KTEP - El Paso, Texas

The Colonial Pipeline CEO Explains The Decision To Pay Hackers A $4.4 Million Ransom

Originally published on June 4, 2021 5:13 am

Updated June 3, 2021 at 6:35 PM ET

Last month, a cyberattack on the company Colonial Pipeline, which operates a pipeline providing nearly half the East Coast's fuel supply, triggered a massive shutdown. Hackers infiltrated its computer network and demanded more than $4 million in ransom; the company shut down the pipeline.

Colonial Pipeline made the decision to pay the ransom on the same day, and it took 6 days to restart the pipeline.

In the interim, several governors in affected states declared states of emergency and urged the public not to hoard gas, but panic-buying led to temporary outages in 11 states and Washington, D.C.

Last week, the Transportation Security Administration announced a new policy that requires pipeline operators to report cyberattacks to the federal government within 12 hours. On Thursday, the White House released a memo to corporate executives and business leaders urging them to take immediate steps to protect against ransomware risks in the wake of attacks on both Colonial Pipeline and the meat company JBS.

"The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world," said Anne Neuberger, deputy national security adviser, in the memo, "is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively."

Joe Blount, CEO of Colonial Pipeline, says his company did exactly that. He spoke with NPR's All Things Considered about getting the pipeline safely back online, making the tough call to shut down the gas over a cyberattack, and why paying the ransom was "the right decision to make for the country." Read on for highlights of the interview.


Interview Highlights

On whether operations are fully restored

No, definitely not fully restored. And I think if you talk to anybody who suffered from one of these criminal cyberattacks, they would tell you that it takes months and months and months to restore all your IT infrastructure. In our case, our focus initially was to get the pipeline back up and running safely and as soon as we possibly could. So we got the critical IT structure put back together. But we have lots and months and months of work ahead of us.

On why the company shut down the gas over a computer system attack

Let me take you back to the early morning of May 7. We knew immediately that there was an issue, and we are programmed to only operate the pipeline if we feel that it's in safe operating condition: it won't cause any harm to employees, the communities we serve or to the environment. So we have what we call "stop work authority" at Colonial; any of our employees has the opportunity to use it. If they identify a risk, their job is to contain it immediately. In this case, a ransomware note came across the screen in our control room. It was immediately recognized, and the control room supervisor immediately decided to shut down the pipeline. It was the right decision to make because you don't know what you have [to deal with] at that point in time.

On his decision to pay a nearly $4.5 million ransom in cryptocurrency

[It was] obviously, probably the hardest decision I've ever made in my career. I've been around this asset for a long time: I've been an employee of Colonial Pipeline for three and a half years, but I've been in the industry for almost 39 now. So once we identified the risk and contained the risk by shutting the pipeline system down and immediately called in cyber experts to help us with identifying further what had been done to our system, one of the things that came up, ultimately, was the ransom and whether to pay the ransom or not.

The conversation went like this: Do you pay the ransom or not? And of course, the initial thought is: You don't want to pay the ransom. You don't want to encourage [hackers], you don't want to pay these contemptible criminals. But our job and our duty is to the American public. So when you know that you have 100 million gallons of gasoline and diesel fuels and jet fuels that are going to go across the Southeastern and Eastern seaboard of the United States, it's a very critical decision to make. And if owning that de-encryption tool gets you there quicker, then it's the decision that had to be made. And I did make that decision that day. It was the right decision to make for the country.

On the government's role when private companies face cyberattacks and ransom

At the end of the day, it's a decision that has to be made by the company. ... I think that obviously private industry has a responsibility here. Pipelines do invest in cyberware and security. It's a natural extension of what we've done historically, which is focus on the physical security of our asset. So it really pretty much needs to become a private-public partnership.

I think once we complete our investigation into this event, partnering with the government, sharing those learnings with our peers in the infrastructure space and more broadly across other sectors, is very important so that they can learn lessons from our event.

Correction: 6/03/21

An earlier version of this story suggested that Colonial Pipeline waited 6 days to pay the ransom. In fact, it decided to pay the ransom on the same day it got the demand.

Copyright 2021 NPR. To see more, visit https://www.npr.org.

MARY LOUISE KELLY, HOST:

Panic fueling, long lines for gas, handwritten signs taped to pumps, empty - those were the headlines last month in the U.S., particularly the southeast, fallout from a cyberattack. Colonial Pipeline provides nearly half the East Coast's fuel supply. And when hackers hit its network and demanded ransom, the company shut the pipeline down for six days and ended up paying that ransom, more than $4 million. Joe Blount signed off on that payment. He is CEO of Colonial Pipeline, and he joins me now.

Welcome.

JOE BLOUNT: Thank you, Mary Louise, for having us today.

KELLY: Are your operations fully restored now? Any lasting damage?

BLOUNT: No, definitely not fully restored. And I think if you talk to anybody who's suffered from one of these criminal cyberattacks, they would tell you that it takes months and months and months to restore all your IT infrastructure. In our case, our focus initially was to get the pipeline back up and running safely and as soon as we possibly could. So we got the critical IT structure put back together, but we have lots and months and months of work ahead of us.

KELLY: Well, and help me understand this. The attack was on your computer system - right? - not on the actual pipeline. So why did you have to shut down the gas? Why not keep it flowing while you were dealing with the problem with the computers?

BLOUNT: Well, let me take you back to the early morning of May 7. We knew immediately that there was an issue. And, you know, we are programmed to only operate the pipeline if we feel that it's in safe operating condition and won't cause any harm to employees, the communities we serve or to the environment. So we have what we call stop work authority at Colonial. Any of our employees has the opportunity to use it. If they identify a risk, their job is to contain it immediately. In this case, a ransomware note came across the screen in our control room. It was immediately recognized, and the control room supervisor immediately decided to shut down the pipeline. It was the right decision to make because you don't know what you have at that point in time.

KELLY: Let's turn to the other decision you made, that you signed off on paying nearly $4 1/2 million ransom. This was in cryptocurrency. Doesn't that just encourage the next attack?

BLOUNT: You know, obviously probably the hardest decision I've ever made in my career. You know, I've been around this asset for a long time. I've been an employee of Colonial Pipeline for three and a half years, but I've been in the industry for almost 39 (ph) now. So once we identified the risk and contained the risk by shutting the pipeline system down and immediately called in cyber experts to help us with identifying further what had been done to our system, one of the things that came up ultimately was the ransom and whether to pay the ransom or not.

KELLY: Well, and take me inside that conversation because I'm thinking if I'm a hacker in Russia, my takeaway might well be, that worked great. Which big U.S. company should be hit next?

BLOUNT: The conversations went like this. Do you pay the ransom or not? And, of course, the initial thought is you don't want to pay the ransom. You don't want to encourage. You don't want to pay these contemptible criminals. But our job and our duty is to the American public. So when you know that you have 100 million gallons of gasoline and diesel fuels and jet fuels that are going to go across the southeastern and eastern seaboard of the United States, it's a very critical decision to make. And if only that, the encryption tool, gets you there quicker, then it's the decision that had to be made. And I did make that decision that day. It was the right decision to make for the country.

KELLY: You know, as I'm sure you know now - you would have learned it if you didn't know it before - the FBI policy is don't pay the ransom because it does encourage the next attack and the next one. What kind of advice, what kind of pressure were you getting from the government as you were weighing this?

BLOUNT: I don't know that there was any pressure from the government. I think the FBI has stated in the past that they don't encourage it. But at the end of the day, it's a decision that has to be made by the company.

KELLY: What role, in your view, should the government play when a private company like yours faces an attack like this, faces ransom? As this seems to be becoming a more frequent problem, is it too big for private companies to handle privately when so many Americans are ultimately affected?

BLOUNT: I think that obviously private industry has a responsibility here. Pipelines do invest in cyberware and security. It's a natural extension of what we've done historically, which is focus on the physical security of our asset. So it really pretty much needs to become a private-public partnership.

KELLY: So you're happy to share information with the government, but you would prefer to have a private contractor who's helping keep the system safe?

BLOUNT: I think once we complete our investigation into this event, partnering with the government and sharing those learnings with our peers in the infrastructure space and more broadly across other sectors is very important so that they can learn lessons from our event. And obviously we can share with them what they've learned perhaps from similar type events.

KELLY: Mr. Blount, thank you for your time.

BLOUNT: Thank you very much. Have a great day.

KELLY: And you as well. Joe Blount - he's the CEO of Colonial Pipeline. Transcript provided by NPR, Copyright NPR.