Colonial Pipeline could face a $1 million fine for safety violations that had a role in the 2021 cyberattack

PHMSA (Pipeline and Hazardous Materials Safety Administration) – the US Department of Transportation’s agency responsible for the safe operations of pipelines in the United States, proposed a $ 1 million fine for Colonial Pipeline after an inspection back in 2020 highlighted non-compliances that have contributed to the plants shutdown during the May 2021 cyber-attack.

A step back to May 2021

On May 7th 2021 Colonial Pipeline – an American oil pipeline system carrying gasoline and jet fuel mainly to the southeastern US – was victim of a ransomware attack by DarkSide gang. The attack started as of May 6th, when the gang exfiltrated more than 100 GB of company data in just 2 hours. In order to prevent any further damage to its systems, the company decided to shut down operations, interrupting the 5.500 miles of pipeline from Texas to New York. As a result, many gas stations ran out of fuel in the next few days, with episodes of panic buying in Georgia, North and South Carolina, Tennessee and Washington D.C. 

On May 12th, after a 6 days shutdown, Colonial Pipeline restarted operations and the situation slowly returned to normality. Later on the company reported that it had paid DarkSide a 75 bitcoin ransom (4.4 million $), which was partially recovered by the FBI in the following months. During the downtime, the fuel price skyrocketed to the highest levels in the last 6 years: as of May 18th, the average cost was 3,04 $ a gallon and around 10.600 gas stations were still without gas.

The attack happened in a period of intense debate in the US covering the growing concern over the vulnerability of infrastructures – including critical ones – to cyber-attacks, especially after several other high-profile attacks that hit multiple federal government agencies.

Non-compliance can be fatal

PHMSA in 2020 conducted a recurrent audit to check Colonial Pipeline’s compliance with Pipeline Safety Regulations, detecting several violations in their plants. One of those violations is believed to have played a role, later on, in the cyber-attack. Specifically, Colonial proved not to have an internal communication plan for manual operation of the pipeline, believing that the possibility of losing SCADA was remote. This points out how Colonial Pipeline employees did not have the necessary knowledge to manually restart and operate the pipeline, thus causing gas shortage in the country. 

Moreover – despite the fact that there is no legal obligation in this regard –  their SCADA system did not have a backup ready to be used in case of unavailability of the main server. 

A penalty of nearly $1 million

PHMSA proposed to fine Colonial Pipeline a total of $1 million, as if the company would have had proper knowledge and procedures to operate the pipeline manually, it could have avoided the operations shutdown and the resulting gas shortage in the country. Based on PHMSA assessment, Colonial Pipeline failed to put in place the necessary actions to comply with the pipeline safety regulations.

Those failures highlight how powerful the insights from an  assessment are. 

If we move into the cybersecurity domain, keeping our focus on OT environment and Industrial Security, let’s think about what could have been found in an assessment following IEC 62443 regulation.

Assessment against IEC 62443 framework

IEC 62443 is designed to foster an Industrial Automation Control System (IACS) Security Lifecycle around 3 actions: assess risks and threats, implement actions and maintain those actions over time.

The Assessment phase includes a risk and vulnerability assessment, as well as a threat modeling, in order to understand the liabilities, the ways a system can be exposed to a cyber-attack, and the effort that should be put in place to protect it. The results of the assessment phase should then be implemented in a coherent action plan that results in a Defense Strategy and a structured Cyber Security Management System (CSMS), with policies and procedures dedicated to cybersecurity. 

Last but not least, security is a continuous process, so each of those steps does not happen once and then remains unchanged. On the contrary, security should be maintained with regular auditing and follow-ups in order to test if everything is actually contributing to improve the security posture.

Sababa Security can help organizations during all the phases of IACS Security Lifecycle of IEC 62443, from the Security and Vulnerability Assessment, through the Penetration Test, up to the implementation and maintenance of a proper CSMS. As well as conduct Security Assessment against NIST, NERC CIP, National Cybersecurity Framework or any other global or local standard. 

Zooming into Security Assessment: what is the value 

Having a list of the technologies you are using to protect your IT and OT environment cannot help you to see the existing vulnerabilities, nor can they help to identify your real security needs and priorities. This is where the Security Assessment can help. 

Being performed against global frameworks – such as NIST CSF, NERC CIP, and more – Security Assessment brings visibility into the existing security status, checking if security processes and policies are in place, evaluating if the company is ready to react to a cyber incident, ensuring corporate compliance with cyber security related regulations. 

This comprehensive analysis includes several stages. After the interviews with the representatives of different teams and departments, an audit of security measures, processes and roles used on the corporate network is performed. Once highlighted the areas requiring outstanding attention and classified findings according to their severity, the activity ends with the creation of an explicit roadmap including recommendations on what should be fixed and when.

In conclusion, every time you need to decide what will be your company’s next cybersecurity investment or build a long-term cybersecurity strategy, try to understand first what is your starting point with a Security Assessment.