{
	"id": "ef4e9fea-0215-404f-9480-641c36ea7b46",
	"created_at": "2026-04-10T03:20:36.861098Z",
	"updated_at": "2026-04-10T03:22:18.081723Z",
	"deleted_at": null,
	"sha1_hash": "3a00ceaadebcfc1a999b3bb17c01bbe22bac9ed8",
	"title": "Recommendations Following the Colonial Pipeline Cyber Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 573480,
	"plain_text": "Recommendations Following the Colonial Pipeline Cyber Attack\r\nBy Mike Hoffman\r\nPublished: 2021-05-12 · Archived: 2026-04-10 02:19:11 UTC\r\nOn May 7th, public reporting emerged about Colonial Pipeline operations being impacted by a ransomware\r\nincident in their IT environment, after which operators temporarily halted OT operations as a precaution. Like any\r\npipeline, Dragos would expect Colonial Pipeline to have so many dependencies between their control and SCADA\r\nsystems and their business systems that it becomes hard to reasonably delineate and separate them. With this in mind,\r\nout of an abundance of caution, halting operations becomes the safest choice.\r\nColonial Pipeline is a midstream Oil and Natural Gas (ONG) pipeline and storage company based in Alpharetta,\r\nGeorgia, USA that transfers refined petroleum products from downstream refining facilities to storage sites and\r\nhandles transfer from upstream production sites to downstream refining facilities for a large majority of the\r\nUnited States.\r\nThis blog is intended to share what is known about the Colonial Pipeline cyber attack, offer a perspective on what\r\nsubsystems can be found and what operations occur within pipelines to those unfamiliar, and offer\r\nrecommendations to asset owners based on similar ransomware cases Dragos has worked in OT networks,\r\nincluding from the same group, DarkSide.\r\nDarkSide and Ransomware Outlook\r\nOn Sunday, May 9th, Dragos released an intel report to our customers that assessed with high confidence that the\r\nDarkSide ransomware group was responsible for the IT compromise. During the past year, various manufacturing\r\nindustries have reported similar incidents and have attributed them to other ransomware groups such as REvil and\r\nCL0P. 
The recent pattern of ransomware incidents encrypts filesystems and steals either confidential information\r\nor Personally Identifiable Information (PII) from the organizations and threatens to post the information on\r\ndedicated leak sites (DLS) unless the ransom is paid in a timely manner. During the past year, Dragos has\r\nobserved several instances of this happening in multiple industrial sectors, including against the major vendor and\r\nasset operator, Honeywell. No industry has been immune to this, with numerous cases taking place in\r\nmanufacturing as well as electric power sectors. However, the Colonial Pipeline cyber attack is the most\r\ndisruptive incident Dragos has witnessed on US energy infrastructure from cyber intrusions.\r\nDarkSide, and many other ransomware groups, are opportunistic. They find soft targets, evaluate if they are a\r\nstrong candidate to ransom, and then they attack.\r\nUnfortunately, this applies to many industrial companies. These groups rely on weak passwords on unsecured,\r\ninternet-exposed services such as Remote Desktop Protocol, or on exploits against vulnerable versions of common\r\ninternet-facing devices. Numerous vulnerabilities have been disclosed over the past year for these types of devices,\r\nincluding Pulse Connect Secure, Fortinet FortiOS, and Accellion FTA devices. Once initial access is achieved,\r\nthey quickly bring in tools focused on gaining Domain Administrator access to enable them to then deliver their\r\nhttps://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/\r\nPage 1 of 4\n\nransomware. Dragos response teams have observed the time from initial access to the deployment of ransomware ranging\r\nwidely, with ransomware delivered as quickly as 24 hours after initial access in some cases and several months\r\nafter initial access in others before the group deploys its ransomware payload. 
In our incident response cases and assessments, Dragos often\r\nfinds shared credential management between IT and OT networks, such as connected Domain Controllers, as a\r\nmechanism to impact OT.\r\nHow a Strong Architecture Can Support Response Efforts\r\nAlthough this attack was carried out on the Enterprise network, it brings to light the highly interconnected nature\r\nof OT operations that businesses must consider. Many organizations feel they have highly segmented OT\r\nnetworks, including their industrial control systems (ICS). However, in Dragos’s assessments and cases, we find\r\nthis to not be the case. It is common to hear about pending IT-OT convergence, but in reality, much of that\r\nconvergence took place a decade ago, and the preventative controls, such as segmentation, that the organizations\r\nhad in place have atrophied over time through misconfigurations, additional devices, or just the nature of needing\r\nincreased connectivity for the business. What the industry is experiencing now is the digital transformation of our\r\ninfrastructure, which is resulting in hyper-connectivity not only to the corporate IT networks but also to personnel,\r\nvendors, integrators, original equipment manufacturers, and cloud resources.\r\nResponding to ransomware attacks in the OT environment is even more challenging due to the overall lack of\r\nnetwork monitoring and host- and network-based logging. At a minimum, crown jewels, which are the most\r\ncritical assets in operational systems, should be actively monitored. When preventative measures fail or atrophy\r\nover time, asset owners and operators are often at the mercy of discovering the incident only after the malware has\r\nexecuted and run its course, encrypting systems and taking them offline. Unfortunately, during incident response\r\nengagements, Dragos has found that many companies have little visibility into their operations and production\r\nnetworks. 
This slows down incident response and removes options from the company on what it can do to blunt\r\nthe incident. Those organizations that are proactive and develop consistent insights using frameworks such as the\r\ncollection management framework know what the most relevant logs are, where they are stored, and\r\nhow long they are available. These simple types of actions rapidly increase the ability to respond to incidents.\r\nOften in incident response cases, almost nothing is available.\r\nComplete segmentation is often impractical, but a defensible architecture can still be maintained that significantly\r\nreduces risk and makes the response more effective. As shown in Figure 1 below, SCADA systems should be\r\narchitected in such a way as to provide communications segmentation and disconnection points in case of an\r\nattack. Limit what protocols communicate through this segmentation, as ransomware groups will use protocols\r\nsuch as remote desktop (RDP), Windows file sharing (SMB), and Active Directory authentication (NTLM) to\r\nmove from one zone into another.\r\nWith network monitoring and visibility in place, a defender could view malicious traffic coming into the DMZ\r\nand begin changing the environment or disconnecting the systems from the outside world. Next, defenders will\r\nwant to ensure monitoring is taking place down in the SCADA server to identify changes to outstation\r\ncommunications, or at the application server to identify if configurations or modifications are occurring. 
Project\r\nfiles at the Engineering Workstation (EWS) are also a valued target that needs monitoring, protection, and offline\r\nbackups, as they often contain programs and configurations of the SCADA itself or those of remote PLC and RTU\r\ndevices.\r\nContinuing this example, if remote polling and operational visualization systems are compromised, the next\r\nisolation point is around the communications out to remote pipeline pump and metering stations. Isolating here\r\nensures local systems are kept operational, and control is still possible. If we made it to this point, remote teams\r\nwould be activated and sent to the remote locations. This is difficult to achieve in a reduced workforce setting\r\ncommon among highly automated environments. Each of these scenarios needs to be discussed and documented\r\nin OT incident response plans and regularly exercised.\r\nAgain, this is a best-case response scenario with many fallback options. Many of our responses are instead based\r\non loosely segmented networks or networks with no segmentation at all.\r\nMike Hoffman is a Principal Industrial Consultant at the industrial cybersecurity company Dragos, Inc., where he\r\nserves as the primary subject matter expert with customers to perform architecture assessments, network\r\nvulnerability assessments, consequence-driven modeling, and similar work on their industrial environments. Before joining\r\nDragos, Mike was a global Principal ICS Security Engineer at Shell and held the role of ICS Security SME across\r\nthe Americas region. 
During his 20 years working at Shell, he also held the positions of ICS Security Specialist,\r\nControls \u0026 Automation Specialist, Process \u0026 Environmental Analyzer Specialist, and Instrumentation \u0026\r\nElectrical Technician.\r\nSource: https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/"
	],
	"report_names": [
		"recommendations-following-the-colonial-pipeline-cyber-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775791236,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a00ceaadebcfc1a999b3bb17c01bbe22bac9ed8.pdf",
		"text": "https://archive.orkl.eu/3a00ceaadebcfc1a999b3bb17c01bbe22bac9ed8.txt",
		"img": "https://archive.orkl.eu/3a00ceaadebcfc1a999b3bb17c01bbe22bac9ed8.jpg"
	}
}