Dive Brief:
- Colonial Pipeline is facing almost $1 million in civil penalties from the Department of Transportation’s regulatory unit in charge of pipeline safety for multiple control room management violations, which may have contributed to fuel disruptions during the May 2021 ransomware attack.
- The DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) inspected Colonial’s procedures and records for control room management in four locations, the regulator said in a notice Thursday. The company was in probable violation of several regulations, including failure to properly prepare for manual restart and shutdown of operations.
- “The 2021 Colonial Pipeline incident reminds us all that meeting regulatory standards designed to mitigate risk to the public is an imperative,” Tristan Brown, deputy administrator at the regulator, said in the announcement. “PHMSA holds companies accountable for violations and aims to prevent any instances of noncompliance.”
Dive Insight:
The notice of probable violation arrived just before Saturday's anniversary of the May 2021 ransomware attack against Colonial, an incident closely aligned with calls to shore up critical infrastructure cybersecurity. International geopolitical conflicts have added urgency for calls to ensure U.S. critical infrastructure remains resilient against cyberattacks.
PHMSA conducted inspections of Colonial Pipeline’s control room management from January through November 2020 in the company’s Linden, New Jersey, Alpharetta, Georgia, Hebert, Louisiana and Greensboro, North Carolina offices.
The agency informed Colonial Pipeline of the potential violations soon after the inspections ended, PHMSA said. Colonial can, in part or in whole, accept or reject the regulator's findings. The pipeline can also request a hearing to respond to the allegations.
For Colonial, its approach to manual operations allows it the flexibility required to operate safely during unplanned events, a company spokesperson told Cybersecurity Dive in an email.
"Our incident command structure facilitates a deliberate approach when responding to events," the spokesperson said. "Our coordination with government stakeholders was timely, efficient and effective as evidenced by our ability to quickly restart the pipeline in a safe manner five days after we were attacked – which followed localized manual operations conducted before the official restart."
The notice of probable violation is the first of a multistep regulatory process, the company said.
The company discovered the ransomware attack on May 7, 2021, which FBI officials attributed to the DarkSide ransomware organization. The attackers encrypted the company’s IT and demanded a ransom, leading Colonial officials to shut down operations to prevent the hackers from reaching the company’s operational technology, which involves fuel delivery.
Colonial is the largest refined products pipeline in the U.S. by volume, with 5,500 miles of pipeline and delivers more than 100 million gallons of product per day, according to the company.
The company transports more than half the fuel used on the East Coast, and the attack led to the shutdown of fuel delivery until May 12, according to testimony from CEO Joseph Blount before the Senate Committee on Homeland Security during a June 2021 hearing.
Blount testified the attackers exploited a legacy VPN account and used it to get into the company network. The company paid $4.4 million ransom in bitcoin, though federal investigators were able to recover about $2.3 million in bitcoin through an operation that traced the multiple transfers of funds.