
Colonial Pipeline: 2021 Hindsight and 2026 Insights

Five years after Colonial Pipeline, critical infrastructure still faces ransomware threats and OT security gaps.

Jun 23, 2026

The Colonial Pipeline ransomware attack is proof that hindsight is not always 20/20. Five years after the fact, ransomware remains a threat, and organizations still struggle to secure operational technology (OT) environments.

In 2021, a ransomware attack caused Colonial Pipeline to halt operations for nearly a week, resulting in a gas crisis along the East Coast of the United States. 

The shutdown served as a catalyst for industry regulation and a proof of concept for threat actors, who realized the potential to gridlock infrastructure with destructive cyberattacks.

Reflecting on the five-year anniversary of the Colonial Pipeline attack, there are many lessons to be learned. 

However, the steady drumbeat of ransomware attacks and nation-state threats suggests that organizations have been slow to integrate these lessons.

To help bridge the gap, the security industry has operationalized these lessons into frameworks, such as the SANS Institute’s Five ICS Cybersecurity Critical Controls.

The majority of these controls, such as network visibility and monitoring, map to the continuous threat and exposure management (CTEM) framework.

Key Takeaways of the Colonial Pipeline Attack

  • Colonial Pipeline shut down OT operations due to limited visibility into the scope of a ransomware attack on IT systems.
  • Ransomware and nation-state threats continue to expose weaknesses in critical infrastructure security.
  • Network visibility, segmentation, and secure remote access remain essential OT security controls.
  • Post-breach TSA directives now require monitoring, incident reporting, and IT/OT segmentation.
  • Organizations must operationalize CTEM and zero trust rather than simply adopting frameworks.

The Dark Side of Operational Technology

DarkSide, a financially motivated cybercrime group, breached Colonial Pipeline using compromised credentials for a VPN account that lacked multi-factor authentication, then deployed ransomware and extracted a ransom of 75 bitcoin (~$4.4 million at the time).

Notably, DarkSide’s intrusion into Colonial Pipeline’s network was limited to its IT systems, but Colonial Pipeline shut down its OT systems because it lacked visibility into the attack.

The Cybersecurity and Infrastructure Security Agency (CISA) notes the unique challenges of securing OT environments: “The blanket application of traditional IT-focused [zero trust] capabilities to OT is neither reasonable nor feasible…”

In its recent guidance, CISA recommends “organizations should prioritize safety and operational continuity above all else,” but cultural differences between plant engineers and enterprise security teams make it challenging to close these gaps.

Threat actors have capitalized on this. In 2024, the ALPHV/BlackCat ransomware attack on Change Healthcare cost UnitedHealth Group $22 million in ransom and $872 million in “unfavorable cyberattack effects” in Q1 2024.

The lack of visibility into OT environments that defined the Colonial Pipeline attack remains a risk in the face of sophisticated state-sponsored threats, such as Volt Typhoon.

According to CISA, Volt Typhoon is “targeting OT systems to compromise, escalate, and maintain access within operational environments.”


The Breach to Compliance Pipeline

The Colonial Pipeline breach led to significant cybersecurity regulation in the transportation industry. The Transportation Security Administration (TSA) is the Sector Risk Management Agency (SRMA) for pipelines.

In 2021, the TSA issued Security Directive (SD) Pipeline-2021-01 and SD Pipeline-2021-02. 

The current versions of these directives require owner-operators to designate a 24/7 Cybersecurity Coordinator, report cybersecurity incidents to CISA no later than 24 hours after detection, complete a Cybersecurity Implementation Plan, maintain a Cybersecurity Incident Response Plan, and conduct annual vulnerability assessments.

The 02-series of directives identifies required security outcomes: network segmentation between IT and OT, continuous monitoring, and a documented patching strategy. 

Similar to the SANS Institute’s Five ICS Cybersecurity Critical Controls, these directives also cleanly map to the CTEM framework.

Back to Basics – Five Critical Controls for ICS

A back-to-basics approach would have changed the outcome for Colonial Pipeline.

Consider the SANS Institute’s Five ICS Cybersecurity Critical Controls as a report card: an ICS-specific incident response plan, a defensible architecture (network segmentation), ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management.

Measured against that list, Colonial Pipeline failed at least three of them. 

Remote access was the entry point. A lack of network visibility and monitoring was the reason for the shutdown. The decision to halt operations suggests the absence of an ICS-specific incident response plan.

These controls are the baseline.


A Roadmap to CTEM

The Five ICS Cybersecurity Critical Controls define the capabilities of an OT program. 

CTEM charts a course that brings this work to life: scoping, discovery, prioritization, validation, and mobilization. 

Although these processes are presented as a linear flow, the reality is that they begin with visibility.

The phases of scoping, discovery, and prioritization are all closely connected. 

Scope defines what matters, but defining scope may first require discovering a comprehensive asset inventory and establishing the context that prioritization depends on.

You can’t protect what you don’t know exists, and you can’t prioritize without context.

Continuous network visibility and risk-based vulnerability management enable organizations to identify vulnerable devices and respond based on their business impact instead of their CVE score.
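To make the scoping, discovery and prioritization phases concrete, the following is an added example written for this edit; it is not code from the article, from SANS, from CISA or from any vendor. It ranks vulnerability findings across a constructed OT asset inventory by business impact and exposure rather than by CVSS alone, and it flags findings on hosts that the inventory does not know about, which is the discovery gap the text describes. The asset names, zones, criticality ratings, vulnerability IDs and scores are all hypothetical, and the exposure multipliers are an illustrative weighting, not a published standard.

```python
"""Risk-based prioritization of OT vulnerability findings (added example).

Ranks findings by business impact and exposure rather than by CVSS alone,
and flags findings on assets that the inventory does not contain.
All names and numbers below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str                # "it", "dmz" or "ot"
    criticality: int         # 1 (lab/test) .. 5 (safety- or production-critical)
    reachable_from_it: bool  # a network path exists from the IT zone to this asset
    remote_access: bool      # reachable through a VPN or remote-access gateway
    mfa: bool                # that remote access is protected by MFA


@dataclass(frozen=True)
class Finding:
    asset: str     # asset name the scanner reported
    vuln_id: str   # hypothetical identifier, not a real CVE
    cvss: float


# Constructed inventory (hypothetical hosts, zones and ratings).
ASSETS = [
    Asset("hmi-pump-station-3", "ot", 5, reachable_from_it=True, remote_access=False, mfa=True),
    Asset("historian-01", "dmz", 3, reachable_from_it=True, remote_access=False, mfa=True),
    Asset("vpn-gw-legacy", "it", 4, reachable_from_it=True, remote_access=True, mfa=False),
    Asset("lab-plc-bench", "ot", 1, reachable_from_it=False, remote_access=False, mfa=True),
    Asset("billing-db-01", "it", 4, reachable_from_it=True, remote_access=False, mfa=True),
]

# Constructed scanner output; VULN-0006 refers to a host missing from the inventory.
FINDINGS = [
    Finding("lab-plc-bench", "VULN-0001", 9.8),
    Finding("hmi-pump-station-3", "VULN-0002", 6.5),
    Finding("vpn-gw-legacy", "VULN-0003", 7.2),
    Finding("billing-db-01", "VULN-0004", 9.1),
    Finding("historian-01", "VULN-0005", 5.0),
    Finding("unknown-10.0.3.7", "VULN-0006", 4.0),
]


def exposure_multiplier(asset: Asset) -> float:
    """Illustrative weighting of how reachable the asset is to an intruder."""
    m = 1.0
    if asset.zone == "ot" and asset.reachable_from_it:
        m *= 1.5  # IT/OT segmentation gap: an IT compromise can reach OT
    if asset.remote_access and not asset.mfa:
        m *= 2.0  # remote access without MFA, the entry point in the Colonial case
    return m


def risk_score(finding: Finding, asset: Asset) -> float:
    """Business-impact-weighted score: severity x criticality x exposure."""
    return round(finding.cvss * asset.criticality * exposure_multiplier(asset), 2)


def rank_by_cvss_only(findings):
    """Baseline for comparison: vulnerability IDs ordered by CVSS alone."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def prioritize(findings, assets):
    """Return (ranked, unknown).

    ranked:  list of (vuln_id, asset_name, risk_score), highest risk first
    unknown: asset names in the findings that the inventory does not contain
    """
    inventory = {a.name: a for a in assets}
    ranked, unknown = [], []
    for f in findings:
        asset = inventory.get(f.asset)
        if asset is None:
            unknown.append(f.asset)  # discovery gap: no context, so no priority yet
            continue
        ranked.append((f.vuln_id, asset.name, risk_score(f, asset)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked, unknown


if __name__ == "__main__":
    ranked, unknown = prioritize(FINDINGS, ASSETS)
    print("CVSS-only order:", rank_by_cvss_only(FINDINGS))
    for vuln_id, name, score in ranked:
        print(f"{score:7.2f}  {vuln_id}  {name}")
    print("Not in inventory:", unknown)
```

On this constructed data the CVSS-only ordering puts the 9.8 finding on the isolated lab bench first, while the risk-based ordering puts the legacy VPN gateway without MFA and the IT-reachable pump-station HMI at the top and the lab bench last; the finding on the unknown host is reported separately because nothing can be prioritized for an asset that the inventory has not discovered.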

The next two phases require bridging the cultural gap between IT and OT. 

Validation simulates the attack and tests the response. Mobilization closes the loop on remediation. 

Both of these processes require collaboration and coordination.

Closely related to CTEM is zero trust, which organizations must likewise operationalize.

For the past five years, zero trust in OT has been seen as an aspiration. 

However, CISA’s recent guidance is the strongest evidence yet that this attitude is no longer tenable. Zero trust must be a budget line item with named owners and measurable milestones.

The lessons learned from Colonial Pipeline are not unknown. 

They are codified in TSA directives, the SANS controls, and CISA’s latest guidance. 

The gap that remains is one of execution: funding the visibility, exercising the response plans, and operationalizing the zero trust that those frameworks already prescribe.

Kam Chumley-Soltani

Managing Director of OT Security at Armis from ServiceNow
