CyberGrant Team, Dec 5, 2025, 5 min read

#3 Cold Case: Colonial Pipeline offensive

Colonial Pipeline ransomware: a VPN breach in critical infrastructure

Cold Case Colonial Pipeline: How One Forgotten Account Triggered a National Fuel Disruption

It is the middle of the night in a suburban office. A technician opens a laptop, types a password found in an old database on the dark web. No second factor, no alert. Just one click, and the digital gates of one of the most critical infrastructures in the United States swing open.

This is the beginning of the Colonial Pipeline case, one of the most instructive cybersecurity cold cases for leaders responsible for industrial networks and essential services.


The Critical Infrastructure That Came to a Halt

Colonial Pipeline operates more than five thousand miles of pipelines transporting gasoline, diesel and jet fuel from Texas to the East Coast. About forty-five percent of the fuel consumed on the East Coast flows through those pipes.

On May 7, 2021, the company suffers a ransomware attack. Its IT systems are hit and the organization decides to shut down the entire pipeline for several days as a precaution. The outcome is well known: long lines at gas stations, airports in difficulty, a federal state of emergency. The group responsible is called DarkSide, as confirmed by the FBI a few hours later.


How Attackers Breached a Pipeline Without Touching a Single Industrial Component

Behind the spectacular ending lies an almost banal sequence.

1. The forgotten VPN account (Initial Access Risk) – No MFA, exposed credentials

The initial access occurs through a single VPN account no longer in use but still active, protected only by a password. No multi-factor authentication. The password, complex but reused, had ended up online after a breach on another service. An exposed credential with no upstream checks: a convenient entry point for anyone who knows where to look.

2. Silent lateral reconnaissance and data exfiltration

Once inside, the criminals map the infrastructure and gather information. Nearly one hundred gigabytes of corporate data are exfiltrated before encryption.

3. Ransomware execution and organizational paralysis

On May 7, the ransomware is launched on the IT systems. Workstations in the administrative area and IT servers are encrypted. Industrial control systems are not directly impacted, but the company still decides to shut down the entire pipeline to prevent a potential jump from IT to OT and to manage the chaos.

The company pays approximately 75 bitcoin, worth 4.4 million dollars at the time, to obtain the decryption key, as also reported by The Guardian.

A few weeks later, the Department of Justice recovers 63.7 bitcoin. But the damage is already done. Images of empty gas pumps spread worldwide, turning a single forgotten account into a national security crisis.


What an Offensive Security Program Would Have Changed for Colonial Pipeline

The Colonial Pipeline case is a living manual of everything CyberGrant Offensive Services are designed to test before criminals do. Three main weaknesses stand out:

  • Remote access without modern security controls

  • No realistic ransomware simulations

  • Lack of visibility and segmentation in IT-to-OT boundaries


Offensive Recon: Identifying Exposed Credentials Before Criminals Do

CyberGrant’s Offensive Services begin with an ethical recon phase – the same reconnaissance a ransomware group like DarkSide would perform.

An offensive team would have:

  • searched for exposed credentials on the dark web

  • tested VPN gateways for MFA enforcement

  • discovered lingering, deactivated, or misconfigured accounts

  • simulated entry using a decommissioned credential to show the real attack path

The outcome: a precise, evidence-based report highlighting how a forgotten VPN account could lead straight to core systems.
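The account-discovery step above can be turned into a repeatable defensive check. The following is an added example, not CyberGrant's code: it audits a constructed export of a VPN gateway's user store against an HR roster and flags the exact combination that opened the door here, an enabled account nobody owns or uses that still accepts a password alone. The account records, roster, thresholds and severity scheme are all assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample export of a VPN gateway's user store (hypothetical data):
# one healthy account, two forgotten ones, one disabled, one missing MFA.
VPN_ACCOUNTS = [
    {"user": "jdoe",        "enabled": True,  "mfa": True,  "last_login": "2021-04-30"},
    {"user": "contractor7", "enabled": True,  "mfa": False, "last_login": "2020-11-02"},
    {"user": "ops-legacy",  "enabled": True,  "mfa": False, "last_login": None},
    {"user": "msmith",      "enabled": False, "mfa": False, "last_login": "2019-06-15"},
    {"user": "amartin",     "enabled": True,  "mfa": False, "last_login": "2021-04-29"},
]
# Constructed HR roster of people who should still hold remote access.
ACTIVE_STAFF = {"jdoe", "amartin", "msmith"}

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

def audit_vpn_accounts(accounts, roster, today_iso, dormant_days=90):
    """Return findings for enabled accounts that could be used unchallenged.

    Rules (assumptions for this example, not a product setting):
      ghost   - enabled, but the owner is not on the HR roster
      dormant - enabled, no login within dormant_days
      no-mfa  - enabled, password only
    A ghost or dormant account without MFA is CRITICAL: that is the
    forgotten, single-factor path described in the case above.
    """
    cutoff = date.fromisoformat(today_iso) - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot log in; nothing to report
        reasons = []
        if acct["user"] not in roster:
            reasons.append("ghost: no current owner in HR roster")
        last = acct["last_login"]
        if last is None or date.fromisoformat(last) < cutoff:
            reasons.append(f"dormant: no login in the last {dormant_days} days")
        if not acct["mfa"]:
            reasons.append("no-mfa: password-only authentication")
        if not reasons:
            continue
        forgotten = any(r.startswith(("ghost", "dormant")) for r in reasons)
        severity = "CRITICAL" if forgotten and not acct["mfa"] else "HIGH" if forgotten else "MEDIUM"
        findings.append({"user": acct["user"], "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])

if __name__ == "__main__":
    for f in audit_vpn_accounts(VPN_ACCOUNTS, ACTIVE_STAFF, "2021-05-06"):
        print(f"{f['severity']:8} {f['user']:12} {'; '.join(f['reasons'])}")
```

Run against a real export, the CRITICAL rows are the accounts to disable first; the MEDIUM rows are the ones to enrol in MFA before they become the next ghost.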


Simulating Real-World Ransomware Before It Arrives

Another essential step is ransomware emulation and executive tabletop exercises that prepare the organization for worst-case scenarios.

CyberGrant would have:

  • designed a red team campaign to simulate ransomware deployment

  • measured detection time, isolation capability and backup readiness

  • executed crisis simulations involving IT, OT, Legal and Executive Leadership

Key strategic questions addressed:

  • When do we shut down the pipeline?

  • Who decides whether to pay?

  • How do we communicate with regulators and federal agencies?

Ransomware resilience is not theoretical. It is measured through controlled, realistic testing.


IT-OT Segmentation Failures: The Blind Spot in Critical Infrastructure Security

CISA highlighted a key lesson: the absence of a clear, enforceable boundary between IT and OT networks.

An offensive engagement would have:

  • mapped lateral movement paths between IT and OT

  • identified segmentation gaps and shared accounts

  • tested whether an attacker could reach pipeline control consoles

  • simulated an IT-to-OT pivot to expose systemic weakness

Knowing how realistic a cross-domain compromise actually is enables leaders to build escalation plans that don’t hinge on shutting down an entire national pipeline.
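Mapping IT-to-OT paths starts with the rule base that is supposed to enforce the boundary. This added example (not CyberGrant's code) reviews a constructed, first-match-wins firewall policy in two ways: statically, listing every allow rule that lets an IT or VPN source overlap the OT zone, and dynamically, probing which rule a specific flow hits. The zones, rules, addresses and ports are all made up for the example; the point it illustrates is that a catch-all VPN rule placed above the OT deny quietly gives remote users more reach than the corporate LAN has.

```python
import ipaddress

# Constructed zones and a hypothetical first-match-wins rule base; the
# addresses, names and ports are made up for this example.
ZONES = {
    "vpn_pool":   ipaddress.ip_network("10.200.0.0/16"),
    "corp_it":    ipaddress.ip_network("10.10.0.0/16"),
    "ot_control": ipaddress.ip_network("172.16.0.0/16"),
}
RULES = [
    {"name": "historian-sync", "action": "allow", "src": "10.10.5.0/24",  "dst": "172.16.1.10/32", "ports": {4443}},
    {"name": "remote-admin",   "action": "allow", "src": "10.200.0.0/16", "dst": "0.0.0.0/0",      "ports": "any"},
    {"name": "deny-to-ot",     "action": "deny",  "src": "0.0.0.0/0",     "dst": "172.16.0.0/16",  "ports": "any"},
    {"name": "corp-egress",    "action": "allow", "src": "10.10.0.0/16",  "dst": "0.0.0.0/0",      "ports": {80, 443}},
]

def allow_rules_into_ot(rules, zones):
    """Static review: allow rules whose source overlaps an IT/VPN zone and whose
    destination overlaps OT. Returns (name, is_broad); broad = any port or any dst."""
    it_side = (zones["vpn_pool"], zones["corp_it"])
    hits = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = ipaddress.ip_network(r["src"]), ipaddress.ip_network(r["dst"])
        if any(src.overlaps(z) for z in it_side) and dst.overlaps(zones["ot_control"]):
            broad = r["ports"] == "any" or dst.prefixlen == 0
            hits.append((r["name"], broad))
    return hits

def first_match(rules, src_ip, dst_ip, port):
    """Dynamic probe: (name, action) of the first rule matching the flow,
    or ('implicit-deny', 'deny') when nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        in_src = s in ipaddress.ip_network(r["src"])
        in_dst = d in ipaddress.ip_network(r["dst"])
        port_ok = r["ports"] == "any" or port in r["ports"]
        if in_src and in_dst and port_ok:
            return r["name"], r["action"]
    return "implicit-deny", "deny"

if __name__ == "__main__":
    for name, broad in allow_rules_into_ot(RULES, ZONES):
        print(f"{'BROAD ' if broad else ''}IT/VPN -> OT allow rule: {name}")
    # A VPN client and a corporate workstation both trying to reach an OT console.
    for src in ("10.200.3.7", "10.10.7.7"):
        print(src, "-> 172.16.1.20:3389 hits", first_match(RULES, src, "172.16.1.20", 3389))
```

The static pass also lists the narrow historian rule, which may be legitimate; the review question for each hit is whether the path is intended and whether a shared or VPN-only credential sits behind it.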


How the Colonial Pipeline Story Could Have Been Entirely Different

With a pre-existing CyberGrant Offensive Services program:

  • The forgotten VPN account would have been identified and deactivated.

  • Mandatory MFA and credential monitoring would have blocked initial access.

  • Ransomware simulations would have exposed gaps in backups, monitoring, and incident response.

  • A clear IT-OT map would have allowed the company to contain the incident without stopping fuel distribution.

An attack might still have occurred.
But a single outdated credential would not have been enough to cripple half of the East Coast’s fuel supply.

Want to simulate an attack and see how your organization reacts?

We can start with a targeted attack simulation focused on your remote access points and your most critical processes, and build your cold case together – before the headlines do.


Executive Takeaways for Critical Infrastructure Operators

1. Ghost accounts are the silent threat no one tracks

Every forgotten but active remote account is a door attackers love. Continuous credential discovery is mandatory.

2. You cannot prepare without realistic simulations

Ransomware resilience is measured on the field, not in policy documents.

3. IT-OT boundaries must be explicit, enforced and tested

If OT systems are reachable from corporate VPN credentials, the breach is just waiting to happen.

4. Offensive security is essential for critical infrastructure

It is the digital equivalent of fire drills – only far more necessary.

TECHNICAL BOX – CASE FILE

Incident Type
  • Ransomware attack on critical infrastructure
  • Shutdown of national fuel pipeline
Vulnerability
  • Legacy VPN credential
  • No MFA on remote access
  • Weak IT-OT segmentation
CyberGrant Modules
  • Red Team Assessment: offensive testing on VPN gateways, credential exposure analysis, lateral movement toward OT systems.
  • Ransomware Simulation: controlled ransomware deployment to evaluate detection, isolation and recovery.
Avoided Impact
  • Deactivation of ghost accounts
  • Dramatically reduced risk of operational shutdown
  • No ransom payment and minimized financial impact
