U.S. lawmakers criticized Colonial Pipeline Co.’s cybersecurity practices as the company’s chief executive officer faced his second day of questioning on Capitol Hill.
“If your pipeline provides fuel to 45% of the East Coast, why are you only hardening systems after an attack? Why wasn’t it done beforehand?” said Representative John Katko, a Republican from New York and ranking member of the House Homeland Security Committee, which held Wednesday’s hearing on lessons learned from the attack.
A ransomware attack early last month forced Colonial to shut down, raising gas prices and causing fuel shortages across the East Coast. CEO Joseph Blount Jr. decided to pay a 75-Bitcoin ransom to the attackers in order to restart operations, and on Monday, the FBI announced that it had recouped 63.7 Bitcoin of this payment. Because of the declining value of Bitcoin since the ransom was paid, the U.S. seizure in late May amounted to $2.3 million, just over half the $4.4 million paid weeks earlier after the ransom was demanded.
“I hope Colonial will use the recouped money to make necessary improvements to its cybersecurity,” said Representative Bennie Thompson, a Democrat from Mississippi who chairs the committee.
Blount largely restated his comments from the day before, when he appeared before a Senate committee, apologizing for the disruption but defending his company’s response. Under questioning, he said he didn’t discuss paying a ransom with the FBI or other U.S. agencies before making the payment.
Blount told lawmakers that he expected that his company’s cyber insurance would cover the cost of the ransom.
“We will be doing a lot of things differently,” he said. “We’re headed toward a lot more hardening and a lot of different architecture than we had before mainly because we’ve been compromised and we need to change.”
Multiple lawmakers questioned why Colonial opted not to participate in the Transportation Security Administration’s voluntary Critical Facility Security Reviews, which include a physical review of pipelines.
“We are concerned, with respect to what’s happened to you, to make sure TSA is able to help,” Donald Payne, a Democratic representative from New Jersey, said. Separately, Representative Bonnie Watson Coleman, a Democrat from New Jersey, asked about Colonial’s postponement of a different type of TSA assessment, the Validated Architectural Design Review, which assesses a pipeline’s cybersecurity.
“Delaying these assessments for so long amounts to declining them, sir,” Watson Coleman said.
Blount denied that the company refused to allow TSA to review its systems, saying it was simply a scheduling conflict and caution over exposing employees during the pandemic.
“We have a good working relationship with TSA. It’s been a function of timing, and again we’ve never refused or denied the part of wanting to participate in that program as a volunteer,” Blount said. The company has now scheduled a TSA security review at the end of July.
Yvette Clarke, a Democratic representative from New York who chairs the subcommittee on cybersecurity, infrastructure protection and innovation, said the Colonial hack represents a “case study on cyber hygiene because it was through an unsecure password that the nation’s largest pipeline was disrupted.”
“I want that to be a lesson to everyone who is listening to this hearing, that we must, must do better with our cyber hygiene.”