Once again: Operations can be impacted by a “purely IT” incident

Supply chain Cyber Risk management - emphasis on SBOMs and VEX documents, Tom Alrich LLC

I provide consulting services in supply chain cybersecurity risk management and am now primarily focused on software bills of materials (SBOMs) and VEX (Vulnerability Exploitability eXchange). I...

May 10, 2021


Even though there have been lots of ransomware attacks, today’s news story on the Colonial Pipeline ransomware attack was quite interesting to me for one reason: Even though the attack (according to Colonial) only affected Colonial’s IT network, pipeline operations were shut down as a precaution. To quote WaPo:

The company learned of the attack on some of its “information technology” or corporate network systems Friday, but “proactively took certain systems offline to contain the threat,” it said.

In other words, if the company is to be believed, the ransomware didn’t directly affect the OT network at all. However, they shut OT down anyway, out of what’s often referred to as “an abundance of caution”. But not everyone believes the company. WaPo also says:

Mike Chapple, a cybersecurity expert at the University of Notre Dame and a former computer scientist at the National Security Agency, said the shutdown of pipeline infrastructure indicated that the attack was either very sophisticated or that Colonial’s (operational) systems were not well secured.

Note I inserted “operational”, since that’s very likely what Mr. Chapple meant.

However, Rob Lee of Dragos said in the same article, “There are absolutely cases in industrial operations where ransomware impacts operations.” Note this doesn’t mean he also thinks that Colonial is lying. In fact, I think he’s taking their words at face value: They “proactively took certain systems offline to contain the threat…”. In other words, Colonial couldn’t take the chance that the ransomware would spread to their OT network, and they wanted to contain any further spread on their IT network. This led them to shut both networks down. I believe Rob is saying, “Even though the ransomware attack didn’t directly force Colonial to bring their OT network down, the fact that they felt compelled to do so means it in fact impacted operations.”

This is just another example of something I pointed out in this post last October: A cyberattack that is confined to the IT network can impact OT just as seriously as if OT had been directly attacked.

And what’s the moral of this story? It’s that protection of an OT network requires protection of the IT network as well. The protections don’t need to be the same (and they’ll usually be much more rigorous on the OT network), but they need to be coordinated. In the case of the utility in the 2018 incident described in my October post, the additional protections would probably have included a much greater focus on anti-ransomware training, as well as perhaps technologies that can block a lot of ransomware emails before they’re even read.

Does this mean I support extending the NERC CIP standards to cover IT systems in some way? Absolutely. But does it also mean that I support extending the existing NERC CIP standards to cover IT systems? Absolutely not. As I’ve said many times and also discussed in this webinar in 2019, the generally prescriptive nature of the NERC CIP standards (except for CIP-012, -013 and -014) requires a huge – and continually growing – investment of resources by NERC entities, well in excess of the cybersecurity benefits that are realized.

The last thing we need to do is require utilities to extend CIP-002 through CIP-011 to IT systems. Instead, we need to rewrite all of the CIP standards as risk-based ones. CIP-013-1 is a pretty good example of what I mean by “risk-based”, although even that isn’t perfect.

P.S. Rob Lee added this comment to this post when I posted it on LinkedIn a little while ago. As usual, he raises good points!

"You’re interpreting me correctly. I take Colonial at their word. But also, IT attacks can impact OT and we have been responding to ransomware incidents in OT directly (so exactly as you stated).

IMO a big challenge is the community puts so much focus on prevention controls like segmentation and patching that without visibility and monitoring they don’t see those preventive controls atrophy and change over time, and have incomplete enforcement of them.

I’m glad that the electric sector and others are pushing for more visibility and detection, as it isn’t just about detecting cyber threats, it’s about making sure you’re getting the expected value out of your preventive investments as well."

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


Discussions
Matt Chester on May 10, 2021

Even though the attack (according to Colonial) only affected Colonial’s IT network, pipeline operations were shut down as a precaution.

You note this is all according to Colonial and we're for now taking them at their word – is there any compelling reason to necessarily believe that, though? If it weren't true, is there a legal cover for Colonial pushing this story anyway?

Tom Alrich on May 11, 2021

I'm not taking them at their word. Please reread the post, and note the link to my post last year, which described a much more serious ransomware incident, which - but for dumb luck - might have caused a catastrophe on the power grid. That post is here: https://tomalrichblog.blogspot.com/2020/10/when-will-ransomware-attack-i...

And please read the post I just put up today (which is awaiting approval - ahem! - on EC).

Richard Brooks on May 10, 2021

Tom, you may also want to point out that Colonial Pipeline has selected FireEye as the forensics expert to investigate this matter. IMO, FireEye is the "GOLD standard" when it comes to investigating and reporting on cyber incidents, such as the SolarWinds and Colonial Pipeline attacks. Although, I do have to admit that Dragos is far better at marketing and providing quotes to the press than the FireEye folks.

Randy Long on May 10, 2021

Tom, 

Pretty good take on how Colonial has responded to this incident. We need to see what the forensics shows when the cyber team is finished. 

One thing that I've never really been able to wrap my head around is that in the last 3-4 years, ransomware is exploding. I think this is a result of tools that were released from the NSA (unintentionally) and a dark web that can use cryptocurrencies with impunity. There needs to be some type of "Pearl Harbor" (maybe SolarWinds?) that will get the industrial sector to put more time into training, defensive systems, and a mindset that will put security at the top (or near the top) of risk and compliance. I don't get that the executive teams are putting efforts into security.

It doesn't need to be a sledge hammer, but we need to step up our game or this will get worse before it gets better.

Richard Brooks on May 10, 2021

Good point, Randy. I'm curious to know if this is another software supply chain attack. Looking forward to the forensic analysis from FireEye.

Tom Alrich on May 11, 2021

Thanks, Randy. I agree that ransomware is a huge problem, not just because it can cost lots of money but because it can entail a lot of other problems, a la Colonial. In fact, it seems the White House is now moving to directly address this problem, including going after the nation-states that permit the ransomware operators to do this. Of course, in the case of Colonial, the signs point to - you'll never believe this - Russia as the nation-state that allowed this to happen, if it wasn't actually conducted by them.

We really need to come down hard on whoever is behind this - although short of nuclear war, of course.
