Colonial CEO defends hack response and offers lessons learned

The chief executive officer of the pipeline company hit by a ransomware attack last month apologized to a U.S. Senate panel for the incident that paralyzed the East Coast’s flow of gasoline, diesel and jet fuel, while defending his company’s response and offering tips for future hacking victims.

“We are deeply sorry for the impact that this attack had, but are also heartened by the resilience of our country and of our company,” Colonial Pipeline Co. CEO Joseph Blount Jr. said at Tuesday’s hearing.

Blount’s appearance before the Senate Homeland Security and Governmental Affairs Committee comes as Congress readies its response to the hack, which affected 45 per cent of the East Coast’s fuel supply, driving up gasoline prices and sparking shortages at filling stations after the company shut the roughly 5,500-mile pipeline on May 7.

The senators’ questions for Blount were direct but relatively gentle. Blount was contrite — and sometimes vague — on some details about the company’s cybersecurity protections. When asked about Colonial’s cybersecurity budget, for instance, he said they had spent US$200 million on information technology over five years, without specifying how much went to defending against hacks.

Blount said responding quickly to contain the threat and swiftly communicating with the government were among the most important lessons he learned from the incident.

The hackers, who the FBI said have been linked to a group known as DarkSide operating in Russia, were able to breach the company’s computer system April 29 using a virtual private network — or VPN — account, an encrypted internet connection that allowed employees to remotely access the company’s computer network. Blount testified that the VPN account only had single-factor authentication.

The “legacy” network “was not intended to be in use,” said Blount, who took over as Colonial CEO in 2017. He added that the company is still trying to determine how the hackers gained the needed credentials to exploit it.

Senator Rob Portman, a Republican from Ohio and the ranking member on the committee, called out this failure. “Mr. Blount you’re a victim, and we understand that,” he said, but added, “this account apparently didn’t use multifactor authentication, which again is just a basic cybersecurity hygiene item that companies should have in place, making it harder for people to gain access.”

Blount was asked repeatedly about his decision to pay the hackers’ ransom, an action that is discouraged by the FBI because it encourages others to attempt cyberattacks. He described it as “the hardest decision I’ve made in my 39 years in the energy industry.”

“I believe with all my heart it was the right choice to make,” Blount told the committee. After it was over, he told reporters, “I’d do it again under the same circumstances.”

Senator Ron Johnson, a Republican from Wisconsin, asked Blount to consider the alternative. “How much worse could it have been had you not made that very difficult decision to bite the bullet so you could get your pipelines up and operational?” Johnson asked.

Blount responded, “That’s an unknown we probably don’t want to know.” But he said that even after paying the ransom, it still took the company six days to get the pipeline back up and running. The remediation at Colonial is ongoing, Blount said, including bringing seven affected financial systems back online this week.

The Department of Justice announced Monday it had recovered the majority of the payment Blount made to the perpetrators in cryptocurrency after law enforcement identified a virtual wallet used in the ransom payment. Because of the declining value of Bitcoin since the ransom was paid, the U.S. seizure in late May amounted to US$2.3 million, just over half the US$4.4 million paid weeks earlier after the ransom was demanded.

The ransomware attack on Colonial is part of a rising trend of such acts against critical infrastructure that is posing an early test of President Joe Biden’s administration. It was among a wave of ransomware attacks that included one on JBS SA, the largest meat producer globally, which forced the shutdown of all its U.S. beef plants, halting output at facilities that account for almost a quarter of American supplies.

U.S. intelligence and law enforcement officials say stopping hacking attacks has become a national security priority. Congress is also considering a legislative response that could include cybersecurity mandates that energy and pipeline companies have spent years opposing.

Speaking to reporters after the hearing, Senator Gary Peters, a Democrat from Michigan and chairman of the committee, said the committee is working on comprehensive cybersecurity legislation that would address information sharing by the private sector with government during cyberattacks. “The private industry has to be very forthcoming. They have to let us know what they know so that information can be shared with other companies. We’re going to be putting a mechanism to do that,” he said.

Senator Maggie Hassan, a Democrat from New Hampshire, expressed concern that Colonial didn’t have a specific plan in place for ransomware attacks prior to the breach. “I have small school districts in New Hampshire that are more prepared than Colonial Pipeline appeared to be, and that’s really concerning,” she told reporters.

“It really speaks to the importance of understanding that when critical infrastructure is run by a private entity, that there needs to be some rules and frameworks to make sure that interests of the American people are served,” Hassan added.

Johnson endorsed a response led by the private sector, saying he wasn’t convinced that government could issue standards and keep them up-to-date given its struggles to pay for top talent.

Meanwhile, Senator James Lankford, a Republican from Oklahoma, said the Colonial pipeline shutdown and resulting fuel shortages demonstrated the need to build more pipelines to provide redundancy in the case of outages.

The Colonial shutdown, he said, is “the ghost of Christmas future for the entire country if we don’t continue to maintain our pipelines, increase capacity of pipelines, if we don’t continue to expand, have a duplication of pipelines in spots.”