No Need for an Extensive Hunt Just Read Below |
On June 8th Joseph E. Blount, Jr., President and CEO of Colonial Pipeline testified before the US Senate Committee on Homeland Security and Governmental Affairs.
I have annotated quotes from his prepared statement before the Committee to provide further context and set the stage for a following post on the Committee’s reaction.
Quote 1
Colonial Pipeline is cognizant of the important role we play as critical infrastructure. We recognize our significance to the economic and national security of the United States and know that disruptions in our operations can have serious consequences.
That certainly sounds promising, Colonial acknowledges its “significance to the economic and national security of the United States”.
Based on that we can expect a description of the robust measures that Colonial took to prevent hacking and ransomware attacks.
Quote 2
I recognize that the attackers were able to access our systems. While that never should have happened, it is a sobering fact that we cannot change.
Indeed it should never have happened.
It is as well a “sobering fact”.
While great philosophers have debated whether a “sobering fact” is more urgent than a “wake-up call”, I think it’s safe to say that they largely agree that for a fact to be “sobering” one must not have been a “sober” state prior thereto.
Quote 3
We take our role in the United States infrastructure system very seriously.
With a previously reported 30%+ net profit margin, very seriously no doubt.
That aside, I guess we’re about to hear about Colonial’s robust preventive measures and the millions spent on cybersecurity.
I’d note that I take my role as a parent very seriously with respect to the safety of my children while traveling in our car.
That means of course that the Prince of Wails is secured in a baby seat and the two other little ones are buckled in before we embark.
Madame Arqala generally rides “shotgun” in these cases.
And makes ample use of the “phantom” brake and periodic verbal warnings to moderate any perceived excesses in my speed.
Note that those steps are undertaken before not after a crash.
So you’re probably as excited as I am to hear from Joe.
Quote 4
Colonial Pipeline is an accountable organization, and that starts with taking proactive steps to prevent an attack like this from happening again.
It seems that CP’s “accountability” is focused on the future.
They're looking "forward not backward."
Unspoken is the extent of accountability for pro-actively securing the stable gate before the horses bolt.
That can’t be quite right after all Joe of his statements so far about Colonial’s attitude to protecting critical infrastructure.
There’s got to be more to come.
Quote 5
Although the investigation is ongoing, we believe the attacker exploited a legacy virtual private network (VPN) profile that was not intended to be in use.
Ah, the answer.
When you hear the word “legacy”, you immediately know that its not current management’s failure.
It’s like the fraternity or college that has to accept an applicant because he’s a “legacy”. Neither can be blamed if the “legacy” doesn’t work out.
Or “legacy” can also mean something unwanted that you inherited, like your Aunt Stella’s collection of glass figurines. Just stick them in a box and forget about them.
With a name like “Colonial” you might well expect that John Murray, Fourth Earl of Dunmore, George Washington, or Alexander Hamilton probably set up the VPN.
Before you rush to blame any of them, let me remind you that internet security was not as advanced then as it is now.
Also we learn that the system “was not intended” for use.
But it certainly seems that it was “left on”.
So Colonial’s management is filled with good intentions among other things.
I guess in some quarters that counts for more than “effective actions”.
But that doesn’t mean that Colonial isn’t taking action now.
Quote 6
We have worked with our third-party experts to resolve and remediate this issue; we have shut down the legacy VPN profile, and we have implemented additional layers of protection across our enterprise. We also recently engaged Dragos’ Rob Lee, one of the world’s leading industrial and critical infrastructure and OT security specialists to work alongside Mandiant and assist with the strengthening of our other cyber defenses. We have also retained John Strand from Black Hills Information Security, another leader in the cybersecurity space, who will provide additional support to strengthen our cybersecurity program.
Clearly quite a bit work is being done now—that is to remind you after the hack.
Can we infer from the long list of remedial items that there were widespread and serious security weaknesses pre-hack?
It sure sounds like it.
With this as backdrop, you probably expect that Joe is about to get a quite grilling from the Senators on the Committee.
Let me remind you that “expectations” just like “intentions” don’t always deliver the wished for results.
Once the transcript of the hearing is published we’ll take a closer look.
No comments:
Post a Comment