By the time Colonial Pipeline CEO Joe Blount was informed of the May ransomware attack, 5,500 miles of pipeline were turned off, and access to fuel stopped. But was it a physical attack? The impact of the incident was yet to be seen.
Employees are trained to shut down operations when they perceive risk, Blount said during the Mandiant Defense Summit keynote Wednesday. The company didn't have enough information to know if the ransomware jumped from its IT to OT environments.
On the morning of the incident, May 7, the usual CEO responsibilities immediately shifted to cybersecurity. Blount quickly learned that under stress, Colonial's security teams didn't have enough time or personnel — "so you become actively involved yourself," he said.
After a major cyberattack that ripples through partnering businesses or the public, CEOs become one of the main players in incident response. The CISO shares duties too, coordinating cyber response with their CEO, who in turn informs stakeholders, federal agencies and customers.
When Accellion's File Transfer Appliance (FTA) solution was exploited, CEO Jonathan Yaron and other C-suite executives made themselves available 24/7 to customers and government agencies globally.
"You can put aside the day-to-day stuff. And you basically say, 'It's all about the attack. And it's all about making sure everybody knows that needs to know,'" and offer remediation, Yaron said during the keynote.
Because Mandiant (formerly FireEye) was an Accellion customer, the security firm made the decision to shut down its Accellion instance, Charles Carmakal, SVP and CTO of Mandiant, said during the keynote. When Mandiant engaged with Accellion, the company spoke directly to Yaron and Accellion's CSO.
The transparency Yaron provided Mandiant, Carmakal said, "gave us a lot of confidence in their technology and we actually turned it back on on that Saturday."
A shared CEO experience
Given the pedestal CISOs were thrown onto in the last year, CEOs expect real-time information in the wake of a massive cyberattack, even when there is little information to provide.
Yaron's first expectation was to identify the potential victims of the cyberattack. His second expectation was to have a patch for the first zero-day within 72 hours, and to ensure the necessary parties applied it. Once the initial Band-Aid was applied, Yaron wanted those clients to upgrade from the legacy FTA solution.
Both Accellion and Colonial enlisted outside security firms for forensics. Those security organizations provide unbiased second opinions, and they "keep you honest," Yaron said.
Yaron, as CEO, and the company advised potential clients to shut off the technology, without waiting for the board's blessing.
"My responsibility was to take the high road and tell [customers] the truth. And the truth was, in that second, we didn't have all the answers," Yaron said. "There's never enough communication," he added, calling it the first task.
Colonial's board "knew enough to know they needed to stay out of the way" during the first few days of the ransomware attack, Blount said. The board is aware of the "stop work authority" employees have when they perceive a risk — there was no questioning the pipeline shutdown in the first hour of the ransomware discovery. From there, Blount wanted to know the immediate next steps in remediation, which in part consisted of at least once-a-day communication with agencies and stakeholders.
Because Colonial's pipeline is a federally regulated asset, "we had a lot of phone calls to make that morning," including the FBI and Federal Energy Regulatory Commission. The Cybersecurity and Infrastructure Security Agency (CISA) was looped in via the FBI. Ultimately, the Department of Energy became Colonial's main point of contact, Blount said, and he was the department's direct line.
"I kind of had an informal agreement with the chairman of the board, I would talk to him at least once a day. And then we would pull the board together when there were significant things to report," Blount said. Having the single point of contact between the company and government was the greatest takeaway of the incident.
"Your typical CEO job went out the door just a few hours ago. And it's not coming back for quite some time. You're in the communications game," he said.
Through collaboration with federal agencies and the security firms supporting the response, the company had to decide which mission-critical systems needed to be restored first, and which ones could wait, if need be. After answering those questions, Colonial and Blount had to answer the questions regulators were asking.
"Lots of people want lots of answers, and they want the answers yesterday … And quite frankly, a lot of those questions aren't critical when your primary focus is containing the risk," Blount said.