Pipeline CEO Defends Company’s Cyber Info Sharing – Breaking Defense Breaking Defense



WASHINGTON: Colonial Pipeline CEO and President Joseph Blount defended his company’s actions after it was hacked, saying it “was extremely transparent” in sharing information with the federal government.

The acting director of DHS’s cyber arm, Brandon Wales, had told Congress that CISA was not getting the “technical information” it needed to share publicly about the Colonial ransomware incident. Wales also testified that he didn’t think Colonial would have reached out to CISA directly if the FBI hadn’t acted as an intermediary.

“If the FBI had not called [CISA], we would have,” Blount said. “I don’t know why [Wales] made that statement, but I can tell you, we would have called him. There’s no reason not to. We were extremely transparent, and we wanted all the help we could get that morning.”

Not everyone at the hearing agreed with Blount. Sen. Rob Portman said in opening remarks during yesterday’s hearing of the Senate Homeland Security and Government Affairs Committee that the Colonial incident “reveals gaps in information sharing.”

What was Colonial’s tale? Blount testified that Colonial contacted the FBI’s Atlanta field office on the morning of May 7, “within hours” of realizing the company had been hit with a ransomware attack. Blount said the FBI’s Atlanta office referred Colonial to the FBI’s San Francisco field office, which operates a Center for Excellence for DarkSide, the criminal group whose ransomware the FBI said was used in the Colonial attack. The FBI arranged a phone call for later that same day and said it would contact CISA and invite CISA representatives to that call, Blount testified.

Blount said Colonial staff regularly communicated with the FBI and CISA to assist with the criminal investigation and digital forensics, while the Department of Energy served as a central “conduit” for the company to communicate with government entities about incident response and system restoration.

Blount appeared appreciative of the government’s assistance with the incident. “For anyone who comes under an attack like this, what you can’t recreate is time and space and the ability to respond,” he said.

Blount also testified that he believes working with law enforcement from the start “may have helped” lead to the recovery of some ransom funds. On Monday, the Justice Department announced it had seized about 63 Bitcoin (worth $2.3 million) of the 75 total ($4.4 million) that Colonial paid in ransom on May 8.

As BD readers know, cyber info sharing was a focus of Biden’s cyber executive order last month and is increasingly a topic of urgent conversation among Congress and other policymakers seeking to improve it.

Cyber Cost-Benefit Analysis

Sen. Margaret Wood Hassan asked about the company’s cost-benefit analysis when considering cybersecurity. “Some companies can focus strictly on economics and perform traditional cost-benefit analyses without considering national security,” she noted, but critical infrastructure owners and operators have a “heightened obligation” because of the nature of their goods and services. She asked if Colonial factored national security into its cyber decisions.

“I wouldn’t say we approached it that way,” Blount said.

“We need to start imagining what can happen and respond accordingly,” Hassan observed, “instead of looking at what the last problem was.”

Ransom Payment

Senators focused on the ransom payment during questioning in yesterday’s hearing, forcing Blount to explain why he paid.

“I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible,” Blount said. “It was the hardest decision I’ve made in my 39 years in the energy industry, and I know how critical our pipeline is to the country, and I put the interest of the country first.”

The FBI and other government entities discourage paying ransoms because it’s believed to encourage future attacks. The Justice Department has advised companies that paying in cases of ransomware may violate the law. The Colonial incident has brought the controversial topic to the forefront of policymaking and public discussion once again.

“I believe with all my heart [paying the ransom] was the right choice to make, but I want to respect those who see this issue differently,” Blount told the committee. In opening remarks, he said, “We are deeply sorry for the impact that this attack had.”

Asked whether Colonial consulted the government prior to the ransom payment, Blount said, “It was our understanding that the decision was solely ours, as a private company, to make the decision about whether to pay or not to pay. Considering the consequences of potentially not bringing the pipeline back on as quickly as I possibly could, I chose the option to make the ransom payment in order to get all the tools necessary and the optionality of those tools to bring the pipeline on as quick as we possibly could, safely as well as securely.”

Asked whether the decryption tool provided by DarkSide upon ransom payment was useful, Blount said, “Keys are helpful, and we have used the keys. So, they have been advantageous to us, but they’re not perfect.”

Where The Attack Began — A VPN

Blount confirmed in testimony that a “legacy [Virtual Private Network]” — a technology that encrypts network traffic and allows workers to securely access IT assets remotely — was where the attack began.

Blount said the VPN had a strong password, but it didn’t have functionality for multifactor authentication, a method of using multiple forms of proof to verify a user’s identity. Blount said the VPN wasn’t intended to be in use.

Blount said that during previous penetration testing — a practice in which organizations hire cyber pros to mimic attackers in order to test organizational defenses and make recommendations for improving cybersecurity — the VPN never came up. “We could not see it, and it did not show up in any pen testing,” Blount said. “That’s unfortunate.”
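The failure mode described above is an externally reachable remote-access service that the organization no longer believed was in use, and so was never covered by MFA or by the scope handed to penetration testers. A routine defensive check is to reconcile what is actually observable from the outside against the approved asset inventory and flag anything unknown, decommissioned-but-live, or lacking enforced MFA. The script below is an added example written for this article; it is not Colonial’s code or process. All hostnames, the `203.0.113.7` address, the inventory entries and the service labels are constructed placeholders, and the `reconcile` function and its data classes are assumptions for illustration.

```python
"""Reconcile externally observed remote-access services against an approved
asset inventory and flag entries that should not be reachable or lack MFA.

Added illustrative example; every host, address and inventory record below is
constructed for the demonstration and does not describe any real network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """An externally observed listener: host, port and the service identified."""
    host: str
    port: int
    service: str


@dataclass
class InventoryEntry:
    """What the asset inventory claims about an endpoint."""
    endpoint: Endpoint
    owner: str
    mfa_enforced: bool
    decommissioned: bool = False


# Services that grant interactive remote access and therefore need MFA.
# Labels are illustrative; use whatever your scanner emits.
REMOTE_ACCESS_SERVICES = {"ssl-vpn", "openvpn", "ipsec-ike", "rdp", "owa"}

# Constructed approved inventory (what IT believes is deployed).
INVENTORY = [
    InventoryEntry(Endpoint("vpn-a.example.test", 443, "ssl-vpn"), "netops", True),
    # A legacy VPN marked retired in the inventory but never actually removed.
    InventoryEntry(Endpoint("vpn-old.example.test", 443, "ssl-vpn"), "netops",
                   False, decommissioned=True),
    InventoryEntry(Endpoint("mail.example.test", 443, "owa"), "messaging", True),
    InventoryEntry(Endpoint("rdp-gw.example.test", 3389, "rdp"), "winops", False),
]

# Constructed external observations, e.g. from an attack-surface scan of
# the organization's own address space. 203.0.113.0/24 is documentation space.
OBSERVED = [
    Endpoint("vpn-a.example.test", 443, "ssl-vpn"),
    Endpoint("vpn-old.example.test", 443, "ssl-vpn"),
    Endpoint("mail.example.test", 443, "owa"),
    Endpoint("rdp-gw.example.test", 3389, "rdp"),
    Endpoint("203.0.113.7", 1194, "openvpn"),   # in no inventory record at all
]


def reconcile(observed, inventory):
    """Classify each observed remote-access endpoint against the inventory.

    Returns a dict with four lists:
      unknown                 - reachable but absent from the inventory
      decommissioned_but_live - inventory says retired, yet still answering
      no_mfa                  - approved and live, but MFA not enforced
      ok                      - approved, live, MFA enforced
    Non-remote-access services are ignored so the report stays focused.
    """
    by_endpoint = {entry.endpoint: entry for entry in inventory}
    findings = {"unknown": [], "decommissioned_but_live": [], "no_mfa": [], "ok": []}
    for ep in observed:
        if ep.service not in REMOTE_ACCESS_SERVICES:
            continue
        entry = by_endpoint.get(ep)
        if entry is None:
            findings["unknown"].append(ep)
        elif entry.decommissioned:
            findings["decommissioned_but_live"].append(ep)
        elif not entry.mfa_enforced:
            findings["no_mfa"].append(ep)
        else:
            findings["ok"].append(ep)
    return findings


def needs_action(findings):
    """True when anything other than 'ok' was found; handy as a CI gate."""
    return any(findings[k] for k in ("unknown", "decommissioned_but_live", "no_mfa"))


if __name__ == "__main__":
    report = reconcile(OBSERVED, INVENTORY)
    for category, endpoints in report.items():
        for ep in endpoints:
            print(f"{category:24s} {ep.host}:{ep.port} ({ep.service})")
    raise SystemExit(1 if needs_action(report) else 0)
```

The point of the comparison is that the inventory alone would never have surfaced the retired VPN, and a test scope derived from that inventory would not either; only an outside-in observation reconciled against the inventory exposes the discrepancy. Feeding the three non-`ok` categories to whoever scopes penetration tests closes the gap the testimony describes.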

Blount also confirmed the attackers stole information from company networks prior to encrypting data, which the company learned about in the ransom note.

“What we know about that material right now [is] it was exfiltrated off a share drive,” Blount said. “It contains a lot of different material. It was recovered very quickly.” But, he added, “We don’t fully understand everything that was in it” because the investigation is ongoing.

Blount stressed the company had not been ignoring cybersecurity. “We had cyber defenses in place, but the unfortunate reality is that those defenses were compromised.”

Sen. Josh Hawley pointed out that Colonial paid $670 million in stock dividends in 2018 and asked about the company’s investments in cybersecurity. Blount said Colonial had spent $200 million in IT over the past five years and another $1.5 billion for system integrity over the same period.

“We’ve never had our board deny us any funds associated with safety and security,” Blount said, “whether it’s on the IT or physical security side of the pipe. If my CIO wants funds, she gets them.”

Operational Technologies Not Hit Directly

Colonial’s pipeline stretches some 5,500 miles from Texas up most of the Eastern seaboard, moving about 45 percent of the fuel used on the East Coast.

“The pipeline is one of the most complex pieces of energy infrastructure in America, if not the world,” Blount told Congress.

Blount confirmed that the malware hit Colonial’s IT systems but did not directly affect operational technologies, which control the pipeline’s physical components, such as gauges and valves, used to monitor and control the flow of fuel. The company proactively shut down its OT.

“If there was a 1 percent chance that the OT system was compromised, it was worth shutting the pipeline system down,” Blount said.

The company also quickly began physical inspections of the pipeline, because, “We didn’t know that it was just a cyberattack,” Blount said. “We had to make sure it wasn’t potentially an attack on our physical structure as well.” So, Blount added, “We drove over 29,000 miles” conducting inspections, but the company didn’t find any physical damage.

Asked whether the company could or did operate the pipeline manually, Blount said it was possible and that the company did operate “part of it” manually, but ultimately decided it would be quicker to restore IT. Blount said a major hurdle to manual operation is the recent or imminent retirement of older Colonial staff who understand manual pipeline operations.

Blount noted that, until this incident, the “pipeline has never been down completely, with the exception of over the couple of hours of Y2K.”

Government Cyber Standards

The topic of government-imposed cybersecurity standards arose during the hearing.

In the days following the incident, the Transportation Security Authority — which oversees pipeline security — issued new mandates. These cybersecurity mandates supplement existing rules and regulations on pipeline operators.

But Sen. Ron Johnson appeared skeptical of government-imposed standards. “I’m not convinced the federal government is going to be particularly effective at issuing standards and keeping them up to date,” Johnson said. “I really look at the private sector as being far more nimble at that.”

Blount said public-private partnerships will be most valuable going forward. “In combination with the government, we have a much better ability as Americans to thwart the threat of cyberattacks,” Blount observed. Blount also noted that private companies cannot, for instance, “put pressure on governments.”

Asked by Hawley what Congress should demand of Colonial, Blount said, “I think what Congress should require is that we have a focus on safety and security of this critical asset, and I think we’ve demonstrated that over the last 57 years.”
