House lawmakers on Wednesday were keen to ask Colonial Pipeline's chief executive officer what he knew about the ramifications of making a ransom payment and how it might affect the company's finances.
Colonial Pipeline chief Joseph Blount faced a second round of questioning on Wednesday, this time from House lawmakers, including a series of inquiries about the financial ramifications of the $4.3 million ransom payment made to the criminal group Darkside in May.
During a House Homeland Security Committee hearing, where Blount appeared alongside a FireEye executive, Rep. Jim Langevin (D-R.I.) grilled the Colonial executive on whether his company held cybersecurity insurance and if the payment would be reimbursed.
Blount during testimony this week has repeatedly stated the decision to pay was his alone and defended it as the right one to make. Responding to Langevin, he said the company has submitted a claim to the insurance company but has not yet received a response.
"I suspect that it will be covered," he added.
Blount and Langevin also had a tense exchange about the involvement the Cybersecurity and Infrastructure Security Agency should play in remediating Colonial's IT systems. The energy executive ultimately declined to commit to allowing CISA to assist his company, citing the three firms he has already retained as enough.
Blount said the company has not yet tabulated a cost estimate of the entire incident and the CEO also could not say whether Colonial would seek a tax deduction for the ransom payment.
The Justice Department earlier this week announced it was able to recover $2.26 million (63.7 BTC) of the $4.3 million (73 BTC) Colonial Pipeline made in Bitcoin through a virtual wallet.
The committee chairman Rep. Bennie Thompson (R-Miss.) sought and received a commitment from Blount to use the funds recovered for an investment in improving cybersecurity. However, later in the hearing, the energy executive also stated he is not certain whether his company has yet received those funds.
Blount was joined by Charles Carmakal, chief technology officer at FireEye Mandiant, one of three cybersecurity firms Colonial has hired to assist with remediation, during the hearing on Wednesday.
Carmakal said the earliest indicators of compromise FireEye has found so far is a login to a legacy virtual private network using credentials that were believed to be invalidated. He said the password was complex and not "easily guessable," and that hackers likely obtained it through a third-party website where the employee used the same password.
House and Senate lawmakers skeptical of Blount's decision to pay asked multiple questions about the efficacy of the decryption tool Darkside provided to Colonial. Many of them picked up on media reports stating the tool was not effective as well as Blount's own admission during a Senate hearing on Tuesday that it was "not perfect."
Carmakal said on Thursday the tool did work, albeit with some bugs, but went one step further to say that the company's back-ups were sufficient on their own. Blount however remained firm that his decision to pay was the right one.
"When you're there in the early hours of having your system … encrypted, you don't know what you have in front of you. You don't know how good your back up systems are," he said. "We had to avail ourselves of any and every option that we had" to restore service to the pipeline quickly and safely.
As Blount testified to House lawmakers on Wednesday, CISA published new guidance for industry on how to combat against a "rise in ransomware targeting operational technology assets."
This article first appeared on FCW, a GCN sibling publication.