Looking Back at the Colonial Pipeline Ransomware Incident

In early May 2021, the world was shocked into attention by a ransomware attack that led to the shutdown of a major fuel pipeline and long lines at gas stations. What have we learned — or not — one year later?

[Image: sign marking Colonial Pipeline Company oil pipes running through a Doraville, GA residential neighborhood]
On the anniversary of the Colonial Pipeline ransomware incident, eyes have been opened to the potential impact on society when critical infrastructure is targeted.

But what have we learned from the events in 2021? Where is this ransomware trend going next? Has our situation improved or worsened?

Last year I wrote a blog post describing what happened. Here’s an excerpt:

"All across the southeast, the results of our collective failure to protect critical infrastructure were on display last week. As gas shortages and long lines of vehicles snaked through Virginia, North Carolina, South Carolina, Georgia and other states, more Americans than ever before were learning the definition of ‘ransomware.’ And, perhaps, what critical infrastructure insecurity truly means. …

"I can easily picture this conversation between a six-year-old girl in the back seat of a car and her father driving her to school last week in North Carolina: 'Daddy, why are the cars all lined-up at the gas station? It wasn’t like this yesterday. What happened?' 'Well honey, it was ransomware.'”
According to “On May 7, 2021, the Colonial Pipeline Company proactively shut down its pipeline system in response to a ransomware attack. On May 13, 2021, Colonial Pipeline announced the company restarted their entire pipeline system and product delivery commenced to all markets. …

“A year ago, gas prices on the East Coast surged after the operator of America's biggest fuel pipeline shut down amid a ransomware attack. The five-day-long cyber siege was a wake-up call: The country's infrastructure was vulnerable to criminals anywhere in the world.

“Colonial Pipeline paid millions of dollars to restore its systems, which had been frozen by alleged associates of the REvil ransomware gang. Some of the payment, made in bitcoin, was eventually recovered. But memories of panic buying at the pumps linger to this day."

A lot has happened over the past year. Ransomware attacks continued, and even accelerated, and the top technology story of 2021 was again ransomware against critical infrastructure. These events, together with the heightened threat environment after Russia invaded Ukraine, led to the passage of unprecedented new cyber incident (and ransomware payment) reporting mandates for critical infrastructure operators in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

Here are some of the articles I liked that were written for the Colonial Pipeline anniversary:

CNET — A Year After Colonial Pipeline, Threat of Ransomware Attacks Looms: “In the year since the Colonial attack, corporate America, the Biden administration and federal agencies like the Transportation Security Administration have taken steps to secure the country's critical infrastructure, which in addition to energy companies includes schools, cities and hospitals. They had to because Colonial Pipeline wasn't an outlier. Transit authorities, a meat processor and a business software company were all taken down as REvil roamed free for months on the Internet.

“The number of successful ransomware attacks surged to new highs last year. Sixty-six percent of the organizations surveyed by Sophos for its annual State of Ransomware report admitted that they were hit with a ransomware attack in 2021, up from 37 percent in the year before. And 65 percent of those attacks succeeded in encrypting their victims' data, up from 54 percent the year before.”

The Washington Post — One year ago, Colonial Pipeline changed the cyber landscape forever: “The attack — along with other ransomware strikes against the meat processor JBS and the IT provider Kaseya — prompted a diplomatic confrontation between President Biden and Russian President Vladimir Putin during a Geneva Summit. Biden demanded that Putin prevent Russia-based cyber criminals from targeting U.S. critical infrastructure including pipelines, energy and financial firms — a move U.S. officials had not taken six months earlier when the Kremlin hacked into a slew of U.S. government agencies.

“The attack also arguably led directly to congressional passage of the most substantial cyber requirements for critical infrastructure firms in history — obligating them to alert the government within three days if they’re hacked and within one day if they pay a ransom to hackers.”

MeriTalk — Colonial Pipeline Hack One Year Later: CISA’s Wales Shares Lessons Learned: "Cybersecurity experts shared lessons learned from the attack and about how to implement a shared cyber defense between the public and private sectors to protect critical infrastructure at ATARC’s 'Colonial Pipeline in Retrospect: Securing the Nation’s Critical Infrastructure' webinar on May 5.

“Colonial Pipeline was a galvanizing event for the country, raising awareness about the potential threats and risks posed by cyber attacks, that it’s not just ones and zeros inside of computers, [and] that these attacks could have real implications on our way of life,” said Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency (CISA)."

Dark Reading — Colonial Pipeline 1 Year Later: What Has Yet to Change?: "While the Colonial Pipeline incident was a devastating attack, it exposed gaps in cybersecurity postures that otherwise would have gone unnoticed. Enterprises that make active efforts to strengthen their cybersecurity strategies will be able to proactively mitigate threats as they arise, exceed regulatory compliance requirements, and ultimately foster trust with their employees, customers, and the community as a whole. Moving beyond Colonial Pipeline is possible but cannot be done without real improvement in cybersecurity defenses."

There is no doubt that the Colonial Pipeline incident was one of the most impactful cybersecurity events to hit the U.S., if not the top incident so far.

Sure, there have been other events like the OPM data breach and the Snowden revelations that may have caused more long-term costs and damage, but no other event has opened the eyes of the public to the potential dangers of ransomware and digital disruption, in my opinion.

I think there have been many lessons learned and actions taken to improve our cyber defenses over the past year, and the policy changes have been significant. CISA’s “Shields Up” campaign is another example of the proactive steps that DHS and the wider federal government are taking on cybersecurity.

Are there more substantial cybersecurity incidents coming? For sure.

Will they be worse than what happened to the Colonial Pipeline? Only time will tell, but let’s continue to prepare for the worst and hope for the best.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.