Colonial CEO Says Poor Password Practices Led to Ransomware Attack
Poor password security practices allowed hackers into the Colonial Pipeline
computer system, leading to the ransomware attack that shuttered the pipeline
and caused fuel shortages throughout the Southeastern United States, Colonial's
CEO said during a hearing with federal lawmakers Wednesday.
Testifying before the House Committee on Homeland Security, Colonial CEO Joseph
Blount said it appeared a Colonial employee used the same username and password
on at least one other internet site. Hackers got the information from one site
and then used it to gain entrance to a Colonial virtual private network (VPN)
that the pipeline company thought was no longer in use, Blount said. The
so-called legacy VPN did not require a second form of authentication, such as
entering a PIN, which is now recommended as a standard security practice,
Blount said.
"We had cyber-defenses in place, but the unfortunate reality is those defenses
were not enough," Blount said.
Blount said that while Colonial has continually upgraded its cyber security
operations, the company has had to make a "substantial" investment in security
following the attack, as hackers had access to the system and now know its
vulnerabilities.
"We have been compromised. We have had criminals in our system," he said,
adding that the company was willing to provide whatever resources its staff
identifies as being needed to harden the system against future attacks. He said
the company has spent about $200 million on its IT system over the last decade,
including funds for cyber security.
When asked what kind of changes Colonial is making, Blount was unwilling to
share the information publicly, saying, "We are doing a lot of things
differently, but don't want to give a roadmap to a criminal actor who might
want to get in."
Blount also did not identify the employee whose password was compromised. The
password that was hacked "was not a common password, or easy password" and met
the security standards for password protocols. He said that while the company
screens itself for cybersecurity vulnerabilities, the problem with the VPN
network was not identified because the company did not think it was still in
use. Cyber security experts recommend strict password measures, including using
unique passwords. But Blount acknowledged that it is not unusual for people to
use the same password across multiple sites, another factor unlikely to be
identified during a security screening.
During the hearing, lawmakers alternately expressed outrage that Colonial's
cyber defenses were able to be breached and asked what steps the CEO thought
were needed to prevent similar attacks on other critical energy infrastructure.
Blount also told committee members that the United States needs to do more to
pressure countries, such as Russia, to crack down on hackers operating within
their borders.
"Approach the host, put political pressure on them to stop it before it
starts," he said.
The CEO gave members of the House committee a timeline of the attack, saying a
Colonial operator identified that the system was under attack at about 5 a.m. on
May 7 and that the decision to shut the pipeline system was made within an
hour. The company contacted the FBI early the same morning and made the
decision to begin negotiating to pay the ransom in the late afternoon. The
company paid the $4.4 million ransom on May 8 but did not discuss with federal
officials whether or not they should pay it, he said. Blount defended the
decision to pay the hackers, saying he put the interest of the country first.
"I believe with all my heart it was the right decision to make," he said.
While Colonial began working with the White House and a variety of federal
agencies shortly after recognizing it was under attack, it did not inform the
FBI that it had paid the ransom until two days after the payment was
made. Blount defended the secrecy, saying he had been concerned about
"operational security."
Blount said Colonial also worked with law enforcement as it attempted to
recover the ransom paid to the hackers. On Monday, the U.S. Department of
Justice announced it had recovered bitcoin worth $2.3 million, which it said
was part of the payment Colonial had made. The 63.7 bitcoins recovered by
federal officials are the lion's share of the 75 bitcoins Colonial reportedly
paid. The value of bitcoin, like that of stocks, varies from day to day. Blount said the
company has filed a claim with its cyber insurance company for the ransom and
expects it will be paid.
The 2.5-million-b/d Colonial Pipeline provides about 45% of the fuel used on
the U.S. East Coast, carrying refined products from Texas to the Northeast
and metropolitan areas along the Eastern Seaboard. The pipeline was shut down
May 7 after the operator said its business systems were hit by a ransomware
attack, and Colonial announced a restart of pipeline operations six days later
in the afternoon of May 12.
--Reporting by Steve Cronin, scronin@opisnet.com; Editing by Michael Kelly,
michael.kelly3@ihsmarkit.com
Copyright, Oil Price Information Service