
Colonial Pipeline May Face $1 Million Penalty for “Operational” Lapses in 2021 Ransomware Attack

After losing millions to the 2021 ransomware attack that cut off fuel to parts of the United States, Colonial Pipeline may be facing more financial damage if a fine proposed by the US Department of Transportation (DOT) holds up.

The DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) is proposing a civil penalty of nearly $1 million due to a failure to address safety issues raised during inspections conducted throughout the prior year. PHMSA inspected several Colonial Pipeline control room facilities from January to November 2020 and found it in violation of several rules, including failure to prepare for a manual shutdown and restart of its pipeline system.

Culpability in ransomware attack may cost Colonial Pipeline an additional $1 million

PHMSA has tallied a “probable fine” of $986,400 for multiple control room violations found during the 2020 inspections of Colonial Pipeline facilities in Georgia, New Jersey, North Carolina and Louisiana.

As an oil and gas provider, Colonial Pipeline is subject to special federal pipeline safety regulations (PSRs) established by the Pipeline Safety Act of 2002, a bill created primarily due to frustrations with poor regulation of the pipeline and hazardous materials industries dating all the way back to the 1960s (and also spurred on by the then-recent 2001 terrorist attacks).

These regulations generally focus much more on physical security and emergency preparedness than cybersecurity, but they come into play with the Colonial Pipeline ransomware attack in terms of the company’s ability to physically recover from any sort of event that forces a shutdown and manual restart of its services. This is exactly what happened on May 7, 2021, as ransomware hit the company’s servers, and the pipeline system was taken offline until May 12 out of caution.

Though the pipeline was shut off for several days, the disruption created a ripple effect that lasted longer as about half of the East Coast’s fuel supply suddenly became unavailable. Fuel stations in the impacted regions saw lines that stretched over a mile in some cases, and the national average price of gas rose to over $3 a gallon for the first time since 2014.

The PHMSA finding appears to be that this disruption could have been limited had Colonial Pipeline addressed the violations that were identified in 2020, but at the time of the ransomware attack it had not. The fines are not yet finalized as Colonial Pipeline has the right to request a formal hearing with the agency at which it can contest the penalty.

Unusual use of rules adapted to an unusual ransomware attack

PHMSA found that Colonial Pipeline did not have a required internal communications plan for a shutdown situation, something that hampered its ability to manually restart the pipeline. Ironically, the ransomware attack only hit the business operations side of the company; the main problem it caused was cutting off access to delivery information, rather than actually physically disabling any part of the pipeline. However, the company ended up performing a full shutdown that lasted for days due to lack of proper planning and preparation.

That lack of an internal plan drew the bulk of the fine amount ($846,300). The other four fines were each for $45,000 or less. Some analysts have noted that the law the fines are based on was not designed for cybersecurity issues such as ransomware attacks, and the application of it in this case was somewhat creative. This could provide Colonial Pipeline with grounds for a challenge. While the company was required to have a general communications plan in place for scenarios in which the pipeline is shut down, it was not under any particular obligation to have something on file for a ransomware attack.

Padraic O’Reilly, Pipeline Cyber Advisor and Co-Founder of CyberSaint, notes: “Most violations and penalties levied tend to start with a physical violation, a leak, spill, etc. The laws are written around this type of event and there is not a lot of cyber in the existing regs, which are in place around the physical security of pipelines and the associated processes and documentation. My hunch is that this penalty is unique in that the event is the downtime Colonial experienced, and the regulators went after flawed process and documentation. CISA and PHMSA were much more delicate with the December 2019 attack on a natural gas compression facility that resulted in a two-day shutdown. The new Directives will expand enforcement to cyber-specific processes and technology, so we might see an uptick in cyber enforcement after TSA is done negotiating with the operators.”

Colonial Pipeline ended up paying $4.4 million in ransom for a tool that was supposed to decrypt the files, but apparently did not work as thoroughly as advertised. About $2.3 million ended up being recovered by the Department of Justice. The perpetrators, an Eastern Europe-based cybercrime group called DarkSide, became the immediate focus of an international law enforcement effort that eventually captured much of their infrastructure and hounded them out of business.

In terms of game-planning for defense against ransomware attacks and expected regulatory response, the situation demonstrates that companies handling critical infrastructure (or any public good that could cause major disruptions to everyday life if cut off for an extended period) need to expect everything and anything to be brought to bear against them if there is a cybersecurity lapse of any sort.

As O’Reilly notes, “All incident response and contingency planning focuses on communications. The best practices are well known, and overall the delivery and software providers are simplifying the implementation. The first elements of the new directives are straightforward, but the second directive, which includes architectural review, contingency planning, and mitigation measures, is more expensive and time intensive.

“Operators will need to take a risk-based approach to implementation. That is, identify the key business processes, game out loss scenarios (which includes proposed penalties), and begin implementing in a prioritized manner. Governance and executives will need to be engaged and nimble with budgetary decisions. Ultimately, the companies that do this well will be in the best position both competitively and reputationally.”