August 11, 2022

Colonial Pipeline Missed Requested Security Review Before Hack

Colonial Pipeline Co. last year didn’t undergo a requested federal security review of its facilities and was in the process of scheduling a separate audit of its computer networks when hackers hit on May 7.

The ransomware attack led to a six-day shutdown of the East Coast’s largest conduit for fuel, sparking scrutiny of pipeline security and pushing the Department of Homeland Security to prepare to issue first-of-their-kind cybersecurity regulations for the sector.

It is unclear if an assessment by the Transportation Security Administration, a division of DHS that oversees pipeline security, would have uncovered digital weak points exploited in a hack that U.S. officials attributed to a criminal group known as DarkSide.

A Colonial spokesman said the company offered to undergo a virtual review of its facilities, rather than a typical in-person audit, when TSA officials requested the security check last year. The company had protocols in place at the time to limit employees’ exposure to the coronavirus pandemic, he said.

“We offered to hold this review virtually—as we did with other agencies—but the facility review did not occur,” he said.

The spokesman didn’t comment on why the audit never took place. Representatives for the TSA had no immediate comment.

Colonial has been in contact with TSA officials since March for a separate assessment of its networks, the spokesman said, adding that the company aims to accommodate that request after it has fully recovered its computer systems and completed an investigation of the recent hack.

Officials from Colonial and the TSA have discussed last year’s missed security review in a series of briefings in recent weeks with the U.S. House Homeland Security Committee, according to people familiar with the matter. Colonial Chief Executive

Joseph Blount,

who told The Wall Street Journal last week that he decided to pay hackers a roughly $4.4 million ransom to help restore the company’s computer systems, is slated to testify before the committee on June 9.

Some lawmakers and cybersecurity experts criticized pipeline security standards after the Colonial hack, as many drivers panic-bought gasoline and caused supply shortages in some areas along the East Coast.

While electric utilities face federal cyber requirements, mandatory audits and potential seven-figure fines for violations, regulators have taken a hands-off approach to pipelines and allow companies to set many of the terms of their own oversight.

Some cyber experts say the voluntary compliance has contributed to uneven security investments by pipeline companies, which have digitized more of their systems in recent years to improve efficiency.

The fallout from the Colonial hack has spurred regulators into action.

DHS officials this week said the department is preparing to issue cyber regulations for the pipeline sector in the hope of preventing such attacks. The pending rules would require pipeline companies to report when they are targeted by hackers and to bolster their security measures, The Wall Street Journal reported Tuesday.

The regulations come alongside efforts by the Cybersecurity and Infrastructure Security Agency to counter the growing threat of ransomware across the U.S. economy.

“The Biden administration is taking further action to better secure our nation’s critical infrastructure,” a DHS spokeswoman said Tuesday. “TSA, in close collaboration with CISA, is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”

TSA has guidelines for how companies can tighten access to their systems, improve visibility of potential threats and respond to incidents. Officials with the agency’s pipeline security branch also conduct voluntary reviews of corporate security policies and on-site assessments of facilities that companies deem critical.

The Colonial spokesman said the TSA in 2018 completed security assessments that included three facility reviews and an audit of its security policies.

The TSA team that oversees such work has lacked sufficient cybersecurity expertise and staff for much of the past decade, according to a 2019 Government Accountability Office report. That has hampered pipeline security oversight, the watchdog said, adding that the TSA reviewed corporate security policies of fewer than 10 of the country’s 100 most critical pipeline systems annually from 2013 to 2017.

A TSA spokeswoman said earlier this month that the agency has expanded its pipeline security branch to the equivalent of 34 full-time staffers, up from six in 2018.

More From WSJ Pro Cybersecurity

Write to David Uberti at [email protected].com

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8

in Tech
Related Posts

Amazon Founder Jeff Bezos to Be on Blue Origin’s First Human Space Flight

June 7, 2021

June 7, 2021

Jeff Bezos plans to travel to space next month as one of the first passengers carried by Blue Origin, the...

Concerns Over Meat Supply Ebb as JBS Plants Reopen After Cyberattack

June 3, 2021

June 3, 2021

SYDNEY—Production at JBS SA JBSAY -0.33% meat-processing plants in Australia is coming back online faster than authorities had expected after...

Microsoft’s Combination of CEO and Chairman Roles Goes Against Trend

June 17, 2021

June 17, 2021

Microsoft Corp.’s move to combine the roles of its chief executive and chairman goes against recent governance trends. The Redmond,...

Lordstown Motors Executives Resign Amid Inaccurate Preorder Disclosures

June 14, 2021

June 14, 2021

Lordstown Motors Corp. RIDE -17.43% said its chief executive and top financial leader have resigned, decisions that come amid a...

The Elizabeth Holmes Trial: Theranos Founder Takes the Stand

November 20, 2021

November 20, 2021

SAN JOSE, Calif.—Elizabeth Holmes took the witness stand Friday afternoon to defend herself against criminal-fraud charges tied to the failure...

Roku Shares Fall 8% After Hours on Slower Account Growth

November 3, 2021

November 3, 2021

Roku Inc. reported a slowdown in new active accounts for its streaming services in the latest quarter and guided for...

Driver-Assistance Crashes Attract Closer U.S. Scrutiny

June 29, 2021

June 29, 2021

Federal regulators are tightening their oversight of car crashes that involve advanced driver-assistance or automated-driving features, a shift that follows...

MicroStrategy to Sell New Bitcoin Bond

June 7, 2021

June 7, 2021

MicroStrategy Inc. MSTR -5.77% is borrowing $400 million in junk bonds to buy more bitcoins, adding to the company’s bet...

Bitcoin Price Slips on Elon Musk’s Breakup Meme Tweet

June 4, 2021

June 4, 2021

Bitcoin, dogecoin and other cryptocurrencies skidded Friday, extending their monthlong rout, following another cryptic tweet from Elon Musk. Bitcoin was...

Why Express, Urban Outfitters and J.Crew Now Sell Items From All Over Online

June 15, 2021

June 15, 2021

Express Inc., EXPR -8.92% best known as a presence in American malls, has been testing a new strategy: selling other...

U.S. to Levy Tariffs Over Digital-Service Tax, but Suspend Implementation

June 2, 2021

June 2, 2021

WASHINGTON—The U.S. said Wednesday it will impose tariffs on the U.K. and five other countries in response to their taxes...

Food Giant ADM Bolsters Its Defense Against Hacks, CEO Says

June 24, 2021

June 24, 2021

Agriculture company Archer Daniels Midland Co. ADM 0.70% is shoring up defenses against what it views as inevitable cyberattacks, its...

Hackers Target Videogame Publishers for Ransom, Source Code

June 15, 2021

June 15, 2021

Gamers have struggled for years with hackers who cheat and take over accounts. Now, videogame studios are coming under serious...

Gen Z Gets Career Advice, One TikTok at a Time

May 20, 2021

May 20, 2021

Jackie Cuevas has read a lot of lackluster emails from job seekers. One particularly uninspired entry last May prompted the...

How the FBI Got Colonial Pipeline’s Ransom Money Back

June 11, 2021

June 11, 2021

After Colonial Pipeline Co. on May 8 paid roughly $4.4 million in cryptocurrency to hackers holding its computer systems hostage,...