A previous version of this article stated that Colonial Pipeline Co. had spent an estimated $1.5 million on systems integrity over the past five years. The actual figure is $1.5 billion, a number that refers not to cybersecurity investments but to the physical integrity of the pipeline and its related systems. This version has been corrected.
Hackers were able to gain access to the company’s network through an account that was not protected with multi-factor authentication, a basic tenet of corporate cybersecurity. Rather, it was protected by a single password.
“It was a complicated password … I want to be clear on that … it was not a ‘colonial123’-type password,” Blount said. He later added that the company is now compliant with new cybersecurity regulations “almost to a T.”
In prepared remarks obtained by The Washington Post, Blount apologized for the shutdown’s effect on customers and called for the public and private sectors to “develop even more robust tools and intelligence” to prevent future ransomware attacks.
“We are deeply sorry for the impact that this attack had but are heartened by the resilience of our country and of our company,” Blount said in remarks prepared for delivery to the Senate Committee on Homeland Security and Governmental Affairs.
The hearing delved into the company’s preparedness and response, as well as cast a spotlight on the broader cybersecurity posture of U.S. energy infrastructure. Though companies such as Colonial play a crucial role in the nation’s supply chain, they are largely left on their own with respect to cybersecurity.
The pipeline company learned of the cyberattack early May 7, after hackers locked up much of its proprietary data and offered to decrypt it in exchange for a ransom. Without knowing the extent of the attack and seeking to prevent attackers from advancing any further into its systems, the company opted to shut down its pipeline network. That decision, which executives maintain was correct based on what they knew at the time, set off panic buying and gasoline shortages from Texas to New Jersey. It took about a week for fuel availability to return to normal.
The scale of the pipeline cyberattack — as well as a separate hack on the world’s largest meat supplier weeks later ― has elicited responses from the highest levels of government. Where ransomware attacks were once relegated to the world of online scams, affecting primarily the private sector, the threat is increasingly being framed as a matter of national security.
President Biden plans to raise it during his meeting with Group of Seven nations, known as the G-7, in Britain this month as well as with leaders in other meetings during his European trip this month, a senior official said Monday. The administration hopes it can spur the bloc to come up with a robust action plan to prevent and respond to future ransomware attacks.
On Monday, federal officials announced that $2.3 million of the Colonial ransom had been recouped, the first such recovery by a new Justice Department ransomware task force set up in April.
Biden also intends to press the issue directly with Russian President Vladimir Putin during a summit in Geneva next week. Russia harbors cybercriminals who carry out ransomware attacks, experts say, and Biden has said the Kremlin bears “some responsibility” for solving the problem.
Blount said he recognized that there are discussions about what additional regulations may be appropriate in the wake of attack. He offered little insight on whether any federal rules could have prevented such an incident, although he recommended the establishment of a single point of contact to help coordinate the federal response to future attacks.
Blount said there are also limits to what any single company can do to prevent these sorts of attacks. “Colonial Pipeline can — and we will — continue investing in cybersecurity and strengthening our systems,” he said. “But criminal gangs and nation states are always evolving, sharpening their tactics and working to find new ways to infiltrate the systems of American companies and the American government. These attacks will continue to happen, and critical infrastructure will continue to be a target.”
Blount said he decided to pay the ransom that hackers demanded in order to “have every tool available to us to swiftly get the pipeline back up and running.” He added that it was one of the toughest decisions he had ever had to make.
“I believe that restoring critical infrastructure as quickly as possible, in this situation, was the right thing to do for the country,” Blount said in prepared remarks.
In response to questions from Sen. Maggie Hassan (D-N.H.), he acknowledged that his company’s disaster preparedness plan included “no discussion of ransom or action to ransom.” Hassan called that a “stunning admission” in a statement published shortly after the hearing.
“I’ve talked with small school districts in my state of New Hampshire that are better prepared for cyberattacks than Colonial Pipeline was,” Hassan said. “Colonial Pipeline operates critical infrastructure that families and our economy rely on. It is unacceptable that it was so unprepared for a cyberattack, and it is a wake-up call that more must be done to secure our critical infrastructure.”
Blount insisted that the company takes cybersecurity “extremely seriously,” adding that its board of directors has never denied the company’s chief information officer funding for cybersecurity. Blount later said the company has invested more than $200 million into its IT systems over the past five years, in addition to over $1.5 billion in system integrity, referring to the physical integrity of the pipeline.
Blount said in Tuesday’s hearing that his company asked the Treasury Department whether the hacking group was a sanctioned entity before it paid the ransom. Paying a sanctioned entity would have been a violation of federal law.
A House panel will take up the issue Wednesday.
Ellen Nakashima contributed to this report.