Blog
← Back to Blog
May 10, 2021 cybersecurity

Colonial Pipeline: Ransomware Just Shut Down America's Fuel Supply

Fuel pipeline and critical infrastructure

On Friday, a ransomware attack forced Colonial Pipeline to shut down operations. Colonial operates the largest fuel pipeline in the United States, carrying 2.5 million barrels of fuel daily from Texas to the East Coast. Gas stations across the Southeast are running dry. Prices are spiking. Panic buying has made the shortage worse.

Ransomware, the threat we've been writing about for five years, just became a national security crisis.

What Happened

The DarkSide ransomware group compromised Colonial Pipeline's IT systems. Colonial shut down pipeline operations as a precaution, fearing the attack could spread to operational technology (OT) systems that control the physical pipeline. The pipeline has been offline for five days and counting.

Reports indicate the initial access came through a compromised VPN account that used a password found in a previous data breach. No multi-factor authentication was enabled on the account.

Read that again: the largest fuel pipeline in the US was shut down because of a reused password on a VPN without 2FA.

The Impact

  • Gas stations across the Southeast running out of fuel
  • Average gas prices rising above $3/gallon for the first time since 2014
  • Airlines adjusting routes due to fuel supply concerns
  • Federal emergency declaration to allow fuel transport by truck
  • Colonial reportedly paid a $4.4 million ransom in Bitcoin

The Irony

We started this blog five years ago writing about a hospital that paid $17,000 in ransom. We've written about ransomware more than any other topic. We've repeatedly said: enable 2FA, don't reuse passwords, segment your networks.

Colonial Pipeline, operator of critical national infrastructure, was brought down by the same basic failures we've been warning dental practices about since 2016. A reused password. No 2FA. Inadequate network segmentation between IT and OT systems.

The fundamentals aren't just for small businesses. They're for everyone.

What This Means for Your Practice

1. Ransomware doesn't discriminate. If it can shut down national infrastructure, it can shut down your practice. The same gangs that hit Colonial target healthcare every day.

2. The basics matter at every scale. 2FA on VPN access. Unique passwords. Network segmentation. These aren't advanced security measures. They're baseline requirements that a $15 billion pipeline company failed to implement.

3. Prepare for secondary effects. Even if your practice isn't directly attacked, disruptions to fuel, power, internet, or supply chains can affect your operations. Incident response plans should include scenarios beyond direct cyberattacks.

4. Government response is coming. The Biden administration is preparing executive orders on cybersecurity. Regulatory requirements for critical infrastructure and potentially healthcare will increase. Getting ahead of regulation is always better than catching up to it.

Five years of writing about ransomware. It just shut down America's fuel supply. If this doesn't convince you to take cybersecurity seriously, nothing will.