Tech audit of Colonial Pipeline found ‘glaring’ problems
AN outside audit three years ago of the major East Coast pipeline company hit by a cyberattack found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author said.
“We found glaring de ciencies and big problems,” said Robert F. Smallwood, whose consulting rm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”
How far the company, Colonial Pipeline, went to address the vulnerabilities isn’t clear. Colonial said Wednesday that since 2017, it has hired four independent rms for cybersecurity risk assessments and increased its overall IT spending by more than 50 . While it did not specify an amount, it said it has spent tens of millions of dollars.
“We are constantly assessing and improving our security practices both physical and digital,” the privately held Georgia company said the audit’s ndings. It did not name the rms who did cybersecurity work but one rm, Rausch Advisory Services, located in Atlanta near Colonial’s headquarters, acknowledged being among them. Colonial’s chief information of cer sits on Rausch’s advisory board.
Colonial has not said how the hackers penetrated its network. How vulnerable it was to compromise is sure to be intensely scrutinized by federal authorities and cybersecurity experts as they consider how the most damaging cyberattack on U.S. critical infrastructure might have been prevented.
Friday’s pipeline shutdown has led to distribution problems and panic-buying, draining supplies at thousands of gas stations in the Southeast. Colonial said it initiated the restart of pipeline operations on Wednesday afternoon and that it would take several days for supply delivery to return to normal.
Ransomware attacks have reached epidemic levels as foreign criminal gangs paralyze computer networks at state and local governments, police departments, hospitals and universities demanding large sums to decrypt the data. Many organizations have failed to invest in the safeguards needed to fend off such attacks, though U.S. of cials worry even more about state-backed foreign hackers doing more serious damage.
Any shortcomings by Colonial would be especially egregious given its critical role in the U.S. energy system, providing the East Coast with 45 of its gasoline, jet fuel and other petroleum products.
Smallwood, a partner at iMERGE and managing director of the Institute for Information Governance, said he prepared a 24-month, 1.3 million plan for Colonial. While iMERGE’s audit was not directly focused on cybersecurity “we found many security issues, and that was put in the report.”
Colonial’s statements Wednesday suggest it may have heeded a number of Smallwood’s recommendations. In addition, it says it has active monitoring and overlapping threat-detection systems on its network and identi ed the ransomware attack “as soon as we learned of it.” Colonial said its IT network is strictly segregated from pipeline control systems, which were not affected by the ransomware.
Unlike electrical utilities, the pipeline industry is not subject to mandatory cybersecurity standards, which the Federal Energy Regulatory Commission chair, Richard Glick, called for in a statement Tuesday.
Smallwood’s study was not a cybersecurity audit. It focused on ensuring smooth operations and preventing data theft, which is exactly what Colonial suffered last week. Colonial is not saying what the cybercriminals took before activating the ransomware.