Which systems were actually compromised by the Colonial Pipeline Company ransomware attack?

Posted on August 13, 2021

Many have assumed that the May ransomware attack on Colonial Pipeline Company compromised the operational systems supporting the Colonial Pipeline. This is what we should expect, if the attack was indeed on the Colonial Pipeline infrastructure itself and not merely on Colonial Pipeline Company, the owner and operator of the pipeline.

The Wikipedia article on the ransomware attack states that Colonial Pipeline “suffered a ransomware cyberattack that impacted computerized equipment managing the pipeline.” To support this claim, Wikipedia cites reports from Reuters, CBS News, and NPR. However, only the CBS News article mentions which systems were compromised by the attack, and it says that “The attack looks to be a IT attack, but it shut down the pipeline which is an OT system.” This agrees with a ZDNet report that states that “DarkSide operators targeted the business side rather than operational systems.”

While Colonial Pipeline Company has not stated which specific systems were compromised, Bloomberg quotes the company as saying that it “proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.” If the pipeline operations were only halted because systems were proactively taken offline, it is unlikely that the operational systems supporting the pipeline were actually compromised.

Furthermore, Bloomberg describes the attack as a double-extortion scheme, where the attackers threatened both to publicly distribute data stolen from the company and to leave data encrypted on the company’s systems unless it paid the ransom. According to Bloomberg, this is one of the attacker’s “hallmark” schemes. In order to believe that the attack had compromised operational systems, we would have to suppose either that an attacker ordinarily focused on extortion was expanding into new waters or that the security of the operational systems supporting the pipeline was so poor that the attackers themselves even lost control of which systems they were compromising. Both possibilities are rather difficult to believe.

The Wall Street Journal reported that “Two people briefed on the probe said the attack appeared to be limited to information systems and hadn’t infiltrated operational control systems, but cautioned that the investigation was in its early stages.” On May 12, the day pipeline operations were restarted, CNN reported that Colonial Pipeline Company “halted operations because its billing system was compromised” and that there was “no evidence that the company’s operational technology systems were compromised.”

We will have to wait until more information about the attack is disclosed publicly, but given the evidence so far that the operational systems supporting the pipeline were not actually compromised and may not have even been targeted by the attackers, we should consider whether Colonial Pipeline Company may have overreacted. Should a company shut down all of its operations if only its financial systems are compromised? Should not an effective cybersecurity strategy isolate the different types of systems so that executives do not need to worry about a threat to operational systems even if other systems are compromised? Are all the recent efforts to improve the security of critical infrastructure even effective at preventing an event like this?