Insights

Ransomware Against Critical Infrastructure | SUMāTO

Written by Andrés Lozada | Jul 9, 2026 7:13:26 PM

On May 7, 2021, one of the most significant fuel pipelines in North America shut down its operation. It was not a mechanical failure or a physical accident: it was a ransomware attack that compromised the information technology (IT) systems of the operating company. The organization decided to shut the pipeline down preemptively, and for several days the flow of fuel was interrupted. The lesson for any company that depends on physical processes is uncomfortable and clear: a digital attack can bring the real world to a halt. At SUMāTO we believe it is worth reading this episode without alarmism, for what it is: a failure playbook you can use to strengthen your own operation.

In short: An attack on IT systems can force a shutdown of physical operations (OT), even when the malware never directly touches the industrial machinery. The defense does not rest on a single control, but on the orderly convergence between IT and OT, network segmentation, and a fast, tested recovery capability. Those who know how to restore in time regain control; those who don't are left at the attacker's mercy.

When an IT Attack Shuts Down Physical Operations

The most instructive technical detail of this incident is that the encryption mainly affected the administrative and billing systems, not the controllers that physically move the fuel. Even so, the operation stopped. Why? Because when a company loses visibility into its metering, dispatch, and billing systems, operating blind becomes unfeasible and, above all, unsafe.

This dismantles a dangerous myth: the idea that "as long as the malware doesn't reach the plant, production is safe." In practice, the dependency between the digital and the physical is so tight that encryption in the back office can translate into paralysis in the field. For any organization with critical assets (energy, water, manufacturing, logistics, healthcare), the takeaway is direct: cyber risk is also operational risk.

IT/OT Convergence: The Boundary That No Longer Exists

For decades, industrial networks (OT) lived isolated from corporate networks (IT). That physical separation was, in itself, a layer of security. Digitalization erased that boundary: today control systems exchange data with management platforms, predictive maintenance, telemetry, and external vendors. Convergence brings enormous efficiency benefits, but it also expands the attack surface.

The problem is not convergence itself, but converging without governance. Some frequent warning signs:

  • Shared credentials between the corporate and industrial environments.
  • Remote access for vendors without multi-factor authentication or traceability.
  • Legacy OT equipment that no longer receives patches but remains connected to the network.
  • Lack of inventory: no one knows for certain which devices are actually connected.

The first practical exercise is to honestly map where your IT and your OT touch, and to treat each point of contact as a door that must be watched.

Segmentation: Contain the Fire Before It Spreads

Network segmentation is probably the control that would have most limited the reach of an incident like this. To segment is to divide the network into zones with strict rules about what can communicate with what. If an attacker compromises the administrative network, well-designed segmentation prevents that access from becoming a direct highway to the control systems.

Thinking about segmentation means thinking about internal firewalls. Some principles we recommend at SUMāTO:

  • Separate IT from OT with controlled intermediate zones, not with a flat connection.
  • Apply least privilege: every user and every system accesses only what is strictly necessary.
  • Monitor traffic between zones; unusual lateral movement is often the first footprint of an intruder.
  • Design for partial shutdown: being able to isolate a segment without stopping the entire operation.

Segmentation does not prevent an attack from happening, but it turns a potentially catastrophic fire into a contained, manageable one.

Defense in Depth: No Single Control Is Enough on Its Own

No incident of this magnitude comes down to a single failure. It is usually a chain: an exposed access point, a credential without a second factor, an alert no one attended to in time. That is why the response cannot be a single miracle product, but an architecture of layered defense where, if one control fails, another backs it up.

The layers that every organization with critical infrastructure should review include:

  • Identity: mandatory multi-factor authentication, especially for remote and privileged access.
  • Detection: continuous monitoring capable of identifying anomalous behavior across IT and OT.
  • Hygiene: patch management, retirement of inactive accounts, and disconnection of unnecessary services.
  • Backup: immutable copies, isolated from the network and tested regularly.

Building these layers coherently is the heart of a serious cybersecurity program, which should be understood as a living process, not a one-time purchase.

Why Fast, Tested Recovery Is Decisive

Here, in our view, is the most important operational lesson. The right question is not only "can we prevent an attack?" but "how long will it take us to operate again when one happens?" The difference between an interruption of hours and one of weeks almost never lies in prevention, but in the capacity to recover.

Many organizations discover, in the middle of a crisis, that their backups were incomplete, out of date, or worse still, also encrypted by the attacker because they lived on the same network. A recovery plan that was never rehearsed is not a plan: it is an assumption. Real resilience demands:

  • Defined objectives: how much time (RTO) and how much data (RPO) you can afford to lose.
  • Immutable, isolated backups, beyond the reach of encryption.
  • Periodic test restorations, measured with a stopwatch, not assumed in theory.
  • Crisis playbooks that any team can execute under pressure.

For this we designed SyncDR, our disaster recovery solution built to get your operation back on its feet in hours rather than weeks, with tested recovery rather than improvisation.

What Your Organization Can Do This Week

Strengthening your posture against ransomware does not require reinventing everything at once. It requires starting with what most reduces the damage. We propose four immediate actions:

  • Enable multi-factor authentication on all remote and administrative access, without exceptions.
  • Verify your backups: confirm that they exist, that they are isolated, and that you know how to restore them.
  • Map the points of contact between your IT and your OT, and close those without a clear justification.
  • Rehearse a scenario of shutdown and recovery, even on a small scale, to uncover the gaps before the attacker does.

Frequently Asked Questions

Did the attack reach the pipeline's control systems?
According to the public information on the case, the encryption mainly affected the IT systems. The physical operation was halted preemptively, which shows that an incident does not need to touch the plant to paralyze production.

Does paying the ransom solve the problem?
Paying does not guarantee a full or fast recovery; the decryption tools handed over tend to be slow or partial. A recovery capability that is your own, tested, and isolated returns control to you without depending on the attacker's goodwill.

Does this only apply to large infrastructure?
No. Any organization that depends on digital processes to operate (logistics, manufacturing, healthcare, services) faces the same risk logic. The scale changes; the principles of segmentation, layers, and recovery do not.

Where should you start if resources are limited?
With recovery. Securing immutable backups and testing them is the investment that most reduces the potential impact of an attack, even before hardening prevention.

The First Step

A pipeline halted by encryption in the back office is a reminder that digital security and operational continuity are the same conversation. The good news is that resilience is built with concrete decisions: segmenting, defending in depth, and above all, knowing how to recover. At SUMāTO we help organizations across LATAM assess their exposure and strengthen their response capability before the test arrives. If you would like to review where your operation stands today, let's talk: the best time to prepare for recovery is before you need it.