m@ksim.pro

Colonial Pipeline: when cybersecurity becomes physical resilience

A breakdown of the Colonial Pipeline attack for managers: why the incident changes the security conversation for companies with physical infrastructure.

On 7 May 2021, pipeline company Colonial Pipeline shut down the largest fuel pipeline on the US East Coast after a ransomware attack. For several days, five states experienced fuel shortages. The company paid approximately five million dollars in ransom.

For most executives, the first reaction is "this doesn't apply to us, we're not a pipeline company." I think that is the wrong reaction.

What happened technically

Based on available information, the ransomware entered the company's corporate IT network. The actual operational control systems for the pipeline may not have been directly compromised - Colonial shut the pipeline down partly because of uncertainty about the scope of the infection and concerns about OT systems.

This is an important nuance: the company could not continue operating critical physical infrastructure not because attackers had broken into the control systems, but because there was no confidence that they hadn't. The absence of visibility and control was itself the reason for the shutdown.

The boundary between IT and OT no longer protects

Traditionally, operational technology (OT) - systems controlling production, infrastructure, and equipment - was physically separated from corporate IT networks. This isolation, called an "air gap", was the primary protective mechanism.

Over recent years that gap has narrowed or disappeared in most industrial companies. The reasons are understandable: remote monitoring, ERP integration, digitalisation of operations. These are real operational benefits.

The price is the disappearance of the barrier between the corporate network, which faces regular attacks, and the systems on which physical operations depend.

Who this affects beyond pipelines

If your company has:

  • manufacturing equipment with networked control;

  • building systems - climate, access control, video surveillance - connected to a network;

  • logistics or warehouse automation;

  • any equipment with remote monitoring or control;

then you have an OT attack surface, whether or not you think of yourself as an industrial company.

The Colonial Pipeline attack showed that attackers do not necessarily need to break into industrial systems directly. It is enough to create sufficient uncertainty that the company shuts down operations itself.

What to do

I am not suggesting panic or immediately rebuilding infrastructure. But a few questions deserve answers:

  1. Do you have an inventory of all network-connected systems - both corporate and operational?
  2. Are your corporate IT network and operational network separated, at least logically?
  3. Is there a procedure for what happens if the corporate network is compromised - can physical operations continue in a manual or isolated mode?
  4. Who makes the decision to stop physical operations during a security incident, and do they have enough information to make that decision?

The absence of answers to these questions is itself the vulnerability, regardless of the technical level of protection.

Colonial Pipeline stopped not only because there was an attack. It stopped because there were no tools for understanding the scope of the situation. That is a manageable problem - if you work on it before an incident.
