One year after Colonial Pipeline was hit by a highly disruptive cyberattack, the US Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) wants the company to pay a fine of nearly $1 million over failures that allegedly worsened the impact of the hack.
The PHMSA has proposed civil penalties of $986,000 for the operator of the largest fuel pipeline in the US for what it has described as control room management failures.
In May 2021, Colonial Pipeline was forced to shut down operations after its systems became infected with ransomware. The attack involved the Russia-linked DarkSide ransomware and had significant consequences, including states declaring a state of emergency, temporary gas shortages caused by panicked motorists stocking up, and gas price hikes.
The pipeline was restarted five days after the attack was discovered. The company confirmed that it paid the cybercriminals for a tool designed to help it recover files encrypted by the ransomware, but that tool was ultimately not enough to immediately restore systems.
The PHMSA believes that “failures to adequately plan and prepare for a manual restart and shutdown operation contributed to the national impacts when the pipeline remained out of service after the May 2021 cyber-attack.”
These failures did not come to light after the 2021 cyberattack. Instead, they were found during an investigation conducted between January and November 2020. Colonial Pipeline was allegedly informed at the time about several violations of federal pipeline safety regulations, including many related to supervisory control and data acquisition (SCADA) and other industrial control systems (ICS).
Colonial told Reuters that the notice issued by the PHMSA is the first step in a multi-step regulatory process and the company is looking forward to working with the regulator. Colonial’s statement to Reuters suggests that it’s happy with the time it took to restart the pipeline following the attack.
Commenting on the first anniversary of the Colonial ransomware attack, Kudelski Security CEO Andrew Howard said, “This kind of incident is often characterized by media and security leaders as an attack on an operational technology (OT) system. Now that we understand the full details of the attack a year later, we know that while an OT-oriented company was targeted, compromised billing systems on the IT network are what created the vulnerability. The systems that actually moved and controlled oil on the pipeline were not compromised. While companies should absolutely be concerned about the security of their operational technology systems, it’s crucial not to lose sight of the IT functions in and around such systems.”
“Across our client base, we have seen a material uptick in proactive OT-related security concerns following the Colonial Pipeline hack. While this specific attack received a lot of attention, it was not the first attack of an operational technology network and certainly won’t be the last – it represents the new normal of cybersecurity attacks we’re going to see in the future,” Howard said.
Benny Czarny, founder and CEO of OPSWAT, believes the incident highlighted the need for a managed security operations center (SOC), with “operationalization of ransomware response and professional response teams and services.”
As an example, Czarny named a managed OT SOC, which provides “better performance monitoring of all systems, enforcing standard change management processes, vetting and deploying updates, and immediately reacting to any potential threats.”
Czarny added, “Organizations have also learned the need to assess both livelihood and financial risks. From a livelihood perspective, critical organizations now understand both cyber and physical risks, including prioritization of risk areas, and asset management and containment of attacks through more aggressive segmentation of critical data.
“From a financial risk perspective, Colonial Pipeline and other critical infrastructure attacks have taught organizations NOT to pay. There is no guarantee they will regain access or that data has not already been leaked or stolen. Payment also reinforces future and more sophisticated attacks—and it could be a US Sanctions Violation.”