Colonial Pipeline Ransomware Attack a Warning of Infrastructure’s Vulnerability

Organizations need to shift thinking from 'if we get attacked' to 'when we get attacked'

An out of service bag covers a pump handle at a gas station May 12, 2021 in Fayetteville, North Carolina.

An out of service bag covers a pump handle at a gas station May 12, 2021 in Fayetteville, North Carolina. UConn's Stephen Fitzgerald says the ransomware attack that led to the gas shortage is a harbinger of things to come for multiple industries. (Photo by Sean Rayford/Getty Images)

Since Professor Fitzgerald wrote this article last month, warning of the looming threat of additional cyberattacks, the world’s largest meat supplier, JBS, has become the victim of a ransomware attack. The latest disruption reinforces the need for improved cybersecurity and business resilience across industries and around the globe.

Hours-long lines at the pump, gas stations that ran dry, and images of people hoarding gas in jerry cans, across multiple Eastern states, dominated the news last week.

The cyberattack that crippled Colonial Pipeline Co.’s operations seemed reminiscent of dystopian science fiction. The Colonial pipeline, the largest in the nation, extends 5,500 miles from Houston to the Northeast and provides up to 2.5 million barrels of diesel, gasoline, and jet fuel each day. Some 45 percent of the gas and diesel fuel consumed on the East Coast comes via the pipeline. The shutdown halted fuel deliveries and lead to widespread panic buying by consumers.

Although Colonial resumed operations days ago, the shortage has continued into this week.

Stephen Fitzgerald
Stephen Fitzgerald (Contributed photo).

The incident has served as a jarring reminder of how vulnerable many organizations are to cyber threats. Attacks like these continue to raise concerns about the security of our increasingly networked infrastructure.

What Happened?

The attack in question, known as a ransomware attack, holds a company’s data hostage by encrypting it and making it unusable. This is the same technology we use to keep our data safe, maliciously highlighting the impacts of security innovation.

Once intruders have this data, they may publish it, delete it, decrypt it, or exercise numerous other options based on how an organization reacts to the ransom demands. As one might expect, this is a dubious proposition as there is no guarantee that, should the ransom be paid, hackers will hold up their end of the bargain. There has been much debate about whether companies should or should not meet these demands.

Hamstrung by halted operations, Colonial executives found themselves in this position, and reportedly paid the equivalent of $5 million dollars in cryptocurrency to the hacking group to decrypt their data. Despite being provided the decryption tool, recovery was slow and the cobbled-together effort landed them back on their feet only recently.

The perpetrators were identified by the FBI as Darkside, a relatively new Eastern European ransomware group.  The future of the group remains unclear now that various governments and organizations have focused on its activity. Regardless of whether they fold, rebrand, or become emboldened, ransomware organizations are not going away anytime soon.

Where Do We Go From Here?

Much of the potency of cyberattacks comes from their ability to affect at scale. As we have seen from breaches in the past, one successful intrusion can net databases with millions of records or, as in this instance, bring operations to a grinding halt. Thankfully for individuals, this means that the odds an average person is targeted by such attacks are slim, as cyber criminals often choose to attack organizations for a bigger return on their effort.

Unfortunately, this means the attacks that do find purchase will likely be significant in scope. In the coming weeks, the Northeast will feel the effects of operational lag induced by these attacks. Much of the cost consumers will experience will be from the resulting shift in the supply chain, highlighting the dependencies many of us take for granted after long periods of smooth operations.

Due to the ubiquitous nature of our networked devices and systems, the threat of a cyberattack has shifted the question from “if we get attacked” to “when we get attacked” for all organizations. The Colonial Pipeline Co. attack reminds us that our risk analyses need to include our operational dependencies that exist in the hands of suppliers and third parties. Companies and organizations must also concern themselves with the IT security of their partners, or suffer their vulnerabilities as well.

In this instance, companies and individuals that have a high dependency on fuel will feel the impact the most and the delay is short enough to stave off many existential concerns that businesses may have had about the disruption.

As the surface area and magnitude of cyberattacks continues to grow, so too does our preparedness and knowledge. While we feel little solace in the wake of this attack, knowing that breaches will succeed in the future, organizations are taking steps to learn from and mitigate these efforts in the future as we witness the continued struggle of the IT-security arms race.


Stephen Fitzgerald is an instructor-in-residence in the Operations and Information Management (OPIM) Department in the School of Business, where he teaches a course in IT Security, Governance and Audit.