The Senate Homeland Security Committee is about to kick off a hearing on the Colonial Pipeline hack with CEO Joseph Blount.

hsgac.senate.gov/hearings/threa…

I'll tweet highlights.
While questioning Colonial CEO Joseph Blount, Senate HSGAC Chair Gary Peters says lawmakers are "working on legislation right now to make sure that information is...being shared" w/ govt.

As we reported: politico.com/news/2021/05/1…
Peters: Where are you today in the restoration process?

Blount: “This week, we're bringing back online seven finance systems that we haven't had since the morning of May 7. ... The remediation is ongoing.”
HSGAC RM Rob Portman: When did you pay the ransom?

Blount: We made the decision to negotiate on the evening of May 7, the day of the hack. But we didn’t make the payment until May 8.
Portman: Did you talk to OFAC before paying, given the potential sanctions implications?

Blount: We hired experts for legal and negotiating assistance, and we checked to make sure that DarkSide was not "an OFAC-sanctioned entity."
Portman: Did DarkSide’s decryption tool work?

Blount: “It has worked.”

Portman: So WSJ story was wrong?

Blount: “That article came out pretty early on...we know subsequently that the encryption decryption tool actually does work to some degree. … It's not a perfect tool.”
Portman: Did you require MFA on all systems prior to the attack?

Blount: Not on the legacy VPN system that was hacked. But that VPN’s password was complicated. “It was not a ‘colonial123’-type password.”

Portman: Agree MFA is critical?

Blount: Yes.
Portman: Do you support TSA’s new pipeline cybersecurity regulations?

Blount: “If you look at our actions starting on May 7, we, almost to the tee, duplicated what the new standards are, and we are in full compliance today as well.”
Portman: Should there be cyber hygiene requirements for critical infrastructure?

Blount: “Anything that can help industry have better security practices standards to follow would be extremely helpful," esp. for smaller companies.
Tom Carper: What’s the most important advice you can offer to other companies?

Blount: Look at your defenses, have an emergency response plan, and be transparent with the authorities.
Carper: How quickly did you contact the FBI?

Blount: “Within hours.”
Blount says Colonial called the FBI's Atlanta office, which referred the company to the FBI’s DarkSide “center of excellence” in California.

Several years ago, the FBI reorganized its cyber operations around threats. This is an example of the specialization in various offices.
Ron Johnson opens his time by saying that Colonial was "not the bad guy here" and encouraging people to treat the company as "the victim of a crime" rather than focusing on what they could have done better.
Maggie Hassan: Did your spending analyses incorporate your responsibility to the public?

Blount: “That's always been our focus our investment.”
Hassan: Cybersecurity doesn’t seem to have been a “formal factor” in your spending analyses.

Blount: “We take cybersecurity very seriously. … We’ve never had our board deny us any funds associated with safety and security. … If my CIO wants funds, she gets them.”
James Lankford says the Colonial hack shows the need for pipelines, calling them "essential to America" and mentioning liberal opposition to projects such as the Keystone XL pipeline.
Jacky Rosen: Is it true, as press reported, that you refused to participate in a voluntary CISA/TSA security review?

Blount: “That [report] was quite a shock to me and quite a shock to our CIO.”

He doesn't deny it.
Rosen: Do you participate in security reviews on a regular basis?

Blount: “We do participate in periodic penetration tests, we do auditing, outside auditing, of our cyber procedures and our IT department."
Rosen: Should you have been personally involved in security reviews?

Blount: "While it'd be nice to be involved in every conversation ... I can't be every place at once. ... It was well taken care of by any number of my management team members."
Rosen: Why didn’t you directly share information with CISA?

Blount: “We knew that CISA would be notified and brought into the conversation. We had a conversation with CISA the first day as a result of that connection with the FBI. If the FBI had not called them, we would have.”
Blount on acting CISA Director Brandon Wales saying Colonial wasn't sharing data:

“I don't know why he made that statement, but I can tell you, we would have called him. There's no reason not to. We were extremely transparent, and we wanted all the help that we could get..."
Josh Hawley: Why didn’t you accept TSA’s offer of a comprehensive cybersecurity review?

Blount: We were setting it up. COVID and a building move made it difficult.

Hawley: Do you regret not doing it?

Blount: “Anything that you could do is always helpful.”
Hawley: Do you think the TSA review would have just duplicated what you were already checking?

Blount: “I think in this case, it probably would not have resulted in finding that legacy VPN. They don't actually go into the system. It's a questionnaire-format type thing.”
Hawley: What should Congress require companies like yours to do?

Blount: “I think what Congress should require is that we have a focus on safety and security of this critical asset.”
Jon Ossoff: Can you share Mandiant’s incident report once it’s finished?

Blount: “I don’t think there’s any issue with that. ... We'll be very transparent."
Peters, adjourning the hearing, says, “Cyberattacks used to be merely an inconvenience. We now know that they're becoming attacks on our very way of life.”
