💰💣

Colonial Pipeline Security Incident

May 7, 2021 1599 days ago Resolved

Incident Overview

Situation Description

Colonial Pipeline experienced a ransomware attack in early May 2021, which disrupted operations and caused widespread fuel shortages.

Event Types

Ransomware Malware / Destructive Attack

Industry Sector

Energy

Geographic Scope

National (US)

Response Actions

Isolated Compromised Systems Took Systems or Services Offline Restored Systems from Secure Backups Engaged Third-Party Forensic Investigators Conducted Threat Hunting & Eradication Notified Affected Individuals & Entities Refused to Pay Ransom / Extortion Notified Law Enforcement Managed Public Narrative & Crisis Communications Restructured Security Leadership Revised Incident Response Plan Hardened Attack Surface Shared Threat Intelligence Collaborated with Peers / Community

Impact Analysis

Event Types (2 identified)

Ransomware Malware / Destructive Attack

Financial Impact

$0 USD

Records Affected

Data Types Compromised

Operational / System Data

Primary Impacts

Operational Disruption Financial Loss Reputational Damage

Key Decisions Made

The Transportation Security Administration issued a directive ordering pipeline operators to report any potential cyberattacks and have an onsite cybersecurity coordinator.; A second directive required pipeline operators to mitigate vulnerabilities, boost resilience, and develop contingency plans.; Colonial Pipeline hired Adam Tice as its first-ever CISO and has been working to fill internal cybersecurity staff.

Technical Analysis

Attack Method

Stolen Credentials

Threat Actor Attribution

DarkSide

Vulnerability / Tool

Outdated VPN Account

Additional Information

An article from How the Colonial Pipeline attack instilled urgency in cybersecurity The federal government andprivate sector are stillcoming to terms with how to protect operational technology in anincreasingly volatile threat environment. Published May 17, 2022 David Jones Reporter post share post print email license Sean Rayford / Stringer via Getty Images Listen to the article 9 min This audio is auto-generated. Please let us know if you have feedback . In the infosecurity world, this was the 5 a.m. phone call that many feared, but few were prepared to handle. In the early hours of May 7, 2021, a Colonial Pipeline worker discovered a ransom note inside the companys IT systems. Threat actors linked to the DarkSide ransomware organization had gained access to an outdated VPN account. The compromise, leveraged to encrypt data on the companys systems, left Colonials massive operational technology (OT) network, including a 5,500 mile pipeline, at risk of remote takeover. For days, millions of Americans on the East Coast, from small business owners to commercial truckers, faced lines at the gas pump not seen in the U.S. since the '70s. Gas prices shot up, consumers began to hoard dwindling supplies and numerous fuel stations shuttered as Colonial, the largest U.S. refined oil supplier, held secret negotiations to regain access to its computer systems. Colonial Pipeline is the most consequential cyberattack on U.S. energy infrastructure to date, said Mark Plemmons, senior director of threat intelligence at Dragos. The impact of the attack went well beyond the cybersecurity community, and garnered the attention of the general public and corporate boardroom officials, according to Plemmons. The attack helped lead to a greater focus on security involving industrial control systems (ICS) and operational technology at all levels. Private industry and government agencies alike have placed an increased focus on ICS security, prioritizing sector resilience and sharing...

... (truncated for display)

Quick Facts

Company:: Colonial Pipeline
Date:: May 7, 2021
Status:: Resolved
Decision Maker:: nan
Position:: nan
Published:: 17/05/2022

Source Information

Original Query

TSA pipeline security directive changes following Colonial Pipeline attack

View Original Source

Timeline

Information Published

17/05/2022

Incident Occurred

May 7, 2021 (1599 days ago)

Status: Resolved

Estimated resolution based on age

Actions

View Company Profile

Navigation

Quick Stats