October 1, 2022

Colonial Pipeline Missed Requested Security Review Before Hack

Colonial Pipeline Co. last year didn’t undergo a requested federal security review of its facilities and was in the process of scheduling a separate audit of its computer networks when hackers hit on May 7.

The ransomware attack led to a six-day shutdown of the East Coast’s largest conduit for fuel, sparking scrutiny of pipeline security and pushing the Department of Homeland Security to prepare to issue first-of-their-kind cybersecurity regulations for the sector.

It is unclear if an assessment by the Transportation Security Administration, a division of DHS that oversees pipeline security, would have uncovered digital weak points exploited in a hack that U.S. officials attributed to a criminal group known as DarkSide.

A Colonial spokesman said the company offered to undergo a virtual review of its facilities, rather than a typical in-person audit, when TSA officials requested the security check last year. The company had protocols in place at the time to limit employees’ exposure to the coronavirus pandemic, he said.

Many pipeline operators similarly restricted TSA officials’ access during the pandemic, an agency spokeswoman said.

“There is no virtual substitute for this review, as it requires physical review of critical pipeline components,” she said. “Postponed reviews are being rescheduled as those [companies’] restrictions lift.”

Colonial has been in contact with TSA officials since March for a separate assessment of its networks, the spokesman said, adding that the company aims to accommodate that request after it has fully recovered its computer systems and completed an investigation of the recent hack.

Officials from Colonial and the TSA have discussed last year’s missed security review in a series of briefings in recent weeks with the U.S. House Homeland Security Committee, according to people familiar with the matter. Colonial Chief Executive

Joseph Blount,

who told The Wall Street Journal last week that he decided to pay hackers a roughly $4.4 million ransom to help restore the company’s computer systems, is slated to testify before the committee on June 9.

Some lawmakers and cybersecurity experts criticized pipeline security standards after the Colonial hack, as many drivers panic-bought gasoline and caused supply shortages in some areas along the East Coast.

While electric utilities face federal cyber requirements, mandatory audits and potential seven-figure fines for violations, regulators have taken a hands-off approach to pipelines and allow companies to set many of the terms of their own oversight.

Some cyber experts say the voluntary compliance has contributed to uneven security investments by pipeline companies, which have digitized more of their systems in recent years to improve efficiency.

The fallout from the Colonial hack has spurred regulators into action.

DHS officials this week said the department is preparing to issue cyber regulations for the pipeline sector in the hope of preventing such attacks. The pending rules would require pipeline companies to report when they are targeted by hackers and to bolster their security measures, The Wall Street Journal reported Tuesday.

The regulations come alongside efforts by the Cybersecurity and Infrastructure Security Agency to counter the growing threat of ransomware across the U.S. economy.

“The Biden administration is taking further action to better secure our nation’s critical infrastructure,” a DHS spokeswoman said Tuesday. “TSA, in close collaboration with CISA, is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”

TSA has guidelines for how companies can tighten access to their systems, improve visibility of potential threats and respond to incidents. Officials with the agency’s pipeline security branch also conduct voluntary reviews of corporate security policies and on-site assessments of facilities that companies deem critical.

The Colonial spokesman said the TSA in 2018 completed security assessments that included three facility reviews and an audit of its security policies.

The TSA team that oversees such work has lacked sufficient cybersecurity expertise and staff for much of the past decade, according to a 2019 Government Accountability Office report. That has hampered pipeline security oversight, the watchdog said, adding that the TSA reviewed corporate security policies of fewer than 10 of the country’s 100 most critical pipeline systems annually from 2013 to 2017.

A TSA spokeswoman said earlier this month that the agency has expanded its pipeline security branch to the equivalent of 34 full-time staffers, up from six in 2018.

More From WSJ Pro Cybersecurity

Write to David Uberti at [email protected]

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8

Related Posts

Zoom Reports Customer Growth in Latest Quarter, Raises Expectation

June 1, 2021

June 1, 2021

Zoom Video Communications Inc. ZM -1.15% said that its largest customers by revenue more than doubled from a year earlier,...

U.S. and Taiwan Set Date to Revive Trade and Investment Talks

June 25, 2021

June 25, 2021

TAIPEI—The U.S. will revive trade and investment talks with Taiwan next week in a move intended to draw Washington and...

Covid-19 Aid to Concert Halls, Theaters Set to Be Distributed Next Week

May 21, 2021

May 21, 2021

WASHINGTON—The Small Business Administration is aiming to start awarding Covid-19 aid to concert halls, theaters and other live-entertainment venues early...

United Airlines Bets on Post-Pandemic Growth With Its Biggest Ever Jet Order

June 29, 2021

June 29, 2021

United Airlines Holdings Inc. is making its largest ever plane order, adding Boeing and Airbus jets to fuel its post-pandemic...

Wage Gains at Factories Fall Behind Growth in Fast Food

June 22, 2021

June 22, 2021

Pay for factory jobs has grown so slowly in the U.S. that manufacturers are having trouble competing with fast-food restaurants....

Theranos Founder Elizabeth Holmes’s Emails With Law Firm Allowed at Trial

June 3, 2021

June 3, 2021

A federal judge rejected Theranos Inc. founder Elizabeth Holmes’s request to keep her emails with law firm Boies Schiller Flexner...

Chip Shortage Brings Frustration but More Business to Industry’s Middlemen

June 13, 2021

June 13, 2021

TAIPEI—When buyers need chips in a pinch, they turn to Erik Drown, a middleman who is able to source scarce...

The Southwest Is America’s New Factory Hub. ‘Cranes Everywhere.’

June 1, 2021

June 1, 2021

Companies producing everything from steel to electric cars are planning and building new plants in Southwest states, far from historical...

Americans Are Leaving Unemployment Rolls More Quickly in States Cutting Off Benefits

June 27, 2021

June 27, 2021

The number of unemployment-benefit recipients is falling at a faster rate in Missouri and 21 others states canceling enhanced and...

Hackers Linked to SolarWinds Return With Phishing Attack, Microsoft Says

May 28, 2021

May 28, 2021

The Russia-linked hackers behind the cyberattack on SolarWinds SWI -0.72% have returned, launching a phishing attack targeting approximately 3,000 email...

Toshiba Shareholders Oust Chairman in Landmark for Foreign Activists

June 25, 2021

June 25, 2021

TOKYO— Toshiba Corp.’s TOSYY 0.18% chairman was ousted in a vote at the company’s annual meeting, a milestone in Japanese...

10 STEPS TO BECOMING AN SEO EXPERT

July 29, 2021

July 29, 2021

Having SEO expertise is not the exclusive privilege of SEO professionals. This is a skill that can be mastered by...

U.S. Retail Spending Fell 1.3% in May

June 15, 2021

June 15, 2021

Retail sales dropped 1.3% in May as shoppers pulled back on goods purchases and shifted more of their spending to...

Eli Lilly to Seek FDA Approval for Alzheimer’s Drug

June 24, 2021

June 24, 2021

Eli Lilly & Co. plans to seek approval for its Alzheimer’s drug later this year, a sign that regulators are...

UBS Says Hybrid Work Is Here to Stay

June 28, 2021

June 28, 2021

UBS Group AG will allow around two-thirds of its staff to mix working from home and the office as an...