BOSTON – An outside audit three years ago of the major East Coast pipeline company hit by a cyberattack found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author told The Associated Press.
“We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”
How far the company, Colonial Pipeline, went to address the vulnerabilities isn't clear. Colonial said Wednesday that since 2017, it has hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%. While it did not specify an amount, it said it has spent tens of millions of dollars.
"We are constantly assessing and improving our security practices — both physical and digital,” the privately held Georgia company said in response to questions from the AP about the audit's findings. It did not name the firms who did cybersecurity work but one firm, Rausch Advisory Services, located in Atlanta near Colonial's headquarters, acknowledged being among them. Colonial's chief information officer sits on Rausch's advisory board.
Colonial has not said how the hackers penetrated its network. How vulnerable it was to compromise is sure to be intensely scrutinized by federal authorities and cybersecurity experts as they consider how the most damaging cyberattack on U.S. critical infrastructure might have been prevented.
Friday's pipeline shutdown has led to distribution problems and panic-buying, draining supplies at thousands of gas stations in the Southeast. Colonial said it initiated the restart of pipeline operations on Wednesday afternoon and that it would take several days for supply delivery to return to normal.
Ransomware attacks have reached epidemic levels as foreign criminal gangs paralyze computer networks at state and local governments, police departments, hospitals and universities — demanding large sums to decrypt the data. Many organizations have failed to invest in the safeguards needed to fend off such attacks, though U.S. officials worry even more about state-backed foreign hackers doing more serious damage.
Any shortcomings by Colonial would be especially egregious given its critical role in the U.S. energy system, providing the East Coast with 45% of its gasoline, jet fuel and other petroleum products.
Smallwood, a partner at iMERGE and managing director of the Institute for Information Governance, said he prepared a 24-month, $1.3 million plan for Colonial. While iMERGE’s audit was not directly focused on cybersecurity “we found many security issues, and that was put in the report.”
Colonial’s statements Wednesday suggest it may have heeded a number of Smallwood’s recommendations. In addition, it says it has active monitoring and overlapping threat-detection systems on its network and identified the ransomware attack “as soon as we learned of it.” Colonial said its IT network is strictly segregated from pipeline control systems, which were not affected by the ransomware.
Unlike electrical utilities, the pipeline industry is not subject to mandatory cybersecurity standards, which the Federal Energy Regulatory Commission chair, Richard Glick, called for in a statement Tuesday.
Smallwood’s study was not a cybersecurity audit. It focused on ensuring smooth operations and preventing data theft, which is exactly what Colonial suffered last week. Colonial is not saying what the cybercriminals took before activating the ransomware.
The hackers, from a Russian-speaking syndicate called DarkSide, steal data before locking up networks to doubly extort victims. If a victim refuses to pay, they not only refuse to unscramble the data, they threaten to release sensitive material online. Colonial has not said whether it paid DarkSide.
Smallwood read portions of his report to the AP but would not share it because he said some of the content is confidential. He said he was paid about $50,000 for it.
He cited, for example, Colonial's inability to locate a particular maintenance document. "You’re supposed to be able to find it within 15 minutes. It took them three weeks.”
Locating such a document could be crucial in responding to an accident or keeping up-to-date pipeline inspection records to prevent leaks, Smallwood said.
Colonial experienced one of the worst gasoline spills in U.S. history last August, contaminating a nature preserve north of Charlotte . After it was discovered by two teenagers, the spill's severity was not immediately clear as Colonial's initial reports indicated a far lower volume. North Carolina environmental regulators angrily called the company's failure to promptly provide reliable data unacceptable. Colonial says it released the best available data on spill volume as the discovery progressed.
Separately, shippers have complained to the Federal Energy Regulatory Commission that Colonial inflated what it spends on pipeline integrity to deflect accusations it overcharges them. Colonial rejects this, citing the rising costs of safely maintaining its system.
Bill Caram, executive director of the nonprofit watchdog Pipeline Safety Trust, called worrisome the allegations of deficient IT management, piecemeal spill reporting and pipeline integrity issues.
“I think all these things just could paint a picture of the culture at Colonial maybe not taking risks seriously enough,” he said.
Smallwood said he was reluctant to go public about the Colonial audit for fear of alienating future clients “but the gravity of the situation demands that the public know just how fragile some of these systems within our infrastructure are.”
One of his main recommendations was that Colonial hire a chief information security officer, a position that cybersecurity experts consider essential in any company with infrastructure vital to national security. Colonial said it instead assigned those responsibilities to a subordinate of chief information officer Marie Mouchet.
Mouchet was on the advisory board of Rausch when it did a cybersecurity study for Colonial concurrent to Smallwood’s audit. Asked if that might present a conflict of interest, Rausch CEO Michael Lisenby said Mochet's advisory board seat is an unpaid, voluntary position.
Smallwood’s recommendations included a data loss prevention program to ensure highly confidential, marketable data — such as details on how the pipeline is used — could not be easily removed.
Colonial says it has strengthened data-loss-prevention defenses with three different software tools that provide alerts when data leaves the network.
Smallwood said he found no security-awareness training, which mostly teaches employees not to fall victim to phishing, the cause of more than 90% of cyber-intrusions. But Colonial said its expanded cybersecurity regime includes regular simulated phishing campaigns for employees.
The audit “covered environmental procurement, legal risk, business development, asset integrity, accounting and tax safety operations, information technology, (Microsoft) SharePoint and human resources. And so it was a very comprehensive assessment,” said Smallwood.
Originally founded by nine oil companies in 1962, Colonial is privately held. It's owners include a pair of private equity firms, a Canadian fund manager, a Koch Industries subsidiary and a subsidiary of Shell Midstream Partners. The company does not release earnings or revenue figures.
This story has been updated to correct reference to one of the owners of Colonial. It is a Koch Industries subsidiary, not a Koch Brothers subsidiary.