Almost one year to the day after the Colonial Pipeline incident, which sparked controversy and brought new attention to the cybersecurity industry, the company is facing nearly one million dollars in civil penalties for multiple probable violations of federal pipeline safety regulations (PSRs), according to the U.S. Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA).
Interestingly enough, the penalty Colonial Pipeline currently faces is actually not for the cybersecurity incident itself, but for failing to comply with safety regulations prior to the incident.
PHMSA says it conducted an inspection of the company’s procedures and records for Control Room Management (CRM) at various locations, determining it was in probable violation of several PSRs, “including a probable failure to adequately plan and prepare for manual shutdown and restart of its pipeline system.” This inspection occurred between January and November of 2020, months before the infamous incident came to light.
Colonial Pipeline was informed of the alleged non-compliance after the inspection concluded, but it appears it still failed to prepare for a manual restart and shutdown operation, which contributed to the national impact of its pipelines being out of service after the cyberattack last May.
PHMSA said in a Notice of Probable Violation and Proposed Compliance Order:
“The pipeline shutdown impacted numerous refineries’ ability to move refined product, and supply shortages created wide-spread societal impacts long after the restart.
Colonial Pipeline’s ad-hoc approach toward consideration of a ‘manual restart’ created the potential for increased risks to the pipeline’s integrity as well as additional delays in restart, exacerbating the supply issues and societal impacts.”
PHMSA Deputy Administrator Tristan Brown commented:
“The 2021 Colonial Pipeline incident reminds us all that meeting regulatory standards designed to mitigate risk to the public is an imperative. PHMSA holds companies accountable for violations and aims to prevent any instances of non-compliance.”
The proposed civil penalties amount to $986,400.
In response to the penalties, a spokesperson for Colonial Pipeline discussed the cyberattack with The Hacker News:
“This notice is the first step in a multi-step regulatory process and we look forward to engaging with PHMSA to resolve these matters. [The] incident command structure facilitates a deliberate approach when responding to events.
As the 2021 cybersecurity incident demonstrated, Colonial’s approach to operating manually gives us the flexibility and structure necessary to ensure continued safe operations as we adapt to unplanned events.
Our coordination with government stakeholders was timely, efficient and effective as evidenced by our ability to quickly restart the pipeline in a safe manner five days after we were attacked—which followed localized manual operations conducted before the official restart.”
Do you think Colonial Pipeline made the right call? Let us know in the comments below.