The Department of Transportation’s (DoT) Pipeline and Hazardous Materials Safety Administration (PHMSA) has proposed nearly $1 million in fines against Colonial Pipeline Company for multiple alleged “probable violations” of Federal pipeline safety regulations, PHMSA announced May 5.
Colonial Pipeline was the victim of a ransomware attack in May 2021, leading to the temporary shutdown of its pipeline operations as it sought to regain operational control. The Notice of Probable Violation (NPV) and Proposed Compliance Order from DoT includes charges that Colonial Pipeline failed to adequately plan and prepare for a manual shutdown and restart for its pipeline.
In particular, DoT said that “failures to adequately plan and prepare for a manual restart and shutdown operation contributed to the national impacts when the pipeline remained out of service after the May 2021 cyber-attack.”
“The 2021 Colonial Pipeline incident reminds us all that meeting regulatory standards designed to mitigate risk to the public is an imperative,” PHMSA Deputy Administrator Tristan Brown said in the announcement. “PHMSA holds companies accountable for violations and aims to prevent any instances of non-compliance.”
In total, the NPV alleges seven violations of control room management failures from the company. In addition to failing to adequately prepare for a manual shutdown and restart, the NPV alleges multiple violations related to supervisory control and data acquisition (SCADA) system operations and operators.
Among the violations of SCADA system operations, the NPV alleges Colonial Pipeline failed to follow proper procedures in:
- “Documenting point-to-point verification between SCADA displays and related field equipment”;
- Conducting and documenting point-to-point verification for Safety Life Cycle Management for security related alarms “to ensure alarms are accurate and support safe pipeline operations”;
- Failing “to complete and document verifications of alarm set-point and alarm descriptions” when the field instruments associated with them were calibrated or changed;
- Failing to provide a procedure for a regulation requiring “verification of the correct safety-related alarm set-point values and alarm descriptions when associated field instruments are calibrated or changed” at least once a year or 15 months at most;
- Testing backup servers at three different field operations control rooms at least once a calendar year for the 2017, 2018, and 2019 calendar years; and
- Failing “to identify and record, at least monthly, all points affecting safety that had been taken off scan in the SCADA host; all points that have had alarms inhibited; or that have had forced or manual values for periods of time exceeding that required for associated maintenance or operating activities” at three facilities for the years 2017, 2018, and 2019.
The largest fine comes from the violation of failing to adequately prepare for a manual shutdown and restart, totaling $846,300. In regards to proposed compliance with that violation, PHMSA orders that the company must test and verify its internal plan for manual operation of all of its control rooms within 90 days of receiving the final order. In all, PHMSA’s preliminary assessment of civil penalties totals $986,400.
The NPV – addressed to Colonial Pipeline’s president and CEO – said that PHMSA had inspected Colonial Pipeline procedures at four facilities for control room management twice in the past two years. The first inspections took place before the cyberattack from January 27 – November 12, 2020, while the second set of inspections took place post-attack from October 29 – November 4, 2021.