One Year Later, US Regulator Proposes Colonial Pipeline Fine
The US Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) has proposed fining Colonial Pipeline nearly $1 million for control room management failures that contributed to the severity of the May 2021 cyberattack. One year ago, Colonial Pipeline shut down operations in the wake of a ransomware attack. According to a PHMSA press release, the Notice of Probable Violation (NOPV) and Proposed Compliance Order “alleges that failures to adequately plan and prepare for a manual restart and shutdown operation contributed to the national impacts when the pipeline remained out of service after the May 2021 cyber-attack.”
While PHMSA sits under the US Department of Transportation, the Transportation Security Administration (TSA), which sits under DHS, has overall responsibility for pipeline security. Until the Colonial Pipeline incident, TSA relied largely on voluntary compliance and interviews about security issues, concentrating on operational technology and physical security, with no real audits. Since the incident, TSA has issued two Pipeline Cybersecurity Directives (one requiring, for the first time, a designated “Cybersecurity Coordinator”) and has established a cybersecurity operations branch. This incident is a good example to use when driving a proactive review of (a) cross-OT/IT visibility into, and security testing of, OT cybersecurity, and (b) development of playbooks for responding to a cyber incident that affects OT operations directly or indirectly.
If you had not considered regulatory fines as a cost of breaches and ransomware, here is an example you can use. The direct costs are more obvious: negotiators, incident response, recovery, etc. I go deeper into these costs in my blog: https://www.scythe.io/library/the-real-costs-of-ransomware-direct-costs
This emphasizes the importance of a viable COOP (continuity of operations) plan. If you're in a regulated industry, you need to make sure that your regulators are on board with your service resumption goals. Even so, you need to make sure you can actually meet those goals, including any assumptions the plan makes about acquisition. Revisit plans for backup communication paths, as well as any changes to perimeter security needed to facilitate resumption of operations. The last two years have taught us that exposed services are rapidly targeted; remember that security by obscurity isn't security. Stand things up securely from the get-go.
In addition to fines, accountability for these failures should include changes in governance, directors, and management. Fines alone are not sufficient to change an organization's behavior.