The US Department of Transportation (DOT) is seeking to fine fuel supplier Colonial Pipeline over the widely publicized ransomware attack of 2021, saying that the company failed inspections conducted in 2020 and did not make the required improvements. Had the recommended changes been implemented, the government contends, the fallout from the attack might not have been so severe.
Colonial Pipeline operates the largest pipeline carrying fuel from the Gulf Coast to East Coast states, and several of those states saw fuel supplies dry up for about a week after a ransomware attack hit the company’s business IT systems. Though the operational equipment controlling the pipeline was not directly affected, the company ordered a full shutdown for five days as a precaution; the government says that the lack of a required communications plan for such an emergency shutdown contributed to the negative outcome.
Ransomware attack punished with fines, but relevant law doesn’t directly apply to cyber readiness
While the law that the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) applied to the situation does not mandate any sort of cyber response plan, it was applied to the ransomware attack by way of the emergency shutdown that Colonial Pipeline ordered. The 2020 inspections, which lasted most of the year and covered a number of the company’s facilities, found that the company was not adequately prepared for such a shutdown.
The lack of a required communications plan accounts for a proposed fine of $846,300, with roughly another $100,000 proposed for a variety of smaller violations. The matter is not completely settled, however, as Colonial Pipeline has the right to challenge the fines in a formal hearing. The new cybersecurity directives issued by the Biden administration require energy companies to have various new cyber readiness measures and plans in place, but this incident occurred before those orders (which were in large part driven by the Colonial Pipeline and other major ransomware attacks). The fines were issued under the authority of the Pipeline Act of 2002, which focuses more on physical safety and the handling of emergency incidents than on cybersecurity.
Risks of ransomware attacks on vital goods and services
Protection of critical infrastructure against ransomware attacks has been a primary focus of the Biden administration since the Colonial Pipeline, JBS and SolarWinds attacks posed major risks to private American companies that supply vital goods and services. JBS’s beef and pork supply was disrupted for some time, affecting not just numerous American states but also its operations in other countries (such as Australia, Brazil and Canada). The SolarWinds attack was not ransomware but a software supply-chain compromise: attackers believed to be Russian state-backed hackers trojanized an update to the company’s IT management software in order to spy on federal agencies, and in the process many of the firm’s other customers installed the compromised update and could have been hit with a mass ransomware wave had that been the attackers’ goal.
Colonial Pipeline paid the hackers over $4 million to end the ransomware attack, but later recovered about half of that money with the assistance of law enforcement agencies. With an estimated annual revenue of over $500 million, the total cost of the incident will likely be trivial to the company; however, it could be on the hook for much more substantial fines if more serious lapses occur in the future.