On Thursday, May 6th, hackers launched a cyberattack against Colonial Pipeline. They stole 100 gigabytes of data, then proceeded to lock computers and systems down while demanding a ransom payment. By the next morning, Colonial Pipeline had both paid nearly $5 million in an attempt to recover their data and taken several key systems offline to prevent further damage. This move shut down their fuel delivery systems throughout the east coast of America. 

While the company scrambled to implement alternative fuel delivery systems, leaning on truck or train, their main pipelines remained inoperable. Smaller lines were brought back on manual control. As the situation developed over the weekend, by Monday May 10th the American public was aware of the attack and the consequences; fuel may be running low. 

By Wednesday May 12th over 1,000 gas stations were out of fuel amid a panicked run on gas. Officials warned consumers to not store gasoline in plastic bags. Cars waited in long lines for gas, and experts pleaded for people to not hoard gasoline. After all, it was only a temporary shortage as the Colonial Pipeline began operating its main lines that very day. 

What caused all this mayhem? A security safeguard that wasn’t quite strong enough, and a lack of rapidly-deployable backups. 

In a statement to congress, CEO Joseph Blount revealed that the compromised account was not protected by two-factor authentication (2FA) as is standard in corporate security. Rather it was protected by one password, albeit strong. It was this singular password that became compromised and allowed a Russian-based hacker group known as Darkside to infiltrate and encrypt Colonial Pipeline’s network.

Although the company initially stated it would not pay a ransom, it did quickly supply 75 bitcoin, valued at around 4.5 million USD, to the hacker group in an attempt to restore their offline systems. However, the decryption program provided by Darkside worked so slowly that Colonial Pipeline ended up restoring their systems from their own backups. Colonial Pipeline, despite investing heavily in IT and cyber security, had never developed a cyber attack response plan.

Even though the Darkside attack did not target any physical infrastructure such as the controls for the fuel pipes themselves, their attack on the systems that handled billing for the company still shut down the entire operation. And with one company attacked, the eastern seaboard was without 80% of its fuel supply. Despite the economy being heavily dependent on this private company’s service, there are no regulations on how Colonial Pipeline protects itself, its IT infrastructure, its physical infrastructure, or its data. 

The most obvious conclusions to draw from this incident are to enable 2FA on all critical infrastructure and to deploy tested backups to enable restoration from any ransom attack. Yet, according to Sen. Maggie Hassan of New Hampshire, “it is a wake-up call that more must be done to secure our critical infrastructure.”