2018 audit found 'glaring deficiencies' at pipeline company

2018 audit found 'glaring deficiencies' at pipeline company

SeattlePI.com

Published

BOSTON (AP) — An outside audit three years ago of the pipeline company hit by a cyberattack threatening fuel supplies in the eastern United States found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author told The Associated Press.

“We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”

How far the company, Colonial Pipeline, went to address the vulnerabilities isn't clear. Colonial said Wednesday that since 2017, it has hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%. While it did not specify an amount, it said it has spent tens of millions of dollars.

"We are constantly assessing and improving our security practices — both physical and digital,” the privately held Georgia company said in response to questions from the AP about the audit's findings. It did not name the firms who did cybersecurity work but one firm, Rausch Advisory Services, located in Atlanta near Colonial's headquarters, acknowledged being among them. Colonial's chief information officer sits on Rausch's advisory board.

Colonial has not said how the hackers penetrated its network. How vulnerable it was to compromise is sure to be intensely scrutinized by federal authorities and cybersecurity experts as they consider how the most damaging cyberattack on U.S. critical infrastructure might have been prevented.

Friday's pipeline shutdown has led to distribution problems and panic-buying, draining supplies at thousands of gas stations. Colonial said it initiated the restart of pipeline operations on...

Full Article