About That Pipeline: ‘An 8th-grader Could Have Hacked into That System’

'We found glaring deficiencies and big problems...'

(Associated Press) An outside audit three years ago of the major East Coast pipeline company hit by a cyberattack found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author told the Associated Press.

“We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”

How far the company, Colonial Pipeline, went to address the vulnerabilities isn’t clear. Colonial said Wednesday that since 2017, it has hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%. While it did not specify an amount, it said it has spent tens of millions of dollars.

“We are constantly assessing and improving our security practices — both physical and digital,” the privately held Georgia company said in response to questions from the AP about the audit’s findings.

It did not name the firms who did cybersecurity work but one firm, Rausch Advisory Services, located in Atlanta near Colonial’s headquarters, acknowledged being among them. Colonial’s chief information officer sits on Rausch’s advisory board.

Colonial has not said how the hackers penetrated its network. How vulnerable it was to compromise is sure to be intensely scrutinized by federal authorities and cybersecurity experts as they consider how the most damaging cyberattack on U.S. critical infrastructure might have been prevented.

Friday’s pipeline shutdown has led to distribution problems and panic-buying, draining supplies at thousands of gas stations in the Southeast. Colonial said it initiated the restart of pipeline operations on Wednesday afternoon and that it would take several days for supply delivery to return to normal.

Ransomware attacks have reached epidemic levels as foreign criminal gangs paralyze computer networks at state and local governments, police departments, hospitals and universities — demanding large sums to decrypt the data. Many organizations have failed to invest in the safeguards needed to fend off such attacks, though U.S. officials worry even more about state-backed foreign hackers doing more serious damage.

Any shortcomings by Colonial would be especially egregious given its critical role in the U.S. energy system, providing the East Coast with 45% of its gasoline, jet fuel and other petroleum products.

Smallwood, a partner at iMERGE and managing director of the Institute for Information Governance, said he prepared a 24-month, $1.3 million plan for Colonial. While iMERGE’s audit was not directly focused on cybersecurity “we found many security issues, and that was put in the report.”

Colonial’s statements Wednesday suggest it may have heeded a number of Smallwood’s recommendations. In addition, it says it has active monitoring and overlapping threat-detection systems on its network and identified the ransomware attack “as soon as we learned of it.” Colonial said its IT network is strictly segregated from pipeline control systems, which were not affected by the ransomware.

Unlike electrical utilities, the pipeline industry is not subject to mandatory cybersecurity standards, which the Federal Energy Regulatory Commission chair, Richard Glick, called for in a statement Tuesday.

Smallwood’s study was not a cybersecurity audit. It focused on ensuring smooth operations and preventing data theft, which is exactly what Colonial suffered last week. Colonial is not saying what the cybercriminals took before activating the ransomware.

The hackers, from a Russian-speaking syndicate called DarkSide, steal data before locking up networks to doubly extort victims. If a victim refuses to pay, they not only refuse to unscramble the data, they threaten to release sensitive material online. Colonial has not said whether it paid DarkSide.

Smallwood read portions of his report to the AP but would not share it because he said some of the content is confidential. He said he was paid about $50,000 for it.

He cited, for example, Colonial’s inability to locate a particular maintenance document. “You’re supposed to be able to find it within 15 minutes. It took them three weeks.”

Locating such a document could be crucial in responding to an accident or keeping up-to-date pipeline inspection records to prevent leaks, Smallwood said.

Colonial experienced one of the worst gasoline spills in U.S. history last August, contaminating a nature preserve north of Charlotte. After it was discovered by two teenagers, the spill’s severity was not immediately clear as Colonial’s initial reports indicated a far lower volume. North Carolina environmental regulators angrily called the company’s failure to promptly provide reliable data unacceptable. Colonial says it released the best available data on spill volume as the discovery progressed.

Separately, shippers have complained to the Federal Energy Regulatory Commission that Colonial inflated what it spends on pipeline integrity to deflect accusations it overcharges them. Colonial rejects this, citing the rising costs of safely maintaining its system.

Bill Caram, executive director of the nonprofit watchdog Pipeline Safety Trust, called worrisome the allegations of deficient IT management, piecemeal spill reporting and pipeline integrity issues.

“I think all these things just could paint a picture of the culture at Colonial maybe not taking risks seriously enough,” he said.

Smallwood said he was reluctant to go public about the Colonial audit for fear of alienating future clients “but the gravity of the situation demands that the public know just how fragile some of these systems within our infrastructure are.”

One of his main recommendations was that Colonial hire a chief information security officer, a position that cybersecurity experts consider essential in any company with infrastructure vital to national security. Colonial said it instead assigned those responsibilities to a subordinate of chief information officer Marie Mouchet.

Mouchet was on the advisory board of Rausch when it did a cybersecurity study for Colonial concurrent to Smallwood’s audit. Asked if that might present a conflict of interest, Rausch CEO Michael Lisenby said Mouchet’s advisory board seat is an unpaid, voluntary position.

Smallwood’s recommendations included a data loss prevention program to ensure highly confidential, marketable data — such as details on how the pipeline is used — could not be easily removed.

Colonial says it has strengthened data-loss-prevention defenses with three different software tools that provide alerts when data leaves the network.

Smallwood said he found no security-awareness training, which mostly teaches employees not to fall victim to phishing, the cause of more than 90% of cyber-intrusions. But Colonial said its expanded cybersecurity regime includes regular simulated phishing campaigns for employees.

The audit “covered environmental procurement, legal risk, business development, asset integrity, accounting and tax safety operations, information technology, (Microsoft) SharePoint and human resources. And so it was a very comprehensive assessment,” said Smallwood.

Originally founded by nine oil companies in 1962, Colonial is privately held. Its owners include a pair of private equity firms, a Canadian fund manager, a Koch Industries subsidiary and a subsidiary of Shell Midstream Partners. The company does not release earnings or revenue figures.
