Colonial Pipeline May Have to Pay Fine of Nearly $1 Million
US Regulators Say Firm Violated Series of Federal Pipeline Safety Rules
U.S. regulators have proposed that Colonial Pipeline, which was hit by a cyberattack in May 2021, be fined $986,400 over a series of federal pipeline safety regulation violations. The ransomware attack caused fuel shortages along the U.S. East Coast, where Colonial Pipeline operates a 5,500-mile pipeline that supplies fuel, gasoline and other petroleum products.
The U.S. Department of Transportation's Pipeline and Hazardous Materials Safety Administration on Thursday issued a list of probable violations and a proposed compliance order to the operator of the largest fuel pipeline in the country.
"Last week, the Pipeline and Hazardous Materials Safety Administration (PHMSA) issued Colonial a Notice of Probable Violation. This notice is the first step in a multi-step regulatory process and we look forward to engaging with PHMSA to resolve these matters," a spokesperson for Colonial Pipeline tells Information Security Media Group.
Sam Curry, chief security officer at Cybereason, says PHMSA's proposal sheds light on the fact that safety violations are important - with or without ransomware entering the picture. And when asked if the proposed penalty is fair, Curry points out that the company shut down its services even though the delivery of fuel was never directly attacked.
The company's probable violations include those in control room management, failure to follow procedures such as point-to-point verification for documenting SCADA displays and failure to comply with field equipment for 87 safety-related pressure transmitter alarms in 2019.
Colonial Pipeline, the agency's notice says, also did not verify - for the years 2017, 2018 and 2019 - whether all safety-related alarm set-point values and alarm descriptions were correct.
"Colonial failed to provide records to demonstrate they verified correct safety-related alarm set-point values and alarm descriptions for all safety-related alarms at least once each calendar year not to exceed 15 months. Colonial has safety-related alarms that relate to tank levels and reliefs requiring annual calibration, [...]. However, there are other safety-related alarms that the system manages outside of these alarms that must also be reviewed," the notice says.
"At the time of the inspection, and in a subsequent telephone call on June 24, 2021, Colonial believed they completed all the safety-related alarm verifications, but they did not have adequate records to demonstrate compliance," it adds.
The notice says that Colonial Pipeline has had multiple issues with its Safety Life Cycle Management, or SLM, application and employee documentation performance since their implementation in 2017, including:
- Employees not entering data into SLM;
- Information not being maintained in the database or presenting properly;
- The application, per Colonial, not being well designed for Colonial's application.
"Violations discovered by auditors during routine inspections at Colonial Pipeline or any company attacked by ransomware gangs highlight potential problems in governance, auditing, and checks and balances. At this moment, instead of hunting for cybercriminals, we need to encourage more disclosure, more openness and more self-improvement," Curry says.
This announcement evoked mixed reactions from the industry. Some say there is broader awareness now about attacks on supply chain infrastructure, and organizations are more mindful about risk today. Others feel the nearly $1 million penalty pales in comparison with the $5 million paid as ransom.
"It's hard to believe it's been a year since the Colonial Pipeline ransomware attack. The good news is that cybersecurity requirements for infrastructure providers like Colonial have become more formalized since the cyberattack occurred, and there's broader corporate awareness of ransomware's impact," says Neil Jones, director of cybersecurity evangelism at Egnyte, a cloud-based content security, compliance and collaboration tools provider.
Jones says the recent geopolitical events in Europe and global supply chain pressures remind us that service disruptions from ransomware are just as likely now as they were a year ago. And now organizations also have to manage data infiltration allegations via social media that may or may not have even occurred.
"It was always clear that cybersecurity deficiencies at Colonial made this attack possible. Management has to own cybersecurity, which includes informing themselves about their current security status and taking action to mitigate emerging risks. Failures in these areas invariably have impacts on a wider audience and so it is entirely appropriate that managements who fail in the task should attract regulatory fines. Sadly, a $1 million fine is likely to be too small to make enough of an impact to a large organization like Colonial," says Alan Calder, CEO of IT risk management solutions provider GRC International Group.
Curry says that in cases of material cyberattacks, the penalties companies pay for violations can have a negative effect on curbing future attacks. And if the penalties are too low, the message will be that possible consequences from disruption to oil, gas and food supplies don't matter.
"For critical infrastructure operators and all organizations, put risk front and center. Stop treating security as some function in IT and start discussing the systemic risk to your organization. And for security folks, stop acting like the job is just about the policies and tools under administration. Maturity in security comes when it is seen by practitioners and peers alike not as a jargon-laced domain for specialists but as a business function for adult discussions around risk and risk mitigation," Curry says.
Erfan Shadabi, cybersecurity expert at data security company comforte AG, tells ISMG that the Colonial Pipeline attack in 2021 showcased the extensive turmoil that a single compromised account can create when it facilitates a ransomware attack on a large service or commodity provider.
"When it comes to the financial damage that breaches can wreak on organizations, it is not just the ransom, the outright loss of business, the loss of customer data or even just rebuilding network damage after an attack that can be costly - there are also the regulatory penalties and fines associated with not properly shoring up systems or giving timely notice to impacted customers," he says.
In its response to ISMG, Colonial Pipeline's spokesperson downplayed such concerns, saying, "Our incident command structure facilitates a deliberate approach when responding to events. Our coordination with government stakeholders was timely, efficient and effective as evidenced by our ability to quickly restart the pipeline in a safe manner five days after we were attacked - which followed localized manual operations conducted before the official restart."
Shadabi says that despite the fact that these penalties can be expensive and damning, the good news is that fines could encourage other organizations to reexamine their security posture and implement necessary defenses. Every enterprise should operate under the assumption that its perimeters have already been breached and that unauthorized access to data or resources will lead to exposed sensitive information, he says.
"This notion is a key principle of Zero Trust, which helps to reorient an enterprise's posture so that no implicit trust of any entity within the IT environment is granted. Continually challenge, continually verify and authenticate, and continually protect the very data that threat actors are after. The only way to do the latter effectively is with data-centric security, which protects the data itself. Methods such as format-preserving encryption and tokenization go a long way toward supporting a healthy Zero Trust outlook," Shadabi says.
In fact, to curb haphazard data collection during and after cyberattacks, U.S. President Joe Biden recently signed into law the Better Cybercrime Metrics Act, which requires the Department of Justice and the FBI to compile detailed cybercrime statistics and develop a taxonomy to help contextualize and sort this data (see: US Passes Law Requiring Better Cybercrime Data Collection).