A near $1 million penalty is being proposed for Colonial Pipeline following widespread fuel shortages along the U.S. East Coast in 2021 after a cyber attack on the energy pipeline operator in May 2021.
The U.S. Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) found management failings and has issued a Notice of Probable Violation (NOPV) and Proposed Compliance Order to Colonial Pipeline Company, which includes multiple probable violations of Federal pipeline safety regulations (PSRs). The proposed civil penalties amount to $986,400.
On May 8, 2021, Colonial Pipeline confirmed that its information technology (IT) systems were compromised by a ransomware attack. As a precaution, Colonial temporarily halted operational technology (OT) functions across four of its mainlines that transport gasoline, diesel, and jet fuel, stretching from Texas to New Jersey.
The attack resulted in major fuel distribution shortages across the region that the Colonial pipeline serves, which led to 17 states declaring states of emergency relative to the shortages.
The attack was attributed by the Federal Bureau of Investigation to a cybercrime group known as DarkSide, which typically targets non-Russian speaking countries and is known for double extortion schemes. The group operates like a corporate entity has been known to issue press releases and invite journalists to interview developers when it has released new malware.
From January through November 2020, PHMSA conducted an inspection of Colonial Pipeline Company’s procedures and records for Control Room Management (CRM) in Linden, NJ, Hebert, LA, Greensboro, NC, and Alpharetta, GA. PHMSA made preliminary determinations that Colonial Pipeline Company was in probable violation of several PSRs, including a probable failure to adequately plan and prepare for manual shutdown and restart of its pipeline system. PHMSA informed Colonial Pipeline of the alleged non-compliance items shortly after the 2020 inspections concluded. The NOPV alleges that failures to adequately plan and prepare for a manual restart and shutdown operation contributed to the national impacts when the pipeline remained out of service after the May 2021 cyber attack.
“The 2021 Colonial Pipeline incident reminds us all that meeting regulatory standards designed to mitigate risk to the public is an imperative,” said PHMSA Deputy Administrator Tristan Brown. “PHMSA holds companies accountable for violations and aims to prevent any instances of non-compliance.”
PHMSA has longstanding and comprehensive guidance on its enforcement of PSRs as well as its civil penalties, which are calculated using a range of criteria and based on statutory limitations. Under the authorities granted by Congress, PHMSA may propose civil penalties; the recipient of which may contest, contest in part, or accept. A pipeline operator that receives a proposed civil penalty may also request and receive an informal hearing before a presiding official of the agency and prior to a proposed civil penalty being finalized.