On 7 May 2021, Colonial Pipeline shut down 5,500 miles of fuel pipeline carrying 45% of US East Coast petroleum supply, after a ransomware attack by the DarkSide group. The pipeline was offline for six days. Petrol queues, panic buying, presidential statements. The company paid a ransom of approximately $4.4 million in Bitcoin, most of which the FBI subsequently recovered. The initial access vector, as Colonial's CEO confirmed to the Senate this week, was a single compromised VPN account without multi-factor authentication.
I want to write about Colonial because it is the event UK CNI boards should be discussing in the next round of executive sessions, before something equivalent happens here. The UK has been fortunate, in part by luck and in part because of NCSC guidance to CNI operators. The luck will run out. The question is whether the guidance has been operationalised.
What actually happened
The DarkSide affiliate that hit Colonial was not technically sophisticated. They used a leaked credential — one of many in the underground markets — to reach a legacy VPN that was not behind MFA. Once inside, they spent some days moving around before deploying ransomware to the corporate IT estate. Crucially, the pipeline itself — the operational technology — was not encrypted. Colonial took it offline as a precaution, because they could not bill for fuel without their IT systems, and rather than risk uncontrolled flow they shut the pipeline.
The lesson there is structural and easy to miss. The OT was fine. The IT was hit. The business shut the OT because it could not operate the IT. This is the shape of most CNI ransomware: the operational system is targeted indirectly, through the corporate IT systems that operate, bill for, and monitor it. The defender's question is not "can our OT be encrypted?" (usually no, in well-designed CNI environments) but "can we operate the OT without the IT for the duration of an IT incident?" For Colonial, the honest answer was no, not really.
What UK CNI boards should be asking
Six questions for the next executive briefing on cyber resilience, in roughly the order they should be asked.
Do we have an inventory of every external-facing access point — VPN, RDP, jump host, contractor access — and is MFA enforced on every one? Colonial's VPN was forgotten, not maliciously left exposed. Forgotten access is the dominant pattern.
If our corporate IT systems were unavailable for a week, could we operate our core service? This is the manual mode question. For water utilities, electricity distribution, gas, ports, airports, rail — the honest answer is increasingly no, because the operational systems have been integrated with the billing, monitoring, and customer service systems to a point where they cannot easily be separated.
Have we exercised an OT-without-IT scenario in the past twelve months? Tabletop, partial drill, anything. If not, the "can we operate manually" answer is theoretical.
What is our ransom decision process? Who is in the room? What is the decision tree? Is the answer pre-committed (no ransom) or contingent (depends on the situation)? Either is defensible. "We will work it out when it happens" is not.
Have we engaged with the NCSC's CNI assurance work? Most regulated CNI operators have, but the engagement varies in quality. A board paper that summarises the firm's standing against NCSC guidance is a six-page document, not a one-line assurance.
What does our cyber insurance actually cover, and what does it require us to demonstrate? Cyber cover after Colonial has tightened sharply. Several providers have already withdrawn from CNI sectors entirely. The board should know where the firm stands.
The supply chain dimension
Colonial is also a supply chain story. The pipeline is private but its disruption affected airports, road haulage, retail fuel, emergency services, and the public mood. Critical service operators in the UK should be thinking about what their Colonial looks like — which of their suppliers, if hit, would cause them to take their own service offline as a precaution. The answers are uncomfortable. A water utility might depend on a third-party laboratory for sample analysis. A regional rail operator might depend on a private cloud provider for its scheduling platform. A hospital trust might depend on a pathology partnership.
The Synnovis pattern has not yet happened in the UK (at the time of writing). It will. The Colonial-shape question is whether we have done the supplier mapping needed to know what we would shut down precautionarily, and what we would keep running anyway. Most UK CNI operators have not done this work to a standard that would survive scrutiny. Some are starting.
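As an added illustration of the supplier-mapping exercise (this is not code from the original post, and every service, supplier and fallback it names is a constructed, hypothetical value), a small model that records, per dependency, whether the service can physically run without it and whether an exercised manual mode exists, then classifies the loss of a supplier as running, manual mode, or precautionary shutdown, the Colonial shape.

```python
from dataclasses import dataclass


@dataclass
class Dependency:
    supplier: str
    needed_to_operate: bool               # True: the service cannot run safely without it
    manual_fallback_exercised: bool = False  # a drilled manual mode covers its loss


@dataclass
class Service:
    name: str
    deps: list  # list of Dependency


def outcome(service: Service, unavailable: set) -> str:
    """Classify what happens to a service when the given suppliers are down."""
    lost = [d for d in service.deps if d.supplier in unavailable]
    if not lost:
        return "running"
    if any(d.needed_to_operate for d in lost):
        return "precautionary shutdown"
    # Only support systems (billing, monitoring, scheduling) are lost. The service
    # keeps running only if every lost dependency has an exercised manual mode;
    # an untested manual mode is theoretical, so it counts as a shutdown.
    if all(d.manual_fallback_exercised for d in lost):
        return "manual mode"
    return "precautionary shutdown"


def blast_radius(services, supplier: str) -> dict:
    """Map each service to its outcome if one supplier becomes unavailable."""
    return {s.name: outcome(s, {supplier}) for s in services}


def report(services) -> dict:
    """Run blast_radius for every supplier that appears in the dependency map."""
    suppliers = sorted({d.supplier for s in services for d in s.deps})
    return {sup: blast_radius(services, sup) for sup in suppliers}


# Constructed, hypothetical dependency map for the three cases the text mentions.
SERVICES = [
    Service("water treatment", [
        Dependency("sampling lab", needed_to_operate=False, manual_fallback_exercised=True),
        Dependency("SCADA vendor", needed_to_operate=True),
    ]),
    Service("regional rail", [
        Dependency("cloud scheduler", needed_to_operate=False),
    ]),
    Service("hospital trust", [
        Dependency("pathology partner", needed_to_operate=False),
        Dependency("sampling lab", needed_to_operate=False, manual_fallback_exercised=True),
    ]),
]
```

The rail case is the Colonial pattern: the operational system is untouched, but an un-exercised fallback for a support platform still forces a precautionary shutdown.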
A note on ransom payment
Colonial paid. The FBI recovered most of it. This is not the typical outcome and it should not be relied on. The UK government's position remains that ransom payment is strongly discouraged and that, in some circumstances, sanctioned-entity payment is criminal. OFAC published its updated advisory last autumn making the position clearer. Any UK CNI board considering payment in a future incident should understand the legal and regulatory consequences before the moment arrives.
What I think will happen next
Three predictions, with the usual humility about how badly predictions age.
The US response will tighten over the next year — executive orders, CISA mandates, federal procurement requirements for CNI suppliers. The UK will follow, with the Network and Information Systems Regulations likely updated within 18 to 24 months to cover a wider range of operators.
CNI cyber insurance will continue to harden, and several smaller CNI operators will find themselves unable to renew cover without significant control improvements.
A UK Colonial-shape event will happen within five years. I do not know which sector. I would put rail, water, and shared healthcare services in the top three. I hope to be wrong.
The work to start this quarter is not waiting to be told. It is asking the six questions above and producing answers worth defending.