On May 5, 2022, the U.S. Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) issued a Notice of Probable Violation (NOPV) and Proposed Compliance Order to Colonial Pipeline Company for close to $1 million. The announcement comes almost exactly one year after the ransomware attack that shut down Colonial Pipeline’s operations for five days, resulting in gas shortages across the southeastern United States.
The official announcement from PHMSA states, “From January through November 2020, PHMSA conducted an inspection of Colonial Pipeline Company’s procedures and records for Control Room Management (CRM) in Linden, NJ, Hebert, LA, Greensboro, NC and Alpharetta, GA. PHMSA made preliminary determinations that Colonial Pipeline Company was in probable violation of several PSRs, including a probable failure to adequately plan and prepare for manual shutdown and restart of its pipeline system. PHMSA informed Colonial Pipeline of the alleged non-compliance items shortly after the 2020 inspections concluded. The NOPV alleges that failures to adequately plan and prepare for a manual restart and shutdown operation contributed to the national impacts when the pipeline remained out of service after the May 2021 cyberattack.”
A notable element of the proposed violation is that Colonial Pipeline simply did not have an adequate plan in place to manually restart its operational technology (OT) systems. During CEO Joseph Blount’s testimony to Congress last year, it was revealed that the company was operating with limited information about its own network architecture and about the true extent of the breach. While this indicates that the actual attack could have been prevented with better cybersecurity protections, the impact of the attack would certainly have been lessened if an established manual backup plan had been in place.
“Critical infrastructure companies should take note of PHMSA’s actions. If executive teams aren’t prepared today with a strong contingency plan for when a system is compromised, they could become the next Colonial,” said Peter Lund, CTO at Industrial Defender. “One of the main factors contributing to the shutdown of the pipeline last year was the fact that they had insufficient incident response preparation. Planning and practicing an incident response scenario that addresses how to maintain business continuity is an important element of cyber resilience.”
To avoid hefty regulatory fines like the one from PHMSA, businesses should get serious about applying a defense-in-depth methodology to their cybersecurity planning, which includes both incident response and recovery. The controls found in the NIST Cybersecurity Framework (CSF) are a perfect model for how to achieve this: identify, protect, detect, respond and recover.