- Colonial Pipeline did not directly contact the Cybersecurity and Information Security Agency (CISA), said Brandon Wales, CISA's acting director, during a Senate committee hearing Tuesday. The FBI brought in CISA after Colonial disclosed the cyberattack to law enforcement.
- While CISA "received information fairly quickly" from the FBI, the agency is waiting for additional technical information, Wales said. The wait for more technical detail is "not surprising given that they've only been working on the incident response since over the weekend."
- Had the FBI not included CISA early in its investigations, Wales does not believe Colonial would have contacted CISA. When Sen. Ron Portman, R-OH, asked Wales if he thought that was a problem, Wales agreed and highlighted CISA's need to share related information more broadly for other members of critical infrastructure.
CISA's mission relies on information sharing so it can provide critical infrastructure organizations with data to defend a threat. Historically, the private sector is selective in what cyberthreat data it shares with government agencies.
CISA's reliance on private sector cybersecurity input is a "true asset," said Wales. The agency provides cybersecurity assistance to private and public sector organizations, occasionally providing technology too. However, CISA, founded in 2018, is not a law enforcement agency and may not be companies' first outreach in light of an incident.
"CISA's unique responsibility is to help the broad community improve their cybersecurity," said Wales. "We're the only federal agency charged with getting the information out to support everyone's cybersecurity and resilience, but for us to do that, we need to be fed the right information from all of our partners."
These partners include the intelligence community, private sector organizations, and state and local governments. The culmination of input allows CISA to provide a well-rounded picture of the cyberthreats the U.S. is facing.
As of Monday, Colonial had not asked for cybersecurity support from the federal government, Anne Neuberger, deputy national security advisor, said during a White House press briefing Monday. "Colonial was very careful," and chose to shut down part of the pipeline out of concern the ransomware would jump from its IT environments to its OT environments.
"There is no indication that the entity's operational technology (OT) networks have been directly affected by the ransomware," CISA and the FBI confirmed Tuesday in an alert.
The U.S. economy is already experiencing the impacts of the cyberattack, with rising gasoline prices and airline refueling concerns. The Colonial Pipeline attack "is probably the biggest one ever on American infrastructure, certainly the biggest one that we know of," said Portman.
Colonial is responsible for almost half of the East Coast's oil supply and with access concerns, gas prices have already increased by an average of 6 cents compared to a week ago, according to estimations. AAA expects prices to increase more because of the stalled pipeline.
Colonial resumed operations Monday "under manual control while the existing inventory is available, along with some of the smaller lines that are spurs off of the major lines," said Jennifer Granholm, secretary of energy, during a White House press briefing Tuesday. "By close of business [Wednesday], Colonial will be in a position to make the full restart decision … there should be no cause for hoarding gasoline."
The FBI attributed Colonial's attack to a ransomware as a service variant DarkSide. The U.S. isn't attributing it to a nation-state actor at this point.
DarkSide is a ransomware criminal group that often targets "high-revenue organizations" that can "afford to pay large ransoms," sparing hospitals, schools or governments, CISA said. Though Neuberger said paying a ransom is a private sector decision.
DarkSide affiliates splits its payments with the criminals who made the ransomware, a business model common for decentralized ransomware operations. Security researcher and blogger Marcus Hutchins noted "ransomware groups usually just pick out companies based on revenue then ransom their business network. They rarely anticipate side effects outside of corporate network outage," he said in a tweet.
"Honestly, I'd not even be surprised if the majority of ransomware operators don't even know what it is the company they're ransoming does," Hutchins said.