m@ksim.pro
Security 3 min read

Colonial Pipeline: when a cyberattack stops physical infrastructure

The May 2021 Colonial Pipeline attack showed that the boundary between IT security and operational security has disappeared.

In May 2021, Colonial Pipeline, the operator of the largest fuel pipeline in the United States, shut down operations for several days after a ransomware attack. Fuel ran short at stations along the East Coast. The company paid a ransom of around 4.4 million dollars. Some of the funds were later recovered by the FBI, but that is a detail.

What matters is this: the attack came through the corporate IT network, but it forced the company to halt operational infrastructure - the pipeline itself - because of uncertainty about how far the threat had spread. The physical infrastructure stopped not because it was directly compromised, but because the company could not assess where the boundary of the infection was.

What this means for infrastructure operators

Many manufacturing and infrastructure companies still think about security in two separate spaces: IT security covers office systems, operational security covers industrial control systems, and the two are assumed never to cross.

This model no longer works. Not because there are more attackers, but because operational technology - industrial controllers, SCADA systems, sensors - is increasingly connected to corporate networks and to the internet. Without that connectivity there is no telemetry, no remote control, no predictive maintenance. But it also means that OT systems are no longer isolated.

Where the boundary actually runs

In most companies I have worked with, the boundary between IT and OT exists on paper. In practice:

  • engineers connect laptops directly to industrial equipment for diagnostics;
  • remote access systems for OT use the same credentials as the corporate network;
  • software updates for controllers travel through the same channels as corporate traffic;
  • there is neither traffic monitoring between the networks nor a clear incident response process for OT.

Colonial Pipeline paid the price for not knowing where IT ended and OT began in the moment of crisis. Given that uncertainty, a shutdown was the only reasonable decision.

Practical questions for the manager

I am not going to describe how to build OT security correctly - that is work for specialists. But there are questions that every manager responsible for operations should be able to answer:

  1. Do we know which OT systems are connected to the corporate network and through which points?
  2. If the IT network were hit by ransomware today - what is our plan for the operational systems?
  3. Who makes the decision to stop the production process during a cyber incident, and does that person have the information needed to make that call?
  4. When were the access points to OT systems last reviewed - contractor remote access, diagnostic ports, integrations with corporate systems?
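Question 1 (which OT systems are reachable from the corporate network, and through which points) and the earlier observation that most companies have no traffic monitoring between the two networks both come down to the same piece of visibility. The script below is an added example, not code from the original post or from Colonial Pipeline: it reads flow records (a constructed sample is embedded), keeps only flows that cross from the corporate address range into the OT range, and splits them into documented conduits and crossings nobody has written down. The address plan, the approved-conduit list and the log format are all assumptions for this example.

```python
"""
Added example: enumerate IT-to-OT crossings from flow records.

Assumptions (all constructed for this example, not from the post):
- Corporate (IT) hosts live in 10.10.0.0/16, OT hosts in 192.168.100.0/24.
- Approved conduits are listed explicitly as (source, destination, port).
- Flow records are one per line: "timestamp src dst dport proto".
"""
import ipaddress
from collections import Counter

IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("192.168.100.0/24")]

# Documented IT->OT conduits (constructed): a historian pull through a DMZ proxy
# and a vendor jump host reaching an engineering workstation.
APPROVED_CONDUITS = {
    ("10.10.5.20", "192.168.100.10", 443),
    ("10.10.5.21", "192.168.100.50", 3389),
}

# Constructed flow log. Port 502 is Modbus/TCP, port 445 is SMB.
SAMPLE_FLOWS = """\
2021-05-07T02:11:09Z 10.10.5.20 192.168.100.10 443 tcp
2021-05-07T02:11:15Z 10.10.5.21 192.168.100.50 3389 tcp
2021-05-07T02:12:01Z 10.10.31.77 192.168.100.12 502 tcp
2021-05-07T02:12:03Z 10.10.31.77 192.168.100.12 502 tcp
2021-05-07T02:13:40Z 10.10.8.9 192.168.100.50 445 tcp
2021-05-07T02:14:02Z 10.10.8.9 8.8.8.8 53 udp
2021-05-07T02:15:11Z 192.168.100.12 192.168.100.13 502 tcp
"""


def in_nets(addr: str, nets) -> bool:
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def parse_flow(line: str):
    """Parse one record; return (ts, src, dst, dport, proto) or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        dport = int(dport)
    except ValueError:
        return None
    return ts, src, dst, dport, proto


def it_to_ot_flows(text: str):
    """Yield only the flows whose source is IT and whose destination is OT."""
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        _, src, dst, _, _ = flow
        if in_nets(src, IT_NETS) and in_nets(dst, OT_NETS):
            yield flow


def summarize_crossings(text: str) -> dict:
    """Group IT->OT flows into approved conduits and undocumented crossings."""
    approved, undocumented = Counter(), Counter()
    for _, src, dst, dport, _ in it_to_ot_flows(text):
        key = (src, dst, dport)
        (approved if key in APPROVED_CONDUITS else undocumented)[key] += 1
    ot_hosts = {dst for _, dst, _ in list(approved) + list(undocumented)}
    return {
        "approved": dict(approved),
        "undocumented": dict(undocumented),
        "ot_hosts_reached": ot_hosts,
    }


def report(text: str) -> list[str]:
    """Human-readable answer to 'which OT systems, through which points?'"""
    s = summarize_crossings(text)
    lines = [f"OT hosts reachable from IT: {len(s['ot_hosts_reached'])}"]
    for (src, dst, dport), n in sorted(s["approved"].items()):
        lines.append(f"approved     {src} -> {dst}:{dport}  ({n} flows)")
    for (src, dst, dport), n in sorted(s["undocumented"].items()):
        lines.append(f"UNDOCUMENTED {src} -> {dst}:{dport}  ({n} flows)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FLOWS)))
```

On the constructed sample the two documented conduits show up as expected, and two crossings appear that no one approved: an office host speaking Modbus to a controller, and another office host reaching the engineering workstation over SMB. Those two lines are exactly what question 4 asks about, and a company that cannot produce this list for its own networks is in the position Colonial Pipeline was in when it had to decide whether to shut down.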

These are not technical questions. They are management questions. And the answers should be held by the executive team, not just the IT director.

Why this is different from ordinary cyber risk

Ordinary cyber risk means data leaks, office systems going down, reputational damage. All of this is unpleasant but recoverable.

When an attack affects operational infrastructure - pipelines, power plants, manufacturing lines, logistics hubs - what is at stake is the physical safety of people and the continuity of supply. That is a different level of consequence.

For infrastructure companies, the security conversation should happen at board level, not only within the IT department. Colonial Pipeline is not an exception. It is a demonstration of a threat class that already exists.
