Colonial Pipeline was shut down with worst-case scenario in mind, executives say
WASHINGTON — Lawmakers called for aggressive action against cybercriminals on Wednesday, as the chief executive of Colonial Pipeline Co. faced a second day of congressional questioning about the company’s handling of a massive breach last month.
CEO Joseph Blount reiterated the rationale behind the controversial decision to suspend pipeline operations and negotiate with the online criminals who’d locked up Colonial’s proprietary data, insisting during a House hearing that swift action was needed to guard against the worst-case scenario.
In the frenzied early hours of May 7, what worried executives most was the possibility that hackers could seize physical control of equipment crucial to running one of the nation’s largest fuel supply networks.
“If you even think there is even a one percent chance that that criminal got into your [operational technology] system and could potentially take over control of a 5,500-mile pipeline moving 100 million gallons a day, then you shut that pipeline down,” Blount said Wednesday.
Charles Carmakal, chief technology officer of the cybersecurity firm Mandiant, which is working with Colonial, also addressed the House Committee on Homeland Security. In prepared remarks obtained by The Washington Post, Carmakal explained how industrial organizations try to wall off important physical systems from vulnerable online ones. Attacks on the physical systems themselves, while rare, could take longer to remedy.
“There have been relatively fewer publicly disclosed intrusions of [physical systems] as compared to IT environments, but the impact can be exponentially more significant,” Carmakal wrote.
In recent years, as more physical things are connected to the Internet, hackers are increasingly able to disrupt physical systems as opposed to just extorting money. The evolution has raised the prospect that critical supply systems that millions of people rely on ― such as fuel or food supplies ― could collapse under online extortion.
The Colonial Pipeline hackers entered through the company’s IT systems, Carmakal said, using an old login credential that was not protected by some basic industry-standard security protocols. From there the hackers locked up important company information and demanded a ransom. Although an investigation is ongoing, there is no evidence that the hackers went after physical systems or intended to do so.
On May 7, as Colonial executives scrambled to respond to the breach, they did not know its breadth, Blount had told a Senate panel a day earlier. They knew that shutting off the pipeline would have serious consequences. But they couldn’t run the risk that hackers might “move laterally” through the company’s infrastructure and cause lasting damage. If hackers had done so, it might take even longer for fuel distribution to return to normal.
So managers shut down the pipeline and engaged with the hackers, eventually agreeing to pay them 75 bitcoin, worth $4.3 million at the time, according to the FBI. Authorities have since recovered more than half the ransom ― about $2.3 million. Colonial submitted an insurance claim to cover its costs.
Blount expanded Wednesday on why he decided to pay the ransom to a Russian criminal group known as DarkSide. It gave Colonial access to a decryption tool as well as unspecified services that the hackers offer to their victims.
“When you’re moving 100 million gallons of fuel every day to 50 million Americans, and you think you can potentially get there quicker by having that tool, you avail yourself of that tool,” Blount said. “I did not like handing that money over to criminals, but it was a decision that I made in order to support the country.”
Carmakal, the Mandiant CTO, said in prepared remarks that the experience with Colonial shows how ransomware has moved from being a strictly online phenomenon to one that has serious implications for regular people.
The cyberattack set off panic buying and gasoline shortages from Texas to New Jersey. It took about a week for fuel availability to return to normal. The scale of the pipeline cyberattack — as well as a separate hack on JBS, the world’s largest meat supplier, weeks later ― has elicited responses from the highest levels of government. President Biden plans to raise it during his meeting with Group of Seven nations, known as the G-7, in Britain this month, as well as with leaders in other meetings during his European trip, a senior official said Monday.
Representatives from both parties pressed for a stronger government response to deter and go after cybercriminals. Rep. Elissa Slotkin, D-Mich., decried the “absolute lack of deterrence, absolute lack of punishment and consequences for the people who conduct these attacks.” Until criminals face consequences, she added, “we are going to have more CEOs in front of our committee.”
Ransomware attacks surged and became more disruptive in 2015 as hackers would destroy business systems, leak proprietary data, and intimidate executives as part of a broader strategy that Mandiant and others have called “multifaceted extortion.” In 2019, one notorious hacking group threatened to publicly humiliate its corporate victims while demanding seven- and eight-figure ransoms.
Those attacks took on a new urgency when hospitals became the focus of ransomware attacks by an unspecified Eastern European group, Carmakal said. Hospitals had to divert patients and find ways to operate without IT systems.
“The impact of cyber intrusions to human lives has never been more dire,” Carmakal wrote in prepared remarks.
He told lawmakers such events have reached an “intolerable” level, adding: “we must come together as a community to help organizations defend their networks.”
House homeland security committee chairman John Katko (R-N.Y.) told CNBC there needs to be a more aggressive and better-funded response to ransomware attacks from the government and the private sector. He called for a coordinated effort, one that would include a crackdown on cryptocurrency.
“We also need to make sure the Biden administration and subsequent administrations have cybersecurity infrastructure plans in place, so they can anticipate attacks and have a plan in place for when critical infrastructure is attacked — much like we did in the Cold War,” Katko said. “We have to have the same type of security plan ready for cyber attacks and ransomware attacks.”
In Wednesday’s hearing, Carmakal suggested the U.S. government and unspecified “select private organizations” should aggressively go after foreign hackers. Companies are not allowed to “hack back” against online assailants, but some have suggested the government should play a more aggressive role in finding and attacking foreign cybercriminals.
“I certainly think there is a way and an opportunity to disrupt the aggressive threat actors that continue to cause havoc in the United States,” he said. “But we certainly need to define what are the rules of engagement.”