Washington — The CEO of the company that shut down its pipeline during a ransomware attack last month apologized to lawmakers for the disruption caused by the incident, but defended his decision to close the pipeline and pay a ransom to the hackers.
“We are deeply sorry for the impact that this attack had, but are also heartened by the resilience of our country and of our company,” Joseph Blount, the CEO of the Colonial Pipeline Company, told the Senate Homeland Security and Governmental Affairs Committee on Tuesday in his first congressional appearance since the attack.
Blount’s testimony came amid growing calls for U.S. companies to bolster cyber defenses and as lawmakers formulate a response to the attack on critical infrastructure. Last month, the hijacking of Colonial Pipeline’s IT system prompted the company to shut down the pipeline, a 5,500-mile track responsible for delivering 45% of the East Coast’s fuel supply. The incident sparked panic buying and spikes in gasoline prices in more than a dozen states along the East Coast.
The CEO, who has led Colonial Pipeline since 2017, defended the company’s decision to close the pipeline and pay a ransom worth roughly $4.3 million in bitcoin amid fears of a prolonged shutdown. The Justice Department said Monday that the FBI recovered roughly $2.3 million worth of the bitcoin payment.
“Shutting down the pipeline was absolutely the right decision, and I stand by our employees’ decision to do what they were trained to do,” Blount told lawmakers. The chief executive said paying the ransom was “the hardest decision I’ve made in my 39 years in the energy industry.” The decision to pay up was made on May 7 and executed on May 8, according to Blount.
Blount noted that the pipeline operator first contacted the FBI’s Atlanta office, which referred the company to the agency’s “center of excellence” in California, which specializes in ransomware crimes.
He said that although he understands the federal government opposes ransom payments, he cannot recall having any specific conversations about the decision to pay with FBI or other government officials. Ultimately, the payment was executed through lawyers and negotiators, according to Blount.
The hackers, believed by the FBI to be a Russia-based group known as DarkSide, gained access to the company’s computer system in late April by using a compromised account to log in to the company’s virtual private network, Blount confirmed. The encrypted internet connection enables employees to remotely access Colonial Pipeline’s network, but “was not intended to be in use,” the CEO conceded. The account lacked an extra layer of security known as multi-factor authentication, Blount confirmed, though it remains unclear how criminals got ahold of the login credentials.
And while the attack compromised Colonial Pipeline’s IT systems, Blount told lawmakers there is no evidence thus far that the criminal infiltration impacted the company’s operational systems. Colonial Pipeline has enlisted the help of three private cybersecurity firms in the wake of the attack — Mandiant, Dragos and Black Hills Information Security.
Blount added that DarkSide provided decryption keys to Colonial to regain control of its systems following the ransom payment, which he said were “advantageous” but not a perfect fix. According to the chief executive, efforts to restore the company’s operations are “ongoing,” and financial systems were brought online Tuesday.
Just last week, the world’s largest meat processor, Brazil-based JBS, was forced to halt cattle-slaughtering operations at 13 of its meat processing plants in the U.S. after it was the target of a ransomware attack attributed to the Russian-speaking ransomware gang “REvil.” On Tuesday morning, a private company that provides constituent services to congressional and state government offices — iConstituent — became the latest victim in a string of cyber attacks.
“As I’ve said before, no one is safe from these attacks including us,” said Ohio Republican Senator Rob Portman, the ranking member of the committee.
Last month, the Biden administration required that pipeline companies report cyber incidents to federal authorities. The directive required pipeline owners and operators to designate “a 24/7, always available cybersecurity coordinator” to coordinate with two federal agencies in the event of a cyber incident.
But a slew of critical infrastructure sectors — including dams, public health and agriculture — still do not impose mandatory cybersecurity standards. Lawmakers have been mulling new legislation to institute mandatory cyber requirements. Similar action failed nearly a decade ago in the face of strong industry dissent.
“Protecting the American people from these sophisticated, harmful and growing attacks will not be easy,” Michigan Senator Gary Peters, the Democratic chairman of the committee, said at the start of the hearing. “Inaction is simply not an option.”
Energy Secretary Jennifer Granholm said in an interview Sunday that she also supports a law banning companies from paying ransom to hackers in cyberspace.
Blount returns to Capitol Hill on Wednesday to testify before the House Homeland Security Committee.