Colonial Pipeline CEO Defends Cyberattack Response

Joseph Blount, chief executive officer of Colonial Pipeline Co., is sworn in during a Senate Homeland Security and Governmental Affairs Committee hearing in Washington June 8. (Andrew Caballero-Reynolds/AFP via Bloomberg News)


The chief executive officer of the pipeline company hit by a ransomware attack last month apologized to a U.S. Senate panel for the incident that paralyzed the East Coast’s flow of gasoline, diesel and jet fuel, while defending his company’s response and offering tips for future hacking victims.

“We are deeply sorry for the impact that this attack had, but are also heartened by the resilience of our country and of our company,” Colonial Pipeline Co. CEO Joseph Blount Jr. said at the June 8 hearing.

Blount’s appearance before the Senate Homeland Security and Governmental Affairs Committee comes as Congress readies its response to the hack, which affected 45% of the East Coast’s fuel supply, driving up gasoline prices and sparking shortages at filling stations after the company shut the roughly 5,500-mile pipeline on May 7.

The senators’ questions for Blount were direct but relatively gentle. Blount was contrite — and sometimes vague — on some details about the company’s cybersecurity protections. When asked about Colonial’s cybersecurity budget, for instance, he said the company had spent $200 million on information technology over five years, without specifying how much of that went to defending against hacks.

Blount said responding quickly to contain the threat and swiftly communicating with the government were among the most important lessons he learned from the incident.

The hackers, who the FBI said have been linked to a group known as DarkSide operating in Russia, were able to breach the company’s computer system April 29 using a virtual private network (or VPN) account, an encrypted internet connection that allowed employees to remotely access the company’s computer network. Blount testified that the VPN account only had single-factor authentication.

The “legacy” network “was not intended to be in use,” said Blount, who took over as Colonial CEO in 2017. He added that the company is still trying to determine how the hackers gained the needed credentials to exploit it.

Sen. Rob Portman (R-Ohio), the ranking member on the committee, called out this failure. “Mr. Blount, you’re a victim, and we understand that,” he said, but added, “this account apparently didn’t use multifactor authentication, which again is just a basic cybersecurity hygiene item that companies should have in place, making it harder for people to gain access.”

Blount was asked repeatedly about his decision to pay the hacker’s ransom, an action that is discouraged by the FBI because it encourages others to attempt cyberattacks. He described it as “the hardest decision I’ve made in my 39 years in the energy industry.”

“I believe with all my heart it was the right choice to make,” Blount told the committee. After it was over, he told reporters, “I’d do it again under the same circumstances.”

Sen. Ron Johnson (R-Wis.) asked Blount to consider the alternative. “How much worse could it have been had you not made that very difficult decision to bite the bullet so you could get your pipelines up and operational?” Johnson asked.

Blount responded, “That’s an unknown we probably don’t want to know.” But he said that even after paying the ransom, it still took the company six days to get the pipeline back up and running. The remediation at Colonial is ongoing, Blount said, including bringing seven affected financial systems back online this week.

The Department of Justice announced June 7 it had recovered the majority of the payment Blount made to the perpetrators in cryptocurrency after law enforcement identified a virtual wallet used in the ransom payment. Because of the declining value of Bitcoin since the ransom was paid, the U.S. seizure in late May amounted to $2.3 million, just over half the $4.4 million paid weeks earlier after the ransom was demanded.

The ransomware attack on Colonial is part of a rising trend of such acts against critical infrastructure that is posing an early test of President Joe Biden’s administration. It was among a wave of ransomware attacks that included JBS SA, the largest meat producer globally, which forced the shutdown of all its U.S. beef plants, halting output at facilities that account for almost a quarter of American supplies.

Sen. James Lankford (R-Okla.) said the Colonial pipeline shutdown and resulting fuel shortages demonstrated the need to build more pipelines to provide redundancy in the case of outages.

The Colonial shutdown, he said, is “the ghost of Christmas future for the entire country if we don’t continue to maintain our pipelines, increase capacity of pipelines, if we don’t continue to expand, have a duplication of pipelines in spots.”
