CISA Awaits Technical Details on Colonial Pipeline AttackActing CISA Director Tells Lawmakers FBI, Not Company, Alerted Agency
The Cybersecurity and Infrastructure Security Agency is still awaiting more technical details from Colonial Pipeline about the Friday ransomware attack that forced it to shut down its operations, the agency's acting director told a Senate committee Tuesday.
"Right now, we are waiting for additional technical information on exactly what happened at Colonial so that we can use that information to potentially protect other potential victims down the road," Acting CISA Director Brandon Wales told the U.S. Senate Homeland Security and Governmental Affairs Committee.
The FBI, and not Colonial Pipeline, contacted CISA to help investigate the attack, and the agency's investigators have been working since the weekend to help determine the size and scope of the incident, Wales testified.
"We have had historically a good relationship with Colonial as well as the cybersecurity firms that are working on their behalf," Wales noted when pressed on the issue by Sen. Rob Portman, R-Ohio, the ranking member of the committee. "We do expect information to come from that, and when we have it, we will use it to help improve cybersecurity more broadly."
In a statement released Monday, Colonial Pipeline said its goal was to "substantially" restore its fuel transport services by the end of this week.
During a briefing at the White House on Tuesday, Energy Secretary Jennifer Granholm told reporters that Colonial Pipeline's management team would make a final decision about restarting operations on Wednesday. That news came as Virginia's governor declared a state of emergency over potential gas shortages tied to the East Coast pipeline shutdown.
At the same White House briefing, Secretary of Homeland Security Alejandro Mayorkas, who has made ransomware one of the DHS' top priorities, said the department is taking steps to ensure that the nation's other critical infrastructure is secure in the wake of the Colonial attack.
"Attacks on our critical infrastructure are not new. There are different levels of strength and resilience across the critical infrastructure enterprise, and that is why we are so focused on making sure that cyber hygiene across the entire enterprise is strengthened," Mayorkas said.
Wales testified at a Senate committee hearing that had been scheduled to discuss the government's response to the SolarWinds supply chain attack and the follow-on campaign targeting about nine federal agencies and 100 companies.
When asked about connections between the SolarWinds supply chain attack and the incident at Colonial Pipeline, Wales told lawmakers that the FBI has determined that the pipeline attack was "criminal," while the SolarWinds attack, which the Biden administration has blamed on Russia's Foreign Intelligence Service, was part of a cyberespionage campaign designed to gather sensitive government data and communications.
The FBI and White House officials said Monday that the Colonial Pipeline attackers used a crypto-locking malware variant called DarkSide, which was developed by a ransomware-as-a-service group of the same name. The group has tried to shift blame for the attack to one of its affiliate organizations, according to a posting on the darknet (see: FBI: DarkSide Ransomware Used in Colonial Pipeline Attack).
CISA and the FBI have not released specific details about the attack, and Colonial Pipeline has not said whether the attackers have contacted the company about a ransom or whether the firm is in contact with the group responsible.
The Georgia-based company connects refineries in the Gulf Coast to customers throughout the southern and eastern U.S. through a pipeline system of more than 5,500 miles. This pipeline carries gasoline, diesel, jet fuel and home heating oil as well as fuel for the military. Colonial Pipeline transports about 45% of all the fuel consumed on the East Coast, and the Biden administration has been monitoring the developments amid growing concerns over fuel shortage and price increase as well as the security implications (see: Colonial Pipeline Starts Recovery From Ransomware).
Responding to Cyberthreats
During opening statements during Tuesday's hearing, Sen. Gary Peters, D-Mich., chairman of the committee, and Portman each noted that the attack that targeted Colonial Pipeline is the fourth major cybersecurity incident of the last six months, following attacks on SolarWinds and vulnerable on-premises Microsoft Exchange email servers as well as exploits of flaws in Pulse Connect Secure VPN products that appear to have affected five executive branch agencies.
"We must continue working to strengthen our cybersecurity defenses and response plans to prevent these types of attacks from occurring in the first place and prevent them from having catastrophic consequences on our daily lives," Peters said during his opening remarks.
Portman and Peters said Congress should consider updating the 2014 Federal Information Security Modernization Act to ensure that federal agencies report when they are victims of attacks. Both senators noted some federal agencies, including the Department of Health and Human Services, that were targeted as part of the SolarWinds supply chain attack failed to report the incident immediately as required by the law.
The two lawmakers are also now pushing a new bill called the Cyber Response and Recovery Act, which would require the secretary of the Department of Homeland Security to declare a "significant cyber incident" when there is a major breach or attack on a public or private network (see: Lawmakers Seek to Expand CISA's Role).
Updating Security Plans
During the hearing, Wales testified that one of the main efforts underway at CISA is creating a joint cyber planning office, which would increase the use of public-private partnerships. Such partnerships were key in the response to the SolarWinds and Exchange attacks, he said. The cyber planning office was authorized under the 2021 National Defense Authorization Act.
Wales also noted that CISA is using the additional $650 million that was allocated to the agency through the American Rescue Plan to invest in cybersecurity measures that will be deployed across the federal government. These include using endpoint detection and response technology to help agencies gather additional data and add a layer of protection, investing in hardened cloud environments for government departments and reengineering IT architectures with a focus on creating "zero trust" protections.