Senators query Colonial Pipeline CEO about cyberattack shutdown
Colonial Pipeline Co.’s chief executive welcomed a range of ideas for improving pipeline security as he addressed the Senate Homeland Security Committee June 8 on the ransomware cyberattack that temporarily incapacitated the 5,500-mile system in May.
Joseph Blount, Colonial’s president and chief executive officer (CEO), said his company is hardening its security in the wake of the attack and is implementing recent federal guidance and directives on cybersecurity. He said additional technical guidance from the government “would be extremely helpful.”
Blount also did not shy away from welcoming the prospect of mandatory standards, although the details of such standards, if any, remain to be determined.
Sen. Rob Portman (R-Ohio) suggested there may be a need for the government to mandate reporting of cyberattacks and mandate coordination of response with the government.
Sen. Gary Peters (D-Mich.), chairman of the committee, said there will be cybersecurity provisions in the infrastructure legislative package now being negotiated between members of Congress and the White House.
Operations system questions
Sen. Josh Hawley (D-Mo.) asked whether Colonial could fall back on manual operations during such a computer system disruption, and if not, whether it should.
“There’s no question that we will look at that capability,” Blount said.
The CEO said many of the older workers with the expertise to operate the system manually have been retiring. The company did return some segments to manual operations, with assistance from cybersecurity firm Mandiant. But Colonial executives decided it would be faster to pay the ransom and restart the system with its computerized controls.
His prepared testimony indicated another vulnerability: connections between the computer systems for information technology (IT) and operations. When hackers found their way into the IT system, the operations supervisor ordered a halt to operations “to help ensure the malware did not spread to the operational technology network, which controls our pipeline operations, if it had not already.”
Restart of all systems is a cumbersome process. Blount said the company focused on critical systems for the first week of its return to service. During the week of June 7, seven financial systems were restarted, he said. Full restoration could go on for months, he said.
How it happened
Hackers in a group called DarkSide apparently gained access to Colonial’s IT system through a legacy “virtual private network” (VPN) that was not intended to be in use. Such networks often are used by companies to allow staff to access internal corporate networks from home.
The vulnerable VPN connection at Colonial had a complicated password, “not a Colonial123-type password,” Blount said. But it did not use the heightened security of multifactor authentication (MFA), he acknowledged.
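The access path described above combines two weaknesses a defender can check for directly: a remote-access account that should no longer be in use, and an account that is not protected by MFA. The following script is an added example, not code from the article or from Colonial; it runs a simple audit over a constructed inventory of VPN accounts (the account names, dates and the `approved` field are invented for illustration) and flags accounts that are dormant, unapproved, or lack MFA, with a suggested remediation for each.

```python
from datetime import date, timedelta

# Constructed sample inventory of remote-access (VPN) accounts.
# These names and dates are invented for the example; they are not Colonial's data.
SAMPLE_ACCOUNTS = [
    {"user": "legacy-vpn-01", "mfa": False, "last_login": "2020-11-03", "approved": False},
    {"user": "ops-remote",    "mfa": True,  "last_login": "2021-05-06", "approved": True},
    {"user": "contractor-7",  "mfa": False, "last_login": "2021-04-30", "approved": True},
]

# Reference date for the dormancy check (constructed, chosen to match the
# timeline in the article: the intrusion was identified on May 7, 2021).
AUDIT_DATE = date(2021, 5, 7)


def audit_accounts(accounts, today, stale_days=90):
    """Return a list of (user, reasons) for every account that fails a control.

    Checks performed on each account record:
      - MFA is enforced
      - the account is present in the approved inventory of remote access
      - the account has been used within `stale_days` (dormant accounts are
        an obvious candidate for removal rather than for continued exposure)
    """
    findings = []
    for acct in accounts:
        last_login = date.fromisoformat(acct["last_login"])
        reasons = []
        if not acct["mfa"]:
            reasons.append("no MFA")
        if not acct["approved"]:
            reasons.append("not in approved inventory")
        if today - last_login > timedelta(days=stale_days):
            reasons.append(f"dormant >{stale_days} days")
        if reasons:
            findings.append((acct["user"], reasons))
    return findings


def recommended_action(reasons):
    """Map a set of findings to the single highest-priority remediation.

    An unapproved or dormant account should be disabled outright; an approved,
    active account without MFA should have MFA enforced before further use.
    """
    if "not in approved inventory" in reasons or any(r.startswith("dormant") for r in reasons):
        return "disable account"
    if "no MFA" in reasons:
        return "enforce MFA"
    return "no action"


def run_sample_audit():
    """Run the audit over the constructed inventory and attach actions."""
    return [
        (user, reasons, recommended_action(reasons))
        for user, reasons in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)
    ]


if __name__ == "__main__":
    for user, reasons, action in run_sample_audit():
        print(f"{user}: {', '.join(reasons)} -> {action}")
```

In practice the inventory would be exported from the VPN concentrator or identity provider rather than hard-coded, but the control logic is the same: every remote-access account must be known, recently used, and MFA-protected, and anything that fails those checks is disabled rather than left reachable from the internet.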
Colonial personnel identified the attack at 5 a.m. May 7. Employees then activated a company-wide incident response process, which in this case led to the shutdown order. Shutdown began at 5:55 a.m. and was completed in 15 min, by 6:10.
Blount indicated his company’s primary point of contact with the government during the ransomware attack was the Federal Bureau of Investigation, but that other agencies were added to the crisis response, notably the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security.
Colonial executives decided late May 7 to pay the ransom, and it was paid the next day. The attackers then provided Colonial with a decryption key to unlock the infected IT system. The company began returning all lines to service May 12.
Some ransom recovered
Panic buying during the shutdown sent long lines of cars to service stations and emptied many of those stations. The Colonial Pipeline system provides about 45% of the fuel consumed on the US East Coast. It transports more than 100 million gallons per day (gpd) of refined products, serving 260 delivery points from Texas to New Jersey.
The ransom was paid in Bitcoin cryptocurrency valued at $4.4 million. The Justice Department announced June 7 that it had found and seized $2.3 million of that ransom in an online “Bitcoin wallet.” In making the announcement, Deputy Attorney General Lisa Monaco emphatically urged companies to heighten their defenses.
“Every day, the digital threats that we face are more diverse, more sophisticated, and more dangerous,” she warned.