On May 7, 2021, Colonial Pipeline Company — the operator of the largest refined products pipeline in the United States, spanning approximately 5,500 miles from Houston, Texas to Linden, New Jersey — was hit by a ransomware attack carried out by the DarkSide cybercriminal group. The attack forced Colonial Pipeline to shut down all pipeline operations for six days, triggering fuel shortages, panic buying, and gas station closures across the southeastern United States. The company paid a ransom of approximately $4.4 million in Bitcoin, of which the U.S. Department of Justice later recovered approximately $2.3 million. The incident became a watershed moment for critical infrastructure security and demonstrated how a single compromised credential linked to third-party access can have cascading physical consequences.
How the Attack Began
According to reporting by Bloomberg and testimony by Colonial Pipeline CEO Joseph Blount before the U.S. Senate Committee on Homeland Security, the attackers gained initial access through a compromised password on a legacy VPN account. The VPN account was not protected by multi-factor authentication (MFA). Blount confirmed in his June 2021 Congressional testimony that the compromised VPN account was no longer in active use but had not been deactivated.
While the exact source of the compromised credential has not been definitively established publicly, forensic analysis suggested the password had appeared in a batch of credentials leaked on the dark web from a previous, unrelated data breach. That is consistent with the same password having been reused on another service that was later compromised, so the exposure came from a third-party breach rather than from Colonial Pipeline's own systems.
The Impact
Upon discovering the ransomware on May 7, Colonial Pipeline proactively shut down its pipeline operations as a precautionary measure. The company's IT systems were compromised, and the decision was made to halt operations to prevent the attack from potentially spreading to operational technology (OT) systems that control the physical pipeline.
| Impact Category | Details |
|---|---|
| Pipeline Length | Approximately 5,500 miles |
| Fuel Capacity | ~2.5 million barrels per day (45% of East Coast fuel supply) |
| Shutdown Duration | 6 days (May 7 – May 12, 2021) |
| Ransom Paid | $4.4 million (75 Bitcoin) — paid May 8, 2021 |
| DOJ Recovery | Approximately $2.3 million recovered on June 7, 2021 |
| Gas Station Impact | Over 10,000 gas stations ran out of fuel |
The six-day shutdown caused significant disruptions. Average gas prices rose above $3 per gallon nationally for the first time since 2014. States across the Southeast experienced fuel shortages, with some areas reporting that over 70% of gas stations were without fuel. The federal government declared a state of emergency, and the Department of Transportation issued an emergency declaration relaxing hours-of-service regulations for fuel truck drivers.
The Third-Party Credential Problem
The Colonial Pipeline attack highlights a third-party risk management challenge that many organizations face: the exposure of credentials through unrelated third-party breaches. When employees or service accounts reuse passwords across multiple services, a breach of any one of those services can provide attackers with valid credentials for the target organization.
In this case, the compromised VPN credential likely originated from a breach of a third-party service where the same password had been used. This represents a form of indirect third-party risk that is difficult to detect through traditional vendor risk assessments. The affected VPN account was a legacy account that was no longer in active use but had never been decommissioned — a common gap in identity and access management hygiene.
Federal Response and Policy Changes
The Colonial Pipeline attack galvanized federal action on critical infrastructure cybersecurity. On June 7, 2021, the Department of Justice announced the recovery of approximately $2.3 million of the ransom payment, tracing the Bitcoin through the blockchain to a wallet for which the FBI had obtained the private key.
The Transportation Security Administration (TSA), which oversees pipeline security, issued two Security Directives in 2021. The first (May 2021) required pipeline operators to report cybersecurity incidents and designate a cybersecurity coordinator. The second (July 2021) required pipeline operators to implement specific cybersecurity measures, including protection against unauthorized access, detection of cybersecurity threats, and contingency planning for cyber incidents.
CISA and the FBI issued a joint advisory detailing indicators of compromise associated with DarkSide ransomware and providing mitigation guidance, including the implementation of MFA, network segmentation between IT and OT environments, and regular patching of internet-facing systems.
Implications for Vendor Risk Management
The Colonial Pipeline incident reinforced several key principles for organizations managing third-party risk:
- MFA is non-negotiable for vendor access: Any remote access mechanism — VPN, RDP, web portal — used by vendors or employees must be protected by multi-factor authentication. Single-factor credentials are insufficient regardless of password complexity.
- Credential monitoring: Organizations should actively monitor dark web and breach databases for credentials associated with their domains and systems, and force password resets when exposed credentials are detected.
- Access lifecycle management: Legacy, orphaned, and unused accounts are a form of unmanaged vendor access. TPRM programs must include regular access recertification and automated deprovisioning of inactive accounts.
- IT/OT segmentation: For organizations operating critical infrastructure, TPRM assessments must evaluate the potential for IT-side vendor compromises to cascade into operational technology environments.
- FAIR risk quantification: The Colonial Pipeline attack resulted in losses far exceeding the $4.4 million ransom — including operational downtime, reputational damage, regulatory costs, and broader economic impact. FAIR analysis helps organizations quantify these cascading loss scenarios and prioritize security investments accordingly.
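The account gaps described under "The Third-Party Credential Problem" and the first three principles above (MFA on every remote-access account, breach-credential monitoring, deprovisioning of inactive accounts) can be turned into a routine audit. The script below is an added example, not Colonial Pipeline's or Fair TPRM's code: it flags enabled VPN accounts that lack MFA, have not logged in within an assumed 90-day recertification window, or whose password hash appears in a breach corpus. The account records, the leaked passwords and the 90-day limit are all constructed; the corpus is keyed by SHA-1 prefix in the k-anonymity layout used by the Pwned Passwords range API, so a real lookup would send only the five-character prefix.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

INACTIVITY_LIMIT = timedelta(days=90)   # assumed recertification window

@dataclass
class VpnAccount:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]   # None = never logged in
    password_sha1: str           # uppercase hex SHA-1 of the current password

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()

# Constructed breach corpus keyed by 5-char SHA-1 prefix (Pwned Passwords
# k-anonymity layout): only the prefix is queried, suffixes are matched locally.
LEAKED_CORPUS: Dict[str, Set[str]] = {}
for _h in (sha1_hex(p) for p in ("Winter2020!", "Password1")):   # constructed leaks
    LEAKED_CORPUS.setdefault(_h[:5], set()).add(_h[5:])

def is_leaked(password_sha1: str, corpus: Dict[str, Set[str]]) -> bool:
    return password_sha1[5:] in corpus.get(password_sha1[:5], set())

def audit(accounts: List[VpnAccount], today: date, corpus=LEAKED_CORPUS) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {}      # username -> failed controls
    for acct in accounts:
        if not acct.enabled:
            continue                          # already deprovisioned
        issues = []
        if not acct.mfa_enrolled:
            issues.append("no-mfa")
        if acct.last_login is None or today - acct.last_login > INACTIVITY_LIMIT:
            issues.append("inactive")         # candidate for deprovisioning
        if is_leaked(acct.password_sha1, corpus):
            issues.append("leaked-password")  # force a reset
        if issues:
            findings[acct.username] = issues
    return findings

SAMPLE_ACCOUNTS = [   # constructed; the first mirrors the legacy-account gap
    VpnAccount("legacy-contractor", True, False, date(2020, 11, 3), sha1_hex("Winter2020!")),
    VpnAccount("ops-engineer", True, True, date(2021, 5, 6), sha1_hex("long-unique-phrase-9k")),
    VpnAccount("old-vendor", False, False, date(2019, 1, 1), sha1_hex("Password1")),
]

def run_sample() -> Dict[str, List[str]]:
    return audit(SAMPLE_ACCOUNTS, date(2021, 5, 7))
```

Run against a real directory export, the `findings` map is the recertification worklist: anything tagged `inactive` is disabled, anything tagged `leaked-password` or `no-mfa` is blocked until reset and enrolment.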
Sources & References
- Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside - U.S. Department of Justice, June 2021
- Hackers Breached Colonial Pipeline Using Compromised Password - Bloomberg, June 2021
- DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks - CISA/FBI Joint Advisory, May 2021
- Threats to Critical Infrastructure: Examining the Colonial Pipeline Cyber Attack - U.S. Senate Committee on Homeland Security, June 2021
- Security Directive Pipeline-2021-01: Enhancing Pipeline Cybersecurity - Transportation Security Administration, May 2021