EXH-019 | 2021 | Fictional reconstruction
Gauging Station Offline
May 7, 2021. Colonial Pipeline proactively halts fuel flows on the largest U.S. refined-products line. The headline says ransomware; your job is what the logs say about ingress.
Type: Defensive / IR
Difficulty: Intermediate
Era: 2020s
Time: 9 min
Briefing
Fictional hostnames. Real lesson: single-factor VPN and reused passwords still collapse national-scale OT in 2021.
Your role
Joint OT/IT responder working from CISA-style fusion-cell handouts, no SCADA access in this shell.
Objective
Reconstruct from synthetic artefacts that the blast radius started on IT VPN credentials, not PLC zero-days.
Terminal environment
- user: ot-ir
- host: fusion-cell
- cwd: /tabletop/colonial-shape
- steps: 4
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.