
Colonial Pipeline ransomware attack

The Colonial Pipeline ransomware attack was a May 2021 cyber intrusion by the DarkSide ransomware group that compromised the IT networks of Colonial Pipeline, operator of the largest refined-products pipeline in the United States, running from the Gulf Coast to the Northeast. On May 7, the company detected the breach and proactively shut down its pipeline operations to contain the damage, halting the transport of approximately 45% of the East Coast's fuel supply and triggering regional shortages, panic buying, and temporary fuel price increases. The incident, attributed to Russian-speaking cybercriminals marketing ransomware-as-a-service, exposed systemic cybersecurity gaps in critical energy infrastructure: the attackers gained entry through a compromised legacy VPN account that had no multi-factor authentication (MFA). Colonial Pipeline resumed limited operations on May 12 after securing its systems manually, with full capacity restored shortly thereafter, though recovery involved paying a ransom of about $4.4 million in bitcoin to regain access to encrypted data. The U.S. Department of Justice later seized $2.3 million of that payment by tracing the funds on the bitcoin blockchain, a significant action against ransomware proceeds. The attack prompted immediate federal responses, including emergency declarations waiving fuel transport regulations and accelerated cybersecurity mandates for pipeline operators, and underscored the risks of unpatched vulnerabilities and inadequate access controls in high-stakes sectors. While no evidence linked the perpetrators to state sponsorship, the event fueled debate over ransom payments, which U.S. law enforcement discourages because they incentivize further attacks, and highlighted the dependence of fuel supply chains on single points of failure.

Background

Colonial Pipeline overview

Colonial Pipeline Company operates the largest refined products pipeline system in the United States, spanning more than 5,500 miles from refineries along the Gulf Coast to terminals serving the Northeast. The pipeline transports gasoline, diesel, and other refined products at a daily capacity exceeding 100 million gallons, equivalent to 2.5 million barrels. This network supplies approximately 45 percent of the fuel consumed on the East Coast, delivering to markets that support over 50 million Americans across 14 states and the District of Columbia. Founded in 1962 by a consortium of companies, including major refiners, the system was the largest privately funded project undertaken at the time, designed to connect southern hubs directly to northeastern centers and reduce reliance on less efficient modes such as rail and tanker trucks. Colonial Pipeline Company, the operator, provides services such as storage, product exchanges, and title transfers to shippers, with ownership held through Colonial Enterprises Inc., which was acquired in a $9 billion deal in 2025. The pipeline's scale and regional dominance underscore its role as critical energy infrastructure.

Pre-attack cybersecurity context

Prior to the May 2021 ransomware attack, the U.S. pipeline industry, including Colonial Pipeline, operated under the Transportation Security Administration's (TSA) Pipeline Security Guidelines, which provided voluntary recommendations for cybersecurity measures rather than mandatory requirements. These guidelines categorized protections into baseline and enhanced levels based on asset criticality, emphasizing risk assessments, access controls, and incident response planning, but enforcement relied on self-regulation by operators, with limited federal oversight or penalties for non-compliance. This approach reflected a broader complacency in critical infrastructure sectors, where operational reliability often took precedence over investment in cyber hygiene, despite escalating threats documented in federal alerts from agencies such as the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) throughout the late 2010s. Colonial Pipeline's specific vulnerabilities exemplified common lapses in the sector, including a legacy virtual private network (VPN) used for remote access that lacked multi-factor authentication (MFA), a basic control that cybersecurity standards such as NIST SP 800-63 had recommended for years. Attackers used a leaked password for an inactive VPN account, likely obtained from credential dumps, to gain initial entry around April 29, 2021, underscoring deficiencies in password management, account lifecycle oversight, and segmentation between IT systems and operational technology (OT) networks. In congressional testimony, Colonial's CEO acknowledged that while the company had a general emergency response plan, it lacked a tailored strategy to detect or prevent ransomware propagation, and pre-existing weaknesses in its cyber defenses facilitated the breach.
These gaps were not isolated: Government Accountability Office (GAO) assessments and industry analyses before 2021 had highlighted persistent risks in pipeline cybersecurity, such as unpatched legacy software and insufficient monitoring, amid a global surge in ransomware targeting energy firms, yet voluntary guidelines failed to compel widespread adoption of defenses like MFA or zero-trust architectures. The absence of binding regulations left operators exposed, as the ease of initial access in Colonial's case showed: a single compromised credential bypassed perimeter controls without triggering alerts.

The Breach and Attack

Initial access method

The DarkSide ransomware group gained initial access to Colonial Pipeline's network on April 29, 2021, using a compromised password for an outdated virtual private network (VPN) account. The account, intended for remote access by a single employee, lacked multi-factor authentication (MFA) and had not been decommissioned even though the employee had left the company months earlier. The password had been exposed before the breach, likely through credential dumps or leaks from unrelated incidents, so the attackers could authenticate directly to the network with no additional verification. CEO Joseph Blount testified to U.S. senators that the compromise stemmed from legacy systems in which shared or static passwords were used by multiple workers for remote access, bypassing modern safeguards such as MFA. Once inside via the VPN, the intruders targeted the billing and procurement systems and established persistence with tooling that evaded detection for weeks before escalating to data theft and ransomware deployment. The method illustrates the risk of unpatched remote-access points in critical infrastructure, where a single weak credential provided a foothold for lateral movement across segmented networks.
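The weaknesses that made this initial access possible (no MFA, an account whose owner had left, months of dormancy, a password present in a credential dump) are all checkable before an intrusion. The audit below is an added example, not Colonial Pipeline's or any vendor's code; the account fields, the HR roster, the dormancy threshold and the "leaked" password hashes are constructed sample data, and a real deployment would replace the leaked-hash set with a query against a breach corpus.

```python
"""Audit remote-access (VPN) accounts for the weaknesses described above.

Added example, not Colonial Pipeline's or DarkSide's code. All account
records, the 'leaked password' set and the HR roster are constructed
sample data; the field names and the 90-day threshold are assumptions.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

MAX_IDLE_DAYS = 90                 # assumed dormancy policy
AUDIT_DATE = date(2021, 4, 29)     # the day initial access occurred


@dataclass(frozen=True)
class VpnAccount:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: date
    password_sha1: str             # store only a hash, never the password itself


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample: hashes of passwords that appeared in a breach dump.
LEAKED_HASHES = {sha1_hex(p) for p in ("Spring2020!", "P@ssw0rd", "Colonial#1")}

# Constructed HR roster: usernames of people still employed.
ACTIVE_STAFF = {"alice", "carol"}


def audit(accounts, today, leaked=LEAKED_HASHES, staff=ACTIVE_STAFF,
          max_idle=MAX_IDLE_DAYS):
    """Return {username: [findings]} for every enabled account with a weakness.

    Findings mirror the breach narrative: no MFA, owner no longer employed,
    long-dormant account, and password present in a known credential dump.
    """
    report = {}
    for acct in accounts:
        if not acct.enabled:
            continue               # a disabled account cannot be logged into
        findings = []
        if not acct.mfa_enrolled:
            findings.append("no-mfa")
        if acct.username not in staff:
            findings.append("owner-departed")
        if (today - acct.last_login) > timedelta(days=max_idle):
            findings.append("dormant")
        if acct.password_sha1 in leaked:
            findings.append("leaked-password")
        if findings:
            report[acct.username] = findings
    return report


def risk_rank(report):
    """Order accounts by number of findings, worst first (ties by name)."""
    return sorted(report, key=lambda u: (-len(report[u]), u))


# Constructed sample accounts: 'bob' models the legacy account in the text.
SAMPLE_ACCOUNTS = [
    VpnAccount("alice", True, True, date(2021, 4, 28), sha1_hex("correct horse battery")),
    VpnAccount("bob", True, False, date(2021, 1, 15), sha1_hex("Spring2020!")),
    VpnAccount("carol", True, False, date(2021, 4, 27), sha1_hex("unique-pass-9f")),
    VpnAccount("dave", False, False, date(2020, 6, 1), sha1_hex("P@ssw0rd")),
]


def sample_report():
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    result = sample_report()
    for user in risk_rank(result):
        print(f"{user}: {', '.join(result[user])}")
```
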

Ransomware deployment and encryption

On May 7, 2021, DarkSide operators, who had maintained undetected access to Colonial Pipeline's network since at least April 29, executed the ransomware payload primarily against the company's IT systems, including billing and administrative systems, after preparatory activity on May 6. The deployment came after extensive reconnaissance and lateral movement within the IT environment, during which the attackers compromised privileged accounts and mapped critical assets; it did not directly target the operational technology (OT) systems controlling the pipeline itself. This selective execution on IT networks aimed to maximize leverage through data encryption and theft, and it prompted Colonial to shut the pipeline down proactively to prevent a potential OT compromise. The DarkSide binary, typically delivered as an executable such as variants of power_encryptor.exe, was run on infected Windows hosts and propagated via network shares to encrypt accessible files on local and networked drives. DarkSide operators, working under a ransomware-as-a-service (RaaS) model, customized deployment to avoid immediate detection, often disabling backups and security tools beforehand. In Colonial's case the encryptors rendered key IT functions inoperable, though the firm retained manual operational capability for the pipeline through offline procedures. DarkSide ransomware uses hybrid encryption: a per-victim RSA-2048 public key encrypts randomly generated symmetric keys, while file contents are encrypted with the Salsa20 stream cipher (or variants in some builds), so encryption is fast and decryption is infeasible without the private key. Encrypted files receive a unique extension (e.g., .darkside or a victim-specific string), and ransom notes are dropped in affected directories with payment instructions in bitcoin via Tor hidden services. This mechanism, analyzed in CISA's malware report, prioritizes thoroughness over speed, skipping certain system files to keep the host viable while targeting high-value data.

Shutdown Decision and Immediate Effects

Rationale for pipeline shutdown

Colonial Pipeline detected the ransomware intrusion on its information technology (IT) network on May 7, 2021, prompting the company to proactively halt all pipeline operations as a precautionary measure. The primary rationale was to isolate the affected IT systems from the operational technology (OT) networks that control the pipeline's physical functions, thereby preventing the ransomware from propagating and compromising industrial control systems (ICS). This separation was critical because ICS manage automated processes such as pressure regulation and flow control across the 5,500-mile pipeline, where disruption could lead to operational failures or safety hazards such as overpressurization or leaks. Company executives cited uncertainty about the full extent of the breach, including potential data exfiltration that could enable subsequent targeted attacks on vulnerable components. The shutdown was triggered not by a direct OT compromise but by a precautionary assessment that continued operation risked lateral movement of the malware, a common tactic in such attacks where initial IT access serves as a vector for broader system compromise. Federal authorities, including the FBI, later affirmed this approach, noting that the proactive halt averted escalation from IT to OT environments, which could have amplified the physical impact on fuel transport. The decision reflected standard incident response protocols for critical infrastructure, prioritizing containment over continuity to avoid cascading failures, despite the foreseeable economic disruption from suspending deliveries of approximately 45% of the East Coast's fuel supply. Colonial Pipeline's leadership emphasized that partial manual operations were infeasible without verified network integrity, as reliance on backup controls carried the risk of undetected persistence. This rationale aligned with industry best practice for ransomware events, where evidence from prior incidents showed that delayed containment often widens the scope of a breach and lengthens recovery.

Regional fuel disruptions and public response

The shutdown of Colonial Pipeline's 5,500-mile system on May 7, 2021, disrupted fuel deliveries primarily to the southeastern United States, where it supplies about 45% of gasoline and diesel demand. Distribution terminals in states including North Carolina, Georgia, South Carolina, Virginia, and Florida relied on pre-existing inventories and increased trucking from Gulf Coast refineries, but these measures proved insufficient amid heightened demand. The U.S. Energy Information Administration noted that alternative supply chains via truck and rail could not fully compensate for the pipeline's capacity in the short term. Panic buying by motorists rapidly depleted station supplies, turning potential shortages into acute ones across at least 11 states and Washington, D.C. By May 12, GasBuddy surveys indicated that 65% of stations in North Carolina and 43% in Georgia and South Carolina lacked fuel, with Virginia reporting similarly high outages. In specific areas, outages reached 72% in Raleigh, North Carolina, and 73% in Pensacola, Florida. Washington, D.C., saw 88% of stations dry by May 14. This consumer-driven hoarding, rather than the shutdown alone, was identified by experts as the primary cause of the visible disruptions, as inventories were adequate for normal demand. Public response featured long lines at remaining open stations and widespread reports of fuel rationing, with images of snaking queues dominating coverage. Retail prices in affected areas rose by an average of 4 cents per gallon, a modest increase attributed to localized supply pressures rather than broader market effects. U.S. officials later highlighted how such panic buying amplified the incident's impact, underscoring vulnerabilities in public behavior during supply scares. Government actions aimed to mitigate the crisis through emergency measures. On May 10, federal regulators issued a regional emergency declaration for 17 states and the District of Columbia, waiving hours-of-service limits for fuel haulers to expedite trucking deliveries.
Several states declared emergencies to coordinate responses and temporarily suspend fuel taxes, easing costs. The Biden administration launched an "all-of-government" effort, coordinating with fuel industry firms to redirect supplies while publicly discouraging panic buying to prevent self-inflicted shortages.

Economic and Operational Impacts

Supply chain interruptions

The ransomware attack compelled Colonial Pipeline to suspend operations across its 5,500-mile network starting May 7, 2021, halting the daily transport of 2.5 million barrels of refined petroleum products, which constituted about 45% of the East Coast's supply. This interruption disrupted the primary artery linking Gulf Coast refineries to distribution terminals in the Southeast and Mid-Atlantic regions, where pipeline efficiency enables rapid, high-volume delivery compared to alternatives. Distributors initially relied on pre-existing terminal inventories, but the shutdown's duration of several days led to rapid depletion: pipeline flows operate continuously at low speed, so lost throughput cannot be quickly made up. Efforts to redirect supplies via truck and rail from other regions faced capacity constraints and elevated costs, insufficient to offset the shortfall in a market accustomed to pipeline-dominated logistics. Consumer panic buying accelerated the strain on downstream supply chains, resulting in widespread station outages; by May 12, 2021, 68% of gas stations in the hardest-hit state lacked fuel, with 49%, 45%, and 45% in three others. These shortages underscored the fragility of regional fuel distribution networks dependent on centralized pipelines, prompting a federal emergency declaration on May 9 to waive restrictions on interstate fuel hauling and bolster truck deliveries. Although other sectors experienced milder disruptions due to diversified sourcing, the event exposed systemic vulnerabilities in just-in-time inventory practices across the fuel supply chain, where a single breach can cascade into multi-modal logistical failures.

Financial costs and market reactions

Colonial Pipeline incurred direct financial losses from the attack, including a ransom payment of approximately $4.4 million in bitcoin to the DarkSide group on May 8, 2021, as confirmed by company CEO Joseph Blount. The shutdown of the pipeline, which normally transports 2.5 million barrels per day of refined fuels, resulted in estimated daily losses of $1.5 million from foregone revenues and remediation efforts during the six-day operational halt from May 7 to May 12, 2021. Additional costs arose from cybersecurity enhancements and manual operational transitions, though the company did not publicly disclose exact figures for these. Market reactions centered on the U.S. Southeast, where the pipeline supplies about 45% of demand, leading to localized shortages and price volatility. An empirical study found the shutdown caused an average price increase of 4 cents per gallon in affected regions, with variation by location, far less than initial fears of widespread spikes. Panic buying amplified the disruptions, emptying stations and prompting temporary state declarations of emergency, though national averages rose only modestly, by 6 cents per gallon in the following week. The incident spurred broader economic ripples, including an industry-wide surge in cyber insurance premiums as insurers recalibrated risks for critical infrastructure. Recovery was swift, with supplies normalizing by May 15, 2021, mitigating prolonged market effects.

Ransom Payment Process

Negotiation and decision to pay

Colonial Pipeline executives initiated contact with the DarkSide ransomware operators shortly after detecting the encryption of critical billing and operations systems on May 7, 2021, using the group's dedicated communication portal on the dark web. The perpetrators demanded payment in bitcoin to unlock the decryption tools, with initial reports indicating a demand of nearly $5 million. Negotiations, handled through the affiliate model typical of DarkSide's ransomware-as-a-service operations, resulted in an agreed ransom of 75 bitcoin. On May 8, 2021, CEO Joseph Blount authorized the transfer of the $4.4 million equivalent, stating that the payment was made primarily to acquire and evaluate the decryptor tool amid uncertainty over the time required for manual system restoration from backups. Blount described the choice as the toughest of his career, emphasizing the operational imperative to resume fuel deliveries quickly given the pipeline's role in supplying nearly half of the U.S. East Coast's refined petroleum products. The decision proceeded despite explicit FBI guidance against paying ransoms, which the agency argues perpetuates cybercrime by funding attackers to refine their tactics and target more victims, while offering no guarantee of effective recovery or an end to extortion. Colonial's cyber insurance policy covered the payout, reducing direct financial exposure but highlighting the broader debate over whether such payments align with long-term cybersecurity incentives. Following the transaction, DarkSide supplied the decryptor, which testing revealed to be functional but impractically slow for the volume of affected data, so the company relied on pre-attack backups for eventual system recovery.

FBI's partial ransom seizure

On June 7, 2021, the United States Department of Justice announced that the FBI had seized approximately 63.7 bitcoin, valued at $2.3 million at the time, from a cryptocurrency wallet used by DarkSide actors to launder a portion of the ransom paid by Colonial Pipeline. This recovery represented about 85% of the original 75-bitcoin ransom, which was worth roughly $4.4 million when paid on May 8, 2021; the perpetrators had transferred the remaining funds to other addresses before the seizure. The operation relied on blockchain transaction tracing by FBI investigators, who followed the movement of funds from the initial wallet to a secondary address controlled by DarkSide, enabling the agency to obtain a federal seizure warrant. The FBI's deputy director stated that the seizure demonstrated the traceability of cryptocurrency despite the anonymity claims of ransomware groups, as the bitcoin had not been fully laundered through mixers or exchanges before partial recovery. The warrant authorized the FBI's virtual currency intermediaries to transfer the seized assets to agency-controlled wallets, marking one of the first major public recoveries of ransomware payments through blockchain forensics. (Image: DarkSide Bitcoin seizure warrant, June 7, 2021.) Although the recovery disrupted DarkSide's immediate access to the funds, it did not end the group's operations entirely, as evidenced by subsequent incidents attributed to affiliates before the group's infrastructure was reportedly dismantled later in May 2021; U.S. officials nonetheless emphasized that such seizures undercut the assumption that digital currencies provide untraceable ransomware payments. The action highlighted interagency collaboration, including input from the Department of Justice's National Cryptocurrency Enforcement Team, but left unresolved questions about the ultimate disposition of the unrecovered portion amid DarkSide's opaque fund management practices.
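The tracing described above follows ransom-derived value from output to output until it sits, unspent, at an address a warrant can reach. The script below is an added example, not the FBI's tooling and not real chain data: it applies proportional ("haircut") taint tracing to a constructed ledger whose transaction ids, addresses and amounts are invented to mirror the figures in the text (75 BTC paid, 63.7 BTC later seized from one address), ignoring fees.

```python
"""Follow ransom funds through a constructed Bitcoin-style UTXO ledger.

Added example, not the FBI's tooling or real chain data: every transaction
id, address and amount is invented to mirror the figures in the text
(75 BTC paid, 63.7 BTC later seized from a single address). Fees are ignored.
"""
from fractions import Fraction
from typing import Dict, List, Tuple

# A transaction = (inputs, outputs). Inputs reference a prior (txid, output
# index); outputs are (address, amount in BTC). Source transactions have no inputs.
Tx = Tuple[List[Tuple[str, int]], List[Tuple[str, Fraction]]]

LEDGER: Dict[str, Tx] = {
    "tx_victim_funds": ([], [("addr_victim", Fraction(75))]),
    "tx_coinbase":     ([], [("addr_miner", Fraction(5))]),
    # the victim pays 75 BTC to the attacker-controlled address
    "tx_ransom": ([("tx_victim_funds", 0)], [("addr_attacker_1", Fraction(75))]),
    # the attacker splits the ransom: 63.7 BTC to one address, 11.3 to another
    "tx_split":  ([("tx_ransom", 0)],
                  [("addr_attacker_2", Fraction("63.7")),
                   ("addr_attacker_3", Fraction("11.3"))]),
    # unrelated coins that will be mixed with part of the ransom
    "tx_other":  ([("tx_coinbase", 0)], [("addr_unrelated", Fraction(5))]),
    # 11.3 BTC of ransom merged with 5 BTC of clean money into one deposit
    "tx_merge":  ([("tx_split", 1), ("tx_other", 0)],
                  [("addr_exchange_deposit", Fraction("16.3"))]),
}

ORIGIN = ("tx_ransom", 0)     # the output that received the ransom


def spenders(ledger):
    """Map each spent (txid, index) output to the txid that spends it."""
    spent_by = {}
    for txid, (inputs, _) in ledger.items():
        for ref in inputs:
            spent_by[ref] = txid
    return spent_by


def topo_order(ledger):
    """Parents (spent transactions) before children."""
    order, seen = [], set()

    def visit(txid):
        if txid in seen:
            return
        seen.add(txid)
        for parent, _ in ledger[txid][0]:
            visit(parent)
        order.append(txid)

    for txid in ledger:
        visit(txid)
    return order


def trace(ledger, origin):
    """Proportional ('haircut') taint tracing from the ransom output.

    Every output of a transaction inherits ransom-derived value in proportion
    to its share of the transaction's total input value. Returns
    {(txid, index): (address, tainted_btc)} for each UNSPENT output that still
    carries ransom-derived value, i.e. the places a seizure could reach.
    """
    spent_by = spenders(ledger)
    taint = {}
    for txid in topo_order(ledger):
        inputs, outputs = ledger[txid]
        total_in = sum((ledger[t][1][i][1] for t, i in inputs), Fraction(0))
        tainted_in = sum((taint.get((t, i), Fraction(0)) for t, i in inputs), Fraction(0))
        for idx, (_, amount) in enumerate(outputs):
            if (txid, idx) == origin:
                taint[(txid, idx)] = amount            # the ransom payment itself
            elif total_in > 0:
                taint[(txid, idx)] = amount * tainted_in / total_in
            else:
                taint[(txid, idx)] = Fraction(0)       # source tx: nothing inherited
    return {ref: (ledger[ref[0]][1][ref[1]][0], t)
            for ref, t in taint.items() if t > 0 and ref not in spent_by}


def recovered_fraction(ledger, origin, seized):
    """Share of the original ransom recovered by seizing the given unspent outputs."""
    reachable = trace(ledger, origin)
    paid = ledger[origin[0]][1][origin[1]][1]
    return sum((reachable[r][1] for r in seized if r in reachable), Fraction(0)) / paid


if __name__ == "__main__":
    for ref, (addr, btc) in sorted(trace(LEDGER, ORIGIN).items()):
        print(f"{addr:22s} {float(btc):6.2f} BTC ransom-derived, unspent at {ref}")
    share = recovered_fraction(LEDGER, ORIGIN, [("tx_split", 0)])
    print(f"seizing addr_attacker_2 recovers {float(share):.1%} of the ransom")
```

Seizing only the address that received the 63.7 BTC recovers about 84.9% of the payment; the 11.3 BTC mixed into the exchange deposit remains traceable but is outside the warrant's reach.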

Perpetrators

DarkSide group profile

DarkSide emerged in August 2020 as a ransomware operation targeting high-value organizations, primarily in English-speaking countries. The group, likely composed of experienced Russian-speaking cybercriminals, developed custom malware and operated via a Ransomware-as-a-Service (RaaS) model, leasing tools and infrastructure to affiliates who handled intrusions in exchange for profit shares typically ranging from 20% to 80%. This structure enabled scalable attacks, with core operators focusing on code maintenance while affiliates pursued targets yielding ransoms from $200,000 to $20 million in cryptocurrency. DarkSide's tactics emphasized targeted intrusions over indiscriminate spraying, gaining initial access through exploited vulnerabilities or compromised remote desktop protocols, followed by lateral movement using legitimate remote monitoring tools and credential dumping. Once inside, actors exfiltrated data before deploying encryptors that appended ".darkside" extensions, deleted volume shadow copies, and disabled recovery options. The group practiced double and triple extortion, not only encrypting files but also stealing sensitive information to threaten leaks on its DarkSide Leaks site and, in some cases, launching DDoS attacks against non-payers. To limit scrutiny, DarkSide imposed restrictions on itself, avoiding attacks on former Soviet states, hospitals, schools, and nonprofits, while claiming an apolitical, profit-driven ethos without state affiliation. Despite no confirmed ties to Russian entities, the operation's patterns and geographic selectivity pointed to Eastern European origins. By May 2021, amid U.S. sanctions, disruptions, and asset seizures, including $2.3 million in bitcoin by the FBI, DarkSide announced the cessation of operations, citing insurmountable losses, though analysts suspect it rebranded into successors such as BlackMatter or BlackCat.
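Two of the behaviours described here and in the deployment section (shadow-copy deletion with recovery options disabled, followed by a burst of files renamed with the ".darkside" extension) are observable in ordinary endpoint telemetry. The detector below is an added example, not CISA's advisory content or any vendor's rule; the pipe-separated log format, the host names, every log line and the burst threshold are constructed assumptions.

```python
"""Detect two DarkSide-style behaviours in endpoint telemetry: shadow-copy
deletion (or recovery disabling) and a burst of '.darkside' renames.

Added example, not CISA's or any vendor's rule. The log format
(timestamp|host|event|detail), all log lines and the tuning values are
constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that remove a host's ability to roll back encryption.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]
RANSOM_EXT = ".darkside"
BURST_WINDOW = timedelta(seconds=60)   # assumed tuning values
BURST_THRESHOLD = 5


def parse_line(line):
    """'2021-05-07T04:10:00|host|proc|cmdline' -> (datetime, host, event, detail)."""
    ts, host, event, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, event, detail


def detect(lines):
    """Return a time-sorted list of (timestamp, host, alert_name) tuples."""
    alerts = []
    renames = defaultdict(list)        # host -> timestamps of .darkside renames
    for line in lines:
        ts, host, event, detail = parse_line(line.strip())
        if event == "proc":
            if any(p.search(detail) for p in SHADOW_COPY_PATTERNS):
                alerts.append((ts, host, "shadow-copy-tamper"))
        elif event == "rename" and detail.lower().endswith(RANSOM_EXT):
            renames[host].append(ts)
    # Sliding window: BURST_THRESHOLD renames within BURST_WINDOW on one host.
    for host, stamps in renames.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append((stamps[start], host, "mass-rename-darkside"))
                break                   # one alert per host is enough to page someone
    return sorted(alerts)


# Constructed sample telemetry: one file server being encrypted, one
# workstation with a single renamed file (below the burst threshold).
SAMPLE_LOG = """\
2021-05-07T03:59:00|FIN-SRV01|proc|vssadmin.exe list shadows
2021-05-07T04:10:00|FIN-SRV01|proc|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2021-05-07T04:10:02|FIN-SRV01|proc|bcdedit.exe /set {default} recoveryenabled no
2021-05-07T04:10:05|FIN-SRV01|proc|C:\\Windows\\System32\\svchost.exe -k netsvcs
2021-05-07T04:10:30|FIN-SRV01|rename|\\\\FIN-SRV01\\finance\\invoice_001.xlsx.darkside
2021-05-07T04:10:35|FIN-SRV01|rename|\\\\FIN-SRV01\\finance\\invoice_002.xlsx.darkside
2021-05-07T04:10:40|FIN-SRV01|rename|\\\\FIN-SRV01\\finance\\ledger_2021.accdb.darkside
2021-05-07T04:10:45|FIN-SRV01|rename|\\\\FIN-SRV01\\finance\\po_4471.pdf.darkside
2021-05-07T04:10:50|FIN-SRV01|rename|\\\\FIN-SRV01\\finance\\budget_q2.xlsx.darkside
2021-05-07T04:11:10|WS-ALICE|rename|C:\\Users\\alice\\notes.txt.darkside
""".splitlines()


if __name__ == "__main__":
    for ts, host, name in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {host:10s} {name}")
```
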

Attribution challenges and motives

The Federal Bureau of Investigation (FBI) officially attributed the Colonial Pipeline ransomware attack to the DarkSide group on May 10, 2021, based on forensic analysis of the malware and network indicators. DarkSide, a Russia-based ransomware-as-a-service (RaaS) operation, publicly claimed responsibility via its leak site, releasing samples of stolen data to substantiate the breach. However, precise attribution to individual actors within DarkSide proved difficult because of the group's decentralized structure, in which affiliates conduct intrusions independently while the core developers supply the toolkit. DarkSide consistently professed financial motives, emphasizing profit through extortion rather than political or ideological goals; the group explicitly avoided targeting entities in Russia and other former Soviet states, and its post-attack statements expressed surprise at the resulting fuel shortages, suggesting an intent focused on data theft and extortion rather than operational disruption. Cybersecurity analyses corroborated this, noting DarkSide's operational rules prohibiting attacks on critical infrastructure in ways that cause physical harm, though the Colonial incident exposed inconsistencies when affiliates disregarded such guidelines for higher payouts. The demand and subsequent payment of approximately 75 bitcoin (valued at about $4.4 million at the time) fit standard ransomware economics, where victims pay to regain access and prevent data leaks. Attribution faced the broader hurdles inherent to cyber operations, including anonymizing tools such as VPNs and Tor, which obscured actor identities and origins. Russia's non-cooperation in extraditing or prosecuting cybercriminals, coupled with linguistic and infrastructural ties linking DarkSide to Russian speakers, raised suspicions of tacit tolerance, though U.S. officials found no evidence of government orchestration of this attack, distinguishing it from state-sponsored espionage or disruption campaigns.
This ambiguity blurred the line between purely criminal and state-linked threats, complicating deterrence as adversaries exploited jurisdictional gaps without clear national accountability. The FBI's recovery of $2.3 million in bitcoin seized in June 2021 relied on blockchain tracing rather than the apprehension of actors, underscoring the persistent evidentiary challenge of linking digital footprints to physical perpetrators.

Restart Efforts

Transition to manual operations

Following the ransomware intrusion detected on May 7, 2021, Colonial Pipeline proactively shut down its entire 5,500-mile network to contain the breach and assess damage, halting the automated supervisory control and data acquisition (SCADA) systems that managed flow rates, valve operations, and monitoring. The transition to manual operations required operators to physically manipulate valves, conduct on-site inspections, and rely on paper-based logging for inventory tracking and compliance, as the compromised billing and IT systems prevented digital oversight. This shift prioritized safety by isolating OT from infected networks, though it exposed procedural gaps, including inadequate pre-planned protocols for manual restarts, which federal regulators later cited as contributing to the prolonged disruption. Initial resumption began on May 10, 2021, when Line 4, a primary artery terminating at Woodbine, Maryland, was restarted under human-directed control to deliver pre-existing stockpiles at reduced capacity. Operators maintained a physical presence at key facilities to adjust pressures and flows manually, ensuring no loss of physical control over the pipeline infrastructure despite the ransomware's confinement to IT networks. This localized approach allowed limited distribution to mitigate shortages, but scalability was constrained by the labor-intensive nature of the process, which required personnel trained in emergency manual procedures. The manual mode underscored a vulnerability of hybrid IT-OT environments: ransomware targeting administrative functions such as billing indirectly forced an operational halt to avoid risk to core controls. Subsequent Pipeline and Hazardous Materials Safety Administration (PHMSA) reviews determined that Colonial's failure to document and train for comprehensive manual shutdowns and restarts violated pipeline safety management regulations under CFR Part 192, resulting in a $970,000 penalty in 2022.
Despite these shortcomings, the transition enabled phased recovery without compromising pipeline integrity, paving the way for full automated resumption by May 15, 2021.

Timeline of resumption

The resumption of Colonial Pipeline operations followed a phased approach emphasizing manual controls and safety validation after the May 7, 2021, shutdown. On May 10, 2021, the company restarted its Line 4, which terminates at Woodbine, Maryland, under manual operation to test system integrity without full reliance on the compromised IT systems. The full pipeline restart commenced on May 12, 2021, at approximately 5:00 p.m. ET, after Colonial conducted exhaustive offline inspections and simulations to ensure secure operation, in close coordination with federal agencies. The company emphasized that this initiation did not equate to immediate full capacity, projecting several days of gradual ramp-up to avoid pressure surges or other hazards. Product delivery subsequently restarted across the entire 5,500-mile network, enabling deliveries to terminals in the Southeast and Mid-Atlantic, though at reduced volumes initially. All systems returned to normal operational levels by May 15, 2021, with Colonial confirming full functionality and no ongoing disruption from the incident. Supply normalization, including terminal restocking and inventory recovery, extended beyond this date, with estimates of up to two weeks for complete market stabilization amid lingering panic buying and regional shortages.

Investigations

Federal agency involvement

The Federal Bureau of Investigation (FBI) took the lead in attributing the attack to the DarkSide group on May 10, 2021, confirming the compromise of Colonial Pipeline's networks. The FBI collaborated with CISA and other government partners to investigate the breach, focusing on disrupting the ransomware ecosystem. On June 7, 2021, the Department of Justice, acting through the FBI, seized approximately 63.7 bitcoin, valued at about $2.3 million at the time, from the ransom payment made by Colonial Pipeline to DarkSide actors. This recovery was achieved by obtaining a warrant for the wallet address where the funds were stored, using blockchain tracing techniques in coordination with partners. The FBI's deputy director emphasized that such actions aimed to hold cybercriminals accountable and deter future attacks. The Cybersecurity and Infrastructure Security Agency (CISA), under the Department of Homeland Security, supported the response by issuing joint cybersecurity advisories with the FBI, including one on May 11, 2021, detailing DarkSide tactics and recommending mitigations for critical infrastructure operators. CISA also released best practices for preventing DarkSide ransomware on July 8, 2021, urging immediate implementation of the recommended mitigations to reduce risk. Despite these efforts, reports indicated initial delays in CISA's awareness of the incident, as Colonial prioritized coordination with the FBI and operational shutdowns to contain the breach. Broader federal involvement included an all-of-government effort coordinated by the White House, with agencies such as the Department of Energy monitoring energy supply impacts, though the primary investigative and technical response centered on the FBI and CISA. Post-incident analyses by CISA highlighted ongoing needs for enhanced resilience, informing subsequent policy and advisory updates.

Key findings and breach analysis

The ransomware attack on Colonial Pipeline originated from unauthorized access to the company's IT network via a compromised virtual private network (VPN) account in April 2021. The attackers, affiliated with the DarkSide ransomware-as-a-service operation, exploited a legacy VPN account that lacked multi-factor authentication (MFA) and relied on single-factor authentication with a complex but leaked password, which had been exposed in a credential dump, likely through reuse across personal and corporate accounts. Following initial access, DarkSide actors conducted reconnaissance, escalated privileges on domain controllers, moved laterally across the IT environment, and exfiltrated approximately 100 gigabytes of data over several days before deploying the ransomware payload on May 7, 2021. The malware, a variant using Salsa20 for symmetric encryption and RSA-2048 for asymmetric key exchange, targeted Windows systems, encrypting files and appending the ".darkside" extension while displaying a ransom note demanding 75 Bitcoin (approximately $4.4 million at the time). Critically, the compromise remained confined to IT systems; no evidence emerged of direct intrusion into the operational technology (OT) or supervisory control and data acquisition (SCADA) systems controlling the pipeline, though inadequate network segmentation heightened the risk of lateral movement. Investigations by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) found that basic cybersecurity lapses, such as the absence of MFA on remote access points, reliance on static passwords without rotation or monitoring for leaks, and limited visibility into network traffic, enabled the attackers' prolonged presence, estimated at weeks before execution. Colonial Pipeline's decision to proactively shut down the 5,500-mile pipeline on May 7 stemmed from an inability to rapidly verify OT integrity amid the encryption, underscoring a structural vulnerability of hybrid IT-OT environments in which manual verification is too slow for real-time threat response.
Post-incident forensic analysis confirmed DarkSide's use of tools such as Cobalt Strike for command-and-control, but the breach's success hinged more on human-error-enabled access than on zero-day exploits, highlighting systemic underinvestment in credential hygiene relative to defenses against advanced persistent threats.

Policy Responses

Executive and regulatory actions

On May 12, 2021, President Biden signed Executive Order 14028, titled "Improving the Nation's Cybersecurity," five days after the Colonial Pipeline ransomware attack disrupted fuel supplies across the U.S. East Coast. The order directed federal agencies to modernize cybersecurity practices, including adopting zero-trust architectures, enhancing software supply chain security, and improving incident response for sectors such as critical infrastructure. It also established requirements for federal contractors to align with improved standards and promoted information sharing between public and private entities to counter threats. In parallel, the Transportation Security Administration (TSA) issued its first pipeline-specific Security Directive (Pipeline-2021-01) on May 28, 2021, mandating that owners and operators of critical hazardous liquid and gas pipelines, including Colonial, establish and implement cybersecurity plans, report significant incidents within 12 hours, and assess vulnerabilities. This was followed by Security Directive Pipeline-2021-02 on July 20, 2021, which required third-party cybersecurity assessments, contingency and recovery programs, and protective measures for control systems. Later updates, such as Pipeline-2021-02D, expanded the requirements to include annual reporting and recovery plan testing, applying to over 100 pipeline operators deemed critical by TSA. These actions complemented ongoing federal efforts, including the July 28, 2021, Biden administration memorandum outlining additional protections, such as enhanced CISA coordination with infrastructure owners for threat intelligence sharing. The directives marked TSA's first mandatory cybersecurity requirements for the sector, shifting from voluntary guidelines to enforceable standards with civil penalties for noncompliance.

Criticisms of government overreach

In response to the May 7, 2021, attack, the Transportation Security Administration (TSA) invoked its emergency authority to issue Security Directive Pipeline-2021-01 on May 28, 2021, requiring owners and operators of critical pipelines to report significant cybersecurity incidents within 12 hours and to assess their practices against TSA's guidelines within 30 days, followed on July 20, 2021, by Pipeline-2021-02, which mandated specific mitigation measures for IT and OT systems, contingency and recovery planning, and a cybersecurity architecture design review. Critics contended that TSA's unilateral directives bypassed notice-and-comment rulemaking, constituting regulatory overreach into private infrastructure operations traditionally governed by lighter-touch federal guidance. Industry groups, including the American Petroleum Institute, warned that such mandates could impose undue compliance burdens and stifle innovation without proportionate evidence of effectiveness, echoing broader concerns about federal expansion after the attack; Suzanne Lemieux of the American Petroleum Institute pointed to the risk of "regulatory overreach" that might deter investment in the sector. Conservative lawmakers and commentators similarly characterized the directives as executive overstep, arguing that they used the incident to justify prescriptive controls absent from prior statutes such as the Pipeline Safety Act. Related legislative proposals, such as bills to prohibit ransomware payments by firms, drew analogous criticism: opponents, including cybersecurity practitioners, argued that an outright ban would remove a company's operational options during a crisis and could prolong disruptions like the six-day Colonial shutdown without addressing root causes such as legacy IT weaknesses. These critiques held that, while the attack exposed real gaps (Colonial's legacy VPN account with no multi-factor authentication being the clearest), punitive regulation risked passing higher costs to consumers rather than fostering resilient, market-driven defenses.

Long-term Implications

Sector-wide cybersecurity enhancements

In response to the May 2021 ransomware attack on Colonial Pipeline, the Transportation Security Administration (TSA) issued Security Directive Pipeline-2021-02 on July 20, 2021, requiring owners and operators of critical pipeline facilities to implement specific cybersecurity measures for their IT and operational technology (OT) systems. The requirements applied to roughly 100 hazardous liquid and natural gas pipeline systems identified as critical and built on the first directive's cybersecurity coordinator designation and vulnerability assessments, adding protections against unauthorized access and disruption, a cybersecurity contingency and recovery plan, and incident response procedures that must be exercised periodically. The directive emphasized segmenting OT networks from IT networks to prevent lateral movement by attackers, the risk that drove Colonial's precautionary shutdown of its pipeline when the ransomware hit its IT environment. Subsequent revisions, such as Pipeline-2021-02D issued in July 2023, extended and refined these obligations, including an annual cybersecurity assessment program for compliance verification, while the parallel Pipeline-2021-01 series carries the obligation to report significant cyber incidents to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). Pipeline operators reported substantial compliance investments, with multi-factor authentication on remote access, endpoint detection, and privileged access management becoming standard, and with control systems isolated from internet-facing corporate networks to reduce exposure to ransomware. CISA complemented the directives with advisory guidance after the attack, recommending timely software patching, strong spam filtering to block phishing, and limiting administrative privileges to essential functions, the common entry vectors observed in the DarkSide campaign.
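Two of the controls above lend themselves to automated checking: the remote-access credential hygiene whose absence gave DarkSide its foothold (an enabled but unused VPN account with no MFA), and the IT/OT segmentation the directive calls for. The following is an added example, not code from the article, TSA or CISA, and not any operator's tooling; the accounts, zones, firewall rules and flows it evaluates are constructed for illustration, and the 90-day idle threshold and first-match rule semantics are assumptions.

```python
# Added example: two checks a pipeline operator could automate for the control
# themes above (remote-access credential hygiene and IT/OT segmentation).
# Not code from the article, TSA or CISA; all accounts, rules and addresses
# below are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional

AUDIT_DATE = date(2021, 5, 7)          # constructed reference date


@dataclass(frozen=True)
class RemoteAccount:
    user: str
    mfa_enrolled: bool
    last_login: Optional[date]          # None = never used
    enabled: bool


def stale_remote_accounts(accounts, today=AUDIT_DATE, max_idle_days=90):
    """Flag enabled VPN accounts lacking MFA or idle beyond max_idle_days.
    The Colonial initial access was exactly this pairing: an account that was
    still enabled but no longer used, reachable with a password alone."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                    # disabled accounts are not an exposure
        if not acct.mfa_enrolled:
            findings.append((acct.user, "no_mfa"))
        idle = acct.last_login is None or (today - acct.last_login).days > max_idle_days
        if idle:
            findings.append((acct.user, "stale"))
    return findings


SAMPLE_ACCOUNTS = [                     # constructed
    RemoteAccount("ops-jdoe", True, date(2021, 5, 6), True),
    RemoteAccount("contractor-legacy", False, date(2020, 11, 15), True),
    RemoteAccount("old-vendor", False, None, False),
]

# --- IT/OT segmentation: evaluate a first-match firewall policy ---
IT_ZONE = ip_network("10.10.0.0/16")   # corporate IT (constructed)
DMZ_ZONE = ip_network("10.20.0.0/24")  # jump hosts between IT and OT
OT_ZONE = ip_network("10.30.0.0/16")   # control network (PLCs, HMIs)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    src: str                            # CIDR
    dst: str                            # CIDR
    dport: Optional[int]                # None = any port


def first_match(rules, src_ip, dst_ip, dport):
    """Return the action of the first rule matching the flow; default deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.dport in (None, dport):
            return r.action
    return "deny"


def direct_it_to_ot_permits(rules):
    """Static check: allow rules whose source overlaps IT and destination
    overlaps OT, i.e. paths that skip the DMZ. Also catches 'allow any any'."""
    return [r.name for r in rules
            if r.action == "allow"
            and ip_network(r.src).overlaps(IT_ZONE)
            and ip_network(r.dst).overlaps(OT_ZONE)]


def segmentation_violations(rules, flows):
    """Dynamic check: sample IT-to-OT flows that the policy actually permits."""
    return [f for f in flows
            if ip_address(f[0]) in IT_ZONE and ip_address(f[1]) in OT_ZONE
            and first_match(rules, *f) == "allow"]


SAMPLE_RULES = [                        # constructed, evaluated top to bottom
    Rule("it-to-jump-rdp", "allow", "10.10.0.0/16", "10.20.0.10/32", 3389),
    Rule("jump-to-ot-modbus", "allow", "10.20.0.10/32", "10.30.0.0/16", 502),
    Rule("legacy-eng-to-ot", "allow", "10.10.5.0/24", "10.30.0.0/16", None),  # the gap
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
SAMPLE_FLOWS = [                        # (src, dst, dport), constructed
    ("10.10.5.7", "10.30.1.20", 502),   # engineering VLAN straight to a PLC
    ("10.10.8.3", "10.30.1.20", 502),   # ordinary IT host to the same PLC
    ("10.20.0.10", "10.30.1.20", 502),  # jump host to the PLC (intended path)
]

if __name__ == "__main__":
    print(stale_remote_accounts(SAMPLE_ACCOUNTS))
    print(direct_it_to_ot_permits(SAMPLE_RULES))
    print(segmentation_violations(SAMPLE_RULES, SAMPLE_FLOWS))
```

Running it flags `contractor-legacy` twice (no MFA, idle 173 days) and the `legacy-eng-to-ot` exception, which the flow check confirms lets an engineering-VLAN host reach a PLC on Modbus without passing through the jump host. The static and dynamic checks are deliberately separate: a broad rule can look harmless in isolation yet be reachable, and a narrow one can be shadowed by an earlier rule, so an audit needs both views.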
The same model spread beyond pipelines: the directives covered liquefied natural gas facilities as well as pipelines, and they paralleled the May 2021 Executive Order 14028 on Improving the Nation's Cybersecurity, whose federal standards for software supply chain security and zero-trust architecture became a reference point for energy operators. Industry analyses indicate that by 2023 more than 90% of covered pipeline entities had implemented the core TSA requirements, with measurable gains in incident detection times and operational resilience, though legacy systems remain hard to secure fully. A September 2023 DHS Office of Inspector General audit found gaps in TSA's tracking of and follow-up on the 2021 directives, underscoring the need for sustained oversight to keep those gains in place.

Debates on ransomware strategies

The Colonial Pipeline attack catalyzed debate over how victims should respond to ransomware, and above all whether they should pay. Colonial paid DarkSide approximately 75 bitcoin, worth about $4.4 million at the time, on May 8, 2021, the day after the attack, to obtain a decryption tool and restore operations amid fears of extended fuel shortages; later reporting indicated the decryptor was slow and that recovery relied heavily on Colonial's own backups. The decision prioritized rapid recovery over withholding funds, since manual operation could not restore full pipeline throughput and the shutdown had already set off panic buying and temporary gasoline rationing across the southeastern United States. U.S. agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), strongly discourage ransom payments, arguing that they fund criminal operations, offer no assurance of data recovery, and invite future attacks by demonstrating profitability. The FBI demonstrated an alternative on June 7, 2021, when it seized 63.7 bitcoin, then worth about $2.3 million, under a court-authorized warrant after tracing the payment across the public ledger to an address whose private key the FBI had obtained, recovering most of the coins without the attackers' cooperation (the dollar value had fallen with bitcoin's price since the payment). Critics of payments argue that the record of repeated incidents shows ransoms sustain ransomware-as-a-service models, with groups like DarkSide reinvesting proceeds in tooling and evasion and so escalating threats to critical infrastructure. Proponents of paying in select cases counter that for high-stakes sectors like energy, the economic and societal costs of prolonged downtime, evident in Colonial's roughly week-long shutdown, can exceed the ransom, especially when backups are incomplete or decryption is time-sensitive. Underlying the disagreement is a collective-action problem: an individual victim's rational case for paying conflicts with the collective interest in starving attackers of funds, a tension between short-term operational imperatives and long-term deterrence.
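The tracing mentioned above is, at its core, a walk over the public transaction graph from the output that received the ransom. The following added example shows that walk on a constructed ledger; it is not the FBI's or any vendor's tooling, and every transaction id, address and amount is made up (only the 75 BTC paid and 63.7 BTC seized figures echo the public record). The ledger layout, the "poison" taint heuristic and the `seizable` helper are assumptions made for the example.

```python
# Added example: forward taint-tracing across a constructed Bitcoin-style
# ledger, the kind of graph walk behind the tracing described above. Not the
# FBI's or Chainalysis's tooling; every txid, address and amount is made up.
from collections import deque

SATS = 100_000_000                      # satoshis per BTC; integers avoid float drift

# txid -> {"in": [(prev_txid, vout), ...], "out": [(address, sats), ...]}
LEDGER = {                              # constructed
    "tx_ransom":   {"in": [("tx_victim_funding", 0)],
                    "out": [("addr_darkside_1", 75 * SATS)]},
    "tx_split":    {"in": [("tx_ransom", 0)],
                    "out": [("addr_affiliate", 1_125_000_000),    # 11.25 BTC
                            ("addr_cashout", 6_370_000_000)]},    # 63.70 BTC, fee 0.05
    "tx_aff_move": {"in": [("tx_split", 0)],
                    "out": [("addr_affiliate_2", 1_120_000_000)]},  # 11.20 BTC, fee 0.05
}


def spend_index(ledger):
    """Map each spent outpoint (txid, vout) to the txid that consumed it."""
    idx = {}
    for txid, tx in ledger.items():
        for outpoint in tx["in"]:
            idx[outpoint] = txid
    return idx


def output_value(ledger, outpoint):
    """Value of an outpoint, or 0 if its transaction is outside the ledger."""
    txid, vout = outpoint
    return ledger[txid]["out"][vout][1] if txid in ledger else 0


def trace_forward(ledger, start_outpoint):
    """Breadth-first walk from one tainted output. Every output of a transaction
    that spends a tainted output is treated as tainted ("poison" heuristic).
    Returns (resting funds by address, total fees paid along the way)."""
    spent_by = spend_index(ledger)
    resting, fees, seen, counted = {}, 0, set(), set()
    queue = deque([start_outpoint])
    while queue:
        op = queue.popleft()
        if op in seen:
            continue
        seen.add(op)
        if op not in spent_by:                      # unspent: funds rest here
            addr, sats = ledger[op[0]]["out"][op[1]]
            resting[addr] = resting.get(addr, 0) + sats
            continue
        nxt = spent_by[op]
        tx = ledger[nxt]
        if nxt not in counted:                      # count each tx's fee once
            counted.add(nxt)
            fees += (sum(output_value(ledger, i) for i in tx["in"])
                     - sum(v for _, v in tx["out"]))
        for vout in range(len(tx["out"])):
            queue.append((nxt, vout))
    return resting, fees


def seizable(resting, addresses_with_keys):
    """Tracing locates funds; seizure still needs control of the keys."""
    return sum(v for a, v in resting.items() if a in addresses_with_keys)


def trace_ransom():
    """Trace from the constructed ransom payment output."""
    return trace_forward(LEDGER, ("tx_ransom", 0))


if __name__ == "__main__":
    resting, fees = trace_ransom()
    print(resting, fees)                            # where the coins rest, fees lost
    print(seizable(resting, {"addr_cashout"}))     # reachable with one key
```

On this ledger the walk ends at two unspent outputs (63.7 BTC at `addr_cashout`, 11.2 BTC at `addr_affiliate_2`) with 0.1 BTC consumed as fees, and `seizable` shows why the June 2021 recovery was partial: tracing found where the coins sat, but only the address whose key the FBI controlled could be emptied. Real tracing is harder than this walk suggests: mixers and CoinJoin-style transactions blend tainted and clean inputs, exchange deposits end the on-chain trail, and the poison heuristic used here overstates taint, so production tools combine several attribution heuristics and off-chain intelligence.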
Debate extends to banning payments outright. Some policymakers advocate criminalizing them to disrupt the criminal economy; opponents caution that a rigid prohibition could drive payments underground or push entities with no viable recovery option toward insolvency. Strategies emphasized after Colonial include preventive measures such as multi-factor authentication on remote access (the control whose absence enabled the breach), regular offline backups that are actually tested for restoration, and tighter privileged access, together with international law enforcement cooperation to dismantle ransomware infrastructure, as when DarkSide reported losing access to its servers days after the attack. Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which, once CISA's implementing rule takes effect, will require covered critical infrastructure entities to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours, aiming to aggregate data for threat intelligence and coordinated defense rather than to punish victims. Cyber insurance providers have also adapted, increasingly excluding or scrutinizing ransom coverage and tying coverage to resilience controls, which lowers the payoff of attacks. These approaches reflect a recognition that no single tactic suffices, and that enforcement, regulation, and technical hardening must be combined to address ransomware's root causes.

References

  1. [1]
    Colonial Pipeline Cyber Incident - Department of Energy
    On May 7, 2021, the Colonial Pipeline Company proactively shut down its pipeline system in response to a ransomware attack.
  2. [2]
    FBI Statement on Compromise of Colonial Pipeline Networks
    May 10, 2021 · The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks.
  3. [3]
    The Attack on Colonial Pipeline: What We've Learned & What ... - CISA
    May 7, 2023 · On May 7, 2021, a ransomware attack on Colonial Pipeline captured headlines around the world with pictures of snaking lines of cars at gas stations across the ...
  4. [4]
    Colonial Pipeline Cyberattack Highlights Need for Better Federal ...
    May 18, 2021 · The recent cybersecurity attack on the Colonial Pipeline Company has led to temporary disruption in the delivery of gasoline and other petroleum products.
  5. [5]
    Deputy Director Speaks at Press Conference on Colonial Pipeline ...
    Jun 7, 2021 · DarkSide developers market their ransomware to criminal affiliates, who then conduct attacks and share a percentage of the proceeds with the ...Missing: facts | Show results with:facts
  6. [6]
    DarkSide Ransomware: Best Practices for Preventing Business ...
    Jul 8, 2021 · CISA and FBI urge CI owners and operators to apply the following mitigations to reduce the risk of compromise by ransomware attacks. Require ...
  7. [7]
    Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to ...
    Jun 7, 2021 · Colonial Pipeline reported to the FBI that its computer network was accessed by an organization named DarkSide and that it had received and paid ...
  8. [8]
    FACT SHEET: The Biden-Harris Administration Has Launched an All ...
    May 11, 2021 · EPA and DOE evaluated the implications of the ransomware attack and determined that extreme and unusual fuel supply circumstances exist. In ...<|separator|>
  9. [9]
    Our Operations | Energy Infrastructure - Colonial Pipeline
    Colonial Pipeline was founded in 1962 and is now the largest refined petroleum products pipeline by volume in the United States. We transport more than 100 ...
  10. [10]
    About Us - Colonial Pipeline
    For more than 60 years we have safely and responsibly transported fuels to serve American communities, commerce, travelers, and military installations. We are ...Our History · Asset Map · Our Leadership · Mission & Vision
  11. [11]
    [PDF] Colonial Pipeline Company - Department of Energy
    Jun 2, 2014 · In 1961, a handful of energy companies came together to build what was then the single largest privately funded.
  12. [12]
    Pipeline Products
    Colonial Pipeline provides energy logistics and solutions to our shippers and customers including system storage, IHT service, exchange, title transfer and ...<|separator|>
  13. [13]
    Brookfield to Buy Colonial Pipeline Owner in $9B Deal - Rigzone
    Apr 4, 2025 · A group of investors led by Brookfield agreed to acquire Colonial Enterprises in a deal that values the operator of the biggest US fuel pipeline at about $9 ...
  14. [14]
    [PDF] Pipeline Security Guidelines - TSA
    Table 3 shows the baseline and enhanced cybersecurity measures that pipeline operators should apply to pipeline cyber assets based on their criticality ...
  15. [15]
    Cybersecuring the Pipeline | Published in Houston Law Review
    Mar 18, 2023 · The Colonial Pipeline ransomware attack reignited the importance of the energy infrastructure's cybersecurity. Notably, the pipeline's ...
  16. [16]
    The Colonial Pipeline Incident Shows the Need for Broader Thinking ...
    May 20, 2021 · The Colonial Pipeline episode highlights that a core policy challenge remains cultivating the resilience of US critical infrastructure.
  17. [17]
    Colonial Pipeline Hacked Via Inactive Account Without MFA - CRN
    Jun 5, 2021 · The Darkside ransomware gang broke into Colonial Pipeline through an inactive account that didn't use multifactor authentication.
  18. [18]
    What IT security teams can learn from the Colonial Pipeline ...
    Jun 28, 2021 · Specifically, the attackers used the stolen password to gain access to a VPN service that did not have multi-factor authentication (MFA) enabled ...
  19. [19]
    Back to Basics: A Deeper Look at the Colonial Pipeline Hack
    Jul 8, 2021 · The cyber attack on Colonial Pipeline Co. was due to a leaked password, an inactive VPN account and a lack of multifactor authentication.
  20. [20]
    Looking back on the Colonial Pipeline hack - Imprivata
    May 17, 2022 · About a month after the hack occurred, it was reported that the cyber criminals hacked into Colonial Pipeline using an old VPN account password ...
  21. [21]
    One password allowed hackers to disrupt Colonial Pipeline, CEO ...
    Jun 8, 2021 · Blount said Colonial did not have a plan in place to prevent a ransomware attack, but did have an emergency response plan. The company ...
  22. [22]
    [PDF] Colonial Pipeline Hack Rockets Ransomware to Top of U.S. Security ...
    “In the case of the Colonial Pipeline attack, a single password compromise on a legacy VPN that did not have MFA in place allowed the attackers to infiltrate.<|control11|><|separator|>
  23. [23]
    Cyber catastrophe meets enterprise ransomware: Colonial Pipeline ...
    May 17, 2021 · The attack underscores the rising need for underwriters to assess basic cyber hygiene alongside threat specific risks such as ransomware for ...Missing: context | Show results with:context<|separator|>
  24. [24]
    Ransomware attackers used compromised password to access ...
    Jun 4, 2021 · Ransomware attackers gained access to Colonial Pipeline's computer networks in April using a compromised password, according to the company and ...Missing: VPN | Show results with:VPN
  25. [25]
    Hackers Breached Colonial Pipeline Using Compromised VPN ...
    Jun 7, 2021 · The Colonial Pipeline was breached by ransomware hackers using a hacked VPN password. ... Pipeline attack early last month crippled the pipeline ...
  26. [26]
    Colonial Pipeline: How Hackers ​​​​​​​Exploited a Password ...
    Jun 29, 2021 · A single password on an old, unprotected account – that's all it took for hackers to paralyze the largest fuel pipeline in the United States.Missing: initial | Show results with:initial
  27. [27]
    Colonial Pipeline ransomware attack (2021) - Cyber Law Toolkit
    Mar 7, 2022 · Date, The threat actor gained access to the network on 29 April 2021. Data was stolen on 6 May 2021. Ransomware was deployed on 7 May 2021.
  28. [28]
    Shining a Light on DARKSIDE Ransomware Operations
    May 11, 2021 · The threat actor deployed the file power_encryptor.exe in a victim environment, encrypting files and creating ransom notes over the SMB protocol ...
  29. [29]
    DarkSide Ransomware - Qualys Blog
    Dec 22, 2022 · DarkSide ransomware identified data backup applications, exfiltrates data, and then encrypts local files as part of the ransomware deployment.
  30. [30]
    DarkSide Ransomware - Enterprise Strategies to Mitigate Threats
    The malware uses Salsa20 stream cipher combined with RSA public key cryptography to encrypt victim files. Then, attackers threaten to publicly release stolen ...
  31. [31]
    A defender's view inside a DarkSide ransomware attack
    May 11, 2021 · The DarkSide ransomware performs specific steps to encrypt a document, first appending a unique file extension to the name of every targeted ...<|control11|><|separator|>
  32. [32]
    MAR-10337802-1.v1: DarkSide Ransomware | CISA
    Jul 8, 2021 · This Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security Agency (CISA). CISA ...
  33. [33]
    FBI blames DarkSide ransomware operators for Colonial Pipeline ...
    May 10, 2021 · ... Colonial Pipeline had proactively shut its operations down to prevent the ransomware from spreading from the company's IT networks to the ...<|separator|>
  34. [34]
    Colonial Pipeline hack explained: Everything you need to know
    Apr 26, 2022 · Ransomware attack begins. Colonial Pipeline becomes aware of the breach. Security firm Mandiant called in to investigate and respond to attack.Missing: deployment | Show results with:deployment
  35. [35]
    US Colonial Oil Pipeline Hack! Shutdown due to Ransomware Attack
    May 11, 2021 · ... to prevent spread of the malware to operational industrial control systems (ICS). ... colonial-pipeline-ransomware-attack/. What is Darkside ...
  36. [36]
    Colonial Pipeline Attack Highlights the Need for OT Security
    May 10, 2021 · Colonial Pipeline announced they did indeed shut down the pipelines as a precaution to prevent the attack from spreading. Initial thoughts ...
  37. [37]
    Cyberattack Forces a Shutdown of a Top U.S. Pipeline
    May 13, 2021 · ... pipeline, which it says carries 45 percent of the East Coast's fuel supplies, in an effort to contain the breach. Earlier Friday, there were ...
  38. [38]
    Cyberattack halts fuel movement on Colonial petroleum pipeline - EIA
    May 11, 2021 · Pipeline shipments move at approximately five miles per hour, so some markets may need to rely on inventories for several days after Colonial ...Missing: ransomware | Show results with:ransomware
  39. [39]
    Colonial Pipeline slowly restarts as Southeast U.S. scrambles for fuel
    May 12, 2021 · Its survey showed 65% of stations in North Carolina and 43% in Georgia and South Carolina without fuel. Virginia also reported high outages. “ ...Missing: percentage | Show results with:percentage<|separator|>
  40. [40]
    Colonial Pipeline operation restart underway
    May 12, 2021 · Cities that are most impacted by gas shortages, according to CNN, are Pensacola, Florida (73%); Raleigh, North Carolina (72%); metro Charlotte, ...
  41. [41]
    U.S. capital running out of gas, even as Colonial Pipeline recovers
    May 14, 2021 · On Friday gas station outages in Washington climbed to 88% from 79% the day before, tracking firm GasBuddy said. President Joe Biden assured ...Missing: affected | Show results with:affected
  42. [42]
    Panic Drives Gas Shortages After Colonial Pipeline Ransomware ...
    May 11, 2021 · The Colonial Pipeline hack that shut down the major gasoline and jet fuel pipeline to large swaths of the South and the East Coast is leading to temporary ...
  43. [43]
    Cyberattack on Colonial Pipeline affected gas prices far less than ...
    Dec 16, 2021 · Tsvetanov discovered the Colonial Pipeline incident only led to a 4-cents-per-gallon increase in average gasoline prices in affected areas.
  44. [44]
    US issues emergency declaration following Colonial Pipeline ...
    May 10, 2021 · The 'regional emergency declaration” is meant to alleviate any disruptions to supply following the incident at Colonial Pipeline.<|control11|><|separator|>
  45. [45]
    Governor Northam Declares State of Emergency After Colonial ...
    May 11, 2021 · **RICHMOND—**Governor Ralph Northam today signed Executive Order Seventy-Eight declaring a state of emergency in Virginia to address gasoline ...
  46. [46]
    Ransomware cyberattack shuts down major US pipeline, company ...
    May 9, 2021 · A cyberattack has forced the shutdown of Colonial Pipeline, which delivers 45% of all fuel consumed on the East Coast.
  47. [47]
    Colonial Pipeline cyberattack reveals economic impact of ransomware
    May 12, 2021 · Economic impact of the attack. When critical infrastructure is hit and millions of barrels oil have to be carried on trucks, that really hurts.
  48. [48]
    Gas stations in the Southeast run out of gas as people panic buy fuel
    May 12, 2021 · As of 4 pm ET Wednesday, 68% of all gas stations in North Carolina, 45% in Georgia, 49% in Virginia and 45% in South Carolina were without ...
  49. [49]
    Cyber Case Study: Colonial Pipeline Ransomware Attack | INSURICA
    The pipeline shutdown spanned from May 7-12, 2021. The company reported that normal operations resumed on May 15. In addition to shutting down its pipeline, ...
  50. [50]
    Colonial Pipeline confirms it paid $4.4m ransom to hacker gang after ...
    May 19, 2021 · Colonial Pipeline confirms it paid $4.4m ransom to hacker gang after attack ... The operator of the nation's largest fuel pipeline confirmed it ...Missing: financial | Show results with:financial
  51. [51]
    Colonial Pipeline boss confirms $4.4m ransom payment - BBC
    May 19, 2021 · Colonial Pipeline has confirmed it paid a $4.4m (£3.1m) ransom to the cyber-criminal gang responsible for taking the US fuel pipeline offline.Missing: revenue | Show results with:revenue
  52. [52]
    The Colonial Pipeline Ransomware Attack and the Perils of Privately ...
    May 19, 2021 · Not only was it estimated to have cost a million and a half dollars a day in lost revenues and remediation expenses but it also caused the ...
  53. [53]
    The effect of the Colonial Pipeline shutdown on gasoline prices
    The Colonial Pipeline covers 5500 miles and is a major source of fuel supply for the Southeast and the East Coast, transporting 2.5 million barrels each day ( ...<|separator|>
  54. [54]
    Here's what the Colonial Pipeline cyberattack means for energy ...
    May 10, 2021 · On the week, prices jumped 6 cents and AAA forecasts a rise this week in reaction to the pipeline shutdown.
  55. [55]
    Cyber Insurance Premiums and Demand Surge After Boom of Costly ...
    Jun 28, 2022 · ... ransomware attack on Colonial Pipeline Company. In May 2021 ... The Colonial Pipeline incident was one among a surge of costly ransomware attacks ...
  56. [56]
    Analysis and insight on the Colonial Pipeline shutdown from OPIS
    The 2.5-million-b/d pipeline supplies about 45% of the East Coast's fuel supply, and the May 7-12 outage led to panic-buying and gas station closures in ...
  57. [57]
    A Closer Look at the DarkSide Ransomware Gang - Krebs on Security
    May 11, 2021 · DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments ...
  58. [58]
    Colonial Pipeline did pay ransom to hackers, sources now say - CNN
    May 13, 2021 · The group, previously identified as DarkSide, demanded nearly $5 million, two other sources familiar with the incident said.Missing: negotiation | Show results with:negotiation
  59. [59]
  60. [60]
    Colonial Pipeline boss 'deeply sorry' for cyber attack - BBC
    Jun 8, 2021 · Joseph Blount said the decision to pay hackers a $4.4m (£3.1m) ransom was the toughest in his career.Missing: details | Show results with:details
  61. [61]
    Colonial Pipeline CEO admits to authorizing $4.4 million ... - CNN
    May 19, 2021 · Colonial Pipeline CEO Joseph Blount said he authorized a ransom payment of $4.4 million in response to a cyberattack on the company's network earlier this ...
  62. [62]
    JBS, Colonial Pipeline paid $15 million in ransom, fueling FBI worries
    Jun 8, 2021 · “It is our policy, it is our guidance, from the FBI, that companies should not pay the ransom for a number of reasons,” Christopher Wray said in ...
  63. [63]
    Colonial Pipeline paid $5M ransom one day after hack, CEO tells ...
    Jun 8, 2021 · Colonial Pipeline CEO testifies to Congress after DOJ recovers ransom. The News with Shepard Smith. The company was attacked by a ransomware ...
  64. [64]
    US House Interrogates Colonial Pipeline CEO Joseph Blount
    a move that ultimately proved unnecessary when Colonial discovered it could ...
  65. [65]
    US Authorities Seize DarkSide Ransom | Elliptic
    Jun 7, 2021 · The US Department of Justice and the FBI today announced that they had seized 63.7 BTC of the 75 BTC ransom paid to DarkSide by Colonial Pipeline.<|control11|><|separator|>
  66. [66]
    How FBI Investigators Traced DarkSide's Funds - Chainalysis
    worth roughly $4.4 million at the time — to DarkSide, the Russia-based ...Missing: negotiation | Show results with:negotiation
  67. [67]
    DarkSide Ransomware Group Explained - Check Point Software
    Here we take a look at Darkside, a ransomware group that performs highly targeted attacks, including the Colonial Pipeline hack in early 2021.Missing: origin | Show results with:origin
  68. [68]
    What Is DarkSide Ransomware? - Akamai
    DarkSide ransomware is a type of malware that encrypts files, allowing attackers to demand a ransom in exchange for decryption keys.
  69. [69]
    DarkSide Ransomware Gang: An Overview
    May 12, 2021 · The DarkSide ransomware gang is responsible for an attack on a major U.S. pipeline company. Learn about their tactics and how to mitigate ...
  70. [70]
    [PDF] DarkSide Ransomware Analysis Report | Brandefense
    In this way, threat actors will notify the victim customers or press about the ransomware attack. The DarkSide ransomware gang has been sold ransomware as RaaS ...Missing: algorithm | Show results with:algorithm
  71. [71]
    Hacking group DarkSide responsible for Colonial Pipeline shutdown
    May 10, 2021 · A hacker group called DarkSide is behind the cyberattack on Colonial Pipeline that shut down a major oil pipeline over the weekend.
  72. [72]
    DarkSide Ransomware Hit Colonial Pipeline—and ... - WIRED
    May 10, 2021 · As the White House gets involved in the response, the group behind the malware is scrambling.
  73. [73]
  74. [74]
    How Ransomware Adversaries Reacted to the DarkSide Attack
    May 28, 2021 · Learn how the notorious ransomware operators have responded to the DarkSide pipeline attack and the effect it's had on the ...
  75. [75]
    [PDF] Lessons Learned from the Colonial Pipeline Ransomware Attack
    Aug 7, 2021 · This source cites three federal officials as stating, “Among the signs that the [DarkSide] hackers were novices is the fact that they chose a ...
  76. [76]
    Colonial Pipeline says one fuel line operating under manual control ...
    May 10, 2021 · Colonial Pipeline says one fuel line operating under manual control after cyber attack. By Reuters. May 10, 20215:53 PM PDTUpdated May 10, 2021.Missing: transition | Show results with:transition
  77. [77]
    [PDF] Before the - Pipeline Risk Management Information System (PRIMIS)
    Jun 6, 2022 · Colonial pipeline failed to provide a procedure to satisfy the ... initiate manual operations where possible. The full restart, which ...
  78. [78]
    Ransomware Impacting Pipeline Operations - CISA
    Oct 24, 2020 · The attack did not impact any programmable logic controllers (PLCs) and at no point did the victim lose control of operations. Although the ...
  79. [79]
    [PDF] PIPELINE CYBERSECURITY: PROTECTING CRITICAL ...
    Jul 27, 2021 · ransomware against Colonial Pipeline's information technology network. ... of manual operations. Additionally, personnel must be qualified ...
  80. [80]
    US PHMSA penalizes Colonial Pipeline nearly $1 million for control ...
    May 10, 2022 · “The NOPV alleges that failures to adequately plan and prepare for a manual restart and shutdown operation contributed to the national impacts ...
  81. [81]
    Colonial Pipeline restarts after hack, but supply chain won't return to ...
    May 12, 2021 · Colonial Pipeline restarted operations Wednesday at approximately 5 p.m. ET after a ransomware attack last week forced the entire system offline ...
  82. [82]
    Media Statement Update: Colonial Pipeline System Disruption - IWS
    May 11, 2021 · Wednesday, May 12, 5:11 p.m. Colonial Pipeline initiated the restart of pipeline operations today at approximately 5 p.m. ET. Following this ...Missing: details | Show results with:details
  83. [83]
    Colonial Restarts Operations At Key Pipeline After Cyberattack - NPR
    May 12, 2021 · Colonial Pipeline said Wednesday it has "initiated the restart of pipeline operations" after suffering a cyberattack while warning it would take several days ...Missing: exact | Show results with:exact
  84. [84]
    Colonial Pipeline resumes normal operations after hack - CNBC
    May 15, 2021 · Colonial restarted operations around 5 p.m. ET on Wednesday but warned that the pipeline would not be fully functional immediately. A U.S. ...
  85. [85]
    US's Colonial Pipeline announces restart following cyberattack
    May 12, 2021 · US's Colonial Pipeline announces restart following cyberattack. Even with full service restored, it will take about two weeks for gasoline ...
  86. [86]
    What we know about the Colonial Pipeline ransomware cyberattack
    May 10, 2021 · The FBI added that it will continue to work with the company and government partners on the ongoing investigation. The Darkside criminal ...<|separator|>
  87. [87]
    CISA left in the dark during Colonial Pipeline's initial response
    May 12, 2021 · Colonial was very careful, and chose to shut down part of the pipeline out of concern the ransomware would jump from its IT environments to its OT environments.
  88. [88]
    How One Compromised VPN Account Brought Down Colonial ...
    Jun 20, 2025 · The ransomware attack against Colonial Pipeline in May 2021 demonstrates how a single compromised VPN account can paralyze critical ...
  89. [89]
    Cybersecurity Policy Responses to the Colonial Pipeline ...
    Mar 7, 2023 · State regulators were also motivated to act due to the underlying dangers demonstrated by the Colonial Pipeline attack and the chaos it created, ...Missing: pre- context
  90. [90]
    Executive Order 14028 and Federal Acquisition Regulation (FAR)
    Mar 10, 2022 · In response to incidents such as the Colonial Pipeline and Solar Winds attacks, on May 12, 2021, President Biden signed executive order 14028 ...
  91. [91]
    Critical infrastructure continues to call for more attention two years ...
    May 6, 2023 · The Colonial Pipeline attack led President Joe Biden to issue Executive Order 14028 which focuses on improving the nation's cybersecurity.
  92. [92]
    [PDF] OIG-23-57 - Better TSA Tracking and Follow-up for the 2021 Security ...
    Sep 26, 2023 · The 2021 Colonial Pipeline data breach and ransomware attack illustrated vulnerabilities in private industry and government networks and systems ...
  93. [93]
    A Guide for OT Professionals on TSA Pipeline Security Directives ...
    Mar 20, 2025 · The TSA Pipeline Security Directives, initially issued in 2021 and updated annually, outlined critical measures to secure pipeline operations ...
  94. [94]
    FACT SHEET: Biden Administration Announces Further Actions to ...
    Jul 28, 2021 · Following the ransomware attack on a major petroleum pipeline in May 2021, TSA issued an initial Security Directive requiring critical pipeline ...
  95. [95]
    TSA Is Taking Steps to Address Some Pipeline Security Program ...
    Jul 27, 2021 · TSA's July 2021 cybersecurity directive mandates that certain pipeline owner/operators implement cybersecurity mitigation measures; develop a ...
  96. [96]
    Pipeline Cybersecurity: Protecting Critical Infrastructure - TSA
    Jul 27, 2021 · The first Security Directive issued by TSA following the Colonial Pipeline incident requires pipeline owners and operators of critical ...
  97. [97]
    TSA Security Directive Requires 30-Day Cybersecurity Assessments ...
    Jun 2, 2021 · TSA Security Directive Requires 30-Day Cybersecurity Assessments, Rapid Incident Notification for "Critical" Pipeline and LNG Facilities.Missing: overreach | Show results with:overreach
  98. [98]
    TSA's Pipeline of Cybersecurity Requirements | Insights
    Aug 13, 2021 · The Transportation Security Administration (TSA) on July 20, 2021, reversed two decades of pipeline cybersecurity policies.
  99. [99]
    IMPACTS OF EMERGENCY AUTHORITY CYBERSECURITY ...
    While the Colonial Pipeline ransomware incident in 2021 propelled TSA into ... This is exactly the conservative perspective of Government overreach. So ...
  100. [100]
    None
    Nothing is retrieved...<|separator|>
  101. [101]
    Federal Legislation Considers Banning Ransom Payments to Hackers
    Jun 17, 2021 · Others in this camp have noted that banning ransomware payments would be a “regulatory overreach that would ultimately act to weaken the safety ...
  102. [102]
    Should Paying Ransoms to Attackers Be Banned? - BankInfoSecurity
    May 24, 2021 · "A federal law to ban ransomware payments reminds me of the calls to weaken encryption standards, another example of regulatory overreach that ...
  103. [103]
    How could the Colonial Pipeline hack have been prevented?
    Sep 16, 2021 · While some feel that this may constitute government overreach, in the wake of Colonial Pipeline's shutdown, many feel that the country's ...
  104. [104]
    TSA updates, renews cybersecurity requirements for pipeline ...
    Jul 26, 2023 · The Transportation Security Administration (TSA) announced an update to its Security Directive regarding oil and natural gas pipeline cybersecurity.
  105. [105]
    Colonial Pipeline incident helped reinforce cybersecurity across ...
    May 7, 2022 · Shortly after the attack, the U.S. administration released an executive order intended to improve national cybersecurity, highlighting the need ...
  106. [106]
    Colonial Pipeline paid ransomware hackers $5 million, U.S. official ...
    May 13, 2021 · The FBI has historically discouraged, but not prohibited, American ransomware victims from paying hackers, as a payment isn't guaranteed to work ...
  107. [107]
    Ransomware and Federal Law: Cybercrime and Cybersecurity
    Oct 5, 2021 · For example, in May 2021, a ransomware attack prompted the Colonial Pipeline Company to shut down its network temporarily, impacting gasoline ...
  108. [108]
    (PDF) To Pay or Not to Pay- The US Colonial Pipeline Ransomware ...
    Aug 18, 2024 · ... 2021 ransomware attack on Colonial Pipeline ... immediately disrupted fuel supplies across the Southeastern U.S., leading to panic buying and gas.
  109. [109]
    The Colonial Pipeline attackers wanted money. Should companies ...
    May 12, 2021 · In extreme cases, companies could go under if they don't pay a ransom and the wider impact on the economy could be huge. That's why it's not ...
  110. [110]
    Should there be a total ban on ransomware payments? - IBM
    The U.S. government is debating restrictions on whether companies should be allowed to make ransomware payments. But what effects would such a ban create?
  111. [111]
    Should Ransomware Payments Be Illegal? - Tanium
    Dec 2, 2021 · Legislation advocates believe organizations paying ransom demands incentivize hackers. Skeptics say such laws punish victims; they suggest ...
  112. [112]
    Should ransomware payments be illegal? - Considerations for (re ...
    Jul 2, 2021 · Banning ransomware payments would have a direct effect on cyber insurance policies that cover cyber-related business interruption (BI).