'I put the interests of the country first': Colonial Pipeline CEO on why oil biz paid off ransomware crooks

The boss of Colonial Pipeline has appeared before a Senate Committee to explain the events which led to US East Coast fuel supplies running dry last month and some $5m being handed over in ransom. Speaking yesterday before the Senate Homeland Security Committee, Joseph Blount was quizzed about the incident before it became …

  1. Blofeld's Cat
    Coat

    Er ...

    '... the password used to gain access to the VPN was "complex" – it wasn't just "colonial123" ...'

    So "Coloni4l123!" then?

    1. Throatwarbler Mangrove Silver badge
      Joke

      Re: Er ...

      Oilpipelinebatterystaple

      1. KarMann Silver badge
    2. katrinab Silver badge
      Coat

      Re: Er ...

      Colonial1!

      Has upper and lower-case letters, numbers, and symbols.

    3. Anonymous Coward
      Anonymous Coward

      Re: So "Coloni4l123!" then?

      No, the password was literally the string "complex". It says so right there in the article :-)

      1. Phil O'Sophical Silver badge

        Re: So "Coloni4l123!" then?

        Speak friend, and enter?

      2. Version 1.0 Silver badge

        Re: So "Coloni4l123!" then?

        Maybe it was "1complexpassword" - but most likely it was something like GJt75$fhSwE09^ but written down on a sticky note attached to the underside of the keyboard because good safe passwords are very hard to remember... If I was in the malware business I would be financing an office cleaning company...

    4. Glen Turner 666

      Re: Er ...

      A "complex password" can't be brute-forced. So the password was picked up from the configuration of the VPN client on an employee's laptop. That's most likely because the employee's laptop was hacked and that VPN configuration file was one of the files exfiltrated and then offered for sale on a darkweb site.

      Later evidence by Colonial's CEO mentioned locking accounts of departed staff. That might be a generic suggestion, or it might be a hint.

      The main VPN used by the company already had 2FA. So there's also a lesson here about withdrawing old services, and in making sure replacement services fulfill the full range of requirements so that old services can be withdrawn.
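The lesson in this comment about departed-staff accounts and a legacy gateway without MFA, as an added example that is not from the article or any commenter: a small audit over a constructed remote-access inventory that flags accounts on gateways without MFA, accounts of departed staff and long-unused accounts, and reports whether a non-MFA gateway can be switched off without cutting anyone off. Gateway names, usernames, dates and the data layout are all invented.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class VpnAccount:
    gateway: str      # which remote-access gateway the account lives on
    username: str
    last_login: date


# Constructed inventory (invented names, dates and gateway labels): a legacy
# gateway with no MFA beside the main gateway that enforces it.
GATEWAY_MFA = {"legacy-vpn": False, "main-vpn": True}
ACCOUNTS = [
    VpnAccount("legacy-vpn", "jdoe", date(2021, 4, 29)),   # jdoe has left the company
    VpnAccount("legacy-vpn", "asmith", date(2020, 11, 2)),  # legacy login unused for months
    VpnAccount("main-vpn", "asmith", date(2021, 5, 6)),
    VpnAccount("main-vpn", "bwong", date(2021, 5, 7)),
]
ACTIVE_STAFF = {"asmith", "bwong"}   # current staff according to HR
SAMPLE_TODAY = date(2021, 5, 8)


def audit(accounts, active_staff, gateway_mfa, today, stale_after=timedelta(days=90)):
    """Return (gateway, username, issue) triples, one per problem found."""
    findings = []
    for a in accounts:
        if not gateway_mfa.get(a.gateway, False):
            findings.append((a.gateway, a.username, "gateway does not enforce MFA"))
        if a.username not in active_staff:
            findings.append((a.gateway, a.username, "account belongs to departed staff"))
        if today - a.last_login > stale_after:
            findings.append((a.gateway, a.username, "account unused beyond threshold"))
    return findings


def retirement_blockers(accounts, active_staff, gateway_mfa):
    """For each gateway without MFA, the current staff who have no account on an
    MFA gateway; an empty set means the legacy gateway can be switched off."""
    covered = {a.username for a in accounts if gateway_mfa.get(a.gateway, False)}
    blockers = {}
    for gw, mfa in gateway_mfa.items():
        if mfa:
            continue
        users = {a.username for a in accounts if a.gateway == gw}
        blockers[gw] = {u for u in users if u in active_staff and u not in covered}
    return blockers


if __name__ == "__main__":
    for finding in audit(ACCOUNTS, ACTIVE_STAFF, GATEWAY_MFA, SAMPLE_TODAY):
        print(*finding)
    print(retirement_blockers(ACCOUNTS, ACTIVE_STAFF, GATEWAY_MFA))
```

On the sample data the legacy gateway has no blockers, because its only user who is not also on the MFA gateway is the departed account.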

  2. Yet Another Anonymous coward Silver badge

    I put the interests of the country first

    Ahead of shareholders?

    Isn't that the very definition of communism?

    1. DS999 Silver badge

      Re: I put the interests of the country first

      What's good for GM^H^H Continental Pipeline is good for the country

    2. Xalran

      Re: I put the interests of the country first

      There's no Shareholders in communism, everything is owned by the state.

      1. avakum.zahov

        Re: I put the interests of the country first

        But, who owns the state ...

  3. Mr. Moose
    FAIL

    I Regret that I Have Only One Country to Give for My Money!

    The hackers didn't shut down the pipeline. The hackers hacked the billing system. Colonial shut down their own pipeline because they couldn't bill their customers.

    That's what I call "Putting the Country First".

    Also: Using a "legacy VPN", reusing passwords, and no recovery infrastructure is a security plan. Got it.

    Many of you know just how cheap corporate types are when it comes to IT and security. There will be more like this, unfortunately.

    1. Woodnag

      The Big Lie

      Colonial will keep saying that they Did The Right Thing to drown out the voices saying "Errrm, no...".

    2. Mr. Moose
      Devil

      <Sound of unsecured infrastructure crashing>

      SCADA-BOOM!

    3. DS999 Silver badge

      It isn't only the billing system

      It isn't a single pipe from point A to point B. It is a huge number of pipes that go to a lot of places and carry a lot of different stuff like various grades of gas, jet fuel, and other products. They have to know what to send where, and their internal systems manage that as well.

      It isn't as simple as "they should have just turned it on and made everything free"

      1. Mr. Moose

        Re: It isn't only the billing system

        Fair enough. So, what could they realistically do without the system? I don't want to just jump on people, but it sounds like they were at fault for not securing their systems. I was sort of hoping to hear more from knowledgeable industry types in this publication. So far it's only us in the peanut gallery giving Bronx Cheers.

        They, and other similarly situated companies hold our lives in their hands. Ask Texans, who froze to death when their power went out because companies went cheap by not protecting their turbines against freezing, after they had been warned. This is a common problem.

        I've been reading about the threat to SCADA and industrial systems for years. What's being done? People seem to wait until the "Big One" to do something.

        1. Dvon of Edzore

          Re: It isn't only the billing system

          Worse, the systems were almost secure, leading to a bit of complacency. If you read the neighboring story about Identity and Access Management, you'd know how difficult it is maintaining a list of every VPN and other hole in Hadrian's Wall that let those annoying Pictsies in. Oopsie!

          It's a pretty standard response to go on lockdown when a breach is suspected, so I don't blame Colonial for their first actions. I do blame them for having a network design that was easy to move about once inside. The days one can trust local systems to be clean ended with the "I Love You" email virus, and Management will just have to pay to do things a bit differently.

          To other admins: I'm in the midst of a similar security upgrade, so I share your headache.

    4. Glen Turner 666

      Re: I Regret that I Have Only One Country to Give for My Money!

      The CEO said that their finance system just came back online this week. So they're obviously happy to run the pipeline first and work out the bills later.

      It was the production supervisor who used their "stop work" power to halt the pipeline, without reference up the management chain. The supervisor did this because a hack of the SCADA systems which control the pipeline could kill people across the east coast of the USA. When the pipeline was shut down it wasn't clear if the ransomware had got that far, but the production supervisor simply followed the firm's safety policy that people matter first and acted to minimise the risk to people.

      As for recovery, that's a fair argument. The pipeline was restarted manually, using the expertise of long-serving employees from the era when manual operation was the norm. Many of those employees are near retirement age. The CEO said to the Senate Committee that they'll make manual operation part of training going forward.

      It took until two weeks after the incident for Mandiant, the contractors Colonial employed, to determine that the SCADA system hadn't been affected. So it's unreasonable to think that someone at Colonial could have made that decision shortly after the ransomware attack. There's a lesson there for SCADA software developers -- it shouldn't be that hard to determine the integrity of the software.

      [The facts above are from the CEO's evidence to the Senate Committee, the interpretation is mine.]

  4. Claptrap314 Silver badge

    I. do. not. get. it.

    I worked for a company with a particularly...interesting system. They did their billing on the second of the month, starting at 0200. It needed to lock the database that our company ran on, it took hours to run, and it tended to break.

    In that area, Comcast did its monthly network thingy on the second of the month, starting at 0100.

    Guess who drove 40 minutes to work once a month at 0100?

    Explain to me exactly why the correct business decision is to allow critical infrastructure controllers to be connected to the internet in the first place. Use small words.

  5. Potemkine! Silver badge

    Paying ransomware is helping one's country? WTF! How is encouraging ransomware scum helping anybody?

    1. Yet Another Anonymous coward Silver badge

      They play a vital role in keeping M2 high, which is critical for any economy

  6. Lunatic Looking For Asylum

    To quote his Bobness, paraphrasing Dr J I think

    "They say that patriotism is the last refuge to which a scoundrel clings"
