FORENSIC LEGIBILITY EXAMINER
CASE 063 CONTROLLED ACCESS & AUTHORIZATION 2026-02-28 DISPOSITION: DORMANT CREDENTIAL PERSISTENCE IN CRITICAL INFRASTRUCTURE ARCHIVE

Critical Infrastructure Access Authority Failure Through Dormant Credential Exploitation at Colonial Pipeline

When a credential for accessing a critical infrastructure network remains active after the person it was issued to has stopped using it, the access control system contains an open entry point that no one is monitoring because no one believes it is in use. The credential is technically valid — the authentication system will accept it — but it corresponds to no active user, no current role, and no operational need. An attacker who obtains the credential presents it to an authentication system that cannot distinguish between a legitimate user returning to an unused account and an unauthorized party who acquired the password. The access control verifies the credential. It does not verify that the credential should still exist.
Failure classification: Inactive Credential Persisting Without Lifecycle Deactivation

Context

Colonial Pipeline operates the largest refined petroleum pipeline in the United States, transporting approximately 2.5 million barrels per day of gasoline, diesel, jet fuel, and heating oil from Gulf Coast refineries to markets across the southeastern and eastern United States. The pipeline's operational technology (OT) network — the systems controlling physical pipeline operations — was separate from the company's information technology (IT) network handling business functions, communications, and billing. Remote access to the IT network was available through VPN connections authenticated by username and password.

Among the VPN accounts in Colonial's authentication system was a legacy VPN profile that, according to the company's CEO, was not intended to be in use. The account had never been deactivated through any credential lifecycle process: it remained in the authentication database, capable of accepting its password and granting network access. The account did not require multi-factor authentication, and its password had appeared in a batch of credentials leaked from a breach of another service, indicating that the password had been reused across platforms. Nothing in the access control system could detect or prevent either condition: a stale account that still authenticates, or a password already in attackers' hands.

Trigger

The DarkSide ransomware group entered Colonial Pipeline's IT network through the compromised VPN credential; the initial access was later traced to April 29, 2021. On May 7, 2021, the attackers deployed ransomware that encrypted business systems and exfiltrated approximately 100 gigabytes of data. Colonial detected the attack and shut down pipeline operations the same day, not because the ransomware had reached the OT network, but because Colonial could not confirm that the IT and OT networks were sufficiently isolated. The precautionary shutdown acknowledged an uncertainty the company could not resolve: it did not know whether the boundary between its business network and its pipeline control network would hold.

The six-day shutdown caused gasoline shortages across the southeastern United States, triggered panic buying, and forced the federal government to issue emergency declarations waiving fuel-transport restrictions. Colonial paid DarkSide a ransom of 75 bitcoin, worth approximately $4.4 million at the time. On June 7, 2021, the Department of Justice announced that it had seized 63.7 of those bitcoin, worth approximately $2.3 million at the time of seizure, after obtaining the private key for the wallet that held them.

Failure Condition

The VPN authentication system performed its designed function: it received a credential, checked it against the stored account, and granted access because the credential was valid. The system could not evaluate whether the credential should still be active, whether the person presenting it was the person it was issued to, or whether the account corresponded to a current operational need. A dormant account with a compromised password and no second authentication factor was indistinguishable from an active account with a secure password — both produced the same authentication result. The access control verified the credential without verifying the credential's continued legitimacy.
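The two checks contrasted above, as an added example that is not Colonial Pipeline's code or any vendor's: a password-only authenticate function beside one that also evaluates the account's lifecycle state (owner still active, account not dormant, MFA enrolled and passed, password not in a breach corpus), plus a sweep that lists accounts a deprovisioning process should already have disabled. The accounts, the 90-day dormancy threshold, the HR "active employee" attribute, the reference date and the breached-password set are all constructed; a real deployment would query the HIBP Pwned Passwords range API or an equivalent corpus rather than a local set.

```python
"""Password-only authentication beside lifecycle-aware authentication.
Added illustration, not Colonial Pipeline's code; every account, date and
breach entry below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
import hashlib
import hmac

NOW = datetime(2021, 5, 7, tzinfo=timezone.utc)  # constructed reference time; production uses datetime.now()
DORMANCY_LIMIT = timedelta(days=90)               # assumed policy: disable after 90 idle days


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes        # sha256(salt + password); a real system would use a slow KDF
    mfa_enrolled: bool
    last_login: Optional[datetime]
    active_employee: bool       # assumed attribute fed from the HR / identity system


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed stand-in for a breached-password corpus, keyed by SHA-1 as the
# HIBP Pwned Passwords service does. Real deployments use its range (k-anonymity) API.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123", "Spring2019!", "pipeline2020")
}


def password_is_breached(password: str) -> bool:
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


def _password_matches(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password_hash, _hash(acct.salt, password))


def legacy_authenticate(acct: Account, password: str) -> bool:
    """The failure mode: a valid password is the whole decision."""
    return _password_matches(acct, password)


def lifecycle_authenticate(acct: Account, password: str, mfa_ok: bool) -> Tuple[bool, List[str]]:
    """A valid password is necessary, not sufficient. Returns (allowed, reasons)."""
    if not _password_matches(acct, password):
        return False, ["bad-password"]
    reasons = []
    if not acct.active_employee:
        reasons.append("owner-inactive")
    if acct.last_login is None or NOW - acct.last_login > DORMANCY_LIMIT:
        reasons.append("dormant")
    if not acct.mfa_enrolled:
        reasons.append("no-mfa")
    elif not mfa_ok:
        reasons.append("mfa-failed")
    if password_is_breached(password):
        reasons.append("breached-password")
    return not reasons, reasons


def audit_dormant_accounts(accounts: List[Account]) -> List[str]:
    """Lifecycle sweep: accounts a deprovisioning process should already have disabled."""
    return sorted(
        a.username for a in accounts
        if not a.active_employee or a.last_login is None or NOW - a.last_login > DORMANCY_LIMIT
    )


def _make(username, password, mfa, last_login, active) -> Account:
    salt = hashlib.sha256(username.encode()).digest()[:16]   # deterministic salt for the demo only
    return Account(username, salt, _hash(salt, password), mfa, last_login, active)


# Constructed accounts: a stale profile with a reused, leaked password and no MFA,
# beside a current operator account.
ACCOUNTS = [
    _make("legacy-vpn", "Spring2019!", False, NOW - timedelta(days=400), False),
    _make("ops-jdoe", "fV7!rq2Lm#9s", True, NOW - timedelta(days=1), True),
]

if __name__ == "__main__":
    print("legacy check:", legacy_authenticate(ACCOUNTS[0], "Spring2019!"))
    print("lifecycle check:", lifecycle_authenticate(ACCOUNTS[0], "Spring2019!", mfa_ok=False))
    print("should be disabled:", audit_dormant_accounts(ACCOUNTS))
```

The point of returning the full reason list rather than stopping at the first failure is that each reason maps to a different control owner: "owner-inactive" is a deprovisioning gap, "dormant" is an inactivity policy gap, "no-mfa" is an enrollment gap, and "breached-password" is a password-hygiene gap. The sweep function is what a lifecycle process runs on a schedule; the authenticate function is the last line of defence when the sweep has not run.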

The precautionary pipeline shutdown revealed a second structural gap. Colonial shut down the OT network not because the attackers reached it, but because Colonial could not verify that its IT/OT segmentation was effective. The company operated critical physical infrastructure and could not confirm, under attack conditions, that the boundary between its business systems and its pipeline control systems would prevent lateral movement. The segmentation existed as an architectural claim. Under the conditions where the claim mattered — active compromise of the IT network — the company could not verify the claim was true, and chose to shut down the pipeline rather than test it.
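The segmentation claim described above, checked rather than assumed, as an added example that is not Colonial Pipeline's configuration: a first-match evaluator over a constructed firewall rule set, run against the boundary as documented and as deployed, with an invariant that only a designated jump host may reach the OT network. The subnets, the jump host, the rules and the probe flows are all assumed. The static rule scan ignores shadowing by earlier rules, which is why the probe-based evaluation is the authoritative check.

```python
"""Test an IT/OT segmentation claim against the deployed rule set.
Added illustration, not Colonial Pipeline's configuration; subnets, rules,
hosts and ports are assumed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

net = ipaddress.ip_network
addr = ipaddress.ip_address

IT_NET = net("10.10.0.0/16")      # assumed business (IT) network
OT_NET = net("10.200.0.0/16")     # assumed pipeline control (OT) network
JUMP = addr("10.10.50.10")        # assumed hardened jump host: the only sanctioned IT->OT path


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]            # None matches any destination port
    action: str                    # "allow" or "deny"


def evaluate(rules: List[Rule], src, dst, port: int) -> str:
    """First-match evaluation with an implicit final deny."""
    for r in rules:
        if src in r.src and dst in r.dst and r.port in (None, port):
            return r.action
    return "deny"


def segmentation_violations(rules: List[Rule], probes) -> List[Tuple[str, str, int]]:
    """probes: (src, dst, port) flows an attacker holding an IT host would attempt.
    Returns those the rule set allows in breach of 'only the jump host reaches OT'."""
    return [
        (str(s), str(d), p) for s, d, p in probes
        if s in IT_NET and d in OT_NET and s != JUMP and evaluate(rules, s, d, p) == "allow"
    ]


def bridging_allow_rules(rules: List[Rule]) -> List[Rule]:
    """Static review: allow rules whose source overlaps IT (other than the jump host)
    and whose destination overlaps OT. Ignores shadowing by earlier rules, so pair it
    with the probe-based check above."""
    jump_net = net(f"{JUMP}/32")
    return [
        r for r in rules
        if r.action == "allow" and r.src.overlaps(IT_NET) and r.dst.overlaps(OT_NET)
        and r.src != jump_net
    ]


# The boundary as documented in the architecture diagram.
DOCUMENTED = [
    Rule(net("10.10.50.10/32"), OT_NET, 3389, "allow"),   # jump host RDP into OT
    Rule(IT_NET, OT_NET, None, "deny"),
]

# The boundary as deployed: a vendor exception (Modbus/TCP from an IT subnet)
# added long ago and never removed sits in front of the documented rules.
DEPLOYED = [Rule(net("10.10.5.0/24"), OT_NET, 502, "allow")] + DOCUMENTED

# Constructed probes from compromised IT hosts toward an OT controller.
PROBES = [
    (addr("10.10.5.23"), addr("10.200.1.5"), 502),    # IT workstation -> Modbus
    (addr("10.10.5.23"), addr("10.200.1.5"), 3389),   # IT workstation -> RDP
    (addr("10.10.77.4"), addr("10.200.1.5"), 502),    # IT host outside the exception subnet
    (JUMP, addr("10.200.1.5"), 3389),                 # sanctioned jump-host path
]

if __name__ == "__main__":
    print("documented:", segmentation_violations(DOCUMENTED, PROBES))
    print("deployed:  ", segmentation_violations(DEPLOYED, PROBES))
    print("bridging rules:", bridging_allow_rules(DEPLOYED))
```

Running the same probes against the documented and the deployed rule sets is the whole exercise: the diagram passes, the live configuration does not, and the difference is exactly the kind of forgotten exception that turns an architectural claim into an assumption nobody can stand behind during an incident. In practice the probes come from an export of the actual firewall policy and are supplemented by live connectivity tests from a host on the IT side.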

Observed Response

Colonial Pipeline restored operations after six days. The company implemented multi-factor authentication across remote access points and overhauled credential lifecycle management. The Biden administration issued Executive Order 14028 on improving the nation's cybersecurity, and the Transportation Security Administration issued security directives requiring pipeline operators to implement specific cybersecurity measures — the first mandatory federal cybersecurity requirements for the pipeline sector. The DarkSide group publicly dissolved shortly after the attack, though member groups continued operating under different names. The incident became a reference case for critical infrastructure cybersecurity policy, demonstrating that a single compromised credential for a business network could force the shutdown of physical infrastructure serving tens of millions of people.

Analytical Findings

References
  1. Blount, Joseph, CEO of Colonial Pipeline, testimony before the U.S. Senate Committee on Homeland Security and Governmental Affairs, June 8, 2021.
  2. U.S. Department of Justice, "Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside," press release, June 7, 2021.
  3. Executive Order 14028, "Improving the Nation's Cybersecurity," May 12, 2021.
  4. Transportation Security Administration, Security Directive Pipeline-2021-01 (May 27, 2021) and Security Directive Pipeline-2021-02 (July 20, 2021), pipeline cybersecurity.
  5. Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation, Joint Cybersecurity Advisory AA21-131A, "DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks," May 11, 2021.