Pipeline operator Colonial Pipeline, which suffered a significant ransomware attack in May, is working with top cybersecurity firms to help the company in its response and recovery to the attack and doesn’t need similar services from the government, the company’s top executive told a House panel on Wednesday.
“Almost immediately” after Colonial Pipeline realized on May 7 that it was the victim of a ransomware attack, the company reached out to the Mandiant division of FireEye [FEYE] to help with the incident response and then two other cybersecurity firms as well, Joseph Blount, the company’s CEO, told the House Homeland Security Committee.
Later, the company also hired Dragos and Black Hills Information Security to help with the response, Blount said.
Blount was asked by Rep. James Langevin (D-R.I.) if he would accept assistance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which he noted has offered the company help, “including assistance ensuring the incident was contained and validating the integrity of your OT network.” OT refers to operational technology, basically the systems that, in the case of Colonial Pipeline, control the machinery pumping fuel through the pipelines.
“I think CISA offers great services for companies that perhaps don’t have the resources we have to bring in the best in class with regard to people like Mandiant, Dragos and Black Hills, so I think that’s a good service but in this particular case we were already engaged,” Blount replied.
Langevin then asked if Mandiant missed something, wouldn’t it make sense to use CISA as well, given that “two sets of eyes are better than one.”
Blount said “with all due respect, I have three sets of eyes in already with the parties that I’ve explained we’ve engaged with. From my perspective, I don’t think having a fourth, a fifth and a sixth gets productive.”
Shortly after Colonial Pipeline was attacked, which the company said it realized around 5 a.m. on May 7, it contacted the FBI. The FBI in turn notified CISA and early in the afternoon that day those agencies were on a call with the company to discuss the incident.
Blount, who also testified on Tuesday to the Senate Homeland Security and Governmental Affairs Committee about the incident, said that where CISA has been helpful is in sharing information on the particular cyber threats that compromised Colonial Pipeline’s information technology (IT) network with other operators.
CISA has authorities to help protect federal civilian agencies from cyber-attacks. CISA has no authority to compel the private sector to work with the agency. In addition to offering incident response and recovery services, CISA is the key link in the federal government for sharing information about cybersecurity threats with other agencies and the private sector.
Also, shortly after the attack, Blount made the decision to shut down pipeline operations in case the attack on the company’s IT networks had migrated, or could migrate, to the OT networks. The attack occurred on a Friday, and later the next week the company began restarting pipeline operations.
Colonial Pipeline paid a $4.4 million ransom to DarkSide, a criminal group that provides its ransomware to other criminal groups as a service. The FBI this week tracked down and recaptured $2.3 million of the payments.
Colonial Pipeline operates 5,500 miles of pipeline and supplies about 45 percent of refined fuel products to the East Coast. The shutdown of the company’s operations led to fuel shortages in parts of the East Coast and Mid-Atlantic and demonstrated the fragility of a portion of the nation’s critical infrastructure to cyber-attack.
DarkSide is believed to be based in Russia. President Joe Biden left for a week-long trip to Europe on Wednesday for defense and economic meetings and next week will meet with Russian President Vladimir Putin and plans to bring up the issue of cyberattacks.
While the Colonial Pipeline attack was perpetrated by a criminal group, U.S. authorities believe that Russia could act against them. On top of the recent attack, the U.S. has blamed Russia for a cyber espionage hack that was discovered by FireEye last December and dates back at least a year. That attack, which was carried out through a software supply chain vulnerability, compromised networks of at least nine federal agencies and departments and about 100 companies, many in the technology sector.
The White House has said that the supply chain hack also had the potential to compromise OT networks, making it more than just a case of espionage.
In prepared remarks for both committees, Blount said that Mandiant, Dragos and Black Hills are helping to strengthen his company’s cyber defenses and cybersecurity program. He said Mandiant is helping with the investigation into the incident and helping to restore “what was lost.” Dragos is a leader in OT security.
Paying the ransom to DarkSide enabled Colonial Pipeline to receive keys to decrypt its data and systems that had been frozen. Blount told the Senate panel that while “not perfect,” the keys have been helpful. However, he said that the recovery process will take months. This week, he highlighted, seven financial systems are being brought back online that have been down since May 7.