Federal regulatory body discovers and announces Colonial Pipeline's violations, potentially leading to a fine exceeding $1 million

In a recent development, the Pipeline and Hazardous Materials Safety Administration (PHMSA) has proposed approximately $1 million in civil penalties for Colonial Pipeline over multiple control room management violations. These violations may have contributed to fuel disruptions during the May 2021 ransomware attack.

The inspections, which took place from January to November 2020, were carried out in four locations: Linden, New Jersey; Alpharetta, Georgia; Hebert, Louisiana; and Greensboro, North Carolina. PHMSA inspected Colonial Pipeline's control room management practices during this period.

The ransomware attack on Colonial Pipeline occurred on May 7, 2021, leading to the shutdown of fuel delivery until May 12. The attack was attributed to the DarkSide ransomware organization, and Colonial Pipeline paid $4.4 million in bitcoin as ransom during the attack.

However, the company has the right to accept or reject the regulator's findings, or request a hearing to respond to the allegations. Testimony from CEO Joseph Blount confirmed these details before the Senate Committee on Homeland Security.

The proposed violations include failure to properly prepare for manual restart and shutdown of operations, which could have exacerbated the effects of the ransomware attack. Colonial Pipeline, which transports more than half the fuel used on the East Coast, delivers more than 100 million gallons of product per day.

Federal investigators were able to recover about $2.3 million in bitcoin from the attack. The notice of proposed violation is the first of a multistep regulatory process. The attackers exploited a legacy VPN account to gain access to the company network.

The proposed violations arrived just before the anniversary of the May 2021 ransomware attack against Colonial. Colonial Pipeline's approach to manual operations allows it the flexibility required to operate safely during unplanned events. The company can accept or reject the penalties and respond to the allegations in due course.