AutoTableTop Scenarios
Colonial Pipeline Scenario Walkthrough

Background: The Colonial Pipeline Attack
In May 2021, the Colonial Pipeline ransomware attack disrupted fuel supply across the southeastern United States for nearly a week. The attack, attributed to the DarkSide ransomware group, compromised Colonial Pipeline's IT systems and led the company to shut down its operational technology (OT) pipeline operations as a precaution.
This incident demonstrated the critical interdependency between IT and OT systems and the cascading effects of cyberattacks on critical infrastructure.
The AutoTableTop Scenario
Our Colonial Pipeline scenario recreates the key decision points and challenges that organizations face during a similar attack. The AI-generated exercise walks participants through:
Phase 1: Initial Detection
The exercise begins with indicators of compromise detected in the IT environment. Participants must decide:
- How to scope the initial investigation
- Which systems to prioritize for analysis
- When to escalate to executive leadership
- Whether to engage external incident response support
Phase 2: Ransomware Confirmation
Once ransomware is confirmed, the scenario introduces time-sensitive decisions:
- Should IT systems be isolated immediately, accepting business disruption?
- What is the blast radius of the compromise?
- Has the ransomware spread to OT networks, or is it contained to IT?
- Should the organization proactively shut down OT operations?
Phase 3: Operational Decisions
The most critical phase focuses on the IT/OT interdependency:
- Can OT systems operate safely without IT system support?
- What manual processes can maintain operations during IT recovery?
- How do you communicate with customers, regulators, and the public?
- What are the regulatory notification requirements (TSA, CISA, FBI)?
Phase 4: Recovery and Lessons Learned
The final phase covers recovery strategy and long-term improvements:
- Restoring from backups vs. paying the ransom
- Phased restoration of IT and OT systems
- Enhanced monitoring during recovery
- Gap analysis and remediation planning
Key Learning Outcomes
Participants consistently identify critical gaps in their own incident response plans, including unclear IT/OT coordination procedures, missing communication templates, and untested backup restoration processes.
Try this scenario with AutoTableTop -- generate your own customized version in minutes.
