Colonial CEO Says Poor Password Practices Led to Ransomware Attack

    Poor password security practices allowed hackers into the Colonial Pipeline
    computer system, leading to the ransomware attack that shuttered the pipeline
    and caused fuel shortages throughout the Southeastern United States, Colonial's
    CEO said during a hearing with federal lawmakers Wednesday.

    Testifying before the House Committee on Homeland Security, Colonial CEO Joseph
    Blount said it appeared a Colonial employee used the same username and password
    on at least one other internet site. Hackers got the information from one site
    and then used it to gain entrance to a Colonial virtual private network (VPN)
    that the pipeline company thought was no longer in use, Blount said. The
    so-called legacy VPN did not require a second form of authentication, such as
    entering a PIN, which is now recommended as a standard security practice,
    Blount said.

    "We had cyber-defenses in place, but the unfortunate reality is those defenses
    were not enough," Blount said.

    Blount said that while Colonial has continually upgraded its cyber security
    operations, the company has had to make a "substantial" investment in security
    following the attack, as hackers had access to the system and now know its

    "We have been compromised. We have had criminals in our system," he said,
    adding that the company was willing to provide whatever resources its staff
    identifies as being needed to harden the system against future attacks. He said
    the company has spent about $200 million on its IT system over the last decade,
    including funds for cyber security.

    When asked what kind of changes Colonial is making, Blount was unwilling to
    share the information publicly, saying, "We are doing a lot of things
    differently, but don't want to give a roadmap to a criminal actor who might
    want to get in."

    Blount also did not identify the employee whose password was compromised. The
    password that was hacked "was not a common password, or easy password" and met
    the security standards for password protocols. He said that while the company
    screens itself for cybersecurity vulnerabilities, the problem with the VPN
    network was not identified because the company did not think it was still in
    use. Cyber security experts recommend strict password measures, including using
    unique passwords. But Blount acknowledged that it is not unusual for people to
    use the same password across multiple sites, another factor unlikely to be
    identified during a security screening.

    During the hearing, lawmakers alternately expressed outrage that Colonial's
    cyber defenses could be breached and asked what steps the CEO thought were
    needed to prevent similar attacks on other critical energy infrastructure.

    Blount also told committee members that the United States needs to do more to
    pressure countries, such as Russia, to crack down on hackers operating within
    their borders.

    "Approach the host, put political pressure on them to stop it before it
    starts," he said.

    The CEO gave members of the House committee a timeline of the attack, saying a
    Colonial operator identified that the system was under attack at about 5 a.m. on
    May 7 and that the decision to shut the pipeline system was made within an
    hour. The company contacted the FBI early the same morning and made the
    decision to begin negotiating to pay the ransom in the late afternoon. The
    company paid the $4.4 million ransom on May 8 but did not discuss with federal
    officials whether or not it should pay, he said. Blount defended the decision
    to pay the hackers, saying he put the interest of the country first.

    "I believe with all my heart it was the right decision to make," he said.

    While Colonial began working with the White House and a variety of federal
    agencies shortly after recognizing it was under attack, it did not inform the
    FBI that it had paid the ransom until two days after the payment was made.
    Blount defended the secrecy, saying he had been concerned about "operational
    security."

    Blount said Colonial also worked with law enforcement as it attempted to
    recover the ransom paid to the hackers. On Monday, the U.S. Department of
    Justice announced it had recovered bitcoin worth $2.3 million, which it said
    was part of the payment Colonial had made. The 63.7 bitcoins recovered by
    federal officials are the lion's share of the 75 bitcoins Colonial reportedly
    paid. The value of bitcoin, like that of stocks, varies from day to day. Blount
    said the company has filed a claim with its cyber insurance company for the
    ransom and expects it will be paid.

    The 2.5-million-b/d Colonial Pipeline provides about 45% of the fuel used on
    the U.S. East Coast, carrying refined products from Texas to the Northeast
    and metropolitan areas along the Eastern Seaboard. The pipeline was shut down
    May 7 after the operator said its business systems were hit by a ransomware
    attack, and Colonial announced a restart of pipeline operations six days later,
    in the afternoon of May 12.

    --Reporting by Steve Cronin, scronin@opisnet.com; Editing by Michael Kelly.

    Copyright, Oil Price Information Service