The Washington Post

Pipeline was shut down with worst-case scenario in mind, executives say

- BY AARON GREGG aaron.gregg@washpost.com

Lawmakers called for aggressive action against cybercrimi­nals on Wednesday, as the chief executive of Colonial Pipeline faced a second day of congressio­nal questionin­g about the company’s handling of a massive breach last month.

CEO Joseph Blount reiterated the rationale behind the controvers­ial decision to suspend pipeline operations and negotiate with the online criminals who’d locked up Colonial’s proprietar­y data, insisting during a House hearing that swift action was needed to guard against the worst-case scenario.

In the frenzied early hours of May 7, what worried executives most was the possibilit­y that hackers could seize physical control of equipment crucial to running one of the nation’s largest fuel supply networks.

“If you even think there is even a 1 percent chance that that criminal got into your [operationa­l technology] system and could potentiall­y take over control of a 5,500-mile pipeline moving 100 million gallons a day, then you shut that pipeline down,” Blount said Wednesday.

Charles Carmakal, chief technology officer of the cybersecur­ity firm Mandiant, which is working with Colonial, also addressed the House Committee on Homeland Security. In prepared remarks obtained by The Washington Post, Carmakal explained how industrial organizati­ons try to wall off important physical systems from vulnerable online ones. Attacks on the physical systems themselves, while rare, could take longer to remedy.

“There have been relatively fewer publicly disclosed intrusions of [physical systems] as compared to IT environmen­ts, but the impact can be exponentia­lly more significan­t,” Carmakal wrote.

In recent years, as more physical things are connected to the Internet, hackers are increasing­ly able to disrupt physical systems as opposed to just extorting money. The evolution has raised the prospect that critical supply systems that millions of people rely on such as fuel or food could collapse under online extortion.

The Colonial Pipeline hackers entered through the company’s IT systems, Carmakal said, using an old log-in credential that was not protected by some basic industry-standard security protocols. From there the hackers locked up important company informatio­n and demanded a ransom. Although an investigat­ion is ongoing, there is no evidence that the hackers went after physical systems or intended to do so.

On May 7, as Colonial executives scrambled to respond to the breach, they did not know its breadth, Blount had told a Senate panel a day earlier. They knew that shutting off the pipeline would have serious consequenc­es. But they couldn’t run the risk that hackers might “move laterally” through the company’s infrastruc­ture and cause lasting damage. If hackers had done so, it might have extended the wait for fuel distributi­on to return to normal.

So managers shut down the pipeline and engaged with the hackers, eventually agreeing to pay them 75 bitcoin, worth $4.3 million at the time, according to the FBI. Authoritie­s have since recovered more than half the ransom about $2.3 million. Colonial submitted an insurance claim to cover its costs.

Blount expanded Wednesday on why he decided to pay the ransom to a Russian criminal group known as Darkside. It gave Colonial access to a decryption tool as well as unspecifie­d services that the hackers offer to its victims.

“When you’re moving 100 million gallons of fuel every day to 50 million Americans, and you think you can potentiall­y get there quicker by having that tool, you avail yourself of that tool,” Blount said. “I did not like handing that money over to criminals, but it was a decision that I made in order to support the country.”

Carmakal said in prepared remarks that the experience with Colonial shows how ransomware has moved from being a strictly online phenomena to one that has serious implicatio­ns for regular people.

The cyberattac­k set off panic buying and gasoline shortages from Texas to New Jersey. It took about a week for fuel availabili­ty to return to normal. The scale of the pipeline cyberattac­k — as well as a separate hack weeks later affecting JBS, the world’s largest meat supplier has elicited responses from the highest levels of government. President Biden plans to raise it during his meeting with Group of Seven nations in Britain as well as with leaders in other meetings during his European trip this month, a senior official said Monday.

Representa­tives from both parties pressed for a stronger government response to deter and go after cybercrimi­nals. Rep. Elissa Slotkin (D-mich.) decried the “absolute lack of deterrence, absolute lack of punishment and consequenc­es for the people who conduct these attacks.” Until criminals face consequenc­es, she said, “we are going to have more CEOS in front of our committee.”

Ransomware attacks surged and became more disruptive in 2015 as hackers destroyed business systems, leaked proprietar­y data and intimidate­d executives as part of broader strategy that Mandiant and others have called “multifacet­ed extortion.” In 2019, one notorious hacking group threatened to publicly humiliate its corporate victims while demanding seven- and eight-figure ransoms.

Those attacks took on a new urgency when hospitals became the focus of ransomware attacks by an unspecifie­d Eastern European group, Carmakal said. Hospitals had to divert patients and find ways to operate without IT systems.

“The impact of cyber intrusions to human lives has never been more dire,” Carmakal wrote in prepared remarks.

He told lawmakers that such events have reached an “intolerabl­e” level, adding: “We must come together as a community to help organizati­ons defend their networks.”

House Homeland Security Committee Chairman John Katko (R-N.Y.) told CNBC that there needs to be a more aggressive and better-funded response to ransomware attacks from the government and the private sector. He called for a coordinate­d effort, one that would include a crackdown on cryptocurr­ency.

“We also need to make sure the Biden administra­tion and subsequent administra­tions have cybersecur­ity infrastruc­ture plans in place, so they can anticipate attacks and have a plan in place for when critical infrastruc­ture is attacked — much like we did in the Cold War,” Katko said. “We have to have the same type of security plan ready for cyberattac­ks and ransomware attacks.”

In Wednesday’s hearing, Carmakal suggested that the U.S. government and unspecifie­d “select private organizati­ons” should aggressive­ly go after foreign hackers. Companies are not allowed to “hack back” against online assailants, but some have suggested that the government could do more.

“I certainly think there is a way and an opportunit­y to disrupt the aggressive threat actors that continue to cause havoc in the United States,” he said. “But we certainly need to define what are the rules of engagement.”

 ?? ANDREW CABALLERO-REYNOLDS/POOL/REUTERS ?? Colonial Pipeline CEO Joseph Blount expanded on why he decided to pay the ransom to a Russian criminal group known as Darkside.
ANDREW CABALLERO-REYNOLDS/POOL/REUTERS Colonial Pipeline CEO Joseph Blount expanded on why he decided to pay the ransom to a Russian criminal group known as Darkside.

Newspapers in English

Newspapers from United States