Transportation Proposes Near $1M Fine for Colonial Pipeline One Year After Hack


The firm has 30 days to respond with evidence contesting the agency’s allegation of safety violations.

Colonial Pipeline should pay $986,400 for multiple probable violations of federal pipeline safety regulations, the Department of Transportation Pipeline and Hazardous Materials Safety Administration said in a proposed compliance order the agency announced days before the anniversary of last year’s pivotal ransomware attack. 

“The 2021 Colonial Pipeline incident reminds us all that meeting regulatory standards designed to mitigate risk to the public is an imperative,” said PHMSA Deputy Administrator Tristan Brown in a press release Thursday. “PHMSA holds companies accountable for violations and aims to prevent any instances of non-compliance.” 

On May 7, 2021, a criminal ransomware gang that U.S. officials linked to Russia disrupted fuel supplies along the Eastern Seaboard for five days and caused state-of-emergency declarations in several states.

“Following the receipt of this notice, you have 30 days to submit written comments, or request a hearing under 49 C.F.R. § 190.211,” Gregory A. Ochs, director of PHMSA’s pipeline safety office for the region, wrote to Colonial Pipeline President and CEO Joseph Blount. “If you do not respond within 30 days of receipt of this Notice, this constitutes a waiver of your right to contest the allegations in this notice and authorizes the associate administrator for pipeline safety to find facts as alleged in this notice without further notice to you and to issue a final order.”

Ochs added that the 30-day period may be extended by written request for good cause.

The Department of Homeland Security also noted the anniversary of the attack with a release for the press pointing to two security directives its Transportation Security Administration issued in response. The directives exercise TSA’s authority to issue fines for failure to implement security measures they detail.

DHS’ Cybersecurity and Infrastructure Security Agency, along with NSA, FBI and Department of Energy partners, has recently warned of malware designed—likely by a nation-state actor, intelligence analysts who work with the government say—to target the operational technology in critical infrastructure sectors like the pipeline industry.

PHMSA said that while TSA has authority over the pipeline industry’s information technology, PHMSA oversees the safety of the operational technology, and that in cybersecurity there is a crucial intersection between the two that attackers can exploit to create kinetic impacts on critical infrastructure.

A spokesperson for Colonial Pipeline told Reuters the company is looking forward to engaging with PHMSA.

The pipeline industry and sympathetic Republican lawmakers have pushed back against the TSA’s security directives, questioning the agency’s motives for issuing them.