And the threat has only grown more sophisticated since.

The Decisions That Matter

At the time of the attack, Colonial did not have a CISO. But its CIO, who had spent years in operational security at a major energy company, made two decisions early in the crisis that shaped the response.

First, she focused on mitigating the highest risk: human safety. A breach of infrastructure carrying 45% of the East Coast’s fuel supply could mean explosions, spills and casualties. She shut the pipeline down.

Second, she engaged the federal partner she knew, not the one she was supposed to call. The Department of Transportation was technically the sector-specific agency for pipelines. But Colonial had a trust-based relationship with the Department of Energy.

In a crisis, trust moves faster than protocol. Security professionals place immense value on personal, known connections. Forcing new relationships under fire costs precious time and increases the risk of mistakes due to lack of context.

The calculus is straightforward: the faster a victim coordinates with the government and other responders through trusted channels, the higher the probability of protecting employee safety, recovering the ransom, prosecuting the attackers, and restoring operations quickly.

I had worked for different federal agencies for 17 years by that time and urged the path of trusted and efficient communication. I also urged the multiple stakeholder agencies to coordinate in the background, with one primary relationship working directly with Colonial, to minimize bureaucratic noise during the response.

Colonial’s effective government relationships also facilitated a smooth interface with the FBI, enabling the Bureau to trace and seize $2.3m of the ransom before it moved beyond reach.

Even with quick, decisive action, the crisis had dimensions no company could fully control. Within days of the pipeline shutdown, gas stations across the Eastern Seaboard were running dry. Lines of cars waiting for a pump stretched around the block. For ordinary Americans, Colonial Pipeline wasn’t a cybersecurity story. It was the reason they couldn’t fill their tank.

The group behind the attack, DarkSide, was not a typical criminal gang. It operated with an affiliate licensing model and a PR apparatus. When the attack drew more attention than it wanted, it responded with corporate-style, damage-control messaging on dark web forums. At the time, that level of professionalization shocked observers. Five years later, it is the baseline.

What Sound Cybersecurity Strategy Looks Like

Colonial Pipeline avoided a catastrophe in large part because of one woman’s wise judgment. In the five years since the attack, I have reflected on how the security community has evolved, and how we can get better at our tradecraft.

Three lessons from the Colonial Pipeline incident stand out:

  • The CISO must have a direct line with the CEO. Having to pass critical information through the CIO, General Counsel, or other intermediaries can cause critical context to be lost and delay action.

  • Boards should include at least one member with operational cybersecurity experience. They could be from the military, the intelligence community, or senior private-sector security leadership. When high-stakes decisions must be made quickly, someone in that room needs to understand the language and culture of cybersecurity.

  • Boards should probe security risks deeply. Too often, the default is “Are we secure?” Instead, boards should examine who specifically would want to attack their network and for what reason – financial gain, information, or to create havoc? Board members should understand their top risks in order of priority and be able to weigh the proper mitigation strategies.

And let’s not forget to focus on resilience. Focus on the people, processes, and tools that allow post-incident recovery to succeed. Progress is being made through information sharing, vigorous red-teaming and other exercises, and a maturing private sector security community.

Five years later, I continue to urge a ‘resilience focus’ with boards and CISOs, as I did in the aftermath of Colonial.

I have a vision that one day, threat actors will breach a network, look around, and become so confused and dismayed that they exit the victim’s premises. Attackers will decide “the juice is not worth the squeeze.” I have seen glimmers of this scenario, and it gives me great joy.