The US Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) issued a Notice of Probable Violation and Proposed Compliance Order to the fuel-pipeline operator on Thursday, alleging multiple violations of federal safety rules.
The proposed civil penalties total $986,400.
After reviewing Colonial Pipeline’s control room management procedures and records, PHMSA found that the company was in ‘probable violation’ of multiple pipeline safety requirements, including a failure to fully plan and prepare for manual shutdown and restart of its pipeline system.
Colonial’s unplanned approach to considering a manual restart resulted in higher risks to the pipeline’s integrity, as well as further delays in restart, the regulator claimed, worsening supply issues and social impacts.
“The 2021 Colonial Pipeline incident reminds us all that meeting regulatory standards designed to mitigate risk to the public is an imperative,” said PHMSA Deputy Administrator Tristan Brown.
“PHMSA holds companies accountable for violations and aims to prevent any instances of non-compliance.”
PHMSA has also issued an order requiring the operator to test and validate its internal communication plan for manual operation, as well as design a method to verify accurate alarm set-point values.
Colonial Pipeline is the largest refined products pipeline operator in the US, transporting about 45% of all fuel consumed on the East Coast. The firm’s pipeline spans nearly 8,850 kilometres from Houston, Texas to the New York area, transporting more than 100 million gallons of petrol, diesel and other fuels daily.
On the 8th May, 2021 the company announced that a ransomware attack had compromised its IT infrastructure. It briefly paused operational technology activities on four of its main lines as a precaution.
The shutdown sparked panic in the southeastern USA, with residents lining up at petrol pumps for several hours over fears of a shortage. Petrol prices rose as a result of the supply disturbance, and some stations ran out of fuel.
About a week after discovering the attack, Colonial paid nearly $5 million (about £3.55 million) ransom to the DarkSide ransomware group.
In an interview with Bloomberg, Charles Carmakal, senior vice president at cybersecurity firm Mandiant, said the attackers entered Colonial’s networks on the 29th April using a VPN account that was no longer in use.
The account didn’t use multi-factor authentication, and its password was found inside a batch of leaked passwords on the dark web.