Threat Intelligence

Phishing and Stolen Credentials: The Way Into Energy OT

The Colonial Pipeline ransomware attack of 2021 did not begin with sophisticated zero-day exploits. It began with a single compromised password for a legacy VPN account that lacked multi-factor authentication, almost certainly harvested from a credential leak. Time and again, the most consequential attacks on energy operators trace back to the simplest of openings: a member of staff who clicked a convincing email, or a reused password that an attacker bought cheaply on a criminal forum.

Colonial Pipeline was breached via one compromised VPN password with no multi-factor authentication

Phishing is the front door to nearly every major incident

Across industry threat reporting, phishing and the use of valid stolen credentials consistently rank as the top initial-access vectors. For energy operators this is doubly dangerous, because a foothold in the corporate IT environment is frequently the staging point for an eventual move into operational technology. The attacker does not need to breach the SCADA system directly; they need only to fool one person or buy one password to get started.

  • Targeted spear-phishing aimed at engineers, control-room staff and IT administrators
  • Credential stuffing using passwords leaked from unrelated breaches
  • Fake login portals harvesting Microsoft 365 and VPN credentials
  • Business email compromise targeting procurement and finance teams

Why energy staff are especially exposed

Operational staff are busy, often work shifts, and may use shared workstations and accounts in control rooms. Contractors and original-equipment manufacturers hold remote-access credentials that are easy to forget about. Operational technology vendors sometimes mandate specific configurations that conflict with good security hygiene. Each of these realities widens the gap that a well-crafted phishing campaign can exploit.

From a phished inbox to the control network

A typical chain runs from a phished credential or malicious attachment, to mailbox and identity compromise, to discovery of internal systems, to escalation and lateral movement, and finally to a jump into OT through a poorly segmented connection or a shared engineering workstation. Stopping the chain early, at the email and identity layer, is far cheaper and more reliable than trying to catch the attacker once they are deep inside.

Closing the initial-access door

Most successful phishing-led intrusions exploit gaps that are well understood and fixable. The highest-value controls are phishing-resistant authentication, hardened email defences, and rapid detection of suspicious sign-ins and inbox manipulation.

  • Phishing-resistant multi-factor authentication on every account, with no legacy exceptions
  • Advanced email filtering to strip malicious links, attachments and impersonation attempts
  • Monitoring for impossible-travel logins, new mailbox rules and unusual identity activity
  • Regular, scenario-based awareness training for operational and corporate staff alike
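To make the third control concrete, here is a small detection routine for two of the signals it names, impossible-travel sign-ins and suspicious new inbox rules. This is an added illustration, not Coro's logic or anything from Kyanite Blue; the users, coordinates, timestamps, domain and rule events are constructed, and the 900 km/h speed ceiling is an assumed threshold.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample telemetry, not real data. Sign-ins: (user, UTC timestamp, lat, lon, city).
SIGNINS = [
    ("eng.smith", "2024-03-01T08:00:00", 51.50, -0.12, "London"),
    ("eng.smith", "2024-03-01T09:30:00", 40.70, -74.00, "New York"),
    ("ops.jones", "2024-03-01T08:00:00", 51.50, -0.12, "London"),
    ("ops.jones", "2024-03-01T17:00:00", 48.85, 2.35, "Paris"),
]
# Inbox-rule creation events: (user, rule name, forward-to address or None, subject keywords).
ORG_DOMAIN = "example-energy.local"  # constructed organisation domain
INBOX_RULES = [
    ("eng.smith", ".", "collector@external-mail.example", ["mfa", "password", "invoice"]),
    ("ops.jones", "Vendor updates", None, ["newsletter"]),
    ("fin.brown", "Payments", "fin.brown@example-energy.local", ["payment"]),
]
MAX_KMH = 900.0  # assumed ceiling: two sign-ins implying faster travel than an airliner are implausible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(signins, max_kmh=MAX_KMH):
    """Flag consecutive sign-ins by one user whose implied ground speed exceeds max_kmh."""
    alerts, last = [], {}
    for user, ts, lat, lon, city in sorted(signins, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_lat, p_lon, p_city = last[user]
            hours = (when - p_when).total_seconds() / 3600
            km = haversine_km(p_lat, p_lon, lat, lon)
            if hours > 0 and km / hours > max_kmh:
                alerts.append((user, p_city, city, round(km / hours)))
        last[user] = (when, lat, lon, city)
    return alerts

def suspicious_inbox_rules(rules, org_domain=ORG_DOMAIN):
    """Flag new inbox rules that forward externally, hide behind a blank name, or filter security mail."""
    alerts = []
    for user, name, forward_to, keywords in rules:
        reasons = []
        if forward_to and not forward_to.lower().endswith("@" + org_domain):
            reasons.append("forwards to external address")
        if not name.strip(" ."):
            reasons.append("blank or punctuation-only rule name")
        if {"mfa", "password"} & {k.lower() for k in keywords}:
            reasons.append("filters security-related subjects")
        if reasons:
            alerts.append((user, name, reasons))
    return alerts
```

Run against the sample data, only eng.smith is flagged by both checks: a London to New York sign-in pair ninety minutes apart, and a rule named "." that forwards MFA and password mail to an outside address.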

How Kyanite Blue and Coro defend against phishing-led intrusions

Because phishing attacks the endpoint, the inbox and the identity all at once, the defence has to cover those same layers in a way an energy team can actually manage. Kyanite Blue deploys Coro, which unifies endpoint protection, email security and identity and access controls in a single platform built for organisations without a large security team. Coro filters phishing and malicious attachments before they reach staff, flags compromised identities and suspicious sign-ins, and protects the endpoints attackers try to land on, closing the exact gaps that opened the door at Colonial Pipeline. We configure and monitor it so the corporate IT estate stops being the soft launch pad for an attack on your operations.

Frequently Asked Questions

How did attackers get into Colonial Pipeline?

Investigators concluded the attackers logged into a legacy VPN account using a compromised password that lacked multi-factor authentication. The password was likely exposed in an unrelated data breach. No advanced exploit was required, which is exactly why phishing-resistant MFA and disciplined credential management are such high-value controls for energy operators.

Why does a phishing attack on IT matter for operational technology?

In most energy environments the corporate IT network and the OT network are connected, even if imperfectly. A phishing attack that compromises IT gives an attacker a base from which to discover and pivot toward OT systems. Stopping the intrusion at the email and identity layer prevents the attacker from ever getting close enough to operational systems to cause physical disruption.

Is staff training enough to stop phishing in an energy operation?

Training helps but is not sufficient on its own, because even well-trained staff will occasionally click a convincing message. The reliable approach layers technical controls (phishing-resistant MFA, strong email filtering and identity monitoring) on top of awareness training, so that a single human mistake does not translate into a full compromise.

Shut the door on phishing with Kyanite Blue and Coro

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
