The Colonial Pipeline ransomware attack has been everywhere this month, and most of the coverage leans on the cinematic bit: a critical fuel pipeline, queues at petrol stations, a ransom reportedly paid in Bitcoin. The detail that has stuck with me is far more mundane, and far more familiar. From what has been reported, the pipeline operations were not directly compromised. The company took them down themselves, defensively, in part because the billing systems were hit and they could not be confident about isolation between the business network and the operational one.
That is the bit every engineer should sit with. The dramatic outage was a precaution born of not being sure where the blast radius ended. Not "the attackers reached the control systems", but "we could not prove they hadn't, so we pulled the plug ourselves".
I have made smaller versions of that call. The flat network where everything can reach everything because segmenting it was always next quarter's job. The shared credentials nobody got round to rotating. You take the safe-but-painful option precisely because you never invested in being able to answer "is this contained" quickly and confidently.
It is not a story about clever attackers. It is a story about not being able to draw a confident line around your own systems, and the very expensive caution that follows. Worth remembering the next time segmentation feels like work that can wait.