
Legacy authentication and machine identity gaps after Colonial Pipeline


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: The Colonial Pipeline attack showed how legacy authentication, weak passwords, and unmanaged machine identity create outsized risk across critical infrastructure, according to Axiad. The lesson is that modernisation is now an identity governance problem, not just a network hardening exercise.

NHIMG editorial — based on content published by Axiad: Future-Proof Authentication: The Impact of the Colonial Pipeline Attack

Questions worth separating out

Q: How should organisations modernise authentication in critical infrastructure without breaking operations?

A: Start with the systems that can affect safety, continuity, or regulated service delivery, then move from password-only access to phishing-resistant MFA and stronger device authentication.

Q: Why do legacy systems create more identity risk than modern platforms?

A: Legacy systems often depend on older authentication patterns, limited logging, and brittle integrations that make assurance hard to prove.

Q: What breaks when machine identities are not governed like user identities?

A: Devices, controllers, and service endpoints become trusted by default even when their certificates, ownership, or revocation paths are weak.

Practitioner guidance

  • Replace password-only access on critical systems: Move the highest-risk operational and administrative accounts to phishing-resistant MFA and eliminate lingering password-only paths where possible.
  • Inventory machine identities and certificate dependencies: Build a complete register of devices, certificates, and trusted endpoints across operational and enterprise environments.
  • Tie legacy auth remediation to compliance evidence: Map each authentication gap to the standards and audit obligations you already report against, including logging, assurance, and access control requirements.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • The article's specific discussion of MFA implementation choices for legacy environments and critical infrastructure.
  • The section on machine identity and PKI for connected devices in manufacturing, energy, government, and transportation.
  • The commentary on compliance pressure from NIST SP 800-171, CMMC, and future legislation.
  • Axiad's framing of cloud-based authentication services and audited controls in its own environment.

👉 Read Axiad's analysis of the Colonial Pipeline attack and future-proof authentication →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Legacy authentication debt is an operational risk, not a technical inconvenience. The Colonial Pipeline example shows how old credentials, unsupported systems, and weak assurance combine to create a pathway into critical services. When the business depends on those services, authentication design becomes part of operational resilience, not just IAM hygiene. Practitioners should treat legacy auth as a board-level risk surface.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most remediation efforts still start with incomplete identity inventory.

A question worth separating out:

Q: Who is accountable when a third-party identity can reach critical infrastructure?

A: Accountability sits with the organisation that allows the trust path to exist and remain active. Security teams should require documented access ownership, test revocation, and verify that supplier access is auditable across the full lifecycle, not just at onboarding.

👉 Read our full editorial: Colonial pipeline exposed the limits of legacy authentication



   