Colonial Pipeline Industrial Control System Hack: Everything We Know So Far

May 12, 2021

By Dr. Ron Martin, Professor of Practice: Critical Infrastructure, Industrial Control System Security, and Access and Identity Management

This is an ongoing series. Be sure to check back on our website and social media for future updates on this story from other industry experts at Capitol.

The Colonial Pipeline, which provides nearly half of the gasoline and other fuels used on the East Coast, shut down all of its operations on Friday, May 7, 2021, after hackers broke into some of its networks.[3] The pipeline accounts for 5,500 miles of the 2.7 million miles of pipeline in the United States and supplies approximately one-half of the petroleum products used in the Eastern United States. On Monday May 11, 2021, the Federal Bureau of Investigation (FBI) announced that the attack used a ransomware strain called DarkSide. DarkSide attacks a network by encrypting files so that the network’s owner can no longer access them; the ransomware operator then demands a fee to decrypt the affected files. The FBI and other federal and private cybersecurity entities are working to mitigate the effects of this attack.

Attacks on United States pipeline infrastructure are nothing new. In October 2020, the National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued Alert AA20-049A, titled Ransomware Impacting Pipeline Operations.[1] The alert identified a spearphishing link as the initial access technique, and it described the resulting impact: data encrypted for impact, loss of availability of the operators’ human interface, operator loss of view, and loss of productivity and revenue that continues even after the system’s normal operation is restored.

At this point in the investigation of this event, a lot remains unknown, and it is not public knowledge what security protocols were in place before the attack. Alert AA20-049A recommended technical and architectural mitigations that pipeline owners and operators should follow. They should ensure network segmentation between information technology (IT) and operational technology (OT) networks; such segmentation can reduce or eliminate unregulated communications between the two. Operators should require multifactor authentication across all networks and should filter network traffic by organizing OT assets into logical zones, aligning those zones with account criticality, consequence, and functional necessity. Alert AA20-049A contains additional mitigations that owner/operators should take.
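One way to put the zoning and conduit mitigation described above into practice is to check observed network flows against an explicit zone policy, which is how a defender finds the unregulated IT-to-OT communications the alert warns about. The example below is added here and is not code from the article, the alert, or Colonial Pipeline; its zones, address ranges, ports, and sample flows are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
# Constructed example zones and address ranges (assumptions, not real pipeline addressing)
ZONES = {
    "enterprise_it": ip_network("10.1.0.0/16"),
    "ot_dmz": ip_network("10.2.0.0/24"),
    "ot_control": ip_network("192.168.10.0/24"),
}

# Permitted conduits: (source zone, destination zone) -> allowed destination ports.
# IT may reach only the DMZ; only the DMZ may speak ICS protocols to the control zone.
CONDUITS = {
    ("enterprise_it", "ot_dmz"): {443},        # HTTPS to the DMZ historian / jump host
    ("ot_dmz", "ot_control"): {502, 44818},    # Modbus/TCP and EtherNet/IP from the DMZ only
}

def zone_of(ip):
    # Map an address to its zone; anything outside the defined zones is "unknown".
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def evaluate_flow(src_ip, dst_ip, dst_port):
    """Return ('allow' | 'deny', reason) for one observed flow under the zone policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if "unknown" in (src, dst):
        return "deny", "unzoned asset"
    if src == dst:
        return "allow", f"intra-zone {src}"
    allowed = CONDUITS.get((src, dst), set())
    if dst_port not in allowed:
        return "deny", f"{src}->{dst} port {dst_port} not on a permitted conduit"
    return "allow", f"conduit {src}->{dst}"

def audit(flows):
    # Return the flows that violate the policy, i.e. unregulated IT/OT communications.
    return [(s, d, p, reason) for s, d, p in flows
            for verdict, reason in [evaluate_flow(s, d, p)] if verdict == "deny"]

# Constructed sample flows, as they might be extracted from firewall or NetFlow logs.
SAMPLE_FLOWS = [
    ("10.1.5.20", "10.2.0.10", 443),       # IT workstation -> DMZ historian: allowed
    ("10.2.0.10", "192.168.10.5", 502),    # DMZ -> PLC over Modbus/TCP: allowed
    ("10.1.5.20", "192.168.10.5", 502),    # IT workstation straight to a PLC: violation
    ("10.1.5.20", "192.168.10.5", 3389),   # IT -> OT RDP bypassing the DMZ: violation
    ("10.2.0.10", "192.168.10.5", 22),     # DMZ -> OT SSH, not on the conduit: violation
    ("203.0.113.7", "192.168.10.5", 502),  # unzoned external address -> PLC: violation
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print("VIOLATION", violation)
```

Each violation printed is a flow that a correctly segmented architecture would have blocked at a zone boundary, so the same policy table can be turned into firewall rules or into an alert rule over flow logs.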

At Capitol Technology University, we offer undergraduate and graduate courses that review the elements of industrial control system security. Students learn two essential assessment tools. The first is the Department of Energy’s Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2), which helps oil and natural gas organizations of all types evaluate and improve their cybersecurity programs. The other is the Cyber Security Evaluation Tool (CSET®), a Department of Homeland Security (DHS) product that assists organizations in protecting their critical national cyber assets by providing a systematic and repeatable approach for assessing the security posture of their cyber systems and networks.

A lot remains to be revealed about the DarkSide attack on the Colonial Pipeline. Until more information is disclosed, owner/operators of critical infrastructure industrial control systems should review the recommendations of Alert AA20-049A, the Transportation Security Administration’s Pipeline Security Guidelines, and the Cybersecurity and Infrastructure Security Agency’s Pipeline Cybersecurity Initiative.[2]


[1] CERT. “Alert (AA20-049A).” Cybersecurity and Infrastructure Security Agency (CISA), 24 Oct. 2020.

[2] “Pipeline Security Guidelines.” Transportation Security Administration, Apr. 2021.

[3] Reuters and Dennis Romero. “Colonial Pipeline Blames Ransomware for Network Shutdown.” NBCUniversal News Group, 9 May 2021.