Colonial Pipeline CEO Joseph Blount, testifying before the House Committee on Homeland Security, denied that the company purposefully avoided oversight that could have flagged cybersecurity lapses. Lawmakers questioned why numerous review offers from the Transportation Security Administration, which oversees pipeline security, were rebuffed prior to the May 7 ransomware attack. Blount cited COVID-19 issues and said the company was in the process of relocating to new offices, but added that a review had been confirmed with the TSA for late July.
Blount and Charles Carmakal, SVP and CTO at Mandiant, which is leading an internal investigation into the ransomware attack, urged lawmakers to help enable companies to respond faster and provide more transparency about the attacks. Private industry needs more immediate and detailed threat intelligence to prevent these attacks from happening in the future, according to Blount.
Lawmakers need to help companies provide swift notification of ransomware activity so companies can more quickly prepare their defenses, according to Blount. "I think we've seen in the United States over the past month, a lot of companies that are admitting that they were hacked and paid ransom three or four months ago," Blount said. "That's not helping defend any of the companies that are being attacked, let alone the critical infrastructure."
Blount faced nearly three hours of additional questioning Wednesday, one day after testifying before the Senate Homeland Security & Government Affairs Committee. Carmakal, who is leading a team of forensic security experts brought in to help Colonial Pipeline get answers regarding the attack, also testified.
Colonial Pipeline, the largest U.S. supplier of refined energy products, including gasoline, jet fuel and home heating oil, had to temporarily halt deliveries through its 5,500-mile pipeline last month after the DarkSide ransomware gang compromised a legacy VPN account and gained access to the firm's IT infrastructure. Colonial Pipeline paid a ransom of $4.4 million in bitcoin to the DarkSide organization, but federal officials were able to recover $2.3 million through a court-ordered seizure of the payment.
The earliest evidence of compromise was April 29, when the threat actor logged into a VPN appliance using the username and password of a Colonial Pipeline employee, according to written testimony from Carmakal. Colonial officials first learned of the ransomware attack on May 7, when the company found a ransom demand in a systems control room.
Rep. Donald Payne, D-N.J., and Rep. Bonnie Watson Coleman, D-N.J., asked Blount why the company denied repeated attempts by the TSA to schedule voluntary security reviews.
The TSA reviews pipeline security through the Critical Facility Security Review and Corporate Security Review programs, which are designed to make sure pipeline operators adhere to proper security standards. One program, called the Validated Architectural Design Review, specifically drills down on cybersecurity readiness in an industrial setting.
TSA's oversight of pipeline security has been under scrutiny by lawmakers in the wake of the Colonial Pipeline attack. Last month, it issued a new directive that requires prompt reporting of confirmed and potential cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
Rep. Jim Langevin, D-R.I., also questioned Blount about why the company declined assistance from CISA. Colonial was already being advised by Mandiant, Dragos and Black Hills on how to respond to and mitigate the ransomware attack, Blount said. Companies with fewer resources than Colonial Pipeline would likely benefit more from such a program, he said.