Tech audit of Colonial Pipeline found 'glaring' problems

The entrance of Colonial Pipeline Company is shown Wednesday, May 12, 2021, in Charlotte, N.C. Several gas stations in the Southeast reported running out of fuel, primarily because of what analysts say is unwarranted panic-buying among drivers, as the shutdown of a major pipeline by hackers entered its fifth day. (AP Photo/Chris Carlson)

BOSTON – An outside audit three years ago of the major East Coast pipeline company hit by a cyberattack found “atrocious” information management practices and “a patchwork of poorly connected and secured systems,” its author told The Associated Press.

“We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”

How far the company, Colonial Pipeline, went to address the vulnerabilities isn't clear. Colonial said Wednesday that since 2017, it has hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%. While it did not specify an amount, it said it has spent tens of millions of dollars.

“We are constantly assessing and improving our security practices — both physical and digital,” the privately held Georgia company said in response to questions from the AP about the audit's findings. It did not name the firms who did cybersecurity work but one firm, Rausch Advisory Services, located in Atlanta near Colonial's headquarters, acknowledged being among them. Colonial's chief information officer sits on Rausch's advisory board.

Colonial has not said how the hackers penetrated its network. How vulnerable it was to compromise is sure to be intensely scrutinized by federal authorities and cybersecurity experts as they consider how the most damaging cyberattack on U.S. critical infrastructure might have been prevented.

Friday's pipeline shutdown has led to distribution problems and panic-buying, draining supplies at thousands of gas stations in the Southeast. Colonial said it initiated the restart of pipeline operations on Wednesday afternoon and that it would take several days for supply delivery to return to normal.

Ransomware attacks have reached epidemic levels as foreign criminal gangs paralyze computer networks at state and local governments, police departments, hospitals and universities — demanding large sums to decrypt the data. Many organizations have failed to invest in the safeguards needed to fend off such attacks, though U.S. officials worry even more about state-backed foreign hackers doing more serious damage.

Any shortcomings by Colonial would be especially egregious given its critical role in the U.S. energy system, providing the East Coast with 45% of its gasoline, jet fuel and other petroleum products.